Introduction
In today’s interconnected digital landscape, cybersecurity and data protection have become crucial concerns for individuals, businesses, and governments worldwide. The rise of sophisticated cyber threats and increasing data privacy issues have led many countries to develop legal frameworks aimed at safeguarding data and securing cyberspace.[1] However, the global nature of cyber risks and data flows calls for collaborative international frameworks to ensure consistent cybersecurity standards and data protection measures. This need has prompted organizations like the United Nations, European Union (EU), Council of Europe, and the Organization for Economic Cooperation and Development (OECD) to introduce treaties, regulations, and guidelines aimed at harmonizing cybersecurity and data privacy laws.
First, it is essential to understand what cybersecurity is and to identify its most pressing challenges. The Cybersecurity and Infrastructure Security Agency (U.S. CISA) defines cybersecurity as protecting networks, devices, and data from unauthorized access and ensuring the confidentiality, integrity, and availability of information.[2] It includes technologies, practices, and policies aimed at preventing cyberattacks and safeguarding computer systems, applications, data, financial assets, and individuals from threats such as ransomware, malware, phishing, and data theft.[3] Cybersecurity is a critical global challenge as cyber threats grow in scale and sophistication, affecting organizations and governments worldwide.[4] The Computer Crime Research Center estimates that cybercrime costs will exceed $12 trillion by 2025.[5] Insufficient cybersecurity measures leave economies, governments, and individuals vulnerable to identity theft and privacy violations. As attacks increase, cybersecurity becomes essential to global stability, requiring international cooperation, strategic investments, and a collective commitment to combat these threats.
The interconnectedness of digital infrastructure allows cyber threats to easily cross borders, causing widespread damage. A data breach in one country can impact international markets, highlighting the economic risks of weak cybersecurity.[6] Attacks on critical infrastructure, like energy grids and healthcare systems, pose national security risks.[7] As Cybersecurity Ventures reports, global spending on cybersecurity is expected to exceed $1.75 trillion from 2021 to 2025.[8] It might be surprising to learn that even prominent international institutions aren’t immune to cyber threats. In 2015, the Permanent Court of Arbitration (PCA)—a key player in resolving international disputes—fell victim to a significant cyberattack.[9] This breach compromised the PCA’s website, implanting malware that infected visitors’ computers and potentially exposed them to data theft.[10] As cyber threats escalate, cohesive international legal frameworks for cybersecurity and data protection are urgently needed. Countries are recognizing the ineffectiveness of a fragmented approach, prompting efforts to establish international standards and cooperative policies to strengthen global responses to cybercrime.[11] In the following sections, this essay examines key international legal frameworks that address these challenges and ongoing efforts to create a unified approach to cybersecurity.
Key International Legal Frameworks on Cybersecurity
I. The Budapest Convention on Cybercrime[12]
The Budapest Convention on Cybercrime, formally known as the Convention on Cybercrime of the Council of Europe, was opened for signature on November 23, 2001, as the first international treaty addressing crimes committed via the internet and other computer networks.[13] It was created in response to the rising prevalence of cybercrime in the late 1990s due to increased internet usage. Recognizing the need for international cooperation, the Council of Europe initiated a collaborative drafting process involving legal experts, law enforcement agencies, and member state representatives.[14] The Convention aims to balance effective law enforcement with the protection of fundamental rights, such as privacy and freedom of expression. It establishes a framework for mutual assistance among countries, enabling them to share information and resources during cybercrime investigations.[15] By promoting common standards for the investigation and prosecution of cybercrime, the Convention seeks to harmonize national laws and enhance cooperation in transnational cases.
The Budapest Convention includes crucial articles on cybersecurity and data protection. Title 1 covers offenses related to unauthorized access, data manipulation, system interference, and misuse of devices. The Convention also addresses cybercrimes involving fraud, forgery, child pornography, and intellectual property infringements. These measures aim to protect computer systems and data from malicious activities.[16] Article 24 facilitates international cooperation through extradition, allowing countries to request the transfer of accused cybercriminals to face justice.[17] Finally, Article 25 promotes mutual legal assistance in collecting evidence, enabling countries to collaborate in investigations and ensuring that digital evidence can be effectively gathered across borders.[18] Together, these provisions form a comprehensive framework that strengthens the international response to cybercrime.
II. The General Data Protection Regulation (GDPR)[19]
The General Data Protection Regulation (GDPR) is a significant advancement in data protection law, setting strict standards for personal data processing and storage in the European Union (EU). Applicable from May 25, 2018, the GDPR aimed to unify data protection laws across member states and enhance individuals’ control over their data. Its origins trace back to the European Data Protection Directive (95/46/EC) from 1995, which was deemed inadequate as technology and data practices evolved.[20] The GDPR’s drafting involved extensive consultation among EU institutions, member states, and civil society, initiated by a proposal from the European Commission in 2012 to reform the data protection framework in response to growing digital technologies and global data flows.[21] After years of discussions, the final GDPR text was approved by the European Parliament and the Council of the European Union in April 2016.
GDPR is built around several key principles and rights that protect individuals’ personal data. Article 5 emphasizes lawful, fair, and transparent processing, requiring data collection for specific, legitimate purposes while ensuring it is limited, accurate, and up to date.[22] Article 6 outlines the conditions for lawful processing, such as obtaining consent and fulfilling legal obligations, reinforcing the regulation’s commitment to protecting individuals’ rights.[23] Article 32 focuses on data security, mandating that data controllers and processors implement appropriate technical and organizational measures to safeguard personal data against breaches.[24] Additionally, Article 25 introduces “data protection by design and by default,” requiring organizations to integrate data protection measures into their processes from the outset, thereby minimizing unnecessary data collection and enhancing overall privacy.[25]
III. The EU Cybersecurity Act[26]
The EU Cybersecurity Act, officially known as Regulation (EU) 2019/881, was adopted on April 17, 2019, as part of the EU’s broader strategy to enhance cybersecurity across the region.[27] In response to the increasing frequency and sophistication of cyber threats, this legislation established a comprehensive framework aimed at improving the overall level of cybersecurity within the EU. Its roots trace back to the Cybersecurity Strategy for the EU adopted in 2013, which led to the creation of the European Union Agency for Cybersecurity (ENISA) and the development of a coordinated response to cybersecurity challenges.[28] The Act further strengthens ENISA’s mandate and introduces a European cybersecurity certification framework.[29]
The EU Cybersecurity Act establishes a cybersecurity certification framework for products, services, and processes, aiming to enhance trust and security within the internal market. Article 1 highlights the regulation’s general objectives, which include enhancing network and information security across the EU,[30] while Article 3 details ENISA’s specific tasks, such as supporting cybersecurity policy development and building EU-wide capacity.[31] Article 4 assigns ENISA the role of promoting and providing advice on cybersecurity certification.[32] Additionally, Article 7 outlines ENISA’s support for operational cooperation at the Union level, including facilitating information exchange, advising Member States on cybersecurity incidents, organizing exercises, providing a technical situation report, and assisting in the response to large-scale cross-border cybersecurity crises.[33]
IV. UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security[34]
The United Nations Group of Governmental Experts (GGE) on cybersecurity has been pivotal in establishing international norms for responsible state behavior in cyberspace since its formation in 2004. Convened by the UN General Assembly amid rising concerns about the misuse of information and communication technologies (ICTs) and potential cyber conflicts, the GGE examines threats to international security and recommends guiding norms. A key milestone was the 2013 third report, which recognized that existing international law, including the UN Charter, applies to state behavior in cyberspace, affirming that principles such as sovereignty, non-intervention, and the prohibition on the use of force are relevant in this domain.[35]
The GGE’s 2015 report built upon previous work by introducing voluntary, non-binding norms to enhance cybersecurity stability. Section III of the report underscores the need for states to protect critical infrastructure by not allowing their territory to be used for internationally wrongful acts involving ICTs, and advises against actions that could harm another state’s infrastructure.[36] Section V emphasizes cooperation among states to address ICT-related threats through information sharing and confidence-building measures, fostering a more secure global cyberspace.[37] Additionally, section VI highlights the importance of aligning cyber policies with human rights, ensuring that actions in cyberspace respect fundamental freedoms such as privacy and freedom of expression.[38]
The GGE’s work is not without its challenges. The group has often struggled to reach consensus on specific issues due to differing national interests and perspectives on sovereignty, security, and the role of state control over ICTs.[39] Despite these challenges, the GGE’s reports have been instrumental in shaping the global discourse on cybersecurity, influencing other international frameworks and regional organizations, including the EU and NATO.[40] Through its norms and principles, the GGE has laid the groundwork for a rules-based international order in cyberspace, even as it continues to grapple with complex issues like attribution, deterrence, and the role of non-state actors in cyber conflict.
Conclusion
In conclusion, international legal frameworks on cybersecurity and data protection are vital in addressing the challenges of the digital age. As cyber threats grow and data breaches increase, these frameworks provide essential guidelines that promote security, accountability, and trust. By fostering cooperation among nations and stakeholders, they establish norms for responsible behavior in cyberspace while protecting individual rights and privacy. As technology evolves, it is crucial for these frameworks to adapt to ensure they effectively safeguard national and global cybersecurity interests, balance human rights, and create a safer digital landscape for all.
[1] Cybersecurity Rules Saw Big Changes in 2024: Here’s What to Know, World Economic Forum (Oct. 17, 2024), https://www.weforum.org/stories/2024/10/cybersecurity-regulation-changes-nis2-eu-2024/.
[2] Cybersecurity and Infrastructure Security Agency, What is Cybersecurity? (Feb. 1, 2021), https://www.cisa.gov/news-events/news/what-cybersecurity.
[3] Gregg Lindemulder & Matt Kosinski, What Is Cybersecurity?, IBM, https://www.ibm.com/topics/cybersecurity (Aug. 12, 2024).
[4] Id.
[5] Computer Crime Research Center, The Cost of Cybercrime to Reach Over $12tn by 2025 (Jan. 24, 2024), https://www.crime-research.org/news/24.01.2024/4132/.
[6] Keman Huang, Stuart Madnick & Fang Zhang, Navigating Cybersecurity Risks in International Trade, HARV. BUS. REV. (Dec. 2, 2021), https://hbr.org/2021/12/navigating-cybersecurity-risks-in-international-trade.
[7] Gregg Lindemulder & Matt Kosinski, What Is Cybersecurity?, IBM, https://www.ibm.com/topics/cybersecurity (Aug. 12, 2024).
[8] David Braue, Global Cybersecurity Spending To Exceed $1.75 Trillion From 2021-2025, Cybersecurity Ventures (Sept. 10, 2021), https://cybersecurityventures.com/cybersecurity-spending-2021-2025/.
[9] Musa Saidu, The Curious Case of Data Breach in Permanent Court of Arbitration, The Legal Journal on Technology (May 18, 2021), https://www.thelegaljournalontechnology.com/post/the-curious-case-of-data-breach-in-permanent-court-of-arbitration; Pierre Bienvenu & Benjamin Grant, Data Protection and Cyber Risk Issues in Arbitration: Dealing with Regulation, Cyber-Attacks and Hacked Evidence, Int’l Arb. Rep. Issue 13, at 20 (Sept. 2019).
[10] Id.
[11] Cybersecurity Rules Saw Big Changes in 2024: Here’s What to Know, World Economic Forum (Oct. 17, 2024), https://www.weforum.org/stories/2024/10/cybersecurity-regulation-changes-nis2-eu-2024/.
[12] Convention on Cybercrime, Council of Europe, ETS No. 185 (Nov. 23, 2001), https://www.europarl.europa.eu/cmsdata/179163/20090225ATT50418EN.pdf.
[13] Id.
[14] Convention on Cybercrime, Special Edition Dedicated to the Drafters of the Convention (1997-2001), https://rm.coe.int/special-edition-budapest-convention-en-2022/1680a6992e.
[15] Id.
[16] Convention on Cybercrime, Council of Europe, ETS No. 185, arts. 2-13 (Nov. 23, 2001).
[17] Convention on Cybercrime, Council of Europe, ETS No. 185, art. 24 (Nov. 23, 2001).
[18] Convention on Cybercrime, Council of Europe, ETS No. 185, art. 25 (Nov. 23, 2001).
[19] General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, 2016 O.J. (Apr. 27, 2016).
[20] Ernst Oliver Wilhelm, A Brief History of the General Data Protection Regulation (1981-2016), IAPP (Feb. 2016), https://iapp.org/resources/article/a-brief-history-of-the-general-data-protection-regulation/.
[21] Id.
[22] General Data Protection Regulation (EU) 2016/679, art. 5, O.J. L 119 (May 4, 2016).
[23] General Data Protection Regulation (EU) 2016/679, art. 6, O.J. L 119 (May 4, 2016).
[24] General Data Protection Regulation (EU) 2016/679, art. 32, O.J. L 119 (May 4, 2016).
[25] General Data Protection Regulation (EU) 2016/679, art. 25, O.J. L 119 (May 4, 2016).
[26] Regulation (EU) 2019/881, 2019 O.J. (L 151) 15, http://data.europa.eu/eli/reg/2019/881/oj.
[27] Id.
[28] Id.
[29] The EU Cybersecurity Act, SHAPING EUROPE’S DIGITAL FUTURE, EU (Nov. 21, 2024), https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act.
[30] Regulation (EU) 2019/881, art. 1, 2019 O.J. (L 151) 15.
[31] Regulation (EU) 2019/881, art. 3, 2019 O.J. (L 151) 15.
[32] Regulation (EU) 2019/881, art. 4, 2019 O.J. (L 151) 15.
[33] Regulation (EU) 2019/881, art. 7, 2019 O.J. (L 151) 15.
[34] U.N. Secretary-General, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/174 (July 22, 2015), https://digitallibrary.un.org/record/799853?v=pdf.
[35] U.N. Secretary-General, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/68/98 (June 24, 2013), https://documents.un.org/doc/undoc/gen/n13/371/66/pdf/n1337166.pdf.
[36] U.N. Secretary-General, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, § III, U.N. Doc. A/70/174 (July 22, 2015).
[37] U.N. Secretary-General, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, § V, U.N. Doc. A/70/174 (July 22, 2015).
[38] U.N. Secretary-General, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, § VI, U.N. Doc. A/70/174 (July 22, 2015).
[39] Maj. Gen. (Ret.) Dan Efrony, The UN Cyber Groups, GGE and OEWG – A Consensus Is Optimal, But Time Is of the Essence, JUST SECURITY (July 16, 2021), https://www.justsecurity.org/77480/the-un-cyber-groups-gge-and-oewg-a-consensus-is-optimal-but-time-is-of-the-essence/.
[40] Michael Schmitt, The Sixth United Nations GGE and International Law in Cyberspace, JUST SECURITY (June 10, 2021), https://www.justsecurity.org/76864/the-sixth-united-nations-gge-and-international-law-in-cyberspace/.