A new United Nations convention on cybercrime: fundamental rights come first

The EDPS published on 18 May 2022 its Opinion concerning the EU’s participation in the United Nations’ negotiations for a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (the future UN convention on cybercrime).

While reiterating support, in principle, to international cooperation in combatting cybercrime, the EDPS includes in its Opinion recommendations to ensure that the future UN convention upholds individuals’ data protection and privacy rights according to EU law.

The EDPS is concerned that, if not specifically addressed, the future UN convention risks weakening the protection of individuals’ fundamental rights, including the rights to data protection and privacy guaranteed under EU law, given the large number of countries, which each have their own legal system, that are partaking in its negotiations. As such, the EDPS advises the EU not to become party to the future UN convention on cybercrime, if its final draft does not guarantee these fundamental rights. 

Wojciech Wiewiórowski, EDPS, said: “Exchanging personal data between EU countries and non-EU countries to combat cybercrime comes with great responsibility. Strong safeguards must be put in place to ensure that the protection of individuals’ personal data in a non-EU country is not undermined, especially when sharing sensitive data related to alleged criminal activities”.

In its Opinion, the EDPS reaffirms that EU data protection law allows transfers of personal data to non-EU countries without additional requirements only if the non-EU country in question provides an adequate level of protection for individuals’ personal data. If a non-EU country does not provide an adequate level of protection for individuals’ personal data, specific transfers of personal data may be allowed exceptionally, providing that appropriate safeguards are put in place.

The EDPS makes four additional recommendations to ensure that individuals’ rights to data protection and privacy are upheld. Firstly, the cooperation, and therefore exchange of personal data, between countries should be limited to the crimes defined in the future UN convention. Secondly, the access to and exchange of personal data should be monitored carefully. In particular, the sharing of data should only take place between the law enforcement authorities of the countries concerned. Thirdly, future agreements between EU countries and non-EU countries that ensure a higher level of protection of individuals’ privacy rights than the UN convention, should apply instead. Fourthly and finally, an EU Member State should, in certain cases, be allowed not to cooperate under the international convention with a non-EU country party to the future UN convention.

Concluding its Opinion, the EDPS reiterates that it remains available to provide further advice throughout the UN Convention’s negotiations. The EDPS expects to be consulted on the draft UN convention before it is finalised.