Posted on 29 Sep 2022
At the end of August, the third meeting of the UN Ad Hoc Committee (AHC) to elaborate a new treaty on crimes committed using information and communications technologies (ICTs) took place in New York. This was the AHC’s second meeting to collect perspectives for the drafting of a textual basis for discussion.
Delegates assembled at the UN to address the issues of international cooperation, technical assistance and prevention, and to exchange views on the preamble and final provisions of the future treaty. The AHC will draft separate texts from the May and August consultations, and discuss them in meetings before a complete draft is developed in the second half of 2023.
The AHC had prepared questions to guide the discussions – as they did for the May meeting –which narrows the focus to specific issues, rather than having states provide general statements. But geopolitics continued to underpin the technical meeting. A number of countries made statements against the Russian invasion of Ukraine, including Japan, South Korea in addition to a number of Western states. Costa Rica drew attention to the crippling cyberattack it suffered across its public services, both to highlight the extent of risks and to explain how other states stepped in to help.
During the meeting, most time and attention were given to international cooperation, while states moved more quickly through the other issues, with less detail explored at this stage. There was agreement among states to use language from the UN Convention against Transnational Organized Crime (UNTOC) and the UN Convention Against Corruption (UNCAC) as a basis for many elements, especially on technical assistance and prevention, as well as some measures for international cooperation. States also referred to the Council of Europe’s Convention on Cybercrime (Budapest Convention) and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) as references for treaty language.
On the issue of international cooperation, states discussed points such as data protection and approaches for access to cross-border data. The scope for cooperation was a topic of debate. China called for international cooperation to cover counterterrorism while ensuring the protection of national sovereignty, a position wider than most states. Others continued to express a preference for activities such as e-evidence sharing to be limited to crimes covered under the convention, such as South Korea and Pakistan. There was emerging consensus that extradition requests should apply only to crimes covered under the treaty (rather than the wider concept of all crimes committed using ICTs). It seems the issue of scope may be addressed topic by topic within the section.
On the issue of safeguards and grounds for refusal (for extradition or responding to a mutual legal assistance request, for example), states outlined a range of ideas. Many pointed to the UNTOC and UNCAC as references, but others were more explicit: Namibia argued that grounds for refusal should include human rights violations; Armenia said they should encompass human rights violations such as discrimination based on sexual orientation; and others, including Japan and Norway, said they should take into account refusal on political grounds.
Although many of the safeguards discussed derive from human-rights and other crime treaties (for example dual criminality, the right to a fair trial or extradition refusal based on possibility of torture), data protection is specific to the context of a cyber-instrument. Protection of data builds on existing articles, such as Article 12 of the UN Universal Declaration of Human Rights, but the sheer volume of existing electronic data and the intimate detail of personal data (e.g., from location to personal contacts to health records) increases the risks for cooperation in data sharing.
The EU said that receiving countries must have adequate safeguards for processing sensitive data, including political or religious opinions, biometric and genetic data, and data on sexual orientation. They argued that state parties could make cooperation dependent on ensuring data protection, with the ability to refuse cooperation based on lack of ability to protect data. Senegal highlighted the Malabo Convention as a reference for language on personal data protection.
China’s perspective is that data protection should include national sovereignty concerns, and representatives argued that the treaty should not allow a state to directly collect data from companies or servers in a third country where it is stored if it violates domestic law. Russia agreed – unsurprisingly, as this is a key issue both countries have with the Budapest Convention. Some parties to the Budapest Convention, including Canada and Australia, noted that adding such a clause may be too onerous to negotiate for this new proposed treaty, although they are open to it.
Yet some common ground was forming. A number of countries, including those in the EU, as well as China and Pakistan, agreed that a clause should state that data cannot be shared with a third party.
Implementation and technical assistance
States were asked to consider how a treaty should be implemented in practice. At this early stage, positions on this are still forming, but many states offered initial ideas. They discussed where an implementation mechanism would sit within the UN system, what rules it might follow and what role a review mechanism could serve. A number of states, including Egypt, Thailand and many countries from Latin America and the Caribbean, called for this treaty to have its own Conference of Parties – a decision-making body where all state parties are present.
Supporters of this noted that other UN formats (for example the Commission on Narcotic Drugs or the Commission on Crime Prevention and Criminal Justice [CCPCJ]) are not inclusive of all state parties, and others indicated that the rules of these forums are less inclusive than those established by the AHC to elaborate this treaty. Paraguay questioned the viability of placing the treaty within another forum, highlighting that if the treaty were to sit, for instance, within the CCPCJ, if CCPCJ members not parties to the convention would have a vote through CCPCJ mechanisms. States also discussed what role a review mechanism could serve, and although ideas where expressed, many seemed to feel this could be discussed at a later stage in negotiations.
There was strong support for the ongoing role of civil society, the private sector and other stakeholders during future implementation and review of the treaty, including from the US, Nigeria, Uruguay and Mexico. Advocates recommended that implementation modalities support outside participation. A number of states argued that the AHC’s rules should set a precedent for the rules governing implementation, which incorporate protections designed to prevent stakeholders from being excluded.
On technical assistance, states broadly agreed on its inclusion, but there were debates over the what and how. There was not much discussion on the scope of assistance – whether it should encompass crimes only covered by the treaty or all crimes committed using ICTs. Senegal raised the questions of how this would be different from providing support for cyber security and how distinctions should be made; France called for technical assistance to focus only on cyber-dependent crimes (i.e. forms of crime that require computer systems). Brazil suggested that states could voluntarily do a stocktaking of their technical assistance needs and provide it to the committee to better understand what the treaty should offer.
What next for the treaty?
This meeting concluded the formal gathering of positions and ideas before the initial text of the new treaty is drafted. There will be a meeting for multi-stakeholders in early November and the initial text will be shared ahead of the next AHC, which convenes in early 2023. It is likely that much of the foundational text will be taken from terminology already agreed upon for other conventions, such as the UNTOC and the UNCAC, but there are a number of issues that are unique to a cyber-focused treaty. As member states find out what has and has not been included in the proposed treaty text, positions and key interests are sure to become clearer.
This article is supported by the Swiss Permanent Mission to the United Nations in Vienna. The views expressed do not necessarily reflect the views of the Swiss government.