A new United Nations convention on cybercrime: fundamental rights come first


A new United Nations convention on cybercrime: fundamental rights come first

The EDPS published on 18 May 2022 its Opinion concerning the EU’s participation in the United Nations’ negotiations for a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (the future UN convention on cybercrime).

While reiterating support, in principle, to international cooperation in combatting cybercrime, the EDPS includes in its Opinion recommendations to ensure that the future UN convention upholds individuals’ data protection and privacy rights according to EU law.

The EDPS is concerned that, if not specifically addressed, the future UN convention risks weakening the protection of individuals’ fundamental rights, including the rights to data protection and privacy guaranteed under EU law, given the large number of countries, which each have their own legal system, that are partaking in its negotiations. As such, the EDPS advises the EU not to become party to the future UN convention on cybercrime, if its final draft does not guarantee these fundamental rights. 

Wojciech Wiewiórowski, EDPS, said: “Exchanging personal data between EU countries and non-EU countries to combat cybercrime comes with great responsibility. Strong safeguards must be put in place to ensure that the protection of individuals’ personal data in a non-EU country is not undermined, especially when sharing sensitive data related to alleged criminal activities”.

In its Opinion, the EDPS reaffirms that EU data protection law allows transfers of personal data to non-EU countries without additional requirements only if the non-EU country in question provides an adequate level of protection for individuals’ personal data. If a non-EU country does not provide an adequate level of protection for individuals’ personal data, specific transfers of personal data may be allowed exceptionally, providing that appropriate safeguards are put in place.

The EDPS makes four additional recommendations to ensure that individuals’ rights to data protection and privacy are upheld. Firstly, the cooperation, and therefore exchange of personal data, between countries should be limited to the crimes defined in the future UN convention. Secondly, the access to and exchange of personal data should be monitored carefully. In particular, the sharing of data should only take place between the law enforcement authorities of the countries concerned. Thirdly, future agreements between EU countries and non-EU countries that ensure a higher level of protection of individuals’ privacy rights than the UN convention, should apply instead. Fourthly and finally, an EU Member State should, in certain cases, be allowed not to cooperate under the international convention with a non-EU country party to the future UN convention.

Concluding its Opinion, the EDPS reiterates that it remains available to provide further advice throughout the UN Convention’s negotiations. The EDPS expects to be consulted on the draft UN convention before it is finalised.


Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.

The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.

The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.

Available languages: English