by Mónika Mercz
The United Nations (UN) Ad Hoc Committee (AHC) meeting in New York reached an agreement on the “Draft United Nations convention against cybercrime; strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes” on 8 August 2024.
The Council of Europe – through its Cybercrime Programme Office (C-PROC) – supported this treaty process, and the inclusion of a minimum of necessary human rights and rule of law safeguards. The C-PROC is responsible for assisting countries worldwide in strengthening their legal systems’ capacity to respond to the challenges posed by cybercrime and electronic evidence[1] on the basis of the standards of the Convention on Cybercrime (Budapest Convention).[2] The Budapest Convention is a framework that permits hundreds of practitioners from Parties to share experience and create relationships that facilitate cooperation in specific cases, and facilitates the use of its provisions by any country to create its guidelines, check list or model law. Key provisions of the Budapest Convention have been reproduced in the draft treaty as well.
As noted in the draft convention, technological innovation has created opportunities for a greater scale, speed, and scope of crimes. With the existence of artificial intelligence, digital networks and other developments, criminal activity such as terrorism, drug trafficking, migrant smuggling, firearms trafficking is becoming a widespread issue, much harder to combat than before. Combating cybercrime is a responsibility of all States, therefore, they must cooperate with one another, with the support and involvement of relevant international and regional organizations, as well as non-governmental organizations, civil society organizations, academic institutions and private sector entities, if their efforts in this area are to be effective.[3]
However, the Human Rights Watch issued a statement disavowing the convention, as they believe there is risk of inappropriate monitoring of global information flows.[4] The Electronic Frontiers Foundation has also raised objections to the wording in multiple articles of the convention, in their „Joint Statement on the Proposed Cybercrime Treaty Ahead of the Concluding Session”, also citing the lack of data sharing safeguards as a cause for concern.[5]Given these criticisms, what exactly does the Convention entail?
Article 5 and 6 of the Convention provide that „States Parties shall carry out their obligations under this Convention in a manner consistent with the principles of sovereign equality and territorial integrity of States”, and that „[n]othing in this Convention shall be interpreted as permitting suppression of human rights or fundamental freedoms”. States Parties are required to adopt measures to establish criminal offenses under their domestic law when intentionally accessing or modifying an information and communications technology system. These may include infringing security measures, interception of non-public transmissions of electronic data, damaging, deletion, deterioration, alteration, or suppression of electronic data, and causing serious harm. The offense may also involve obtaining, producing, selling, or making available a device or data intended for committing offenses, such as obtaining electronic data or accessing a system, unless the purpose is not to commit an offense. The article does not impose criminal liability for actions not related to the intended use of such systems. There are specific provisions in the Convention to provide safeguards against the abuse of children, as well as prevent the non-consensual dissemination of intimate images.
- The Convention requires each State Party to establish jurisdiction over offences committed within its territory, on board a vessel or aircraft, against a national of that State Party, a stateless person with habitual residence in its territory, an offense committed outside its territory for the commission of an offense within its territory, or against the State Party. States Parties may also adopt measures when the alleged offender is present in their territory and not extradited solely on the grounds of nationality. If a State Party is notified of other States Parties conducting similar investigations, they must consult each other to coordinate their actions. The Convention does not exclude the exercise of criminal jurisdiction established by a State Party in accordance with its domestic law.
- State Parties are required to adopt legislative measures to empower their competent authorities to collect or record traffic data in their territory and to compel service providers to cooperate and assist in this process. If a State Party cannot adopt these measures due to its domestic legal system, it can instead ensure real-time collection of traffic data. Additionally, State Parties must obligate service providers to keep confidential the execution of any power provided for in this article and any information relating to it. This applies to serious criminal offenses determined by domestic law.
- States Parties must cooperate in criminal matters, including investigating and prosecuting criminal offenses, collecting, obtaining, preserving, and sharing electronic evidence of criminal offenses, and serious crimes. This includes ensuring compliance with domestic laws and international laws. Dual criminality is considered fulfilled regardless of whether the laws of the requesting State Party place the offence within the same category or denominate it by the same terminology. States Parties transferring personal data must comply with their domestic laws and international obligations. If data cannot be provided in compliance, States Parties may impose conditions to achieve it. Bilateral or multilateral arrangements are encouraged to facilitate data transfers. (This is the point which raises the aforementioned concerns regarding data security. To achieve the best possible results, I believe that technological advancements, and the support of cybersecurity professionals is absolutely vital.)
- It is an obligation entailed in Article 41 of the Convention that each State Party shall designate a point of contact available 24 hours a day, 7 days a week, to ensure the provision of immediate assistance for the purpose of specific criminal investigations, prosecutions or judicial proceedings. Such assistance shall include facilitating the provision of technical advice; the preservation of stored electronic data; the collection of evidence and the provision of legal information; the locating of suspects; or the provision of electronic data to avert an emergency.
- A State Party may even request another State Party to order or otherwise obtain the expeditious preservation of electronic data stored by means of an information and communications technology system located within the territory of that other State Party. Additionally, there shall be mutual legal assistance in accessing stored electronic data, assistance in the interception of content data, and assistance in the real-time collection of traffic data.
The most pressing concern is that without robust privacy and human rights safeguards in the actual treaty text, there is a risk of increased government overreach, unchecked surveillance, and unauthorized access to sensitive data. The Convention does not include specific safeguards for highly sensitive data, such as biometric or privileged data, resulting in a decidedly discretionary nature of the safeguards. This may result in less protection of personal data, ultimately infringing human rights, a cornerstone of the UN’s order.
Nevertheless, the issues of cybercrime persist, and with a 30% year-to-year increase in cyber-attacks globally,[6] there is an undeniable need to act. Whether the Convention will achieve the desired results is yet to be seen, but its existence is a significant milestone in the fight against bad actors in the age of digitalization.
[1] Cybercrime Programme Office (C-PROC), https://www.coe.int/en/web/cybercrime/cybercrime-office-c-proc-
[2] The Convention on Cybercrime (Budapest Convention, ETS No. 185) and its Protocols, https://www.coe.int/en/web/cybercrime/the-budapest-convention
[3] Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes: Draft United Nations convention against cybercrime, 2024.
[4]https://www.unodc.org/documents/Cybercrime/AdHocCommittee/Reconvened_concluding_session/Written_submissions/OP8/HRW_comments_on_Rev3_20240729.pdf
[5] Katitza Rodriguez: Joint Statement on the Proposed Cybercrime Treaty Ahead of the Concluding Session, Electronic Frontiers Foundation, 2024. https://www.eff.org/deeplinks/2024/01/joint-statement-proposed-cybercrime-treaty-ahead-concluding-session
[6] Check Point Team: Check Point Research Reports Highest Increase of Global Cyber Attacks seen in last two years – a 30% Increase in Q2 2024 Global Cyber Attacks, 2024. https://blog.checkpoint.com/research/check-point-research-reports-highest-increase-of-global-cyber-attacks-seen-in-last-two-years-a-30-increase-in-q2-2024-global-cyber-attacks/
