Support Our Work Mailing list About / Contact
  • Home /
  • News /
  • 2024 /
  • October /
  • European data protection authorities urged to take action on new cybercrime convention

European data protection authorities urged to take action on new cybercrime convention

Topic
Policing Law Privacy Encryption Data retention
Country/Region
UN EU

01 October 2024

A letter signed by Statewatch and a number of other organisations calls for the European Data Protection Board to issue an opinion on the new UN Convention on Cybercrime, due to the "serious risks" it poses to human rights. Those risks include provisions that would empower national authorities to obtain access to encrypted communications and force communications service providers to retain large amounts of user data.

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.


Image: Jordan Harrison, Unsplash

It is now expected that the UN General Assembly will adopt the convention by the end of this year. The draft text is available here: Draft United Nations convention against cybercrime: Strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for the sharing of evidence in electronic form of serious crimes (pdf)

The letter was coordinated by Ligue des Droits Humans.

Open letter to the European Data Protection Board: We urge the Board to issue an opinion on the United Nations convention against cybercrime

Ms. Anu Talus
Chair European Data Protection Board
Rue Wiertz, 60
1047 Brussels
edpb@edpb.europa.eu

Brussels, 27th September 2024

Dear Chair of the EDPB,
Dear EDPB Members,
Dear EDPB Secretariat,

We, the undersigned organizations, are writing to you regarding the new United Nations Convention against cybercrime. The final text of the Convention has been approved by an Ad Hoc Committee to the UN General Assembly this August. It will be submitted to the General Assembly for formal adoption at the end of September.

The Convention's aim is to prevent and combat cybercrime, and facilitate cooperation on the issue. Those objectives are legitimate. However, the scope and methods of the Convention pose several serious risks for human rights. Those have been pointed out by civil society. Amongst those, we address you this letter regarding the risks posed by the convention to the right to privacy as protected in EU law.

The Convention would notably empower authorities to:

  • compel service providers or individuals to disclose vulnerabilities of information and communications technology systems or to provide relevant authorities with access to encrypted communications
  • force the retention of large amounts of data by service providers during unspecified periods of time.

Additionally, the proposed Convention's use of broad or undefined concepts opens up the risk of widescale human rights violations against civil society. The Convention notably:

  • criminalizes accessing "information and communications technology system without right" (art. 8), thus putting journalists, security researchers and human rights defenders at risk;
  • criminalizes the use of tools frequently used by cybersecurity researchers (art. 7 & 11).

We are concerned that ratification of the Convention by EU member States or by the Union itself would undermine and weaken the protection of privacy in the EU. In particular, we are deeply concerned that ratification of this Convention could encourage States to weaken encryption despite the EDPB's warnings against doing so. The proposed Convention would also potentially breach the European Convention on Human Rights. According to the European Court of Human Rights, prohibiting encryption and creating backdoors breaches the right to respect for private and family life.

Further, we are concerned that the Convention could be used by authoritarian States as a tool of repression against EU citizens or persons residing in the EU.

For these reasons, we call on the EDPB to assess the proposed Cybercrime Convention and the risks it could pose to the right to privacy as protected in the European Union. We ask the EDPB to issue an own-initiative opinion.

Yours sincerely,

Signatories

International Federation for Human Rights (FIDH)

Liga voor mensenrechten (BE)

Ligue des droits humains (BE)

Privacy First (NL)

Statewatch (UK)

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

Next article 

EU: Definition of “potential terrorists” opens door to broad information-sharing

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error

Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.

About | Contact | Privacy Policy