In the context of ongoing international negotiations for an international convention on cybercrime, reference has been made to the Council of Europe Convention on Cybercrime (Budapest Convention) as a benchmark for addressing criminal sanctions in cyberspace. While the Convention contains some positive features, including codified intentionality requirements, and avoids many pitfalls that ARTICLE 19 has analysed in various domestic cybercrime instruments (such as lack of intentionality requirements, lack of requirements of “serious harm,” and content-based offences), it fails to strike a proper balance for freedom of expression. As such, we believe that it is not a model instrument from a human rights perspective. In this briefing, ARTICLE 19 highlights freedom of expression issues with the Budapest Convention and identifies problems that should not be replicated in the text of the new instrument. We hope that this analysis will guide the work of the Ad hoc Committee as it moves to the next stage of the negotiations.
In May 2022, ARTICLE 19 analysed the Council of Europe’s Convention on Cybercrime, also known as the Budapest Convention, and its First and Second Additional Protocols. While it contains some positive features, we note that it does not sufficiently protect a range of human rights, such as privacy and freedom of expression. As the United Nations Office on Drugs and Crime (UNODC) Ad Hoc Committee set up to create a cybercrime treaty progresses in its negotiations, we are concerned that these shortcomings could be replicated in this new instrument and ultimately undermine the protection of human rights.
The Budapest Convention entered into force on 1 July 2004 and is considered the benchmark instrument in addressing criminal sanctions in cyberspace. While it states that it is ‘mindful’ of striking a balance between the interests of law enforcement and the protection of human rights, we believe it falls short. Among other points, it fails to provide adequate protections for the rights to privacy and freedom of expression. For instance, while Article 15 aims to offer some ‘conditions and safeguards’ for human rights, there is no clarity on how to counterbalance its criminal and procedural provisions in elsewhere in the Convention.
ARTICLE 19 observes that, while some offences in the Budapest Convention require intent, important substantive protections are merely optional. The Budapest Convention fails to consistently require ‘serious’ harm and ‘dishonest intent’ for criminalisation in its substantive provisions, and instead, allows the concerned Parties the option to include heightened standards. Therefore, we recommend that, due to the profound implications of cybercrime legislation for freedom of expression, at the maximum, only a few core offences from the Budapest Convention should be considered, namely those with clear requirements of ‘serious’ harm and ‘dishonest’ intent.
While ARTICLE 19 questions the need for a new cybercrime instrument, we note that the Budapest Convention includes a range of issues that should not be included in any new instrument. In our briefing, we highlight that the Budapest Convention:
- Fails to provide specific procedural protections for privacy and freedom of expression, as it almost solely focuses on providing expansive powers to law enforcement;
- Contains unnecessary content and copyright offences that create a chilling effect on freedom of expression. In particular, we raise concerns about the inclusion of copyright-related criminal offences, as well as the compatibility of criminal sanctions for non-commercial copyright infringement;
- Includes far-reaching procedural provisions for law enforcement seizure and surveillance powers that threaten human rights due to the lack of privacy and due process protections;
- Fails to require dual-criminality as a pre-requisite for mutual legal assistance;
- Fails to recognise the importance of the right to anonymity online in the Second Additional Protocol.