Opinion No. 226 (2001)
Draft convention on cybercrime
The Assembly considers the fight against cybercrime to be a crucially important challenge in view of the obstacle which this form of crime may pose to the development of new technologies.
The Assembly notes that support for a binding legal instrument is unanimous, on the basis that specific international controls and the harmonisation of domestic laws will compensate for the failings of regulation left entirely in the hands of the operators concerned and for certain countries’ policy of uncompromising suppression. It therefore welcomes the preparation of the draft convention as the first international text in its field.
While recognising that the new convention will provide a substantial response to immediate requirements, the Assembly points out that the text will need to retain a certain amount of flexibility allowing for the relatively changeable nature of the different forms of cybercrime and the speed with which the new technologies are developing. It notes that the draft convention has been negotiated and will be adopted by states which possess the necessary technology to combat cybercrime, and that this fact will inevitably influence other states’ policy choices.
In the view of the Assembly, it is essential that there be common definitions of criminal offences, that the private sector continue to work on rendering computer networks secure; that governments issue appropriate and proportionate domestic legislation; that the business community, law enforcement bodies and civil society engage in dialogue; that an effort be made to standardise security procedures; and finally that awareness-raising programmes be launched.
The Assembly supports the draft convention on cybercrime presented by the Committee of Experts on Crime in Cyberspace (PC-CY) with the aim of pursuing “a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation”, while upholding the imperatives of individual freedom.
The Assembly considers that the text rightly follows the lead of the various recommendations adopted by the Committee of Ministers by laying down an obligation for parties to criminalise certain offences, and it welcomes the fact that the European Commission’s communication on “creating a safer information society by improving the security of information infrastructures and combating computer-related crime” drew inspiration from the convention, thereby proving to cybercriminals that they face united opposition.
The Assembly believes that the challenge which the draft convention presents to national legal systems in terms of personal data protection necessitates extreme vigilance on its part. In this connection, it expresses its concern about the differing degree to which guarantees relating to government intrusion are honoured in Council of Europe member states as compared with non-members, even though the gap is being narrowed by the adoption of appropriate legislation in the latter countries.
The Assembly considers that the rights guaranteed by the draft convention must also be effectively protected in cases of transborder personal data transfers to third countries by surrounding such transfers with suitable safeguards. In this context, it takes note of the agreement reached between the European Commission and the United States, despite European Parliament reservations, on “safe harbours”.
The Assembly reiterates its appeal to the Committee of Ministers to assist states which are not yet party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data to introduce appropriate regulations in this field.
Accordingly, the Assembly recommends that the Committee of Ministers amend the draft convention as follows:
in the preamble, remove the brackets around “as conferred e.g. by the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” and “Recommendation No. R (87) 15 regulating the use of personal data in the police sector” and add, after this last phrase, “Recommendation No. R (97) 18 concerning the protection of personal data collected and processed for statistical purposes”;
at the end of the first sentence in Article 2, add the following phrase:
“, where that system is protected and recognised as such in domestic law”;
add the following sentence at the end of Article 3:
“These provisions extend to private and confidential professional communications from employees of private firms.”;
add the following sentence at the end of Article 5:
“These provisions extend to the sending of unsolicited electronic mail which obstructs the functioning of a computer system and to unsolicited inclusions on mailing lists.”;
in Article 6.1.a.1, replace the word “primarily” by the word “specifically”;
in Article 6.3, replace the words “in paragraph 1 (a) (2)” by “in paragraph 1 (a) (1)”;
in Article 10.3, delete the phrase “that other effective remedies are available and”;
in Article 11.1, replace “in accordance with Articles 2-10” by “in accordance with Articles 2 to 9”;
in Article 11.2, replace “in accordance with Articles 3 to 5, 7, 8, 9 (1) (a) and 9 (1) (c)” by “in accordance with Articles 3 to 5, 7, 8, 9 (1) (a), 9 (1) (b), 9 (1) (c) and 9 (1) (d)”;
in Article 13.1, replace “in accordance with Articles 2-11” by “in accordance with Articles 2 to 9 and 11” and add “and monetary sanctions” at the end of the paragraph;
insert a new paragraph 2 in Article 13:
“Each party shall take the necessary legislative and other measures to ensure that the criminal offences established in accordance with Article 10 are punishable by effective, proportionate and dissuasive sanctions”;
in Article 13.1, thus amended, and new Article 13.2, indicate what constitute permissible effective, proportionate and dissuasive sanctions, including deprivation of liberty, and monetary sanctions;
in new Article 13.3, indicate what constitute permissible effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions;
at the end of footnote 29 to Article 15, add “and the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”;
Replace Article 15 with the following text:
“Each party shall adopt, for the implementation and application of the powers and procedures referred to in this section, legislative and other measures establishing conditions and safeguards that will adequately protect human rights, in particular as provided in the Convention for the Protection of Human Rights and Fundamental Freedoms and its protocols and the International Covenant on Civil and Political Rights. The implementation of such measures shall require independent and effective control, based in each specific instance on findings of fact concerning the crime and specifying the person whose privacy is to be interfered with, with due regard for the proportionality of the specific powers and procedures to the nature and circumstances of the offence.”;
in Article 16.1, remove the brackets around “specified”;
in Article 16.2, replace “as necessary” by “from a minimum of sixty days to a maximum of one year”;
in Article 18.3, replace “users of its service” by “subscribers”;
at the end of Article 27.4.b, add “, with due regard to the generally accepted guarantees concerning data protection”;
remove the brackets around Article 27 bis and replace “may” by “shall” in paragraphs 2 and 4;
in Article 29.7, replace “not less than sixty days” by “from a minimum of sixty days to a maximum of one year”;
insert the following paragraph after Article 39.2:
“Where such an agreement or treaty is applied or relations are otherwise established in respect of the matters dealt with in the present Convention, this shall be done in accordance with the principles of this Convention.”;
lastly, provide a clear and detailed definition of the term “traffic data”.
The Assembly also recommends that the Committee of Ministers urge member states which have not already done so, as well as non-member countries wishing to accede to the new convention:
to sign and ratify the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, then its new additional protocol, as soon as possible;
to legislate on the protection of personal data on the basis of the principles contained in the convention mentioned in sub-paragraph i above.
The Assembly recommends that the Committee of Ministers seek to ensure that the new convention and European Community legislation in the field are compatible with each other.
Finally, the Assembly recommends immediately drawing up a protocol to the new convention under the title “Broadening the scope of the convention to include new forms of offence”, with the purpose of defining and criminalising the dissemination of racist propaganda, abusive storage of hateful messages, use of the Internet for trafficking in human beings, and the obstruction of the functioning of computer systems by “spamming” (sending “junk e-mail”).
The Assembly invites the Committee of Ministers to put the text of the draft convention before the Assembly again after the Committee of Ministers has decided upon that text, should substantial changes have been made other than those proposed by the Assembly.
Assembly debate on 24 April 2001 (11th Sitting) (see Doc.
9031, report of the Committee on Legal Affairs and Human Rights,
rapporteur: Mr Tallo).
Text adopted by the Assembly on 24 April 2001 (11th Sitting).