Almost 20 years to the day after the Budapest Convention was opened for signature, a second additional protocol was adopted on 17 November by the Committee of Ministers of the Council of Europe. This amendment is timely given the evolution of cybercrime, but also because of the growing importance of digital evidence in traditional crime.

The genesis

Since 23 November 2001, the number of states that have ratified the Convention has increased. There are now 66 of them, and not all from the Council of Europe, since we have the United States, Canada, Australia, Japan, and countries in Africa and Latin America. But Russia, China, Cuba, Iran and North Korea—whose territories (to be diplomatically correct) are the starting point for many cyberattacks—are not signatories. Ireland has not ratified the Convention, even though it hosts the European headquarters of Gafa.

While the number of states that have ratified the Convention still seems insufficient—given the global nature of cybercrime—more than 20 of them have based their own laws on it and more than 50 have drawn inspiration from it. The Convention thus has a definite international influence. In 2003, the Convention was supplemented by an Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.

Since 2001, the digital space has changed dramatically, particularly under the influence of the development of the cloud. The Convention harmonises the domestic substantive criminal law elements of offences and the related provisions in the field of cybercrime. It provides for the rules of domestic criminal procedure necessary for investigation and prosecution. These rules cover both offences against computer systems and offences committed by means of such systems. The Convention also aims to facilitate the gathering of digital evidence necessary for the resolution of offences not directly related to cyberspace. The Convention establishes rapid and effective mechanisms for international cooperation. Because it is technology-neutral, it enjoys a certain stability. However, it must evolve in response to changes in cyberspace and changing practices.

With a view to supplementing or amending the Convention, in 2012, the Convention Committee on Cybercrime (T-CY) established—by virtue of its powers under Article 46 of the Convention—an ad hoc group on border access to data and territorial jurisdiction issues. In 2015, it established a « Cloud Evidence Group » to study criminal justice access to evidence stored in the cloud. In 2016, this group came to the conclusion that « cybercrime and the number of terminals, services and users (including mobile terminals and services)—and hence the number of victims—have reached such proportions that only a tiny fraction of cybercrime or other offences involving electronic evidence will ever be recorded and investigated. The vast majority of victims cannot expect justice to be done. » Thus it highlighted the difficulty of obtaining effective access to and disclosure of electronic evidence under the triple constraint of « cloud computing, territoriality, and jurisdiction. »

In view of the conclusions of the « Cloud Evidence Group », the Parties to the Convention concluded that the need was not to amend the Convention but to draw up a second additional protocol to strengthen the effectiveness of criminal justice action and preserve the rule of law. The T-CY therefore worked from September 2017 to May 2021, with numerous consultations, in particular within the framework of the Octopus Conferences on Cybercrime, which are held annually in Strasbourg and bring together experts from 80 countries working in international organisations, in the private sector and in the academic world.

The challenges

For the drafters of the Protocol, it was necessary to address the challenges of territoriality—a concept that is not very relevant in a borderless cyberspace. Data storage in the cloud poses many problems for investigators. Faced with the rigidity of requests for mutual assistance to other states, the drafters devised a simpler mechanism for issuing orders or requests to service providers of other parties to produce subscriber information and traffic data. In addition, to overcome the difficulties of the « who is » function that enables to identify registrants of domain names, the drafters devised a mechanism for obtaining the necessary information from registrars and registries. Finally, they wanted to strengthen the capacity to act in case of emergency.

The digital evidence covered by the Protocol

The scope of the new protocol is broad and goes beyond « cyber » offences in the strict sense. It applies to specific criminal investigations or proceedings concerning criminal offences « related to computer data and systems. » It therefore covers not only cybercrime, but any criminal offence for which evidence is in electronic form—the so-called « digital evidence. » The powers, procedures, and cooperation measures created by the Protocol can be used when the offence is committed through a computer system, or when an offence that was not committed through a computer system (e.g. murder) involves electronic evidence.

The Protocol provides for safeguards, in particular with regard to privacy and the processing of personal data[1]. The seven main cooperation measures are contained in Chapter II.

The first strengthen direct cooperation with suppliers and entities in other Parties. These are the so-called « direct cooperation » articles, which allow the competent authorities of a Party to engage directly with private entities.

Identification of domain name holders (Art. 6)

Obtaining the registration data of a domain name is often an essential step in many criminal investigations, particularly to locate Parties to whom requests for international cooperation should be addressed. Once accessible to all—through search tools known as WHOIS (who is), some parts of the information are now restricted, with negative effects on law enforcement and judicial missions. Domain name registration information does not allow precise conclusions to be drawn about someone’s private life. Its disclosure may therefore be less intrusive than that of other categories of data.

The Protocol remedies this difficulty. In order to link domain names to a person and a place, the competent investigating authorities are entitled to issue a request for information to an entity providing domain name registration services located in the territory of another Party, with a view to identifying or contacting the person who registered a domain name.

The Party in whose territory the entity (registrar, registry) is located shall take the necessary legislative measures to allow the disclosure of the requested information.

Direct disclosure of subscriber data (Art. 7)

The mutual assistance procedure is not the most appropriate means to deal with the increasing number of requests for volatile electronic evidence. Hence the definition of a simplified mechanism for issuing orders or requests to service providers of other Parties to produce information. This provision allows an order to be « issued by, or under the supervision of, a prosecutor or other judicial authority, or otherwise be issued under independent supervision ». Said order to produce specified and stored subscriber data may be sent directly to a service provider in the territory of another Party[2].

Procedures to enhance international cooperation between authorities for the disclosure of stored computer data

First, there are orders from one Party to another compelling a service provider established in its territory to produce expeditiously data relating to [3]specified and stored subscriber information and traffic data in the service provider’s possession or control (Art. 8).

There are also procedures for an urgent request for mutual assistance.

The notion of emergency corresponds to situations in which the risk is significant and imminent, which excludes cases where the risk to the life or safety of a person has already passed or is negligible. The future risk, if it exists, is not imminent. Thus, the explanatory report refers to « hostage situations in which there is a credible risk of imminent loss of life, serious injury or other harm to the victim; persistent sexual abuse of a child; immediate post terrorist attack scenarios in which authorities seek to determine with whom the attackers communicated in order to determine if further attacks are imminent; and threats to the security of critical infrastructure in which there is a significant and imminent risk of danger to life or safety of a natural person. »

Each Party shall ensure that its 24/7 « Point of Contact », as provided for in Article 35 of the Convention, can transmit a request to, and receive a request from, a Point of Contact in another Party for immediate assistance in obtaining from a service provider located in the territory of the Party concerned the expedited disclosure of specified stored computer data in the possession or control of that service provider, without a request for mutual legal assistance (Art. 9).

Each Party may request mutual legal assistance by the most expeditious means when it considers that there is an emergency. A person from each Party must be available twenty-four hours a day, seven days a week, to respond to a request made in such circumstances (Art. 10).

Procedures for international cooperation in the absence of applicable international agreements

Video conferencing or joint investigation teams are already implemented under Council of Europe instruments (e.g. the Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, ETS No. 182, hereinafter « Second Protocol ETS No. 182 ») or under other bilateral and multilateral agreements. But since such mechanisms are not applied by all Parties to the Convention, the Protocol aims to fill the gap. Article 11, entitled « Video conferencing », and Article 12, entitled « Joint investigation teams and joint investigations, » provide for international cooperation measures that apply only where there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requested and requesting Parties.


The drafters of the Protocol also considered other measures that were not retained in order not to delay the publication of the text. These include « clandestine investigations using a computer system » and the extension of the scope of searches. These issues will be dealt with in another legal instrument. Given the evolution of uses and misuses of digital technology, it is certain that this Second Protocol will be followed by other initiatives, unless the law is allowed to drift in the face of the qualitative and quantitative growth of cybercrime.

[1] These safeguards do not add to those already provided by the EU through the General Data Protection Regulation (GDPR) and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purpose of the prevention and detection of criminal offences, for investigation on and prosecution of these, or for the execution of criminal penalties, and to the free movement of such data.

[2] « Any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established: a. the type of communication service used, the technical provisions taken thereto and the period of service; b. the subscriber’s identity, postal or geographical address, telephone or other access number, billing and payment information, available on the basis of the service agreement or arrangement; or c. any other information on the site of installation of a communication equipment available on the basis of a service agreement or arrangement. »

[3] « Any data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service. »

Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.
Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.