From Budapest to Hanoi: Comparing the COE and UN Cybercrime Conventions

At the end of 2024, the United Nations gave final approval to a hotly contested Convention Against Cybercrime (UN Convention). Later this year, Vietnam will host a signing ceremony in Hanoi. Many countries are expected to sign the convention at that time. The Trump administration has yet to indicate whether the United States will be among them. Without U.S. participation, the UN Convention would be a much less effective instrument.

Many Western countries, including the United States and those in Europe, initially opposed the idea of a universal cybercrime treaty. Instead, they encouraged countries to accede to the 2001 Council of Europe (COE) Cybercrime Convention (popularly known as the Budapest Convention) and its protocols. There are now 78 parties to the Budapest Convention. But major countries, including China, India, and Russia, have not joined the Budapest Convention and are not likely to in the future. Many in the Global South perceive the Budapest Convention as “in name and spirit a European convention” and “dismiss [it] as non-inclusive and non-representative.” Russia seized on such sentiment to propose a UN Cybercrime Convention, and it put forward an initial draft text that would have addressed vague conduct relating to extremism and terrorism, alarming many countries.

Various civil society groups and technology companies sought to shape the UN Convention through issuing position papers and sending representatives to lobby negotiators. Still, many were dissatisfied with the result and ultimately called for countries not to sign it. A series of press articles appeared with provocative titles reflecting the sign of the times: “The UN finally advances a convention on cybercrime…and no one is happy about it,” and “UN Cybercrime Treaty: Why is the Tech Industry up in arms?” Some of that criticism has also appeared in Lawfare.

To understand why the UN Convention has generated such controversy, we closely compared its provisions to those of the well-established Budapest Convention. We also have explored major criticisms of the UN Convention through this comparative prism. What follows is a summary of our findings and conclusions. A longer version of our assessment can be found on the Cross-Border Data Forum (CBDF) website. A comprehensive side-by-side chart comparing the UN and Budapest Conventions is included in the CBDF publication.

Major Findings

The UN Convention has the potential to significantly aid countries—particularly in the global South—in combating crimes committed through information and communications technology systems (ICTS). All states joining the UN Convention must incorporate into their criminal codes an agreed array of cyber offenses. Most are cyber-dependent, meaning they can be committed only through use of ICTS. Examples include illegal access to ICTS and interference with electronic data. Other offenses, such as money laundering, are also criminalized under the UN Convention to the extent they are committed through ICTS.

In addition, parties to the UN Convention must equip their criminal investigators and prosecutors with a common arsenal of procedural powers and procedures: expedited preservation of stored electronic data (Article 25); expedited preservation and partial disclosure of traffic data (Article 26); orders requiring the production of stored electronic data (Article 27); powers to search and seize stored electronic data (Article 28); real-time collection of traffic data (Article 29); interception of content data (Article 30); and asset freezing, seizure, and confiscation (Article 31).

Each party also must stand ready to assist other parties’ cybercrime investigations that have a transnational element, through extradition, mutual legal assistance, and asset freezing and confiscation. Numerous countries in the Global South currently lack these measures in their domestic laws, so the UN Convention would serve to stimulate the necessary legislation.

A series of safeguards cabin these powerful new tools. The principal ones are found in Article 6 (respect for human rights), Article 21(4) (due process guarantees), Article 24(4) (procedural powers safeguards), Article 36 (personal data protection), and Article 40(22) (non-discrimination in mutual legal assistance). These protections as a whole go beyond those contained in earlier UN crime conventions such as the 2000 UN Convention Against Transnational Organized Crime (UNTOC) and the 2003 UN Convention Against Corruption (UNCAC). Many governments view these protections as comparable to—if not exceeding—those in the Budapest Convention.

The COE’s Cybercrime Division, in its own analysis of the UN Convention, commends it as a “major political achievement given the current international context” (emphasis added). The COE observes that the “core concepts and measures” of the UN Convention are drawn from the Budapest Convention, as well as from UNTOC and UNCAC. In sum, the COE concludes, the “UN treaty represents a narrow criminal justice treaty that is largely consistent with the Budapest Convention and that contains minimum safeguards necessary for international cooperation.”

Criticisms

Many observers distrusted the UN cybercrime initiative from the very beginning, due to Russia’s role as protagonist and its persistent efforts to criminalize vague conduct relating to extremism and terrorism. They are not persuaded by the battery of safeguards that negotiators managed to incorporate into the instrument. One U.S. critique dismissed the safeguards’ value as “difficult to reconcile with the intent of the Draft Convention’s staunchest proponents or with the domestic and transnational repression practiced by those states.”

A related reason for persisting unease is the prospect of a supplementary protocol negotiation at which Russia is very likely to reintroduce its problematic criminalization proposals relating to extremism and terrorism. The UN has pledged to hold a protocol negotiation in the coming years. The COE delicately observes that this occasion “provides some States with a further opportunity to promote information control.” Russia and its allies are unlikely to muster sufficient global support in the protocol negotiation for their additional criminalization proposals. However, Western powers including Europe and, ideally, the United States, would need to engage forcefully to ensure that the UN Convention is not supplemented in ways that could damage free expression.

Beyond Russia-related concerns lies a structural reason for the level of public controversy that the UN Convention negotiations have caused. Historically, national law enforcement authorities have dominated UN crime convention negotiations, which often take place largely out of the public eye. For example, UNTOC and UNCAC negotiations were both conducted largely in sessions closed to human rights and corporate groups. The negotiators of the UN Convention, by contrast, allowed accredited outside observers an unprecedented degree of transparency into the negotiation. For example, observers’ position papers were circulated through the UN document system, their representatives roamed the halls buttonholing national delegations, and they were given discrete opportunities to formally address negotiating sessions as well.

In addition, during the two decades since the earlier UN crime conventions were negotiated, human rights organizations have grown in strength, and some now maintain a permanent presence in Vienna, home of the UN Office of Drugs and Crime. Moreover, companies that transfer data across borders, such as cloud service providers, have expanded the reach of their international public policy operations to track multilateral crime negotiations. The maturing of human rights and corporate advocacy left its mark on the UN Convention negotiating process, as negotiators from national law enforcement agencies were continually confronted with civil society and corporate concerns. Indeed, the arguments by these two sets of stakeholders dovetailed to a remarkable extent, as their representatives periodically reminded governments of their concerns.

Governments responded, to an extent, by expanding safeguards provisions, such as those relating to mutual legal assistance. They also acknowledged the legitimate role of cybersecurity researchers (Article 53), but companies remain concerned that the conduct of such persons nonetheless could be captured through the UN Convention’s criminalization provisions.

Critics, however, remain largely unmoved by the result. Many continue to regard the UN Convention as a dangerous expansion from the Budapest Convention, despite their substantial degree of parallelism. Commentators suggest that the UN Convention provisions concerning human rights protections are unlikely to significantly increase protections against the practices of non-democratic countries such as China and Russia, since it is ultimately up to countries to apply such protections within the context of their own legal systems. Others similarly aver that the Budapest Convention can be considered more demanding when it comes to adherence to human rights standards. Another worry is that the UN Convention provision for liability of legal persons (Article 18) lacks the express criminal intent requirement of the Budapest Convention. Platform companies’ legitimate content moderation practices thus conceivably could be considered criminal interference with electronic data.

Moreover, the Budapest Convention is widely trusted because it is a known commodity, with a body of interpretation that has developed over 20 years, and dedicated oversight through the COE secretariat and the committee representing parties. The fact that many, though not all, parties to the Budapest Convention are democratic governments also contributes significantly to the UN Convention’s credibility among civil society and companies—something that a universal convention at the UN level will never achieve.

***

The Biden administration issued a temporizing statement before joining consensus on the final passage of the UN Convention at the UN General Assembly. The Trump administration—distrustful of multilateralism and attuned to risks to free expression—may be more skeptical.

The European Data Protection Board initially expressed caution about the UN Convention. EU member state governments and the European Commission see law enforcement value in the UN Convention, however, and both can be expected to sign.

A decision by the United States not to sign the UN Convention would substantially weaken the instrument’s effectiveness, since most repositories of data sought by foreign governments are currently stored in U.S. territory. “Without US participation and access to its vast pool of data, the treaty’s operational value will be close to zero,” concludes one organization focused on combating transnational crime. Such an outcome unquestionably would be a bitter defeat for law enforcement’s efforts to combat the latest forms of criminality. As Vietnam prepares its grand signing conference, the eventual practical value of the UN Convention remains in doubt.