04 May 2023

Human rights safeguards urgently needed: notes from the fifth AHC session

Last month, we were in Vienna for the fifth session of the UN’s Ad Hoc Committee on Cybercrime (AHC), where states are negotiating a proposed UN convention on cybercrime which poses urgent risks to human rights.

At a livestreamed press briefing with the Electronic Frontier Foundation, Access Now, ARTICLE 19 and Epicenter.Works, we highlighted a range of issues with the treaty, from its broad scope to a lack of human rights safeguards.

At this session, states discussed the chapters on international cooperation, technical assistance, preventive measures, mechanisms of implementation, the final provisions, and the preamble. Key issues included the scope of the international cooperation chapter and the inclusion of safeguards throughout the chapters to protect human rights. Below, we highlight some key takeaways:


The scope of international cooperation is a major fault line

During the session, we heard many states describe international cooperation as being at the heart of the draft treaty—with much of the discussion focused on the scope of cooperation.

The EU and its member states said that they could accept a broader scope for the sharing of electronic evidence (a key form of international cooperation) across a wider range of offences (including those not covered by the convention), subject to two conditions. One, that the sharing of evidence is limited to instances where the alleged conduct is crime in both countries (dual criminality); two, that it applies only to serious crimes (as defined by the same standard in the UN Convention Against Transnational Organized Crime).

Other states, including Mexico, Kenya, Malaysia and Switzerland, preferred a more limited scope—one which limits evidence sharing to the crimes defined in the convention. However, these states diverged on the inclusion of other conditions, which are critical to ensuring a genuinely narrow scope. Russia, in turn, sought to vastly expand the scope of electronic evidence sharing to cover any offence.

Neither approach is fully sufficient from a human rights perspective. Alongside other groups, we’ve been calling for a model of international cooperation which is both narrow in scope, and includes the important conditions (on dual criminality and serious crimes) set out by the EU bloc.

A narrow and clearly defined scope is necessary to provide transparent, coherent, and—ultimately—effective international cooperation on cybercrime. This is critical, given that strengthening cooperation is precisely the reason many states are engaging with this process. By contrast, a broad scope, especially when coupled with an overly vague and expanded criminalisation chapter, will introduce confusion, delay requests for cooperation, and undermine human rights in the process.


Human rights safeguards under fire by some

We were concerned to see a number of states suggesting that references to human rights safeguards throughout the chapters were unnecessary and duplicative. Egypt argued that a more siloed approach was necessary to ensure distinction between the draft treaty as a criminal justice process and separate to human rights treaty processes, while India said the draft treaty already contained ample safeguards.

This logic doesn’t hold up: the wording of the treaty is still being negotiated, and there isn’t yet agreement on the inclusion of references to conditions and safeguards. As we and other human rights groups have shown, existing references are, in fact, likely to be inadequate in their current wording, and we are concerned by narratives that undermine the application of human rights and the rule of law in the context of cybercrime.

A bright spot was that states including the US, Japan, the Dominican Republic and the UK supported the deletion of the provision on special investigative techniques, while others reserved their views. The direction of travel is positive: this provision is overly vague and broad, incentivising interference with the right to privacy, and—as noted by EFF and Privacy International—permitting the use of unforeseen technologies.


Conflict and convergence

There were areas of both conflict and convergence in discussions on the remaining chapters. To spotlight a few:

  • In negotiations of the preventive measures chapter, Germany and Switzerland positively echoed GPD’s submission that preventive measures should be distinct from criminal justice measures which may interfere with human rights. However, many states continued to reject the inclusion of human rights references.
  • In discussions on the preamble, Senegal delivered a strong statement on the need to ensure strong safeguards, while states including Uruguay, Sweden and Argentina called for a gender perspective to be incorporated.
  • There was broad agreement on the preferred mechanism to review the implementation of the treaty. Most states converged in favour of a body made up of representatives of all member states (known as a conference of state parties to the convention). Encouragingly, Australia and Canada pointed to the need to ensure that any review mechanism is founded upon inclusivity and transparency, including by ensuring the participation of non-governmental actors.


Next steps

Like others, we are now looking ahead to the “zero draft” of the treaty, which will be discussed at the AHC’s next meeting in New York (21 August – 1 September 2023). Following this, there will be a concluding session in early 2024 where states are intended to formally agree the treaty.

With key issues like the use of terms and scope of the criminalisation chapter still up in the air, the expectation is that the 2024 session will be a substantive one. Certain states have now made public their preference for the treaty to be agreed on by consensus, rather than subject to a vote (see recent comments by the US in a Washington Post article). For the treaty to get anywhere close to agreement, it will need to be limited to areas of international consensus—that is, limited to core cybercrimes (criminal offences where ICT systems are the direct objects, as well as instruments, of the crimes)—and ensure complementarity with states human rights obligations.

At GPD, we’ll continue to closely follow the process, and to advocate for a treaty which does not undermine the respect, protection and fulfilment of human rights.