EUROPEAN
COMMISSION
Brussels, XXX
[…](2021) XXX draft
ANNEX
ANNEX
to the
Proposal for a Council Decision
authorising Member States to sign, in the interest of the European Union, the Second
Additional Protocol to the Convention on Cybercrime on enhanced co-operation and
disclosure of electronic evidence (ETS No. XYZ)
EN
EN
ANNEX
Member States shall, when signing the Protocol, in the interest of the Union, make the
following reservations, declarations, notifications or communications, and other
considerations.
1.
RESERVATIONS
The Second Additional Protocol on enhanced co-operation and disclosure of electronic
evidence (ETS No. XYZ) to the Council of Europe ‘Budapest’ Convention on Cybercrime
(‘the Protocol') allows a Party, subject to Article 19, paragraph 1, to declare that it avails itself
Commented [ (1]: Do you mean “in accordance with”?
of a reservation provided in relation to a number of articles of the Protocol.
Member States shall refrain from reserving the right not to apply Article 7 (disclosure of
subscriber data) pursuant to Article 7, paragraphs 9, point a.
Member States shall refrain from reserving the right not to apply Article 7 (disclosure of
subscriber data) in relation to certain types of access numbers pursuant to Article 7,
paragraphs 9, point b.
Member States are encouraged to refrain from reserving the right not to apply Article 8
Commented [ (2]: Why is there “encouraged” instead of
(giving effect to orders from another Party) in relation to traffic data pursuant to Article 8,
“shall”? If we want to give freedom to the Member States
paragraph 13.
then the last para would suffice (“Where Article 19,
paragraph 1, provides…”).
Where Article 19, paragraph 1, provides a basis for other reservations, Member States are
authorised to consider and make their own reservations.
2.
DECLARATIONS
The Protocol also allows a Party, subject to Article 19, paragraph 2, to make a declaration in
Commented [ (3]: Do you mean “in accordance with”?
relation to a number of articles of the Protocol.
Member States shall make the declaration pursuant to Article 7, paragraph 2, point b,
indicating that orders issued to service providers in their territory must be issued by, or under
the supervision of, a prosecutor or other judicial authority, or otherwise be issued under
independent supervision. Accordingly, Member States shall make the following declaration
when depositing the instrument of ratification, acceptance or approval:
‘The order under Article 7, paragraph 1, must be issued by, or under the supervision
of, a prosecutor or other judicial authority, or otherwise be issued under independent
supervision.’
Member States are encouraged to refrain from declaring, under Article 9, paragraph 1, point
Commented
(4]: Why is there “encouraged” instead of
b, that they will not execute requests under Article 9, paragraph 1, point a, (expedited
“shall”? If we want to give freedom to the Member States
disclosure of computer data in an emergency) seeking only the disclosure of subscriber data.
then the last para would suffice (“Where Article 19,
paragraph 2, provides…”).
Where Article 19, paragraph 2, provides a basis for other declarations, Member States are
authorised to consider and make their own declarations.
3.
DECLARATIONS, NOTIFICATIONS OR COMMUNICATIONS
The Protocol also requires a Party, subject to Article 19, paragraph 3, to make declarations,
Commented
(5]: Do you mean “in accordance with”?
notifications or communications in relation to a number of articles of the Protocol.
Member States shall notify that when an order is issued under Article 7, paragraph 1, to a
service provider in its territory, it requires simultaneous notification of the order,
EN
1
EN
supplemental information and a summary of the facts related to the investigation or
proceeding, pursuant to Article 7, paragraph 5, point a. Accordingly, Member States shall, at
the time of signature or when depositing their instrument of ratification, acceptance or
approval, make the following notification to the Secretary General of the Council of Europe:
‘When an order is issued under Article 7, paragraph 1, to a service provider in our the
Commented [ (6]: Is this clear enough? Maybe it should
territory of [Member State], we require in every case simultaneous notification of the
be coupled with “established in” or “registered in” or any
order, the supplemental information and a summary of facts related to the
other indication? Please reflect.
investigation or proceeding’.
Pursuant to Article 7, paragraph 5, point e, Member States shall designate a single authority to
receive notification under Article 7, paragraph 5, point a, and perform the actions described in
paragraphs 5, point b, point c and point d, and communicate the contact information of that
authority.
Member States shall declare, under Article 8, paragraph 4, that additional supporting
information is required to give effect to orders under Article 8, paragraph 1. Accordingly,
Member States shall, at the time of signature or when depositing their instrument of
ratification, acceptance or approval, make the following declaration:
‘Additional supporting information is required to give effect to orders under Article 8,
paragraph 1. The additional supporting information required will depend on the
circumstances of the order and the related investigation or proceeding’.
Member States shall communicate and keep up to date the contact information of those
authorities designated under Article 8, paragraph 10, point a, to submit an order under Article
8, and of those authorities designated, under Article 8, paragraph 10, point b, to receive an
order under Article 8. The Member States that participate in the enhanced cooperation
Formatted: Not Highlight
established by Regulation (EU) 2017/1939 implementing enhanced cooperation on the
establishment of the European Public Prosecutor’s Office (‘the EPPO’) shall include the
Formatted: Not Highlight
EPPO, in the exercise of its competences as provided for by Articles 22, 23 and 25 of
Regulation (EU) 2017/1939, among the authorities communicated under Article 8, paragraph
10, point a and point b.
Member States shall communicate the authority or authorities to be notified under Article 14,
paragraph 7, point c, in relation to a security incident.
Member States shall communicate the authority or authorities to provide authorisation for the
purpose of Article 14, paragraph 10, point a, in relation to the onward transfer to another State
Commented
(7]: Isn’t it point b?
or international organisation of data received under the Protocol.
Where Article 19, paragraph 3, provides a basis for other declarations, notifications or
communications, Member States are authorised to consider and make their own declarations,
notifications or communications.
4.
OTHER CONSIDERATIONS
Member States that participate in the enhanced cooperation established by Regulation (EU)
2017/1939 implementing enhanced cooperation on the establishment of the European Public
Prosecutor’s Office (‘the EPPO’) shall ensure that the EPPO can, in the exercise of its
competences as provided for by Articles 22, 23 and 25 of Regulation (EU) 2017/1939, seek
cooperation under the Protocol in the same way as national prosecutors of those Member
States.
Member States shall ensure that, when transferring data for the purposes of the Protocol, the
receiving Party is informed that their domestic legal framework requires giving personal
EN
2
EN
notice to the individual whose data is provided, pursuant to Article 14, paragraph 11, point c,
of the Protocol.
With regard to international transfers on the basis of the EU-US Umbrella Agreement,
Member States shall communicate to the competent authorities of the United States, for the
purposes of Article 14, paragraph 1, point b, of the Protocol, that the Agreement applies to the
reciprocal transfers of personal data under the Protocol between competent authorities.
However, Member States shall take into account that the Agreement should be complemented
with additional safeguards that take into account the unique requirements of the transfer of
electronic evidence directly by service providers rather than between authorities as provided
under the Protocol. Accordingly, Member States shall, at the time of signature or when
depositing their instrument of ratification, acceptance or approval, make the following
communication to the competent authorities of the United States:
‘For the purposes of Article 14, paragraph 1, point b, of the Second Additional
Protocol to the Council of Europe Convention on Cybercrime, we consider that the
EU-US Umbrella Agreement applies to the reciprocal transfers of personal data under
the Protocol between competent authorities. For transfers between service providers
in our territory and authorities in the United States under the Protocol, the Agreement
applies only in combination with a further, specific transfer arrangement that
addresses the unique requirements of the transfer of electronic evidence directly by
service providers rather than between authorities’.
Member States shall ensure that, for the purpose of Article 14, paragraph 1, point c, of the
Protocol, they only rely on other agreements or arrangements if either the European
Commission has adopted an adequacy decision pursuant to Article 45 of the General Data
Protection Regulation (EU) 2016/679 or Article 36 of the Law Enforcement Directive (EU)
2016/680 for the third country concerned that covers the respective data transfers, or if such
other agreement or arrangement ensures appropriate data protection safeguards pursuant to
Article 46 of the General Data Protection Regulation or Article 37, paragraph 1, point a, of the
Law Enforcement Directive.
EN
3
EN
Document Outline