Controversy surrounds new cybercrime protocol as plenary vote still hangs in the balance

“If ratified by EU Member States without further amendments - or at least significant reservations and declarations,” EDRi argues, the Protocol “could lead to substantive breaches of EU law.” [MDart10/Shutterstock]

While the date for the ratification of the Second Additional Cybercrime Protocol by the European Parliament is yet to be set, civil society and some MEPs have called for the opinion of the European Court of Justice over data and privacy concerns. 

The Second Additional Protocol to the Budapest Convention on Cybercrime was opened for signature at the Council of Europe in Strasbourg on Thursday (12 May). It is modernising the original convention of 2001 to adapt to the challenges of the 21st century, aiming to ensure a common and cooperative criminal policy approach. 

In November 2021, Ministers at the Council of Europe formally approved the Protocol. Now, after the countries’ signing on 12 and 13 May, the text needs to be given consent by the European Parliament. 

The international advocacy group European Digital Rights (EDRi), as well as the non-profit Internet Service Providers Austria (ISPA), are calling on the European Parliament to use its power to request the opinion of the Court of Justice of the EU (CJEU) on the compatibility of the Protocol with the Treaties.

“If ratified by the EU Member States without further amendments – or at least significant reservations and declarations,” EDRi argues, the Protocol “could lead to substantive breaches of EU law.” 

Privacy concerns

EDRi is not an isolated voice. The European Data Protection Board, the EU Fundamental Rights Agency and the Council of Bars and Law Societies of Europe also called for stronger protections of fundamental rights. 

The critics lament that the expansion of powers of law enforcement authorities is not followed by sufficient safeguards in terms of data protection, privacy and procedural rights. The Protocol will be superior to EU secondary laws such as the General Data Protection Regulation (GDPR). 

A major issue concerns the direct transfers of personal data from service providers in the EU to law enforcement authorities in third countries where the Protocol refrains from a mandatory notification of the authorities in the country where the provider is based.

“The legal assessment and proportionality assessment should not be the task of private companies,” Andreas Gruber, head of legal at ISPA, told EURACTIV.

ISPA is also critical of the fact that requests from foreign public prosecutors’ offices have to be answered, even if corresponding data queries require a court authorisation at the national level.

Liberal MEP Moritz Körner publicly asked the European Parliament to request the opinion of the CJEU. The question is whether Körner’s position has enough back in the house to make such a request.

Efforts to simplify cooperation between the member states and third states must “ensure high levels of data protection for citizens”, conservative MEP Eva Maydell said. 

Questions regarding the level of trust in enforcement agencies were raised by MEP Bart Groothuis from Renew Europe. Groothuis told EURACTIV: “This has been written for law enforcement agencies, without taking into account the daily practice of intelligence agencies and how that intersection works in practice. Is this really the level of trust we think we have?” 

Any state can accede to the Convention upon invitation. 

Serbia reacts strongly to Kosovo Council of Europe application

Following Kosovo’s submission of an application to the Council of Europe (CoE) on Thursday (12 May), Serbian President Aleksander Vučić called an urgent meeting of the National Security Council for Friday, claiming Pristina has violated a number of agreements.

Potential competition 

The European Commission has recommended that all member states join the new instrument “in the interest of the EU”. 

A reason why the European Commission is pushing for the ratification of the Protocol is the competition by another Cybercrime Treaty currently in progress by the UN, says EDRi Policy Advisor Chloé Berthélémy. 

Deputy director-general of DG HOME, the EU’s migration and home affairs body, Olivier Onidi, said in a hearing at the European Parliament’s civil liberties and justice committee (LIBE) earlier this year that since the process at the UN has started, “this is an additional element why we are so adamant to go through the ratification process for the Budapest Second Protocol in order to ensure this instrument remains the key instrument and our guide for activities in this context.”

Notably, the UN Treaty is being pushed forward by Russia and China, with the concluding sessions expected for 2024. 

Requesting the opinion of the CJEU could further delay the ratification of the Protocol. However, if the Protocol is ratified fast and it later turns out provisions are incompatible with the Treaties, as some say they are, that would put the EU in a tough spot both internally and internationally.

Council of Europe response

In response to the concerns, Alexander Seger, Head of the CoE cybercrime division, stressed at a press conference last Friday: “We feel very comfortable that we meet the requirements and that this instrument will also stand the test of courts later on.” 

Seger also referred to the numerous sessions of negotiations and six rounds of consultation between September 2017 and May 2021, assuring that the text met European Union law. 

EDRi took part in all consultation rounds organised by the leading Cybercrime Committee to ask for human rights to be respected. However, their suggested modifications and improvements were not considered in the final text. 

Next steps

The date for the vote in the European Parliament is yet to be determined, as several political groups have expressed the wish to first examine the texts more closely.

The President of the European Parliament could also first call for an opinion from the European Parliament’s Committee on Legal Affairs (JURI). 

[Edited by Luca Bertuzzi/Nathalie Weatherald]

Subscribe to our newsletters