In our most recent comments concerning the UN Cybercrime Convention, ARTICLE 19 continues to express deep concern about the latest Draft Text produced by the UN Ad Hoc Committee following the concluding session of the negotiations in New York in February 2024. Even after seven sessions of negotiations, there is still no consensus on the basic scope of the Convention or its safeguards against misuse. ARTICLE 19 argues that the failure of the process to sufficiently provide for human rights safeguards is fatal for the Convention’s future as an instrument that can be trusted to comply with international freedom of expression standards. We urge the States negotiating the Convention to reject the Draft and to oppose calls to extend the Committee’s mandate.
Since the Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (the Convention) was first proposed, ARTICLE 19 has been sceptical of the need for such a Convention. Seven negotiating sessions later, we remain gravely concerned about the fundamental vagueness of the Convention’s scope, numerous content-based offences, and underlying conflict of the Convention’s plain text with human rights standards. Lack of consensus on foundational provisions on the scope of criminalisation and international cooperation has led to the suspension of the session. The continuation of negotiations is now dependent on a proposal to the UN General Assembly and available resources.
ARTICLE 19 once again commented on key issues in the most recent Draft Text. Glaringly, the Convention fails to sufficiently incorporate broadly-supported human rights protections or due process safeguards. Judicial review, effective remedies, or international oversight, for example, are nowhere required – no matter how far-reaching or severe the underlying law enforcement powers or actions, and even though cybercrime laws are regularly abused by States to persecute vulnerable groups based on their expression, beliefs, religion, or identity.
In Article 35, which covers general principles of international cooperation, the Convention also provides for the ‘collecting, obtaining, preserving and sharing of evidence’ of ‘any serious crime’, defined by the Draft Text as any offence punishable by four or more years’ imprisonment. To use this blunt classification — which measures ‘seriousness’ by the severity of a State’s penalties rather than by any objective determination — to their advantage, States need only to create a domestic offence with a heightened penalty to be able to ‘legitimately’ trigger the serious crimes provision and the use of heightened procedural powers. The Convention’s provisions similarly allow for broad cross-border surveillance and police powers, unconstrained by any explicit data protection safeguards.
Though we have raised this concern previously, the Draft Text also still contains numerous content-based offences, some of which are cyber-enabled rather than cyber-dependent, placing them firmly outside the scope of a cybercrime treaty. We also note that criminal laws prohibiting dissemination of content are by definition restrictions on freedom of expression, so must be analysed according to the tripartite test under Article 19(3) of the International Covenant on Civil and Political Rights (ICCPR), which stipulates that restrictions must be provided for by law and be necessary and proportionate. The content-based offences in the Convention fail this test and risk criminalising those — like survivors of online gender-based violence and children — they are purported to help.
ARTICLE 19 has repeatedly highlighted the danger of the potential for abuse of such a Convention, and that it risks perpetuating many of the repeated and existing rights violations we have seen in ‘cybercrime’ laws around the world. We urge States to reconsider the value and necessity of continuing to invest in a process that has had more than enough opportunities to achieve consensus and failed.