Pixelated Illustration of European Union Flags

EU data protection authority raises alarm over UN cybercrime treaty negotiations

The European Union’s independent data protection authority warned this week that a United Nations treaty on cybercrime in negotiation could leave citizens’ privacy rights at risk, adding that it would advise the EU not to become party to the treaty if certain guarantees aren’t added. 

UN representatives and experts are set to convene in Vienna from May 30 to June 10 for the second meeting of an Ad Hoc Committee about an international cybercrime treaty. Russia is the driving force behind the cybercrime convention, having pushed for years for a replacement for the Council of Europe’s Budapest Convention on Cybercrime. Russia is not a signatory to that treaty, first adopted in 2001 and negotiated with limited input from outside the region. 

In an Opinion released Wednesday, the European Data Protection Supervisor (EDPS) wrote “there is a substantial risk that the final text of the Convention could lead to a weakening of the fundamental rights and freedoms of natural persons provided for by EU law, in particular their rights to data protection and privacy.”

If that’s the case, the EDPS Opinion advises the EU against signing onto the convention. The Opinion also recommended four main negotiating directives: 

-to limit the international cooperation provisions to the crimes defined in the Convention; -direct access to data by third country law enforcement authorities and cross-border direct cooperation with service providers should be excluded;

-to ensure that future bilateral and multilateral agreements with third countries should apply in lieu of the Convention should these future agreements ensure higher standards with regard to the protection of fundamental rights, in particular the right to privacy and data protection;

-to ensure that the Convention shall not have effect between two Contracting States if one of them makes the notification that the ratification, acceptance, approval or accession of another Contracting State will not have the effect of establishing relations between those two Contracting States pursuant to this Convention.

The data protection authority doubled down in a press release Friday, writing that it supports international cooperation against cybercrime in principle—but not at the expense of weakening EU citizens’ legally guaranteed privacy and data protection rights. 

“Strong safeguards must be put in place to ensure that the protection of individuals’ personal data in a non-EU country is not undermined, especially when sharing sensitive data related to alleged criminal activities,” said EDPS Wojciech Wiewiórowski.

The United Nations narrowly approved a Russian Federal resolution to develop a global cybercrime treaty in December 2019, by a vote of 79-60 with 33 countries abstaining. Since then, the international community has struggled to define what a cybercrime is in an age when almost everything in our lives–including most crimes–has some sort of digital element. 

Meanwhile, human rights groups warn that a broad treaty could lead to abuse by authoritarian regimes who already have a track record of persecuting activists, journalists, and political dissidents using domestic cybercrime laws. 

This includes Russia, which has tightened its control over its domestic internet infrastructure for years while creating laws that limit freedom of expression and increased access to private data. 

The first session of the Ad Hoc Committee working on the treaty finally met in late February of this year as the Russian invasion of Ukraine played out on physical and digital battlefields. The Committee includes representatives of some countries that opposed the resolution proposing the treaty, including the United States, as Vice Chairs. 

The group already has dozens of new submissions to weigh when it reconvenes at the end of the month.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Andrea Peterson

Andrea Peterson

(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.