By Maureen E. BANSAH
Cybercrime has become a widespread and rapidly evolving threat in today’s digital age. It costs the global economy trillions of dollars annually and disrupts lives and institutions.
From phishing scams stealing personal information to online fraud draining savings, the consequences of cybercrime extend far beyond financial losses.
Cyberattacks can undermine critical business processes and government infrastructure, eroding public trust and compromising sensitive data. As a result, the need for a unified international response has never been more urgent.
To address this pressing need, the United Nations General Assembly adopted the UN Convention Against Cybercrime (the “Convention”) on December 24, 2024, after five years of extensive negotiations.[1] This landmark treaty represents the first global, legally binding instrument designed to combat cybercrime and the first international criminal justice treaty in two decades.
Its key objectives include improving the effectiveness of measures to prevent and combat cybercrimes, strengthening international cooperation in addressing them, and facilitating technical assistance and capacity-building efforts, particularly for developing countries.[2]
Background
Before this treaty, international instruments like the Council of Europe Convention on Cybercrime (the “Budapest Convention”) and the African Union Convention on Cybersecurity and Personal Data Protection (2014) addressed cybercrime. While these instruments played significant roles, they were limited in global reach and faced challenges in keeping pace with the dynamic technological environment.
The journey toward the Convention began in the late 2010s. In December 2019, the UN General Assembly established an ad hoc committee to draft a global cybercrime treaty in response to the rising threat of cybercrime.
[3] Resolution 75/282, adopted in May 2021, mandated the committee to present a draft Convention at its seventy-eighth session.[4]
Between 2022 and 2024, the committee held multiple negotiating sessions and consultations, culminating in the adoption of the treaty in December 2024.[5] The Convention will open for signature in Hanoi, Vietnam, and enter into force 90 days after ratification, acceptance, approval or accession by the 40th state.[6]
Overview of the Convention
The Convention, structured in nine chapters, provides a comprehensive framework for addressing cybercrime. Below are the highlights of its key provisions:
General Provisions
Under the general provisions, the Convention outlines its statement of purpose, defines key terms, and establishes its scope. Notably, it does not define cybercrime, leaving a conceptual gap that may complicate implementation. The provisions emphasise integrating cybercrime-related offences into domestic laws, respecting state sovereignty, and upholding international human rights standards.[7]
Criminalisation of Offences
The Convention urges states to adopt legislative and other measures necessary to establish certain acts as offences. The following are the categories of offences as set out in the Convention:
(i)Offences related to the integrity of information and communication technology (ICT) systems, such as illegal access, data interference, and ICT-related fraud or theft.
(ii) Offences related to children (child protection), including online sexual abuse, exploitation of material distribution, and grooming of a child to commit a sexual offence.
(iii) Non-consensual dissemination of intimate images.
(iv) Money laundering of proceeds derived from the offences listed above.
In addition, the Convention encourages states to criminalise inchoate forms of offences, such as participation and attempts and holds legal entities accountable while safeguarding procedural rights to ensure fairness.[8]
Procedural Measures and Law Enforcement
Member states are encouraged to implement legislative and operational measures to enhance criminal investigations while ensuring the protection of human rights. Additionally, the Convention has provided the following measures:
- Prescribed that all measures, such as data preservation, search and seizure, and interception of communications, are proportionate.
- Provided guidelines for protecting witnesses and victims, including physical and psychological support.
- Outlined regulations concerning the freezing, seizing, and confiscation of criminal proceeds whilst ensuring that the rights of third parties are respected.[9]
International Cooperation
Given the transnational nature of cybercrime, the Convention provides mechanisms for cross-border collaboration, including extradition, joint investigations, and asset recovery. It establishes a 24/7 contact point network to facilitate rapid responses and promotes alignment of national frameworks with international standards.
The Convention also outlines, in detail, general principles of mutual legal assistance requiring state parties to provide the broadest possible support in combating cybercrime while ensuring that such cooperation aligns with their domestic legal systems.[10]
Technical Assistance and Information Exchange
Global disparities in state capacity, including funding and resources, leave developing countries particularly vulnerable to cybercrime. The Convention, recognising this gap, advocates for knowledge sharing, training, and technology transfer to improve the prevention, detection, investigation, and prosecution of cybercrime.
The relevant provisions encourage collaboration with non-governmental organisations (NGOs), civil society, and private entities. Additionally, they emphasise the importance of financial support and technical resources in harmonising standards, strengthening institutional capabilities, and addressing the societal impact of cybercrime.[11]
Criticisms of the Convention
While hailed as a milestone, the Convention has drawn criticism, primarily regarding its potential impact on human rights:[12]
- The absence of clear definitions for concepts like cybercrime may lead to inconsistent interpretations and enforcement.
- The broad provisions on data access and interception also raise concerns about potential misuse by investigative agencies to legitimise intrusive investigations and unauthorised access to personal information.[13]
- Save for the principles of necessity and proportionality, the treaty lacks other explicit safeguards like legality and non-discrimination, leaving human rights protections largely dependent on individual states.[14]
While these concerns remain, states are responsible for implementing human rights protections and may enact legislation to ensure stronger safeguards. In response to these criticisms, one may consider Article 6 of the Convention, which provides that states must ensure that the implementation of their obligations under the treaty is consistent with their obligations under international human rights law and that they do not use the provisions of the Convention as an excuse to violate human rights and fundamental freedoms.[15]
Additionally, disparities in legal systems, technological capacities, and resources among states may hinder effective implementation. Developing countries, especially, may face challenges aligning with the Convention’s requirements without adequate resources and support.[16]
Conclusion
Undoubtedly, the Convention marks a significant step in addressing the challenges of cybercrime as digital technologies continue to shape our world. Its provisions for criminalisation, procedural measures, and international cooperation provide a solid foundation for addressing these challenges.
However, its success hinges on careful implementation, genuine collaboration among states, and a commitment to balancing security with human rights.
To ensure the treaty’s effectiveness, member states must prioritise transparency, accountability, and proportionality in their approaches. Addressing criticisms, particularly regarding human rights protections and capacity disparities, will be crucial to fostering trust and ensuring the Convention’s long-term impact.
The author is a lawyer and academic based in Accra, Ghana. She can be contacted at [email protected].
[1] The Convention can be accessed here: https://documents.un.org/doc/undoc/gen/n24/372/04/pdf/n2437204.pdf
[2] Article 1 of the Convention
[3] Countering the Use of Information and Communications Technologies for Criminal Purposes”, UN Doc. A/RES/74/247, General Assembly Resolution, 27 December 2019.
[4] Countering the Use of Information and Communications Technologies for Criminal Purposes”, UN Doc. A/RES/75/282, General Assembly Resolution, 26 May 2021.
[5] United Nations, Report of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes on its Reconvened Concluding Session. Available at https://documents.un.org/doc/undoc/gen/v24/056/75/pdf/v2405675.pdf
[6] United Nations, United Nations General Assembly Adopts Milestone Cybercrime Treaty https://news.un.org/en/story/2024/12/1158521 (last accessed 13 January 2025)
[7] Chapter I – Articles 1-6 of the Convention
[8] Chapter II – Articles 7- 22 of the Convention
[9] Chapter IV – Articles 23-34 of Convention
[10] Chapter V – Articles 35-52 of the Convention
[11] Chapter VII – Articles 54-56 of the Convention
[12] Electronic Frontier Foundation, The UN Cybercrime Draft Convention Remains Too Flawed to Adopt, (last accessed 13 January 2025)
[13] Article 30 of the Convention; Chatham House, What is the UN Cybercrime treaty, and why does it matter? https://www.chathamhouse.org/2023/08/what-un-cybercrime-treaty-and-why-does-it-matter
[14] Supra
[15] Just Security, The UN Cybercrime Convention: Analyzing the Risks to Human Rights and Global Privacy, https://www.justsecurity.org/98738/cybercrime-convention-human-rights/ (last accessed 13 January 2024)
[16] Manohar Parrikar Institute for Defence Studies and Analyses, United Nations Cybercrime Convention: a Milestone in Digital Governance? https://www.idsa.in (last accessed 10 January 2025)
