Argentina Signs Second Additional Protocol to the Cybercrime Convention

The Council of Europe adopted the Convention on Cybercrime, also known as the Budapest Convention, in November 2001. The instrument –described as the first international instrument specifically on cybercrime, i.e. on behaviors threatening the confidentiality, integrity, and availability of computer systems, networks, and data; and the misuse of such systems, networks, and data– entered into force in 2004. Argentina adopted the Budapest Convention in 2017 (more information on this link).

Seeing the significant increase in the exploitation of technology for criminal purposes, and taking into account that cybercrime is a serious threat to Human Rights and to democratic societies, the Council of Europe adopted the Second Additional Protocol to the Budapest Convention in 2021. The Protocol aims at ensuring international coordination and cooperation with criminal investigations and proceedings against cybercrime, as well as at enhancing the competence of criminal justice authorities to collect digital evidence within the framework of these proceedings.

In this sense, the Protocol distinguishes between:

• procedures to enhance direct cooperation with suppliers and entities of other Parties;
• procedures to improve international cooperation among authorities for stored computer data disclosure;
• procedures regarding mutual assistance in case of emergency; and
• procedures for international cooperation in the absence of applicable international agreements.

Regarding the procedures to enhance direct cooperation with providers and entities of other Parties, the Protocol states that Parties may request information from domain name registration service providers to identify or contact a domain name holder. It also contemplates the possibility for Parties to request specific information about subscribers of service providers within their territory.

One relevant aspect is that Parties will now be able to request authorities to be simultaneously notified. In turn, authorities have the power to prevent the disclosure of information, if such disclosure can undermine criminal investigations or proceedings, or if the grounds set out in the Convention for refusing mutual assistance are met.

The Protocol also contemplates procedures to enhance international cooperation between authorities for computer-stored data disclosure. This means that it introduces measures for Parties to cooperate on a government-to-government basis, by empowering their competent authorities to oblige service providers to provide subscriber information and traffic data. Further, it establishes that Parties can take the necessary measures in emergency situations for their contact point to request another Party's contact point immediate assistance to expedite the disclosure of a service provider's specific computer data without a proved prior mutual assistance request.

The Protocol includes as well procedures regarding mutual assistance in case of an emergency. In this sense, Parties may request mutual assistance promptly and expeditiously when one of them considers there is an emergency. To do so, Parties must detail sufficient facts justifying the emergency and the relation between the requested information and the emergency. The requested Parties will promptly decide on the request and on the conditions to provide the information .

As for procedures related to international cooperation in the absence of applicable international agreements, the Protocol introduces tools such as videoconferencing to receive depositions and statements from witnesses or experts, with the Parties agreeing in advance on procedural aspects guaranteeing the rights of the participants, regulating the intervention of experts and witnesses, and agreeing on formalities typical of judicial proceedings. The Parties may also establish and operate joint investigation teams to facilitate investigations or criminal proceedings.

The final provisions allow Parties to implement bilateral international agreements on the protection of personal data. Further, the provisions establish that the Party receiving the personal data must process them for the purposes in the Protocol, ensuring their accuracy, integrity, and currency; regulating the processing of sensitive data, the retention period, and the automated decisions. The Protocol states that Parties must inform the data subject of the processing, storage and accessibility, rectification, and review of their personal data.

Finally, the Protocol states that the Parties must ensure appropriate technological, physical, and organizational measures for protecting personal data of accidental or unauthorized loss, access, disclosure, alteration, or destruction. The Protocol regulates Parties’ actions upon detecting a security incident that harms individuals or another Party, as well as notifying when it affects national security or public safety. It also establishes, among others, the suspension of personal data transfer on the grounds of non-compliance with the Protocol, significant and imminent risk to the life or safety of an individual, or substantial damage to their reputation or property.

Argentina signed the Second Additional Protocol on February 16, 2023. It must now comply with the legislative procedure established in the Argentine Constitution to decide its approval and/or reservations.