COUNCIL DECISION (EU) 2022/722
of 5 April 2022
authorising Member States to sign, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 and Article 82(1), in conjunction with Article 218(5) thereof,
Having regard to the proposal from the European Commission,
Whereas:
(1) On 6 June 2019, the Council authorised the Commission to participate, on behalf of the Union, in the negotiations on a Second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No 185) (‘the Convention on Cybercrime’).
(2) The Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence (‘the Protocol’) was adopted by the Committee of Ministers of the Council of Europe on 17 November 2021 and is envisaged to be opened for signature on 12 May 2022.
(3) The provisions of the Protocol fall within an area covered to a large extent by common rules within the meaning of Article 3(2) of the Treaty on the Functioning of the European Union (TFEU), including instruments facilitating judicial cooperation in criminal matters, ensuring minimum standards of procedural rights as well as data protection and privacy safeguards.
(4) The Commission has also submitted legislative proposals for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters and a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, introducing binding cross-border European Production and Preservation Orders to be addressed directly to a representative of a service provider in another Member State.
(5) With its participation in the negotiations on the Protocol, the Commission ensured its compatibility with the relevant common Union rules.
(6) A number of reservations, declarations, notifications and communications in relation to the Protocol are necessary to ensure compatibility of the Protocol with Union law and policies. Others are relevant to ensure the uniform application of the Protocol by Union Member States that are Parties to the Protocol (‘Member State Parties’) in their relation with third countries that are Parties to the Protocol (‘third-country Parties’), as well as the effective application of the Protocol.
(7) The reservations, declarations, notifications and communications on which guidance is given to the Member States in the Annex to this Decision, are without prejudice to any other reservations or declarations that they might wish to make individually where the Protocol so permits.
(8) Member States which do not make reservations, declarations, notifications and communications in accordance with the Annex to this Decision at the time of signature should do so when they deposit their instrument of ratification, acceptance or approval of the Protocol.
(9) Following the signature and the ratification, acceptance or approval of the Protocol, the Member States should, in addition, observe the indications set out in the Annex to this Decision.
(10) The Protocol provides for swift procedures that improve cross-border access to electronic evidence and a high level of safeguards. Therefore, its entry into force will contribute to the fight against cybercrime and other forms of crime at global level by facilitating cooperation between Member State Parties and third-country Parties, ensure a high level of protection of individuals, and address conflicts of law.
(11) The Protocol provides for appropriate safeguards in line with the requirements for international transfers of personal data under Regulation (EU) 2016/679 of the European Parliament and of the Council (1) and Directive (EU) 2016/680 of the European Parliament and of the Council (2). Therefore, its entry into force will contribute to the promotion of Union data protection standards at global level, facilitate data flows between Member State Parties and third-country Parties, and ensure compliance of Member State Parties with their obligations under Union data protection rules.
(12) The swift entry into force of the Protocol will furthermore confirm the position of the Convention on Cybercrime as the main multilateral framework for the fight against cybercrime.
(13) The Union cannot sign the Protocol, as only states can be parties thereto.
(14) Member States should therefore be authorised to sign the Protocol, acting jointly in the interests of the Union.
(15) Member States are encouraged to sign the Protocol during the signing ceremony, or at the earliest possible date thereafter.
(16) The European Data Protection Supervisor was consulted in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council (3) and delivered an opinion on 21 January 2022.
(17) In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union (TEU) and to the TFEU, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(18) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(19) The authentic versions of the Protocol are the English and French versions of the text, adopted by the Committee of Ministers of the Council of Europe on 17 November 2021,
HAS ADOPTED THIS DECISION:
Article 1
The Member States are hereby authorised to sign, in the interest of the Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence (‘the Protocol’) (4).
Article 2
1. When signing the Protocol, Member States may make reservations, declarations, notifications or communications in accordance with Sections 1 to 3 of the Annex to this Decision.
2. Member States signing the Protocol which do not make reservations, declarations, notifications or communications as referred to in paragraph 1 at the time of signature of the Protocol, shall do so when they deposit their instrument of ratification, acceptance or approval of the Protocol.
3. Following the signature and the ratification, acceptance or approval of the Protocol, the Member States shall, in addition, observe the indications set out in Section 4 of the Annex to this Decision.
Article 3
This Decision shall enter into force on the date of its adoption.
Article 4
This Decision shall be published in the
Official Journal of the European Union
.
Article 5
This Decision is addressed to the Member States.
Done at Luxembourg, 5 April 2022.
For the Council
The President
B. LE MAIRE
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
).
(2) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (
OJ L 119, 4.5.2016, p. 89
).
(3) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(4) The text of the Protocol will be published together with the decision authorising its ratification.
ANNEX
This Annex sets out the reservations, declarations, notifications, communications and indications referred to in Article 2.
1. Reservations
Pursuant to Article 19, paragraph 1, of the Protocol, a Party may declare that it avails itself of one or more of the reservations provided for in certain articles of the Protocol.
Pursuant to Article 7, paragraph 9.a, of the Protocol, a Party may reserve the right not to apply Article 7 (Disclosure of subscriber information). Member States shall refrain from making such a reservation.
Pursuant to Article 7, paragraph 9.b, of the Protocol, a Party may, subject to the conditions therein, reserve the right not to apply Article 7 to certain types of access numbers. Member States may make such a reservation, but only in relation to access numbers other than those necessary for the sole purpose of identifying the user.
Pursuant to Article 8, paragraph 13, of the Protocol, a Party may reserve the right not to apply Article 8 (Giving effect to orders from another Party for expedited production of subscriber information and traffic data) to traffic data. Member States are encouraged to refrain from making such a reservation.
Where Article 19, paragraph 1, provides a basis for other reservations, Member States are authorised to consider and make such reservations.
2. Declarations
Pursuant to Article 19, paragraph 2, of the Protocol, a Party may make the declarations identified in certain articles of the Protocol.
Pursuant to Article 7, paragraph 2.b, of the Protocol, a Party may, with respect to orders issued to service providers in its territory, make the following declaration:
‘
The order under Article 7, paragraph 1, must be issued by, or under the supervision of, a prosecutor or other judicial authority, or otherwise be issued under independent supervision.
’.
Member States shall, with respect to orders issued to service providers in their territory, make the declaration set out in the second paragraph of this Section.
Pursuant to Article 9 (Expedited disclosure of stored computer data in an emergency), paragraph 1.b, of the Protocol, a Party may declare that it will not execute requests under paragraph l.a of that Article, seeking only the disclosure of subscriber information. Member States are encouraged to refrain from making such a declaration.
Where Article 19, paragraph 2, provides a basis for other declarations, Member States are authorised to consider and make such declarations.
3. Declarations, notifications or communications
Pursuant to Article 19, paragraph 3, of the Protocol, a Party is to make any declarations, notifications or communications identified in certain articles of the Protocol according to the terms specified therein.
Pursuant to Article 7, paragraph 5.a, of the Protocol, a Party may notify the Secretary General of the Council of Europe that when an order is issued under paragraph 1 of that Article to a service provider in its territory, that Party requires, in every case or in identified circumstances, simultaneous notification of the order, the supplemental information and a summary of the facts related to the investigation or proceeding. Accordingly, Member States shall make the following notification to the Secretary General of the Council of Europe:
‘
When an order is issued under Article 7, paragraph 1, to a service provider in the territory of [Member State], [Member State] requires in every case simultaneous notification of the order, the supplemental information and a summary of the facts related to the investigation or proceeding.
’.
In accordance with Article 7, paragraph 5.e, of the Protocol, Member States shall designate a single competent authority to receive the notification under Article 7, paragraph 5.a, of the Protocol, and perform the actions described in Article 7, paragraphs 5.b, 5.c and 5.d, of the Protocol, and shall, when the notification to the Secretary General of the Council of Europe under Article 7, paragraph 5.a, of the Protocol is first given, communicate to the Secretary General of the Council of Europe the contact information of that authority.
Pursuant to Article 8, paragraph 4, of the Protocol, a Party may declare that additional supporting information is required to give effect to orders under paragraph 1 of that Article. Accordingly, Member States shall make the following declaration:
‘
Additional supporting information is required to give effect to orders under Article 8, paragraph 1. The additional supporting information required will depend on the circumstances of the order and the related investigation or proceeding.
’.
In accordance with Article 8, paragraphs 10.a and 10.b, of the Protocol, Member States shall communicate and keep up to date the contact information of the authorities designated to submit an order under Article 8, and of the authorities designated to receive an order under Article 8, respectively. The Member States that participate in the enhanced cooperation established by Council Regulation (EU) 2017/1939 (1), implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’), shall include the EPPO, within the limits of the exercise of its competences as provided for in Articles 22, 23 and 25 of that Regulation, among the authorities communicated under Article 8, paragraphs 10.a and 10.b, of the Protocol, and do so in a coordinated manner.
Accordingly, Member States shall make the following declaration:
‘
In accordance with Article 8, paragraph 10, [Member State], as a Member State of the European Union participating in the enhanced cooperation on the establishment of the European Public Prosecutor’s Office (“the EPPO”), designates the EPPO, in the exercise of its competences, as provided for in Articles 22, 23 and 25 of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (“the EPPO”), as a competent authority.
’.
In accordance with Article 14, paragraph 7.c, of the Protocol, Member States shall communicate to the Secretary General of the Council of Europe the authority or authorities to be notified under Article 14, paragraph 7.b, of the Protocol, for the purposes of Chapter II, Section 2, of the Protocol, in relation to a security incident.
In accordance with Article 14, paragraph 10.b, of the Protocol, Member States shall communicate to the Secretary General of the Council of Europe the authority or authorities to provide authorisation for the purposes of Chapter II, Section 2, of the Protocol, in relation to the onward transfer to another State or international organisation of data received under the Protocol.
Where Article 19, paragraph 3, of the Protocol provides a basis for other declarations, notifications or communications, Member States are authorised to consider and make such declarations, notifications or communications.
4. Other indications
Member States that participate in the enhanced cooperation established by Regulation (EU) 2017/1939 shall ensure that the EPPO can, in the exercise of its competences as provided for in Articles 22, 23 and 25 of that Regulation, seek cooperation under the Protocol in the same way as national prosecutors of those Member States.
With regard to the application of Article 7, in particular in relation to certain types of access numbers, Member States may subject an order under that Article to the scrutiny of a prosecutor or other judicial authority when their competent authority receives a simultaneous notification of the order prior to the disclosure of the requested information by the provider.
In accordance with Article 14, paragraph 11.c, of the Protocol, Member States shall ensure that, when they transfer data for the purposes of the Protocol, the receiving Party is informed that their domestic legal framework requires giving personal notice to the individual whose data is provided.
With regard to international transfers on the basis of the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences (2) (‘the Umbrella Agreement’), Member States shall, for the purposes of Article 14, paragraph 1.b, of the Protocol, communicate to the competent authorities of the United States that the Umbrella Agreement applies to the reciprocal transfers of personal data under the Protocol between competent authorities. However, Member States shall take into account that the Umbrella Agreement should be complemented with additional safeguards that take into account the unique requirements of the transfer of electronic evidence directly by service providers rather than between authorities as provided for under the Protocol. Accordingly, Member States shall make the following communication to the competent authorities of the United States:
‘
For the purposes of Article 14, paragraph 1.b, of the Second Additional Protocol to the Council of Europe Convention on Cybercrime (“the Protocol”), [Member State] considers that the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences (“the Umbrella Agreement”) applies to the reciprocal transfers of personal data under the Protocol between competent authorities. For transfers between service providers and authorities under the Protocol, the Umbrella Agreement applies only in combination with a further, specific agreement within the meaning of Article 3, paragraph 1, of the Umbrella Agreement that addresses the unique requirements of the transfer of electronic evidence directly by service providers rather than between authorities. In the absence of such a specific transfer agreement, such transfers may take place under the Protocol, in which case, Article 14, paragraph 1.a, in conjunction with Article 14, paragraphs 2 to 15, of the Protocol apply.
’.
Member States shall ensure that they apply Article 14, paragraph 1.c, of the Protocol, only if the European Commission has adopted an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 of the European Parliament and of the Council (3) or Article 36 of Directive (EU) 2016/680 of the European Parliament and of the Council (4) for the third country concerned that covers the respective data transfers, or on the basis of another agreement that ensures appropriate data protection safeguards pursuant to Article 46(2), point a, of Regulation (EU) 2016/679 or Article 37(1), point a, of Directive (EU) 2016/680.
(1) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (
OJ L 283, 31.10.2017, p. 1
).
(2)
OJ L 336, 10.12.2016, p. 3
.
(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
).
(4) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (
OJ L 119, 4.5.2016, p. 89
).
Feedback