The EDPS published on 20 January 2022 his Opinion on two Proposals: one to authorise EU Member States to sign the second Protocol to the Budapest Convention on Cybercrime, and one to authorise EU Member States to ratify this same Protocol.
The Budapest Convention on Cybercrime aims to facilitate the investigation and prosecution of crimes, in particular cybercrimes, through international cooperation. The second Protocol to this Convention aims to enhance cooperation between law enforcement authorities of different Parties for the collection of evidence for the purpose of specific criminal investigations or proceedings. In addition, the Protocol includes provisions for direct cooperation between the law enforcement authorities and service providers across borders.
Wojciech Wiewiórowski, EDPS, said: “Investigating and prosecuting crime is a legitimate aim, for which international cooperation, including the exchange of information, plays an important role. The EU needs sustainable agreements for sharing personal data with non-EU countries for law enforcement purposes. These agreements should be fully compatible with EU law, including the fundamental rights to privacy and data protection.”
Given the risks associated with the processing of individuals’ personal data in criminal matters, all the appropriate safeguards should be in place so that the level of protection for individuals guaranteed by EU law is not undermined. Against this background, the EDPS makes a series of recommendations in his Opinion concerning the Proposals.
In its current form, the Protocol would allow non-EU countries that are party to the Protocol to directly request service providers in the EU to disclose certain types of information that could pose a significant risk to the fundamental rights to privacy and data protection. The EDPS believes that requests for accessing specific types of information, in particular certain types of access numbers, should only be granted if they are transmitted to the authorities of the Member States and not directly sent to service providers. For these reasons, the EDPS recommends that EU Member States reserve the right not to apply the direct cooperation provision with service providers in this context, in order to ensure that additional safeguards in the review process of these requests are upheld in the EU Member States.
To ensure the proper review of requests sent to service providers in the EU by non-EU countries that are party to the Protocol, the EDPS also advises that EU Member States designate a judicial authority, or another independent authority, to conduct the review.
Concluding his Opinion, the EDPS recommends further clarifying the interaction between the Protocol and other international agreements, such as the EU-US Umbrella Agreement, which could apply instead of the data protection provision of the Protocol.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
Personal data: see EDPS Glossary
Processing personal data: see EDPS Glossary
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).