Convention on Cybercrime
November 13, 2018
Reading Time: 5 minutes
Reading Time: 5 minutes
Image Credit: Gordonkoff/depositphotos
This LKI Explainer examines the key aspects of the Convention on Cybercrime, which Sri Lanka is party to. It highlights some of the emerging challenges and its role in Sri Lanka as a vital international legal instrument to regulate cybercrime.
- What are Cybercrimes?
- What is Cybersecurity and why is it important?
- What is the Budapest Convention on Cybercrime?
- What are the key features of the Convention?
- What are the objectives and priorities of the Convention?
- What are the responsibilities and obligations incumbent upon the State Parties to the Convention?
- Benefits and drawbacks of the Convention
- Implementation of the Convention in the Sri Lanka
- Key Readings
1. What are Cybercrimes?
- Cybercrimes are defined as crimes committed through the internet using a computer. This includes a wide range of offences against computer data and systems (such as ‘hacking’), computer-related forgery and fraud (such as ‘phishing’), content offences (such as disseminating child pornography), and copyright offences (such as the dissemination of pirated content).1
2. What is Cybersecurity and why is it important?
- Cybersecurity is the protection of computer networks, programs and other internet connected systems from cyberattacks.
- Cyberattacks could do irreparable and irreversible damage to businesses and persons. This includes the misuse of personal information such as email addresses and credit card information, or huge financial losses to multinational organisations. For instance, the Bangladeshi Central Bank was recently hacked and millions of dollars were transferred to dubious NGOs registered in Sri Lanka.2
- With Sri Lanka’s ambition to make Colombo a Global Financial Centre, strengthening of cybersecurity is imperative to enable a safer, reliable and more conducive environment for persons and organisations. Sri Lanka also has a rapidly growing Information Technology market amounting to USD 900 Million worth exports and employing a workforce of over 85,000.3
- Key priorities include increasing awareness, and developing related skills for law enforcement personnel, stakeholders and the general public.
3. What is the Budapest Convention on Cybercrime?
- The Convention on Cybercrime (also known as the Budapest Convention) is the first international convention4 set out to pursue a common criminal policy against cybercrime. It promotes the harmonisation of national laws, capacity building, and the fostering of international cooperation.
- The Convention was drafted by the Council of Europe and was opened for signatures on 23 November 2001. It entered into force on 1 July 2004.5
Figure 1: The Reach of the Budapest Convention as a guideline
Source: Alexander Seger6
4. What are the key features of the Convention?
- The Convention facilitates the detection, investigation and prosecution of crimes committed via the internet and other computer systems. This includes aiding or abetting the commission of an offence.
Figure 2: The Scope of the Convention
Source: Alexander Seger 7
* MLA- Mutual Legal Assistance – is an agreement between two or more States to gather and exchange information in an effort to enforce criminal law.
- The Convention broadly operates on three dimensions.8 First, it criminalises conduct such as illegal access and data interference. Second, it provides the procedural tools for states to follow, this includes search and seizure of computers and other devices used in the criminal activity. Finally, it places upon States an obligation for mutual cooperation in assisting with the investigations.
- The Budapest Convention is further supplemented by an Additional Protocol adopted in 2003, which makes using computer networks to publish xenophobic and racist propaganda, a punishable offence.9
5. What are the objectives and priorities of the Convention?
- The Convention aims to:
- Pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime;
- Build the capacity of countries to combat cybercrime; and
- Function as a mutual information sharing channel in order to facilitate better law enforcement.
- The Preamble of the Convention emphasises the importance of maintaining a proper balance between the interest of law enforcement and respect for fundamental human rights, specifically the right to hold opinions without interference, freedom of expression and the rights concerning the respect for privacy.
6. What are the responsibilities and obligations incumbent upon the State Parties to the Convention?
- Each party is required to adopt legislative and other measures to establish the offences listed in Convention as criminal offences under its domestic law.
- Parties are primarily required to:
- Provide mutual assistance to states investigating crimes under the Convention;
- Allow search and seizure of stored computer data for investigations;
- Extradite those charged with cybercrimes or prosecute them domestically;
- Real-time collection of internet traffic data including IP addresses and email header information; and
- Preserve computer data for up to 90 days.
7. Benefits and drawbacks of the Convention
Benefits of the Convention:
- The Convention sets a normative standard within the international legal framework, acknowledging the need to pursue a common criminal policy and procedural law in relation to cybercrimes.
- It contains provisions concerning mutual assistance as well as extradition rules to further facilitate and enhance international cooperation.10
- It promotes cooperation between State parties and the private sector.
Drawbacks of the Convention:
- It does not cover a wide range of cybercrimes including identity theft, sexual grooming of children, and unsolicited emails and spam.
- Mutual legal assistance facilitated by the Convention is too complex and lengthy, rendering it inefficient in practice.11
- Enforcement of the Convention is limited since over two-thirds of States have not ratified the treaty.
8. Implementation of the Convention in Sri Lanka
- Sri Lanka ratified the convention in May 2015, becoming the first South Asian country and the second Asian Country (after Japan) to ratify the Convention.
- Preparation towards ratifying the Convention was carried out over several years under the “e-Sri Lanka Development Initiative.”12 This included regulatory reforms through the adoption of relevant legislation and capacity building.
- In June 2006, the Sri Lanka Computer Emergency Readiness Team Coordination Centre (Sri Lanka CERT) was established in collaboration with ICTA Sri Lanka. It acts as the focal point for cybersecurity in Sri Lanka.13
9. Key Readings
Clough, J. (2014). ‘A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation.’ Monash University Law Review,pp.702 [online].
(Accessed on 11 June 2018).
Daily FT. (2016). Bangladesh Bank hackers compromised SWIFT software, warning to be issued. [online] Available at: http://www.ft.lk/article/538316/Bangladesh-Bank-hackers-compromised-SWIFT-software–warning-to-be-issued (Accessed on 26 April 2016).
United Nations Office on Drugs and Crime. (2013). Comprehensive Study on Cybercrimes, New York: United Nations. [online]. Available at: https://www.unodc.org/documents/commissions/CCPCJ/CCPCJ_Sessions/CCPCJ_22/_E-CN15-2013-CRP05/Comprehensive_study_on_cybercrime.pdf (Accessed on 5 June 2018).
Shalini, S. (2016). ‘Budapest Convention on Cybercrime – An Overview.’ Centre For Communication Governance. [Online]. Available at: https://ccgnludelhi.wordpress.com/2016/03/03/budapest-convention-on-cybercrime-an-overview/ (Accessed on 9 June 2018).
1 United Nations Office on Drugs and Crime. (2010). UNODC Transnational Organized Crime Threat
Assessment – Cybercrime. [Online].
Available at: https://www.unodc.org/documents/data-and-analysis/tocta/10.Cybercrime.pdf (Accessed on 11 June 2018)
2 Fernando, J. (2016). ‘Cybercrime Legislation in Sri Lanka’. Available at: https://rm.coe.int/16806bdcd8 (Accessed on 8 November 2018).
3 Sri Lanka Export Development Board. (2018). ICT Services Overview. [online] Available at: http://www.srilankabusiness.com/export-services/ict/ [Accessed 2 Nov. 2018].
4 Council of Europe. (2004). Details of Treaty No. 185 Convention on Cybercrime [Online]. Available at: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185 (Accessed on 5 June 2018).
6 Seger, A. (2016). ‘Implementation of the Budapest Convention on Cybercrime’. [PowerPoint Presentation]. Available at: http://www.oas.org/juridico/pdfs/cyb9_coe_cyb_oas_dec16_v1.pdf
(Accessed on 7 October 2018).
8 Council of Europe. (2001). ‘The Convention on Cybercrime.’ European Treaty Services 185 [Online]. Available at: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf (Accessed on 12 July 2018).
9 Council of Europe (2003) ‘The Additional Protocol of the Budapest Convention’ European Treaty Services 189 [Online].
Available at: https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=090000168008160f (Accessed 11 June 2018).
10United Nations Office on Drugs and Crime. (2013). Comprehensive Study on Cybercrimes, New York: United Nations. [Online] Available at: https://www.unodc.org/documents/commissions/CCPCJ/CCPCJ_Sessions/CCPCJ_22/_E-CN15-2013-CRP05/Comprehensive_study_on_cybercrime.pdf (Accessed on 5 June 2018).
11 Shalini, S. (2016). ‘Budapest Convention on Cybercrime- An Overview.’ Centre For Communication Governance. [Online] Available at:
(Accessed 9 June 2018).
12 Fernando, J. (2016) ‘Cybercrime Legislation in Sri Lanka’. Available at: https://rm.coe.int/16806bdcd8 (Accessed on 8 November 2018).
13 Sri Lanka CERT|CC. (2018). Sri Lanka Computer Emergency Readiness Team | Coordination Centre (Sri Lanka CERT). [online] Available at: http://www.slcert.gov.lk/aboutUs.php (Accessed 13 Nov. 2018).
MLA Mutual Legal Assistance
ICTA Information Technology and Communication Act
*Nilupul Gunawardena is a Research Fellow at the Lakshman Kadirgamar Institute of International Relations and Strategic Studies (LKI). The opinions expressed in this article are the author’s own views. They are not the institutional views of LKI, and do not necessarily represent or reflect the position of any other institution or individual with which the author is affiliated.