Posted on 08 Aug 2024
The advanced, unedited copy of the AHC’s treaty is out and only two days remain of the negotiation process to finalise it. Many governments came to the negotiations wanting it all – strong powers of enforcement and control, with little oversight for rights and a wide scope for actions. The draft provides what these governments want, but in reality they may have created a document that not only does not foster cooperation beyond already existing regional groups and friendly governments, but also creates obstacles to technical advancement in their own countries.
At its heart, the draft treaty is an agreement to assist law enforcement and other government agencies to get access to electronic data. The scope of crimes covered by the treaty is wide as delegates approach the final stages of agreement, something that we have advocated against since the start of the negotiations in 2022. The draft text provides for cooperation on crimes established under the convention, for serious crimes (i.e. those that are punishable by four years or more), or ‘other criminal offenses’. The main measures set out in various chapters are focused on enabling the collection of electronic evidence, which would be permissible for any criminal offence or serious crimes, depending on the context.
The chapter on technical assistance (chapter 7) lays bare the interest of the treaty because it shows where support from the UN will focus to implement it. The technical assistance measures listed are focused on technical capabilities, mostly directed at law enforcement’s ability to track and collect data, evidence and proceeds from cybercrimes or crimes that use an ICT device.
However, there are no measures for legal training or judicial oversight of electronic evidence collection, or how to properly use electronic data in building legal cases, which includes personal data security. These gaps and omissions are not only worrying from a rule of law perspective. But it begs the question, what would be the point in providing support to request, collect and retain data if such data could become inadmissible in future legal proceedings from improper handling? The two references to legal support are for victim and witness protection, and a vaguely worded training in relevant procedural law and regulation. This chapter is key because it outlines – and limits – what activities UN agencies will carry out related to this treaty. And unlike the scope and powers of the treaty, this section is quite narrow.
Throughout the negotiations, the technical assistance provisions have been stripped of rights-centred training and gender mainstreaming support. However, as it stands now, the list of provisions does not even include basic judicial support for a criminal justice treaty, let alone training on how to protect data.
This treaty has built-in unintended consequences
There are articles within the treaty that were hard fought to protect against it being used as an instrument for discriminatory purposes, but they are not enough to contain the potential fallout from this treaty.
Articles 28–30, as they stand, will not only have a chilling effect on the tech sector, and in particular multinational companies choosing to store data in other countries outside their headquarters. But it also applies to the banking sector. Under the wording in the draft, a government would be able to compel a multinational bank with a presence and data storage in that country to turn over financial information to the government in secret with no judicial oversight. If and when it is adopted, private sector compliance divisions will have to assess whether they can continue to do business in countries ratifying the treaty and identify their own safeguards against abuse – which could mean closing operations there and relocating. This would not just have an impact on local economies and local staff, but also on wider knowledge, training and technical capacity for key economic sectors.
Who’s going to mind the shop?
The chapter on implementation delivers weak oversight provisions. A review mechanism is not mandatory, nor are inputs from non-governmental stakeholders. The optional quality written into the convention will make it much easier for governments to push back on civil society participation and review of government actions, even when these are carried out in partnership with UN agencies. The requirement by some countries to include a supplemental protocol to expand the list of crimes has been replaced with a more general option to create protocols once this convention is ratified.
The consequences of this draft are concerning. This new treaty delivers strong powers for law enforcement and other government agencies, including intelligence services, with little mandatory oversight for its conference of parties. It prioritizes building the capacity of law enforcement, and having the flexibility to apply enforcement measures to a wide range of crimes and activities. It would have a chilling effect on journalists and activists, as we have constantly cautioned against, as well as on the tech, business and banking sectors in our hyper-connected world.
With little time left and waning political will, we recommend the following steps are taken by governments:
- Explicitly add judicial measures to the technical assistance list.
- Make review of treaty implementation mandatory.
- Elevate the articles on safeguards to apply across all chapters of the treaty.
- Evaluate the potential impacts of articles 28–30, on access to electronic data.
The GI-TOC will attend the session and regularly report on proceedings. We will keep our eyes and ears to the ground to give you the latest news, in your inbox, throughout the session.
You can follow daily updates on this page. Sign up to our UN engagement mailing list here to receive our updates in your inbox.
To access the updates from the concluding session of the Cyber AHC (between 29 January and 9 February 2024) click here.