The Draft Convention on Cybercrime has faced criticism from
privacy activists and industry. US companies were concerned that
police of former Soviet-bloc nations might exploit new powers it
provides. They worry that all ISPs, telcos and other businesses
would have to co-operate with warrants issued by foreign courts,
exposing their trade secrets.
ISPs were concerned by data storage requirements, although the
Convention’s terms are less burdensome than some commentators first
thought. In the UK, the Regulation of Investigatory Powers Act
already makes interception possible in certain circumstances and
similar laws exist in other European countries. The text of the
draft Cybercrime Convention provides that data should be held for
at least 60 days – but it does not require all data to be held.
A request for preserving the data must specify, among other
things, the offence that is the subject of a criminal
investigation, the authority seeking the preservation, the stored
computer data to be preserved and its relationship to the offence,
together with any available information to identify the custodian
of the stored computer data or the location of the computer system.
The party receiving such a request must comply in accordance with
its domestic law.
In response to privacy concerns, previous drafts of the
Convention have been amended to provide that signatories must
ensure any national laws implementing the Convention respect
international human rights conventions and be subject to “judicial
or other independent supervision.”
The new draft will be submitted in June to the European
Committee on Crime Problems and in September to the Council’s
Committee of Ministers for adoption. Ratification by member states
is expected over the next year or two.
The Council describes it as “the first ever international treaty
to address criminal law and procedural aspects of various types of
criminal behaviour directed against computer systems, networks or
data and other types of similar misuse.”
