27 Jan A new look at the Budapest Convention on Cybercrime
Author: Helaine Leggat
National law is the domestic law of a state which governs the relationship between a state and its subjects as individuals and entities (like companies). States have the capacity to make and enforce laws in their own spheres but not to impose their laws on other states.
Public international law[1] is the body of law which governs the relationship between states and between certain recognised international entities (like the United Nations and the International Court of Justice). It serves as a framework for the practice of stable and organised international relations. Cooperation at an international level is brought about through agreements called treaties or conventions.
An international convention[2] is an instrument that is binding under international law on states, and other entities with recognised legal personality such as the United Nations and the International Court of Justice.
Conventions do not automatically apply to states. Under the general principles of the law of conventions, the act of signing a convention does not automatically make the signatory state a party to that convention. A further act such as ratification or accession is required for the state to be bound by the convention. Legislation may also be required to be promulgated into the national law of a state in order for the terms of the convention to be implemented within the state[3].
In summary, conventions in international law can become part of a sovereign state’s national law.
The Budapest Convention on Cybercrime
The Convention on Cybercrime of the Council of Europe was opened for signature in Budapest in November 2001. Twenty-two years later remains the most relevant international agreement on cybercrime and electronic evidence.
Since then, information and communication technologies (ICT) have transformed societies worldwide. They have also made them highly vulnerable to security risks such as cybercrime, mis- and disinformation, foreign influence and more. While there is recognition of the need to strengthen security, confidence and trust in ICT and to reinforce the rule of law and the protection of human rights in cyberspace, all things “cyber” have become more important as they touch upon the fundamental rights of individuals as well as the national security interests of states.
The Budapest Convention is a criminal justice treaty that provides states with (i) the criminalisation of a list of attacks against and by means of computers; (ii) procedural law tools to make the investigation of cybercrime and the securing of electronic evidence in relation to any crime more effective and subject to rule of law safeguards; and (iii) international police and judicial cooperation on cybercrime and e-evidence.
It is open for accession by any state prepared to implement it and engage in cooperation.
Acceptable norms of behaviour in cyberspace
The Council of Europe’s Chart of signatures and ratifications of Convention on Cybercrime (ETS No. 185) shows that at 27 January 2023 the total number of ratifications/accessions is 68.
In simple terms, this means that 68 countries have agreed that certain behaviours are not acceptable in cyberspace, and further, that these prohibited behaviours have been written into the national laws of those 68 states. In turn, this means that there is overwhelming agreement between these states as to what is and is not acceptable behaviour in cyberspace. To illustrate how this works, the first paragraph below shows the provisions of Title 1 of the Cybercrime Convention, and the paragraph below that, how these provisions have been codified into the Australian Criminal Code Act (Cth). The laws of the other 68 countries have similar provisions. So while one state cannot impose its laws on other states, the result of a convention is all states expected behaviours are the same.
Section 1 – Substantive criminal law – Cybercrime Convention
Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.
Australia – Criminal Code Act 1995 (Physical & Fault Elements)
Division 477—Serious computer offences
477.1 Unauthorised access, modification or impairment with intent to commit a serious offence
477.2 Unauthorised modification of data to cause impairment
477.3 Unauthorised impairment of electronic communication
Division 478—Other computer offences
478.1 Unauthorised access to, or modification of, restricted data
478.2 Unauthorised impairment of data held on a computer disk etc.
478.3 Possession or control of data with intent to commit a computer offence
478.4 Producing, supplying or obtaining data with intent to commit a computer offence
Notably, alongside this wide consensus on what constitutes cybercrime, there is also wide consensus on defences to certain actions constituting a cybercrime. It is important to note that as in any criminal matter any successful prosecution would depend upon the state proving each of the specific elements in each of the offences listed above, including the physical and fault elements (intention, recklessness etc.) of the crime.
It is also important to note that there are numerous defences in criminal law actions that are similarly recognised across the 68 states – with the result that 86 countries already agree what is not a criminal offence.
We will look at these further in next month’s article, because properly applied and allowing for the sort of legal interpretation we see coming from courts in the United States, there is a compelling basis for legally describing what constitutes acceptable behaviour in cyberspace.
This article is written with a view to assist boards in decision-making in relation the lawful countermeasures to cyber risk and attack.
[1] Private international law, or conflict of laws, addresses the questions of (1) which jurisdiction may hear a case, and (2) the law concerning which jurisdiction applies to the issues in the case.
[2] http://www.uncitral.org/uncitral/en/uncitral_texts.html and https://treaties.un.org/
[3] UNCITRAL monitors ratifications of conventions and enactments of UNCITRAL. It is also advisable to consult the United Nations Treaty Collection for authoritative status information.
