21 Aug 2023

The UN’s Cybercrime Convention: GPD calls for enhanced human rights protections

This week, states and other actors are convening at the UN’s Ad Hoc Committee on Cybercrime (AHC) to restart negotiations on a proposed new international convention on the use of ICTs for criminal purposes (or, cybercrime). Negotiations will be based on the recently published zero draft of the convention, which is intended to serve as a prototype version of the convention. However, fault lines remain at the AHC, and consensus on this text is not a guarantee.

Today, we publish our comprehensive analysis of the zero draft of the convention. From the outset of the AHC process, we—along with other civil society groups—have engaged with the aim of ensuring that offences covered within the convention are clearly defined and avoid criminalising expression protected under international human rights law. We’re also focused on ensuring that the procedural powers and provisions for international cooperation are precise and narrow in scope, and that the entire convention is underpinned by robust safeguards for human rights. 

Our analysis finds that various elements of the text need to be modified to mitigate risks to human rights. Below, we highlight our key concerns and recommendations.


Offences not limited to core cybercrimes

We welcome that the draft significantly narrows the scope of crimes included, but are concerned that it still expands its scope beyond ‘core’ cybercrimes–where ICTs systems are the direct objects, as well as the instruments, of the crimes. We recommend that the text is limited to the crimes contained in Articles 6-10 of the text. Where other offences are included, we recommend revisions to mitigate human rights risks.

We are particularly concerned by the inclusion of article 17 on offences relating to other international treaties. At present, it is unclear which current or future conventions are captured, which has the potential to drastically broaden the scope of the convention, introducing vague and duplicative provisions without clear guardrails for human rights. We, alongside many others, call for this provision to be removed.

In addition, we outline a range of recommended changes to ensure the convention does not capture the legitimate and publicly important activities of journalists, whistleblowers and security researchers. We note the need for a heightened standard of intent to commit the offences, expansive exception for activities conducted in the public interest, and a mandatory–rather than optional–requirement that the activities infringe security measures.

Vague scope for intrusive powers

At present, the zero draft does not go far enough in preventing potential overreach and abuse by states in using powers conferred by the convention. Provisions within the text extend the use of a wide range of powers and mechanisms for international cooperation beyond the offences the convention is intended to cover. This includes potentially intrusive powers like the real-time collection of traffic data (article 29), the interception of content data (article 30) and mutual legal assistance (article 40), which pose risks to individuals’ human rights—including privacy and freedom of expression. The expansion of such powers to an ill-defined range of offences is inconsistent with core international human rights principles, such as necessity and proportionality, and with states’ existing international human rights law obligations, which provide a clear framework for the use of powers and procedures and defend against their arbitrary application. 

To limit abuse, ensure legal clarity and facilitate effective action to combat cybercrime, we advise that the scope of the above provisions is limited to the core crimes contained in articles 6-16 of the convention, and includes additional guardrails for human rights applicable to procedural measures and international cooperation.

We also note with concern the language of article 28 on search and seizure of stored data states, which could be interpreted as incentivising states to adopt disproportionate measures, such as demanding the handling of encryption keys or disclosure of security vulnerabilities that enable surveillance.

Inadequate human rights protections

We welcome the inclusion of article 5 on respect for human rights, article 24 on conditions and safeguards for human rights, and article 36 on the protection of personal data. However, we are concerned that the wording of these provisions is insufficient to mitigate real-world risks.

We recommend a number of concrete additions to ensure the widest possible protection for human rights. This includes clarifying that human rights safeguards apply to the entirety of the convention, ensuring compliance with state obligations under international human rights law and customary international law, and incorporating all relevant human rights principles, including legality, legitimacy, necessity and proportionality.

To avoid unintended misuse of personal data, article 36 on the protection of personal data should be strengthened so that it does not exclusively rely on domestic provisions or international law, but also ensures that personal data transfers fulfil international human rights standards. Further, the article should explicitly reference widely recognised data protection principles, such as lawful and fair processing, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

We also make specific recommendations to ensure more robust protections for human rights, through incorporating robust grounds for refusing a request in general provisions relating to extradition (article 37) and mutual legal assistance (article 40). These are powers which, without adequate restraints on their arbitrary or discriminatory application, can pose serious risks to human rights.

Lack of monitoring around human rights compliance

As is indicated by the range of our concerns, the convention has the potential to impact a wide range of rights, including the rights to privacy, freedom of expression, and the right to non-discrimination (given the potential for many of these measures to be applied disproportionately against or to adversely impact members of groups protected under anti-discrimination law). For this reason, the text of convention should ensure that its implementation is measured against states’ existing international human rights law obligations–something which is lacking from the current text.

Specifically, article 53 on preventive measures, article 54 on technical assistance and capacity building and article 59 on the implementation of the convention should refer to the need to ensure compliance with international human rights law, as well as domestic law. Technical assistance and capacity building measures should also be subject to a human rights impact assessment before they are undertaken. The chapter on mechanisms of implementation should provide for periodic assessment of its impact on the enjoyment of human rights as a core element of its evaluation. For that purpose, non-state actors should be enabled to input to and strengthen the review process. 


Next steps

GPD will be attending negotiations at the AHC’s sixth substantive session, taking place from 21 August-1 September in New York, where we’ll closely monitor proceedings to see if our concerns are addressed. 

We will also be working alongside civil society groups from diverse regions to ensure that the treaty doesn’t undermine respect, protection and fulfilment of human rights.