New Cybercrime Protocol will undermine our privacy to compensate for the rising powers of law enforcement authorities

This new international agreement raises serious concerns as its shortcomings promise to undermine the safeguards to our fundamental rights, including our privacy and procedural rights.

By EDRi · April 13, 2022

That’s why civil society is urging the European Parliament to request the opinion of the European Court of Justice (CJEU) on the compatibility of the Second Additional Protocol of the Council of Europe (CoE) Cybercrime Convention with the Treaties, including the Charter of Fundamental Rights. Read our paper on the direct transfers of personal data from service providers in the European Union (EU) to law enforcement authorities in third countries to get an understanding of the incompatibility of the new Cybercrime Protocol with EU law.

In 2017, the Council of Europe (CoE) and its Cybercrime Committee started preparing an additional protocol to the Budapest Convention on Cybercrime – a new tool for its State Parties’ law enforcement authorities (LEAs) to have access to data held by private companies located on other States’ territory in the context of criminal investigations. There are 66 Parties to the Convention today, including the United States of America and other countries beyond Council of Europe members. Any State may accede to the Convention upon invitation. After the Cybercrime Committee rushed through the last steps of the negotiations to finalise the new Additional Protocol, the text will now be opened for signature and ratification by interested Parties on 12 May 2022. In two draft Council decisions, the European Commission has recommended that all Member States join the new instrument “in the interest of the EU”. On 5 April, the Council of the EU authorised the signature by Member States. It’s now time for the European Parliament to give its consent to the approval of the Council’s decision authorising Member States to ratify it. 

The compatibility of the new Protocol with EU law is unclear to ensure it is in line with the Treaties and especially with the Charter, the European Parliament must request the opinion of the CJEU. Where the opinion of the Court is adverse, the envisaged agreement may not enter into force unless it is amended or the Treaties are revised.

Why is the CJEU opinion necessary now?

If a judgment of the CJEU is delivered after the Protocol has been ratified and it determines that one or more provisions of the Protocol are incompatible with the Treaties, this would inevitably provoke serious difficulties for the EU internally and for the EU’s international cooperation with third countries. Furthermore, as an international agreement of the EU, the Protocol will be superior to EU secondary laws such as the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), and hence, may undermine important safeguards in these instruments. Therefore, an opinion of the CJEU will provide legal guidance on this issue which is crucial in order to ensure that any decision of the European Parliament on whether or not to give its consent to the agreement is duly considered and informed.

What must be changed in the Protocol and how?

Generally, there are no sufficient safeguards for the data protection, privacy and procedural rights proposed to counterbalance the expansion of powers of law enforcement authorities. Civil society, professional organisations and EU institutions, among which EDRi, the European Data Protection Board, the EU Fundamental Rights Agency, the Council of Bars and Law Societies of Europe (CCBE) and EDRi member Access Now, have been contentiously calling for stronger protections of fundamental rights. Nevertheless, the modifications and improvements were not incorporated into the final text. 

In this paper, we highlight the shortcomings of this international agreement in terms of fundamental rights protections which, if ratified by the EU Member States without further amendments, could lead to substantive breaches of EU law. The paper focuses on the direct transfers of personal data from service providers in the EU to law enforcement authorities in third countries, and is not exhaustive on the potential incompatibility of the Protocol with the Treaties.

Our analysis, which takes into consideration the opinions of the European Data Protection Supervisor (EDPS) and Board (EDPB), points out the following issues in particular:

  • The possibility to refuse direct requests is too limited;

  • The review by a court or independent administrative authority is not guaranteed; and

  • Specific measures ensuring compliance with the essential equivalence requirements are missing

What’s up next?

EDRi has been sending submissions to the CoE since 2016 and took part in all consultation rounds organised by the leading Cybercrime Committee of the Council of Europe to ask for human rights to be respected. It joined the Octopus conferences organised by the CoE and the roundtables organised by the European Commission on the developments of the negotiations. As the ratification process is about to start, we will engage with the Members of the European Parliament to discuss the challenges raised by this new international agreement in relation to the respect of EU’s high data protection and privacy standards in order to best inform their decision on whether or not to give their consent to its adoption by EU Member States.

Explore EDRi’s work on -

An illustration showing people using different types of technology gear such as: smart watches, smart phones, laptops. The devices have wires connected to them, that lead to an underground centre resembling a data warehouse where their personal data such as: religious beliefs, political affiliation, family and friends is extracted and exploited for causes such as participating at protests by law enforcement.

Secret negotiations about Europol: the big rule of law scandal In negotiations held behind closed doors, the Council of Member States and the European Parliament are about to torpedo all the efforts of the European data protection watchdog’s to hold Europol accountable for its illegal data practices.

Read more

Recommendations on cross-border access to data Position paper on the European Commission’s proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters

Read more

Intensified surveillance at EU borders: EURODAC reform needs a radical policy shift In an open letter addressed to the European Parliament Civil Liberties, Justice and Home Affairs Committee, 34 organisations protecting the rights of people on the move, children and digital rights including European Digital Rights (EDRi) urge policymakers to radically change the direction of the EURODAC reform – the European Union (EU) database storing asylum seekers’ and migrants’ personal data - in order to respect fundamental rights and international law.

Read more

(Contribution by:)

Chloé Berthélémy

Chloé Berthélémy

Policy Advisor

Twitter: @ChloBemy