Understanding Cyber Laws in the Globalised world: from the Budapest treaty to the UN

Introduction

Information and computer technology (ICTs) permeates every facet of one’s contemporary digital lifestyle. The expansion of technology and the use of the Internet have become a basic part of every individual, regardless of their age or work, be it student or employee. Some use ICTs to make their work and lifestyles hassle-free, but on the contrary some use ICTs for committing Cyber Crimes. Hence, cyber laws play a significant role as a foundational framework for ensuring human rights, i.e., ensuring security, protecting the right to privacy, and acting as regulatory governance in this contemporary cyberspace.

Globalisation has been a driving force behind the development of international law, which serves as a mechanism to regulate interactions among states. As L. Oppenheim, often regarded as the father of modern international law, defined it:

"The Law of Nations or International Law is the name for the body of customary and conventional rules which are considered legally binding by civilised States in their intercourse with each other.[1]"

In today’s digital age, technological advancements have transformed globalization into an interconnected digital ecosystem, mitigating geographical barriers and fostering seamless communication, trade, and innovation. A prime example of this transformation is e-commerce, which has revolutionized global commerce by enabling cross-border transactions and digital marketplaces.

However, this technological expansion—driven by the internet and emerging technologies such as artificial intelligence (AI), blockchain, and cloud computing—has not only boosted economies and strengthened communication networks but also introduced new vulnerabilities. The borderless nature of cyberspace presents significant legal and security challenges, necessitating a global regulatory framework to protect individuals, businesses, and states from cyber threats.

International Laws & Conventions

Unlike traditional or blue-collar crimes, cybercrime is not confined to any physical territory, it’s the meta world, which cannot be confined by national boundaries or laws and orders. Increasing cybercrimes like- breach of data, identity theft, and digital arrest, financial cyber frauds, threats the global security.   Cyber laws have become essential for protecting digitally sensitive information either of a company or of an individual, from cyber threats, and the need for the laws accelerated because of the interconnected nature of the digital landscape and additionally the need for a unified approach in the laws to combat cybercrime extra judicially.

1. Role of International Conventions in Regulating Cyber Laws

International Laws and conventions have played a significant role in combating cybercrimes because the state is not fully capable of prohibiting cybercrimes in a vacuum, because of its extra-territorial nature and its technological advancement. The interconnection of the digital world makes it a global problem, not a single-state issue, and for the decade there has been a continuous effort from international law, to make the state aware of the need to unite and coordinate actions against this global problem.[2].

To combat cybercrime with great effort, to strengthen global security, to bring uniformity in legal approaches and lastly, to protect human rights, several treaties and conventions have been introduced and developed, which have been discussed thoroughly. 

2. The Budapest Convention (2001)

After World War II, the 10 founding members, including all the members of the European Union (EU) and Council of Europe (COE) made a convention for the first time relating to cyber-crime and addressing the need for substantive and procedural laws, to expand its role beyond the territorial boundaries. It had an expansive view, following the recommendations of 1985 and 1989. A committee of Experts on Crime in Cyberspace was established for the drafting purpose in the year 1997[3].

This convention was the first binding convention that brought to light the increasing cybercrime, also known as the “European Convention on Cybercrime.[4].” The convention was opened for signature in the year November 2001 and came into force on July 01, 2004[5]. It was drawn by the Council of Europe in Strasbourg, with 64 other countries, including Japan, the United States, and others. Five Countries got the status of observer, and those countries were Canada, the Holy See, Japan, Mexico, and the United States of America.[6]” Although, India was a non-member of this convention.  

It was based upon three primary objectives, firstly it included that, “firstly, there was a need for the criminalisation of conduct; secondly focused on improving the techniques for investigation, focused on the procedural law tool, and lastly, required more cooperation among the nations for the effective international corporation, and it addresses the need to harmonise the national laws.” It addresses the most important cyber offences like illegal access of data or data infringement, misuse of devices, cyber fraud including cyber forgery, and the offence of child pornography. And, additionally, talk about the offences related to intellectual property rights, like infringement of the copyright.  The convention not only focuses on cyber offences, but also enables procedural powers, and its range is exhaustive.

It has two additional protocols as follows:

• 1^st Additional Protocol[7], which criminalised the acts committed through computer systems of a nature of racist and xenophobic.
• 2^nd Additional Protocol[8], was opened for signatory in March 2022, and has been designed to empower the effective investigation including electronic evidence.

This convention aimed for the free flow of the internet with restrictions that were defined to reconcile an effective criminal justice system with the safeguarding of human rights.  This convention was open to non-member states by invitation and achieved the unanimous decision of the parties of the convention.

A. Other Countries on Budapest Convention

The take on the convention could be easily understood by going through how many countries have signed the convention, ratified it or made it a part of their legislation:

• First, there is a category of countries that are part of COE, i.e., at the time of writing there were 12 members of COE that signed the convention but did not rectify it. Ironically, Russia which was part COE, did not even sign the convention.  
• The second category includes non-member states that had signed, i.e., Canada, Japan, and South Africa, and the invitation was sent to the nations that were, Argentina, Chile, Costa, Rica, The Dominica Republic, Mexico, and the Philippines.
• The Third category includes members that had ratified, including, the UK (2011), Malta (2012), and USA (2007).
• Lastly, the Fourth category includes non-member states that were preparing to ratify, including Australia, Canada, Japan, and Switzerland.  

The big advantage of this convention was the technologically neutral language, trying to address the jurisdiction issues, and talking about the procedural and substantive laws to combat cybercrime. 

B. Convention on Cyber-law & Sovereignty

This convention has also faced a lot of criticism, which could be considered as the reason for many nations' hesitation to sign this treaty and a few of them are:

• Violation of State Sovereignty, one of the major criticisms, as it infringes state sovereignty principle for accessing the data, and countries like Russia, India, and China are not in favour of giving access to European Authorities because of their national concern.
• The Euro-centric approach, primarily reflects the interests and values of European Nations, which made it difficult to create uniformity.
• Failure to address advanced and evolving digital threats, after having technological natural language, it had failed to address threats like spam, and other evolving digital cyber-crimes like deepfake.

They were the main reason for having an alternative approach, i.e., Russia proposing an alternative framework to the UN that would respect state sovereignty. Due to this reason, it has no binding force, although it acts as a Magna Carta for cyber laws, it is often used as a model law to shape their domestic cyber laws.  

3. Russia’s Convention on Cyber Crime

Russia, from the very beginning, was demanding a separate convention for cybercrime, because according to Russia, the European Convention on Cybercrime violates the state sovereignty and for years Russia has led a campaign that was in opposition to the Budapest Convention. And, for the same Russia-led initiative for a new cyber law convention in the UN. And, for almost 20 years Russia was proposing the UN make a treaty on the same.

• In the year 2017, Russia made an initial proposal and presented a draft named UN Convention in Combating Cybercrime, making it a formal beginning of a convention led by Russia on Cyber Crime before the UNGA. Iran and India also backed the argument of Russia.
• The idea was proposed in the year 2019 for the establishment of the Framework, sponsored by Russia, China and Cambodia also joined the proposal as a co-sponsor and India also voted in favour.  Russia proposed to call for the formation of this new committee to establish a new treaty that would allow nations and states to coordinate and share data according to their will to prevent cyber-crime.
• In the year 2020 in New York, there was an establishment Ad-Hoc Committee (AHC), to work on the recommendations as a response to Russia, and develop a comprehended framework on an international level.
• The treaty was then drafted for three years, and the year 2022 could be marked as a negotiation session; throughout the year 2022, multiple sessions occurred focusing on “definitions of cyber-crime, international corporation, and law enforcement power.”
• The finalized draft was published by AHC in June 2023, which includes the subsequent sessions, and addressed key issues like criminal offences and provisions of cross-border data access.

Recently, on 9^th of August, 2024[9] marked the victory of state sovereignty because the UN Office on Drugs and Crime announced the adoption of a “universal cybercrime convention” by the member state. This is the second International Convention on Cybercrimes protecting state sovereignty.  This convention is open for signature and ratification, and it will require at least 40 signatories from the countries, to come into force by 31^st December, 2026.

The Key theme of this convention, is that it has an inclusive, and broad definition of cyber-crime offences, it has tried to emphasise sovereignty issues, and has also the involvement of civil society organisations, that will ensure human rights integration with the framework of the convention.

The main critique of this convention is that it is too broad and could be easily misused and the criticism made by the Civil Society Organisation. The US, the UK, Japan, and Australia[10] Were against this convention because of the complexity of the treaty process, and according to them, there was no need to introduce a new convention. According to them, it is a duplicate of the old convention.

This marks the shift from the Budapest Convention towards the UN convention on cybercrimes, which will also respect sovereignty and will bring uniformity across the nations.

4. India’s take on these International Conventions

India has been very serious about its state’s sovereignty, and it has prioritised that and is in favour of the independent legislative approach whenever it comes to dealing with cyber-crimes, India’s stance on both of these important conventions is highly influenced by these considerations.

A. Budapest Convention (2001): India was a non-member, and was never a signatory of this convention because for the following reasons:

• This convention mandates the sharing of data with foreign law enforcement agencies, and India has prioritised State Sovereignty, India believed that it would violate the same, leading to raising concerns of rising jurisdictional interference of foreign executive bodies.
• India was excluded from the drafting process from the beginning of the drafting procedure.

B. Russia-led UN Convention on Cybercrime: India has been inclined towards this convention because it has a more inclusive approach, focuses and respects State Sovereignty, also this convention is aligned with India's Strategies, and that is the reason India has shown its inclination giving votes in favour of this convention. Although, India has still not rectified or signed the convention.

C. Despite its non-membership in international conventions, India has worked on its National Law Framework, and robust legislation to deal with the cyber-crimes:

• The Information Technology Act,2000 (IT ACT), is a specialised and primary legislation that deals with the punishment and definition of cyber offences like, “hacking (Section 66), Identity theft (section 66 C), Cyber terrorism (section 66 F), Unauthorised Access of Data and Data Breaches (section 43 & 66), and many more, it’s an inclusive act which with help of amendment can bring changes as required with technological advancement.
• Another important act, a new Criminal law, i.e., Bharatiya Nyaya Shanita (BNS, 2023), deals with offences like Cyber Fraud under section 317[11] Of the BNS, Cyber Stalking and harassment, including provision for Cyber Terrorism.
• The recognition of digital evidence and forensic Authentication of Digital Evidence is dealt with and explained under the Bharatiya Sakshya Adhiniyam (BSA, 2023).
• Additionally, India is also working on various policies to combat cyber offences, like the Digital Personal Data Protection Act, of 2023, which handles and regulates the handling the data access while safeguarding privacy rights, and others are building and establishing CERT-In[12], a nodal agency made up to respond to cybersecurity in India.

UN Initiatives: From where to here

From the year 1974, when the technologies started to advance and opened the gate for complex, unprecedented cyber-crimes, the UN has taken a lot of initiatives related to cyber-crimes and to make cyber laws and tried to encourage the international incorporation over a decade:

• The year 1990 to 2001, could mark an era of emerging awareness from, as initially, in the year 1990 the 8^th UN Crime Congress recognised computer-related offences for the first time, and adopted the principle and action plan to tackle the cyber offences in 1997. Afterwards, in the year 2001, the Budapest Convention was adopted by the EOC and became the first international treaty on cyber-crimes.
• Then, in the next decade, there was an adoption of various multilateral initiatives to encourage international cooperation between the member states. In the year 2002, The UN Commission on Crime Prevention and Criminal Justice (CPPCJ), was adopted to emphasize the need for the same, but failed to adopt advanced measures on cyber-crimes.
• In the present decade, the polarized approach has been adopted, in which an Expert Group Meeting was established in the year 2011, to study cyber-crimes as well as the diverse views of state members. And, in the year 2014, the Arab Convention on Combating IT offences was adopted.
• Later, in the year 2017, Russia-led initiatives addressing concern about human rights and safeguarding State Sovereignty submitted a draft on the same before the UN, which took over three years of drafting by AHC, 6 negotiation rounds in Vienna and New York, resulting in the agreement of the member state in the year 2023 and adoption by the UN in 2024, and open for signatory till the year 2026, marked as an establishment of second convention on cybercrimes.

Conclusion

For many years, cyberspace has marked its involvement in various aspects of the life of an individual. At the beginning of the expansion of cyberspace, the view was that effective governance and regulation in cyberspace could be achieved only through a multi-stakeholder approach which included multilayers like government, civil society, and digital organisation, but the development and evolutionary changes happened around the UN Cybercrime Convention has changed that view very effectively, and reflected a shift towards government-led incentives, with sovereignty in cyber laws is an emerging principle which is supported by the various strong nations. And, the UN is still in its early stages of dealing with cyber-crimes.

For the long run effectiveness, the international corporation is required to deal with the extra judicial cyber-crime, to safeguard human rights across the globe without any physical boundaries to deal with offences such as cyber terrorism, fraud, and breach of data. And, maintaining cooperation between nations is an important and difficult task for the effectiveness of the convention, and cyber-crimes like cyber war or cyber terrorism are global offences, as it affects the whole world in one way or another.

[1] Robert Jennings, Arthur Watts, Oppenheim's International Law. Volume I: Peace by Lassa Oppenheim.

[2] Jonathan Clough, A World of Difference: The Budapest Convention of Cybercrime and the Challenges of Harmonisation, 40 MONASH U. L. REV. 698 (2014).

[3] Council of Europe, 'Convention on Cybercrime (ETS No 185) Explanatory Report' (Explanatory Report). 

[4] Ibid.

[5] Convention.

[6] 'The Council of Europe's Relations with Non-Member States' (Council of Europe External Relations).    

[7] The criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No. 189)

[8] Enhanced cooperation and disclosure of electronic evidence (CETS No. 224)

[9] United Nations: Member States finalize a new cybercrime convention. (n.d.). United Nations : Office on Drugs and Crime.

[10] Isabella Wilkinson, What is the UN cybercrime treaty and why does it matter? Chatham House, The Royal Institute of International Affairs, 2025.

[11] Stolen property.

[12] Indian Computer Emergency Response Team.

Download