The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.
Largely unnoticed by the public, a major event took place in the past week. The Federal Senate of Brazil approved the draft legislative decree triggering Brazil’s adhesion to the Convention on Cybercrime, signed in Budapest, Hungary, in 2001, and usually referred to as the “Budapest Convention.”
This evolution has major consequences at both the national and international levels for Brazil. Let’s unpack them.
First, what is the Budapest Convention?
The Convention on Cybercrime was elaborated by the Council of Europe, the same organisation at the origin of “Convention 108” on the protection of personal data (the Budapest Convention is Council of Europe’s Convention N°185). It is the world’s first international treaty on cybercrime and fosters a cybercrime regulation compatible with human rights and rule of law. The treaty has three main objectives:
- First, it aims to harmonise national frameworks on the theme through the integration of a predefined list of cybercrimes (Articles 2-11) in the signatories’ domestic frameworks. It is important to highlight that the scope of the Convention covers not only crimes against computer systems and data, but also crimes committed through electronic means, such as fraud, diffusion of child sexual abuse material, and copyright infringement. This last issue deserves to be emphasised as the Convention’s provisions regarding the protection of intellectual property have been frequently criticised, as they can significantly expand the criminal responsibility in copyright infringement cases.
- Secondly, the Convention aims to improve the investigation techniques for cybercrimes, demanding that each participant nation foresees new search and seizure powers to local law enforcement authorities. These include the power to compel an Internet access provider to retain user data, and the power to monitor online activities in real time (Articles 16-22).
- Finally, the treaty promotes and expands international cooperation, for it requires that each Party assists the law enforcement authorities of other participant country’s “to the widest extent possible” (Articles 23-35).
Despite its European genesis, the treaty ended up attracting the attention of non-European nations, becoming a global reference. Since 2001, 66 countries have ratified the Convention, including several large non-European countries such as Argentina, Canada, Japan, South Africa, and the United States. By providing consistency and a technology-neutral approach to cybercrime, the Convention plays a useful role in setting international standards on a key issue that, by definition, involves and affects actors in different jurisdictions.
This treaty has been attracting the world’s interest because the fight against cybercrime and preservation of cybersecurity have become essential concerns for companies, public administrations, and any connected individual, but there is no other global instrument on the issue, although the United Nations have recently started a discussion on such a global agreement, which was first proposed by Russia.
What is the impact on Brazil?
Brazil will enjoy a framework with more efficient international cooperation and technical assistance, will be able to easily integrate the cybercrime taxonomy, and will have procedural tools to investigate, manage electronic evidence, prosecute, and adjudicate cybercrimes more efficiently.
It is worth mentioning that, to facilitate international cooperation, the Council of Europe supports the functioning of the “24/7 Network” including an official list of national contact points for expeditious assistance amongst Network members. Hence, Brazil will become a member of said Network, besides having to adapt its national normative frameworks to incorporate the international cooperation mechanisms, cybercrime categorisation, and shared forensics procedures.
To illustrate the impact, one can consider South Africa. After joining the Budapest Convention, the country has recently adopted the Cybercrimes Act to integrate the substantial and procedural elements of the treaty in its national framework.
The South-African example is also notable as Brazil and South Africa are the only two BRICS countries that have joined the Budapest Convention. Russia, India, and China, have traditionally resisted the Convention, considering its adoption by non-European countries as a capitulation to European imperialism, and have kept coordinating cybersecurity issues within the Shanghai Cooperation Organization of which they are all members.
Clearly, the accession to the Convention brings many advantages, but choosing this “Europe-led” model could complicate the Brazilian stance at the BRICS and UN levels.
How compatible are Budapest and BRICS?
The Brazilian Ministry of Foreign Affairs has welcomed Brazil’s accession to the treaty, stressing its positive impact. However, the implementation of the Convention will require some additional “gymnastics”, to make this new international commitment compatible with the ongoing BRICS and UN discussions.
The BRICS cooperation on cybersecurity started with the 2013 eThekwini Declaration and Action Plan, issued at the BRICS Summit held by South Africa, a few months after the Snowden revelations. On the occasion, BRICS leaders, understanding the reach of the programs revealed by Snowden, called for the elaboration of “universally accepted norms, standards and practices” on cybersecurity.
With a very low profile, cybersecurity cooperation amongst BRICS has been growing steadily, thanks to the “Working Group of Experts of the BRICS States on security in the use of ICTs”, established in 2014 with a mandate to share information and good practices to “develop practical cooperation with each other in order to address common security challenges in the use of ICTs.”
The latest BRICS meeting, held in New Delhi, has represented a turning point in the “pentalateral” cooperation on digital matters. Particularly, the concluding statement of the 2021 BRICS Summit included new pledges on cybersecurity to “establish legal frameworks of cooperation among BRICS” and BRICS intergovernmental agreements on the issues.
In their joint statements, BRICS leaders have consistently emphasised that the UN is the most appropriate venue for international policy development on cybersecurity and cybercrime, and they have devoted considerable effort in this regard.
The BRICS 2021 Declaration also praised the consensus found in the recent report by the “UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security”, composed of experts from 25 countries that included representatives of all the BRICS.
Therefore, the implementation of the Budapest Convention requires a very careful effort from Brazil to integrate a framework with a clear European inspiration, while also developing an internationally binding treaty on cybercrime at the UN, and also simultaneously exploring intra-BRICS agreements on cybersecurity.
Being able to achieve all these results will not be easy and will require remarkable coordination between the Brazilian Legislature and the Foreign Affairs Ministry. It will be highly interesting to observe what will happen in the “smaller” BRICS club as it will probably reveal a lot of what to be expected from the global negotiations at the UN level.
Luca Belli is a professor at FGV Law School, where he directs the Center for Technology and Society at FGV and the CyberBRICS project. Views expressed are personal and do not necessarily reflect the views of MediaNama.
Originally published in Medianama.