Trust and Security digest (August 2022)

Ukraine: still a ‘not-so-cyber’ war? 

At the outset of Russia’s invasion of Ukraine, various commentators (including GPD) remarked on the surprisingly conventional, ‘non-cyber’ nature of the conflict. But six months on, is this still the case?

In a new blog, our Senior Legal Officer Ian Barber explores and unpacks the different ways that the war is intersecting with human rights in the digital environment.

A few takeaways from the piece:

• While cyberattacks and disinformation campaigns are not novel, aspects of their application and combination in this conflict may be
• The war is also having significant impacts on discussions in key cyber-related forums like the OEWG and AHC (including on the crucial issue of stakeholder inclusion)

(For reference, see also our initial response to the invasion in the February 2022 edition of the Digest).

Last week, the UN’s Ad Hoc Committee on Cybercrime (AHC) concluded its third substantive session, where member states finished giving their views on what should be included in some of the main chapters of the proposed convention on cybercrime.

Our Head of Global Engagement and Advocacy, Sheetal Kumar, was present at discussions; read her detailed analysis and summary of a slow but turbulent process, which may have significant implications for a range of human rights. Some key developments to note:

• There were a few concrete areas of progress (for one, that the convention should build on and complement existing treaties)

• However, a lot of hard discussions are yet to be had (e.g. on implementation)

• In this meeting, scope was a key area of contention—particularly around “international cooperation” and “preventive measures”

• A lot will hinge on how “cybercrime” is defined within the convention (what crimes it will include, what the thresholds for criminalisation will be). This is still yet to be decided

• The extent and strength of safeguards to protect human rights are another area of significant disagreement among states

• One big outcome was Brazil’s call for states to submit a list of their technical “needs” to the Secretariat, which attracted a lot of interest. It’s crucial that this process includes the voices of non-governmental stakeholders

On 8 August, the United Nations General Assembly approved the appointment of Mr. Volker Türk as the next UN High Commissioner for Human Rights. Türk, currently the Under Secretary-General for Policy, will be taking over the role from Michelle Bachelet.

The announcement came following months of calls by human rights organisations for an “open, transparent and merit-based process.” Despite these efforts, the OHCHR’s selection process was largely closed, with no information published on the candidates under consideration or the selection timeline, and without civil society input.

This lack of transparency is particularly concerning from a human rights perspective, given the OHCHR’s increasing influence over a range of urgent technology-related policy issues—from artificial intelligence to encryption.

In other instances, the OHCHR has shown itself to be open to civil society input. Recently, the office’s “Right to Privacy in the Digital Age” report cited recommendations submitted by the Global Encryption Coalition (of which GPD is a co-founder and steering committee member).

Data Protection legislation

• The government of India has withdrawn its 2021 Data Protection Bill, after the Joint Committee of Parliament proposed 81 amendments to it upon review.  The new draft will reportedly be out for consultation next year.

• In Malaysia, amendments to the Personal Data Protection Act 2010 (“PDPA“) have been tabled for approval by Parliament in October.

Cybersecurity and cybercrime

• Vietnam issued Decree No. 53/2022/ND-CP on Cybersecurity, which will take effect on 1 October. It covers data localisation and local authority measures on taking down fake news and illegal information, and includes provisions on data collection in relation to illegal activities. Vietnam also recently published a new national cybersecurity strategy.

• In Botswana, a new version of the Criminal Procedures and Evidence (Controlled Investigations) Bill passed the committee stage to become law. The new version incorporates recommendations from civil society organisations by prohibiting the interception of communications without a warrant, creating an oversight committee and requiring the committee to report annually on its work.