The First International Convention on Cybercrime
On October 25, 2025, the United Nations Convention against Cybercrime was opened for signature. The Convention was widely accepted and signed by 72 countries. Though concerns have been raised by human rights groups about provisions regarding surveillance, collection and sharing of data, the Convention is a landmark step insofar as it aims to facilitate international cooperation in prosecuting cybercrimes. The Convention criminalizes acts like illegal interception, online forgery, online fraud, child pornography, dissemination of non-consensual obscene images, money laundering etc. Further, it provides for procedural measures like preservation and disclosure of relevant data.
Intersection with Data Protection
The Convention gives five definitions in the context of data protection:
· Electronic Data: It means any representation of facts, information or concepts in a form suitable for processing in an information and communications technology system. This is the broadest category and may include any digital information existing on a computer or online system.
· Traffic Data: It means any electronic data relating to a communication by means of an information and communications technology system, generated by an information and communications technology system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration or type of underlying service. Metadata may be an example of the same.
· Subscriber Information: It means information that is held by a service provider, relating to subscribers of its services, other than traffic or content data, which may be useful in disclosing the identity of the subscriber or the type of communication service used. It may include name, address, location, email ID, phone number etc.
· Content Data: It means any electronic data, other than subscriber information or traffic data, relating to the substance of the data transferred by an information and communications technology system, including, but not limited to, images, text messages, voice messages, audio recordings and video recordings.
· Personal Data: It means any information relating to an identified or identifiable natural person. Therefore, this may include any of the above categories if they identify an individual.
The Convention obliges State parties to mutually assist one another in disclosing electronic data, collecting traffic data and intercepting content data (Art. 40). State parties may request one another to preserve, access, seize and disclose electronic data (Art. 41 and 44). Further, State parties are obliged to expeditiously disclose traffic data (Art. 42). State parties shall also endeavour to provide mutual assistance for collection and recording of content data (Art. 46). As all these categories are capable of containing personal data, the Convention provides certain measures for the secure transfer of personal data.
Measures to Protect Personal Data
Article 36 of the Convention deals with the protection of personal data and provides for the following safeguards:
· Transfer of personal data between State parties must be in accordance with domestic data protection laws, and if this cannot be achieved, a State party may deny transfer of personal data.
· State parties can impose conditions on the transfer in order to comply with domestic laws.
· State parties may enter into bilateral or multilateral data sharing agreements in order to facilitate the transfer of personal data.
· State parties receiving the personal data must ensure the existence of appropriate safeguards for the protection of such personal data.
· Before transferring personal data to another country or international organization, the receiving State party must obtain express authorization from the transferring State party.
Though authorization is required for transfer of personal data to another country or international organization, the Convention is silent on intra-country transfers and management of personal data. Even if contractual obligations exist prior to such transfer, if the receiving party lacks the infrastructure to honour those obligations, it can lead to a serious privacy concern.
Moreover, the Convention is silent on the manner of intra-country utilisation of the received personal data. As multiple organisations including private entities are involved in the detection and prosecution of crimes, it becomes important to clearly highlight data protection obligations to ensure the right to privacy.
Is this the time to evolve international standards on data protection?
The Convention mentions bilateral and multilateral agreements as a prospective solution to address privacy concerns. When such broad powers of surveillance, transfers, interception and identification are being conferred, it becomes important to develop international standards for data protection. As data protection laws vary across States, it may become difficult to achieve the requisite standards. Therefore, this is the appropriate time to deliberate upon bare minimum uniform practices in respect of data protection in order to build a robust data protection mechanism globally.


