After almost four years of negotiations (September 2017 to May 2021) and formal adoption on 17 November 2021 (→ eucrim 4/2021, 234), the Second Additional Protocol to the Convention on Cybercrime (Budapest Convention) was opened for signature on 12 May 2022. The Second Additional Protocol serves the goal of effectively combating crime on the Internet and improving international cooperation in the securing and surrender of electronic evidence. The protocol contains, among other things, regulations on direct cooperation of authorities with providers based in another State Party in order to receive domain registration and subscriber data. In addition, the protocol provides for several tools for enhanced cooperation between the authorities of the State Parties (→ eucrim 2/2021, 109).

On 12 May 2022 (the day that opened the treaty for signature), 17 Council of Europe member states (among them 13 EU Member States) and four non-members of Council of Europe signed the protocol. In order to enter into force, five ratifications are required.

The EU participated in the negotiations of the Protocol. The Commission negotiated on behalf of the EU after having received a respective mandate by the Council in June 2019 (→ eucrim 2/2019, 113). However, the EU itself cannot sign the Protocol as only states can be parties to it. Therefore, on 5 April 2022, the Council adopted a decision authorising the EU Member States to sign, in the interest of the EU, the Second Additional Protocol to the Budapest Convention following the procedure of Art. 218(5) TFEU. Member States were encouraged to sign the Protocol during the signing ceremony on 12 May 2022, or as soon as possible after that. The decision was made on the basis of a respective proposal by the Commission, which was presented in December 2021 (COM(2021) 718). Still not finalised is the procedure that will lead to a Council decision to ratify the protocol. In order for the Council to adopt such a decision, the European Parliament must first give its consent (Art. 218(6) TFEU). The Commission tabled the proposal for this decision in December 2021 as well (COM(2021) 719).

On 20 January 2022, the European Data Protection Supervisor (EDPS) submitted his opinion on the two Commission proposals to sign and ratify the Second Protocol to the Budapest Convention. He acknowledged positively that no provision on direct access to data by law enforcement authorities has been included in the final text of the Protocol and that many safeguards have been included. The EDPS recommended EU Member States to declare the reservation not to apply direct cooperation with service providers if requests for accessing certain types of information are made by non-EU countries that will be party to the Protocol. Thus, the EU can ensure that additional safeguards in the review process of these requests are upheld in the EU Member States. The EDPS also called for further clarifying the interaction between the Protocol and other international agreements, such as the EU-US Umbrella Agreement, which could apply instead of the data protection provision of the Protocol.

Meanwhile, negotiations on EU legislation to regulate access by law enforcement authorities to data stored by service providers are ongoing (→ separate news item).