Unlimited Evidence Gathering: EU Ratifies Controversial UN Cybercrime Convention

The EU Council has authorized the Commission and member states to sign the UN agreement against cybercrime. Civil rights? Downplayed.


It is becoming increasingly likely that the highly controversial United Nations convention on combating cybercrime will soon actually come into effect. The EU Council of Ministers has set the course for this. In a decision published on Monday, October 7, the body of government representatives authorizes the EU Commission and the 27 member states to sign the UN Cybercrime Convention.

The international treaty dates back to a proposal by Russia and China from 2017. It has been contentious from the outset. Among the biggest points of contention are regulations for cross-border access to personal data, for example in cloud services (E-Evidence), on extradition procedures, mutual legal assistance, and the liability of service providers. Civil rights activists and tech corporations have protested against the initiative for years. They fear disproportionate surveillance that could be used for repressive purposes.

“IT fraud, large-scale hacker attacks, the scourge of sexual abuse and exploitation of children on the internet, and other forms of cybercrime are on the rise,” said Danish Minister of Justice Peter Hummelgaard on behalf of the Council Presidency, justifying the EU's support. “By adopting this international legal instrument, we have now taken an important step in our global fight against this type of crime.”

The convention can be signed from October 25 until the end of 2026. It will enter into force 90 days after the deposit of the 40th instrument of ratification, acceptance, approval, or accession. With the Council decision, well over half of the way to that threshold should be covered, provided individual EU countries do not back out. The Council Presidency intends to prioritize the completion of further formalities and also to request the consent of the EU Parliament.

A key aspect of the convention is the harmonization of the criminalization of certain cyber offenses among participating countries. All signatory states commit to criminalizing behaviors such as online fraud or illegal interception of messages in their national legislation. The agreement also aims to advance the criminalization of online material related to child sexual abuse, grooming, and the non-consensual distribution of intimate images. These are already offenses at the EU level, but not yet at a broader international level.

Countries that ratify the agreement commit to cooperating in the investigation and prosecution of the offenses it covers. This includes the collection and sharing of electronic evidence. This also applies to cases of international organized crime, provided they can be punished with a prison sentence of at least four years. This threshold is not particularly high.

Critics complain that the treaty “grants unlimited powers for evidence collection for crimes that have little to do with cybercrime.” At the same time, the convention contains only “minimal safeguards and restrictions.” They see fundamental rights, such as the right to privacy and freedom of expression, as acutely threatened. The EU Council, on the other hand, emphasizes: “The Convention contains important safeguards to prevent its misuse by participating countries to commit or legitimize human rights violations.”

(dahe)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.