Cybercrime Ad Hoc Committee 2nd substantive session

The second substantive session of the Cybercrime Ad Hoc Committee was held from 30 May to 10 June 2022 in Vienna, Austria. 

In preparation for the second session, member states of the Ad Hoc Committee were invited to submit their drafting suggestions or general comments on the different chapters: ‘Criminalization’, ‘General Provisions’, and ‘Provisions on Procedural Measures and Law Enforcement of the Convention’ to the secretariat.

Drafting Suggestions

Argentina submitted its comments and emphasised the significance of the respect of sovereignty and integrity of states, as well as the respect of the principle of non-intervention in domestic affairs. For the procedural law measures and enforcement, Argentina referred to the provisions of the Budapest Convention, namely Art. 21 on the powers and procedures of the state parties on the interception of content data. Additionally, Argentina stated that conditions and safeguards should align with the International Covenant on Civil and Political Rights (ICCPR) and other international human rights law instruments. In the case of the rights and responsibilities of third parties being at stake, such rights may be limited by the powers and procedures of the states, as long as they are in line with Arts. 14 and 15 of the Budapest Convention.

Australia provided two separate documents about the criminalisation of ICTs. The first document focused on the criminalisation of cyber-dependent and cyber-enabled crimes. It stated that the criminalisation of offences should be consistent with the existing international instruments to avoid conflicts. Additionally, it stated that it remains open to broadening the convention beyond cyber-dependent and cyber-enabled crimes, and that it would be better to establish a common standard for cybercrime across all states.

The second document addressed the criminalisation of online child sexual abuse offences and exploitation. This proposal criminalised child abuse material through a computer system; facilitation of child abuse material through a computer system; grooming or procuring of a child for sexual purposes through a computer system; general provisions related to the proposal; child abuse material through a computer system; facilitation of child abuse material through a computer system; solicitation, engagement, and grooming or procuring of a child for sexual purposes.

Brazil provided its draft proposals in which it combined the proposals of Russia, China, the provisions from the Budapest Convention, and provisions from the Expert Group Meeting on Cybercrime of the United Nations Office on Drugs and Crime (UNODC).

The EU and its Member States provided proposals for the collection of electronic evidence, and stated that they remain open to discussing this issue for any type of crime, thus enhancing and promoting international cooperation. States shall be entitled to enforce any future bilateral agreements on the matter of cybercrimes, as long as they do not collide with the objectives and principles of the present convention. Additionally, it emphasised the importance of the protection of human rights and fundamental freedoms, especially the protection of the right to a fair trial, the rights of the defence, as well as the provision of assistance and protection of victims.

Ghana made its proposals based on the already existing international and regional legal instruments, including the UN Convention Against Corruption (UNCAC); the UN Convention Against Transnational Organised Crime (UNTOC); the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), and the Budapest Convention. Ghana stated that the convention should harmonise national laws on cybercrime and enhance international cooperation, offer sustainable capacity building and technical assistance, and ensure the protection of human rights when combating cybercrimes.

India stressed the importance of including the criminalisation of cyberterrorism in the convention. The Indian delegation stated that the term cyberterrorism should entail any attack on national security and sovereignty of the state. Additionally, India stated that the denial of access to any person authorised to access a computer resource, any attempt to access a computer resource without authorization, or causing computer contamination which is likely to cause death to a person, should be considered an act of cyberterrorism. Last, India proposed the criminalisation of offensive messages through communications services that include messages that are ‘grossly offensive or have menacing character’ or any message that would cause annoyance, inconvenience, or danger.

Jamaica and CARICOM supported the creation of the new convention on the criminalisation of ICTs and emphasised the importance of international cooperation and technical assistance in preventing such crimes. Protection of sovereignty, territorial integrity, and non-intervention was stressed when combating such crimes. With regard to the illegal access to computer systems or data, Jamaica referred to Art. 2 of the Budapest Convention, while adding that a state party may require that the offence be committed with dishonest intent.

Malaysia emphasised the importance of international cooperation, building technical assistance to enable member states to strengthen their capacity to address cybercrime, and ensuring the balance between the interests of law enforcement and respect for human rights.

South Africa stated that competent authorities should establish joint investigative bodies while ensuring full respect of the sovereignty of the state parties concerned. Additionally, the legislative measures that establish the criminal offences of infringement of copyrights (under the domestic laws of the state parties) should be in line with the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations, the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) and the WIPO Performances and Phonograms Treaty.

Russia submitted its second draft proposal, this time on behalf of Belarus, Burundi, China, Nicaragua, and Tajikistan. The second draft included submissions on the three chapters: ‘General Provisions’; ‘Criminalisation’, which outlined 23 cybercrimes; ‘Criminal Proceedings and Law Enforcement’; and ‘Measures to Prevent and Combat Offence and Other Illegal Acts in Cyberspace’. Russia emphasised the importance of state sovereignty when conducting cross-border investigations. At the same time, the draft proposed that state parties should empower competent authorities to seek access in the territory of jurisdiction of another state party where there are grounds to believe that ICT information is stored.

The UK stated that the purpose of the convention is to promote international cooperation and technical assistance to prevent and combat cybercrime, and that the implementation of states’ obligations should be in accordance with international human rights law. Additionally, the UK believes that the ‘General Provisions’ chapter of the convention should include a commitment to mainstreaming a gender perspective.

The USA, too, emphasised the importance of the protection of state sovereignty during investigation processes. With regard to the search and seizure of stored computer data, the USA provided a similar proposal to that of the EU and its member states. Additionally, the USA stated the importance of defining key terms in broad language, so that they are adoptable in each state party, with respect to human rights, fundamental freedoms, and sovereignty. The USA also proposed to consult the already existing UN instruments for effective models when determining jurisdiction, as well as any other already existing treaties for the offences set under the convention.

Vietnam provided its proposals to the chapters ‘General Provisions’, ‘Criminalization’, and ‘Procedural measures and Law Enforcement’ of the convention. Vietnam proposed the inclusion of the criminalisation of cyberterrorism in the convention, and stated that cyberterrorism should be considered ‘an act of terrorism or financing of terrorism which involves the use of cyberspace, information technology or electronic devices’.

General comments and proposals

Angola stated that the rapid evolution of new technologies led to the existence of legislative gaps. Angola encouraged the harmonisation of domestic legislation on cybercrime and electronic evidence. Additionally, it proposed the adoption of policies and actions to increase the digital literacy of citizens. Safeguarding the principles of equality and reciprocity between states with regard to the practice of collaboration in obtaining electronic evidence, while respecting fundamental rights, freedoms, and guarantees, as well as the protection of personal data, should also be included in the convention. Angola emphasised the importance of creating effective mechanisms and forms of cooperation between the authorities that investigate and prosecute cybercrimes. Last, any crimes that affect critical infrastructure should be considered cyberterrorism.

In its general provisions, Canada took into consideration the already-existing international legal instruments such as: the UNTOC, the UNCAC, and the Council of Europe Convention on Cybercrime. Canada referred to the potential infringement of human rights during investigation processes, and thus stressed the importance of including provisions that would ensure their protection. Regarding the criminalisation of offences, Canada proposed the usage of technology-neutral language in domestic laws to apply substantive criminal law offences to both current and future technologies.

Dominican Republic supported the creation of joint investigation teams, and stressed that each state party should ensure that the establishment, implementation, and application of provisions are subject to ‘conditions and safeguards provided under its domestic law, which shall provide for the full protection of human rights and liberties, incorporating the rule of law, legality, necessity and proportionality.’ With regard to the criminalisation of child exploitation, Dominican Republic stated that the denomination ‘minor’ should include any person under the age of 18, and that in no case the minimum age should be lower than 16. Last, the convention should include the criminalisation of the dissemination of intimate images, including revenge pornography, of a person who did not give their consent to that sharing.

The Islamic Republic of Iran proposed the use of modern technologies in the course of the investigation of cybercrimes, where the judicial authorities would be given reliable technical assistance. Additionally, Iran stood for promotion of moral values and human dignity, as well as  international governance based on non-discrimination.

Japan stated that the scope of the convention should be based on the provisions of the UNTOC and UNCAC. Additionally, cybersecurity and internet governance should not be addressed within this convention as it would have a chilling effect on legitimate economic activity and would go beyond the mandate of the Ad Hoc Committee. Japan said that it is necessary to avoid a chilling effect on legitimate operations and activities such as technology development or abuse of power by law enforcement activity. It also referred to international human rights law treaties and emphasised the protection of human rights and, especially, freedom of expression.

Mexico mentioned the two main challenges that the proposed convention is facing. First, it implies an increase in the complexity of the already elaborate existing bodies of international legislation and, second, the rapid evolution of cybercrime as a consequence of exponential technological change. Thus, Mexico proposed that the convention should not ignore, duplicate, reverse, or nullify the already existing international legal instruments. Instead, it would be useful to use general and timeless precepts to cover future cybercrimes. 

New Zealand stated that when including the provision on state sovereignty, states should consider that cyberspace does not have a clear territorial link, and any cyber activity may involve infrastructure that operates simultaneously in multiple territories. The delegation of New Zealand also stressed the importance of the protection of human rights, fundamental freedoms, and the rule of law in the convention.

Norway provided a brief proposal concerning the issues that need to be addressed in the new convention. The first is the inclusion of strong protection of human rights and fundamental freedoms, and provision of the necessary safeguards. Second, it proposed the criminalisation of cyber-dependent crimes, stressing the importance of avoiding double offences and keeping a technology-neutral language. Third, Norway mentioned that the committee should take into account the already existing international legal instruments on cybercrime such as the UNCAC and UNTOC. Last, it proposed a specific provision for the protection of human rights that is in line with the Universal Declaration of Human Rights (UDHR), the ICCPR, and other international human rights legal instruments.

Singapore stressed that the convention should be based on the term ‘cybercrime’ to cover current and emerging cybercrime threats, and thus sharpen the focus of the convention. Additionally, Singapore prefered to use ‘prevent and combat’ cybercrimes, in accordance with the previous legal instruments, including the UNTOC. Singapore also focused on procedural measures and law enforcement, and stressed the need to expedite measures for lawful requests for the preservation of data for digital evidence. Last, Singapore proposed the avoidance of prescriptive terms in operational processes, to make the convention easier to harmonise and apply to national legal structures.

Switzerland’s proposals are based on, or inspired by, the existing international criminal law treaties and are aimed at creating a convention that would facilitate and expedite states’ and relevant authorities’ understanding of what cybercrime is. Thus, Switzerland proposed that the future convention should be specifically focused on a limited and clearly defined number of cyber-dependent crimes, and an even more limited number of cyber-enabled crimes. The convention should focus on behaviours, and not technologies, to reflect new technological developments; build upon the already existing international legal instruments; include clear and concise provisions; ensure the protection of human rights, especially the rights to privacy, freedom of expression, freedom of association, and other human rights legal instruments.

Tanzania proposed the protection of whistle-blowers and witnesses in cybercrime proceedings and the right of due process of the defendants. Tanzania also stressed that it is imperative to provide technical support to developing countries, including training, technical assistance, and the exchange of expertise. Last, it proposed the inclusion of joint investigations of cybercrimes in the convention due to the borderless nature of these crimes.

Uruguay stated that the convention should take into account the already existing international legal instruments to combat ICT crimes. It also stated that in cases of overlapping jurisdictions of two or more states, temporal priority in the investigation and complaint should be taken into account. Last, it mentioned that human rights and fundamental freedoms should be taken into account when drafting the convention and that they should be aligned with the UDHR, the ICCPR, and other relevant international human rights legal instruments.