Cybercrime, referred to broadly as crime committed via the Internet and computer systems, is a phenomenon that continues to affect individuals and entities worldwide, and to pose increasing challenges to law enforcement authorities. One of these challenges is related to the transborder nature of cybercrime, which has implications for the efficiency and effectiveness of any measures aimed at combating this phenomenon.
The Convention on Cybercrime (also known as the Budapest Convention), adopted in 2001 within the framework of the Council of Europe, aims to respond to this challenge by setting a minimum common ground for national legislations on cybercrime, as well as a framework for international cooperation among countries. The Convention, initially signed by 31 countries, is currently ratified by 48 countries (40 members states of the Council of Europe, plus Australia, Canada, Dominican Republic, Japan, Mauritius, Panama, Sri Lanka and the United States of America).
The first part of the Convention describes types of acts that countries should deem as criminal offences through national legislations; these include: offences against the confidentiality, integrity and availability of computer data and systems (such as illegal interception and data and system interference); computer-related offences (forgery and fraud); content-related offences (child pornography); and infringements of copyright and related rights. This section also includes provisions on procedural law, outlining the powers and procedures necessary for law enforcement authorities to engage in activities aimed at detecting, investigating and prosecuting cybercrime. The second part of the Convention focuses on international cooperation aspects, and outlines a series of general principles for such cooperation, as well as specific provisions on mutual assistance between countries in areas such as accessing of stored computer data, and interception, preservation, and disclosure of data. In 2003, a Protocol has been added to the Convention, on the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
The Budapest Convention can be seen as the only de-facto international treaty on cybercrime (given that it has also been ratified by countries beyond Europe, and therefore does not have a regional coverage only), and it continues to be open to accession by interested countries. The Convention has been used as basis for many national legislations dealing with cybercrime-related issues, as well as for regional legal instruments in this area (such as the Cybercrime Directive of the Economic Community of West African States and the African Union Convention on Cyber Security and Personal Data Protection). However, some countries have also raised concerns over certain provisions of the Convention (especially those related to international cooperation and mutual assistance), which were seen as violating international law norms and countries' sovereignty.
The implementation of the Convention is facilitated by the Cybercrime Convention Committee, which is composed of representatives of signatory states. The Committee is also tasked with facilitated the exchange of information regarding the use of the Convention, as well as with considering future amendments that can be brought to the treaty. In June 2013, the Committee adopted a series of guidance notes representing the common understanding of parties regarding the use of the Budapest Convention on the following issues: computer systems, botnets, transborder access, identity theft, DDOS attacks, critical infrastructure attacks, malware, and spam. In addition, the Cybercrime Programme Office, opened by the Council of Europe in 2014, supports countries in building and strengthening their capacities to respond to cybercrime challenges, on the basis of the Budapest Convention.