On 17 November, the Council of Europe, an international human rights body, adopted the second Additional Protocol to the Budapest Convention to tackle the current surge in cybercrime. The Protocol is intended to ‘extend the rule of law further into cyberspace, protect internet users, and help provide justice for those who become victims of crime.’
Although the Protocol should be opened for signature for the parties to the Convention in May 2022, it puts accession limitations on states that are not part of the Convention. As the explanatory report puts it, ‘unlike the First Protocol (Article 11), this Protocol does not foresee a procedure for accession to this Protocol. A State wishing to sign and become a Party to this Protocol will need to become a Party to the Convention first’ (para 294 explanatory report on Article 16).
International Cooperation under the Budapest Convention
The Budapest Convention, which opened for signature 20 years ago, remains one of the world’s most important international agreements regarding cybercrime both for the 66 states parties to the Convention, including non-members of the Council of Europe, but also for non-party states. More than 80% of world states have based their domestic legislation on cybercrime on this Convention.
The Convention (adopted on 23 November 2001) and its first Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (adopted on 28 January 2003) create a framework for international cooperation between signatory parties to tackle cybercrime, including the harmonisation of cybercrime legislation concerning both criminal and procedural law.
Some non-party states seek to replace the Budapest Convention by creating a new cybercrime treaty. Most notable amongst them is Russia, which at the end of 2019 managed to pass a resolution at the UN establishing an ad-hoc intergovernmental committee to create a draft of a global comprehensive cybercrime treaty. The committee should begin its negotiations in January 2022.
The Second Additional Protocol
On 8 June 2017, the Cybercrime Convention Committee, in its 17th plenary session, approved the Terms of Reference for the Preparation of a Draft 2nd Additional Protocol to the Budapest Convention on Cybercrime, which laid down the scope of the Protocol. Civil society and other stakeholders were also involved in the drafting to incorporate cross-sectoral reservations. The drafting began in 2017 and has taken more than 90 meetings.
The new Protocol addresses more efficient mutual legal assistance; direct cooperation with service providers in other jurisdictions regarding requests for subscriber information, preservation requests and emergency requests; safeguards for preserving human rights; and trans-border access to data. It aims to develop a framework for obtaining electronic evidence more effectively.
Mutual Legal Assistance
To enhance the time-consuming and ‘inefficient‘ mutual legal assistance framework established by the Convention, the Protocol establishes emergency mutual assistance. Article 10 seeks to provide a rapidly expedited procedure for mutual assistance requests made in emergencies. By ‘emergency’, the Protocol means a ‘situation in which there is a significant and imminent risk to the life or safety of any natural person’ (Article 3 section 2. c). Under this provision, the requested state is required to respond to the request quickly. All states are required to ensure the permanent availability of members of their authorities responsible for responding to the mutual assistance requests. As the explanatory report para 177 puts it, ‘authority should implement procedures to ensure that staff may be contacted in order to review emergency requests outside normal business hours.’
Direct Cooperation with Service Providers
Articles 6 and 7 address the direct cooperation of a requesting party with a service provider in another state. Under Article 6, entities providing domain name registration services are required to provide, on receiving a valid request from the law enforcement agency of another state, information for identifying or contacting the registrant of a domain name. The entities providing domain name registration services include ‘organisations that sell domain names to the public as well as regional or national registry operators which keep authoritative databases of all domain names registered for a top-level domain and which accept registration requests.’ (Explanatory report par. 75).
Article 7 of the Protocol establishes direct cooperation with service providers. A law enforcement agency of the requesting country can obtain subscriber information directly from a service provider in the territory of another state. The article gives the option for states to require notification regarding such a request to a provider on its territory. Under this article, a state can also choose to guarantee human rights by requiring the order to be issued by or under the supervision of a prosecutor or other judicial authority or otherwise be issued under independent supervision. However, the information to be disclosed by the service providers under this article is limited to domain name registration or subscriber information containing the subscriber’s identity, payment information, the type of communication service used and the physical address of the subscriber (Explanatory report para 93).
Under these articles, the state issuing an order or request does not have to use the mutual legal assistance process, which could be time-consuming.
Trans-border Access to Data
Articles 11 and 12 address enhanced cooperation between parties. Article 11 deals with using video conferencing to take testimony or statements from a witness or expert. This should provide a timely solution to any issues that may arise concerning the execution of an order or request issued by another state.
Article 12 gives the competent authorities of two or more states the option to establish joint investigation teams that would facilitate a criminal investigation. Such a measure seems crucial in combating transnational cybercrime as it speeds up investigation. The states’ authorities must then agree on the exact terms and conditions under which the joint investigation teams will operate. They should include ‘specific purpose, composition, functions, duration, location, organisation, transmitting and using the information of evidence, terms of confidentiality and others’ (Explanatory report para 206).
Human Rights Safeguards
Article 13 requires parties to ensure that their domestic law adequately protects human rights and liberties. It also refers to Article 15 of the Convention, which addresses the state’s obligations to protect fundamental human rights and liberties under international treaties.
Protection of personal data is under Article 14 which provides specific safeguards for personal data transferred based on the Protocol. Given the different frameworks for data protection between states, implementation of this Article will be subjected to review under Article 23. The data protection measures include limitations on the use of the data to purposes described in the Protocol, safeguards for sensitive data, data retention requirements, restrictions on automated decisions, requirements for data security measures, limitations on onwards transfers, and requirements to have in place judicial and non-judicial remedies to provide redress for violations of this provision.
The Protocol lists two exceptions from the required data protection. Under the first, if the requesting party and the receiving party are ‘mutually bound by an international agreement that establishes a comprehensive framework between those Parties for the protection of personal data’, the protections under Article 14 do not have to be employed. An example of such an international agreement is Convention 108+ (Explanatory report para 222). The second states that even if no international agreement on data protection binds both parties, they may transfer the data under an informal agreement between themselves. These informal agreements are not required to be made public, although the explanatory report in para 223 encourages parties to communicate such agreements to the public to maintain legal certainty and transparency.
If there is a systematic or material breach of data protection obligations, a suspension may be invoked under Article 14 para 15. However, the suspension of transfers should be used only as a final measure. Suspension should therefore be employed when there is evidence of a systematic or material breach of the terms of the Protocol or if a material breach is imminent (Explanatory report para 282).
Although the Protocol includes data protection, its aim is not to create an international data protection instrument but rather a practical criminal justice cooperation framework. Given the direct cooperation between states and service providers in the territory of other states, inquiries into cybercrime proceedings should be quick. By following the multi-stakeholder approach and incorporating remarks of all the actors engaged in the draft procedures, the Protocol presents means to further strengthen the already ‘rocky’ fight against cybercrime.
However, whether or not the treaty is successful will depend on its adoption. The conditions placed on the accession to the Protocol reinforce the international fight against cybercrime since a state interested in joining the signatory parties to the Protocol must become a party to the Convention itself. Due to the Protocol’s link with the Convention and the whole human rights system established by the ECHR, it is a much-needed initiative to counter the attempts of certain states to establish a parallel system of international law on cybercrime and cyber security. Its wide adoption should also serve to shed some light on the interpretation of sovereignty and jurisdiction in cyberspace by states, a development that would be more than welcome given the paucity of legal precedent on the matter.
Author: Dominik Zachar, Masaryk University
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.