On 5 April, the Council of the EU adopted a decision authorising member states to sign, in the interests of the EU, the second additional protocol to the Convention on Cybercrime of the Council of Europe (the Budapest Convention). The protocol aims to improve cross-border access to electronic evidence co-operation between member states and third countries, while ensuring a high level of protection for individuals and the compliance with EU data protection standards. 

taylor-vick-aWslrFhs1w4-unsplash (1)


On the 25 November 2021, the Commission adopted two Proposals for Council Decisions, under Article 16, 82(1) and 218(5) and (6) of the Treaty on the Functioning of the European Union, one authorising Member States to sign and the other to ratify, in the interests of the EU, the Second Additional Protocol to the Budapest Convention. The Budapest Convention is the first international treaty seeking to address crimes against and by means of computers and the securing of electronic evidence and has potential for global adoption. There are currently sixty-six members and according to Article 37, the treaty is open for accession by any country ready to implement it.

The rationale for the Protocol 

  • The evolution of information and communication technologies – while bringing unprecedented opportunities for mankind – also raises challenges, including for criminal justice and thus for the rule of law in cyberspace. 
  • While cybercrime and other offences entailing electronic evidence on computer systems are thriving and while such evidence is increasingly stored on servers in foreign, multiple, shifting or unknown jurisdictions, that is, in the cloud, the powers of law enforcement are limited by territorial boundaries. 
  • As a result, only a very small share of cybercrime that is reported to criminal justice authorities is leading to court proceedings and convictions, and most often victims do not obtain justice. 

What does the Protocol intend to solve? 

The Protocol is designed to respond to the following challenges: 

  • How to obtain the use of an account or Internet Protocol address used to commit an offence more efficiently? Such “subscriber information” is essential to proceed with an investigation. 
  • How and under what conditions to cooperate directly with a service provider in another Party to obtain such information? 
  • How to obtain the disclosure of data – including content data – from another Party without delay in an emergency where lives are at risk? 
  • How can government-to-government cooperation, including mutual assistance, be made more efficient and can additional tools be made available for cooperation on cybercrime and electronic evidence? 
  • And how can innovative effective and efficient means of cooperation be reconciled with rule of law and data protection requirements? 

This proposal has been heavily criticized by NGOs, service providers and some member states notably on global privacy protection concerns, limited time for feedback and the limited incorporation of civil society input.  

According to the T-CY, the proposal “achieves an outcome … that reconciles measures for an effective criminal justice response with strong rule of law and data protection safeguards.”