New Cybercrime Protocol will undermine our privacy to compensate for the rising powers of law enforcement authorities
This new international agreement raises serious concerns as its shortcomings promise to undermine the safeguards to our fundamental rights, including our privacy and procedural rights.
That’s why civil society is urging the European Parliament to request the opinion of the European Court of Justice (CJEU) on the compatibility of the Second Additional Protocol of the Council of Europe (CoE) Cybercrime Convention with the Treaties, including the Charter of Fundamental Rights. Read our paper on the direct transfers of personal data from service providers in the European Union (EU) to law enforcement authorities in third countries to get an understanding of the incompatibility of the new Cybercrime Protocol with EU law.
In 2017, the Council of Europe (CoE) and its Cybercrime Committee started preparing an additional protocol to the Budapest Convention on Cybercrime – a new tool for its State Parties’ law enforcement authorities (LEAs) to have access to data held by private companies located on other States’ territory in the context of criminal investigations. There are 66 Parties to the Convention today, including the United States of America and other countries beyond Council of Europe members. Any State may accede to the Convention upon invitation. After the Cybercrime Committee rushed through the last steps of the negotiations to finalise the new Additional Protocol, the text will now be opened for signature and ratification by interested Parties on 12 May 2022. In two draft Council decisions, the European Commission has recommended that all Member States join the new instrument “in the interest of the EU”. On 5 April, the Council of the EU authorised the signature by Member States. It’s now time for the European Parliament to give its consent to the approval of the Council’s decision authorising Member States to ratify it.
The compatibility of the new Protocol with EU law is unclear to ensure it is in line with the Treaties and especially with the Charter, the European Parliament must request the opinion of the CJEU. Where the opinion of the Court is adverse, the envisaged agreement may not enter into force unless it is amended or the Treaties are revised.
Why is the CJEU opinion necessary now?
If a judgment of the CJEU is delivered after the Protocol has been ratified and it determines that one or more provisions of the Protocol are incompatible with the Treaties, this would inevitably provoke serious difficulties for the EU internally and for the EU’s international cooperation with third countries. Furthermore, as an international agreement of the EU, the Protocol will be superior to EU secondary laws such as the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), and hence, may undermine important safeguards in these instruments. Therefore, an opinion of the CJEU will provide legal guidance on this issue which is crucial in order to ensure that any decision of the European Parliament on whether or not to give its consent to the agreement is duly considered and informed.
What must be changed in the Protocol and how?
Generally, there are no sufficient safeguards for the data protection, privacy and procedural rights proposed to counterbalance the expansion of powers of law enforcement authorities. Civil society, professional organisations and EU institutions, among which EDRi, the European Data Protection Board, the EU Fundamental Rights Agency, the Council of Bars and Law Societies of Europe (CCBE) and EDRi member Access Now, have been contentiously calling for stronger protections of fundamental rights. Nevertheless, the modifications and improvements were not incorporated into the final text.
In this paper, we highlight the shortcomings of this international agreement in terms of fundamental rights protections which, if ratified by the EU Member States without further amendments, could lead to substantive breaches of EU law. The paper focuses on the direct transfers of personal data from service providers in the EU to law enforcement authorities in third countries, and is not exhaustive on the potential incompatibility of the Protocol with the Treaties.
Our analysis, which takes into consideration the opinions of the European Data Protection Supervisor (EDPS) and Board (EDPB), points out the following issues in particular:
The possibility to refuse direct requests is too limited;
The review by a court or independent administrative authority is not guaranteed; and
Specific measures ensuring compliance with the essential equivalence requirements are missing
What’s up next?
EDRi has been sending submissions to the CoE since 2016 and took part in all consultation rounds organised by the leading Cybercrime Committee of the Council of Europe to ask for human rights to be respected. It joined the Octopus conferences organised by the CoE and the roundtables organised by the European Commission on the developments of the negotiations. As the ratification process is about to start, we will engage with the Members of the European Parliament to discuss the challenges raised by this new international agreement in relation to the respect of EU’s high data protection and privacy standards in order to best inform their decision on whether or not to give their consent to its adoption by EU Member States.
- Recommendations regarding Cross-border access to data for law enforcement, EDRi
- Cross-border access to user data by law enforcement in 2021: A year in review, EDRi
- New Cybercrime Protocol: weak safeguards against big risks of abuse, EDRi
- Nearly 130 public interest organisations and experts urge the United Nations to include human rights safeguards in proposed UN Cybercrime Treat, EDRi (13 January 2022)
- 6th round of consultation on the Cybercrime Protocol and civil society participation (20 April 2021)
- Joint Civil Society Response to the provisional draft text on “Joint investigation teams and joint investigations”, “Expedited disclosure of stored computer data in an emergency” and “Requests for domain name registration information” of the Cybercrime Convention Committee (T-CY) (15 December 2021)
Explore EDRi’s work on -
Secret negotiations about Europol: the big rule of law scandal In negotiations held behind closed doors, the Council of Member States and the European Parliament are about to torpedo all the efforts of the European data protection watchdog’s to hold Europol accountable for its illegal data practices.Read more
Recommendations on cross-border access to data Position paper on the European Commission’s proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal mattersRead more
Intensified surveillance at EU borders: EURODAC reform needs a radical policy shift In an open letter addressed to the European Parliament Civil Liberties, Justice and Home Affairs Committee, 34 organisations protecting the rights of people on the move, children and digital rights including European Digital Rights (EDRi) urge policymakers to radically change the direction of the EURODAC reform – the European Union (EU) database storing asylum seekers’ and migrants’ personal data - in order to respect fundamental rights and international law.Read more