The UN Ad Hoc Committee on Cybercrime began its sixth negotiating session on August 21, 2023 in New York. The Committee is mandated to develop a comprehensive international treaty on countering the use of information and communications technologies for criminal purposes. Human Rights Watch and ARTICLE 19 analyzed the draft text and outlined key concerns. The treaty as currently drafted risks criminalizing online expression and conduct that is protected under international human rights standards. It also authorizes the use of intrusive tools to investigate crimes without proper safeguards, and creates a new global framework for international cooperation that could result in a race to the bottom in cross-border policing. Human Rights Watch and ARTICLE 19 have been emphasizing these concerns in their engagement with the Committee and submitted the analysis to the Committee for its consideration. 

Table of Contents

Introduction

The Draft Text’s near-unlimited scope undermines human rights

Article 17: Substantive offences should be clearly articulated in the Proposed Convention

Preamble, Paragraph 3: Remove unrelated offences

Article 22: Scope of Jurisdiction measures will have negative human rights implications

The Draft Text’s criminal offences pose a threat to human rights

Articles 13 and 14: Avoid unduly restricting the rights of children and freedom of expression more generally

Article 15: Avoid infringing on the rights of survivors of online gender-based violence

Articles 6-10: Core cybercrime provisions lack key safeguards and limitations

Draft Text’s overall human rights provisions fall short

Paragraphs 9, 11 and 12 of the preamble & Article 5

General safeguard in Articles 21, 23, 24 and 35 require more robust protections for human rights

Scope and Breadth of the Draft Text’s policing and cooperation powers

Chapters IV-V: Limit scope of policing powers and cooperation to offences established in the Convention

Articles 40(4), 42-26, 47 and 54: Overbroad global cooperation powers

 

 

Introduction

1. Human Rights Watch (HRW) and ARTICLE 19 welcome the opportunity to provide observations and recommendations to the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes on its draft text of the proposed convention (hereafter “the Draft Text” or “the Proposed Convention”).[1] We recognize that the Committee has worked extensively on the Draft Text and that some of the most problematic proposals have been rightly excluded. Despite this progress, much more work is needed to safeguard human rights in the treaty.
2. Our main concerns with the Draft Text are:

• Its near unlimited scope, which risks both substantively criminalizing acts beyond core cybercrimes, and disproportionately increasing policing powers and cooperation for those offences.
• Criminalization of acts that risk:
  •     Encroaching on the rights of children, in particular lesbian, gay, bisexual, and transgender (LGBT) children, including adolescents, seeking information about sexual and reproductive health and rights, sexual and gender diversity, and other topics that fall under the rubric of comprehensive sexuality education.
  •     Encroaching on the rights of survivors of online gender-based violence, including people targeted with non-consensual dissemination of intimate images.
  •     Lack of adequate protections for the legitimate work of civil society organizations, journalists, security researchers, and whistleblowers, as well as for protected expression that has scientific, artistic, or literary value.
• Increased policing powers and cooperation beyond core cybercrimes, without adequate human rights safeguards.
• Inadequate safeguards in the general human rights provisions, which is particularly concerning in light of the nature and scope of this Proposed Convention.

3. Our main recommendations are as follows:

• Recommendation 1: Delete Article 17 in its entirety. [6-14]

• Recommendation 2: Delete Paragraph (3) of the preamble. [15-17]

• Recommendation 3: Amend Article 22 to include proportionality and prevent it from applying to multi-national platforms that have not committed an offence under Article 6 to 16. [18-19]

• Recommendation 4: Delete Article 13 in its entirety. If the provision is nonetheless retained, amend Article 13 to exclude conduct that does not unduly risk harm to a child and has a legitimate purpose and to limit the risk of criminalizing non-exploitive conduct of children, an unduly expanded range of prohibited content, and the creation, possession or sharing of prohibited content in non-exploitive circumstances [due to a lack of context]. [21-27]

• Recommendation 5: Delete Article 14 in its entirety. If the provision is nonetheless retained, amend Article 14 to limit the risk of criminalizing activities of children who are above the age of consent but still captured by the Draft Text, of criminalizing people seeking or imparting information regarding sexual and reproductive health, and of the use of these provisions to discriminate against same-sex interactions. [25-27]

• Recommendation 6: Consider the appropriateness of including Article 15. If the provision is retained, amend Article 15 to mitigate the risk of criminalizing survivors particularly where the perpetrator is an authority figure, to center the lack of freely given consent, to criminalize the non-consensual capturing of intimate images and to exempt conduct that is a matter of public interest or for a legitimate purpose related to the administration of justice. [28-31]

• Recommendation 7: Amend Articles 6-10 so that: fraudulent or otherwise malicious intent conduct must result in serious harm or damage in order to be criminalized, bypassing technical safeguards is a core element of each criminal act, and a public interest exception is included. [32-33]

• Recommendation 8: Amend Article 5 so that it ensures the Proposed Convention does not threaten human rights and to mainstream a gender perspective and take into consideration the circumstances of persons and groups who face discrimination and marginalization, amend the preamble to add Paragraph 9bis recognizing the important role of civil society, the Office of the High Commissioner for Human Rights and the international human rights mechanisms in the implementation of the Proposed Convention, and amend Paragraphs 11 and 12 of the preamble so that international human rights law and standards are reflected. [35-38]

• Recommendation 9: Amend Articles 21, 23, 24 and 35 to align the Draft Text’s core safeguards regarding due process, investigative powers and international cooperation with international human rights law including through incorporation of the principles of legality, necessity, proportionality, and dual criminality. [39-43]

• Recommendation 10: Delete Articles 23(2)(b) and 23(2)(c), and amend Articles 35(1), 40(1), 40(4), 41(1), 45(2), 47(1) and 47(1)(b)(if retained) so that international cooperation and mutual legal assistance are limited to in scope to offences established in accordance with Articles 6 to 16 of the Draft Text. [45-50]

• Recommendation 11: Amend Article 40(4) to exclude proactive cross-border disclosure of personal data, amend Articles 42-46 so that mutual legal assistance is carried out in accordance with safeguards and limitations set out in Chapter IV of the Draft Text, amend Articles 44 and 45 to allow refusal of requests for mutual legal assistance on the basis of the grounds contained in Article 40(21), remove Articles 47(1)(b) and (c), remove Article 47(1)(g) or, at minimum, amend it to exclude any sharing of personal data, amend Article 47(1)(d) to remove information sharing regarding the use of privacy-enhancing tools, and amend Article 54 to incorporate safeguards against human rights abuses. [51-56]

4. We note that more extensive commentary on chapters related to procedural measures and law enforcement, as well as international cooperation by the Electronic Frontier Foundation (EFF) and Privacy International (PI) and by ARTICLE 19 is available.[2]

The Draft Text’s near-unlimited scope undermines human rights

5. Human Rights Watch [and ARTICLE 19] appreciate that the drafting process has made some progress in eliminating substantive offences that are “cyber-enabled” rather than “cyber-dependent”, in particular those which would have restricted freedom of expression and other human rights. However, the Draft Text continues to be problematic in scope, criminalizing activities that do not constitute “core” cybercrimes while proposing chapters on investigative powers and international cooperation that apply to all serious crimes. Article 17 of the Draft Text is a central concern in that it extends an indeterminate range of offences to digital contexts without modification, including some offences that pose a direct threat to freedom of expression.   

Article 17: Substantive offences should be clearly articulated in the Proposed Convention

Recommendation 1: Delete Article 17 in its entirety. [6-14]

6. The Draft Text continues to lack a coherent articulation of what does or does not constitute a cybercrime. While it initially appears to limit the number of substantive offences to Articles 6 through 16, language throughout the Draft Text indicates the scope is far from limited to those offences. Rather, the scope is explicitly open-ended.
7. By virtue of Article 17, any offence included in a binding treaty becomes a cybercrime, an expanding list of offences that already includes everything from drug offences to smuggling of migrants.
8. A complete understanding of the challenges raised by this provision would require a detailed assessment of numerous existing treaties. This assessment is difficult to carry out at the present stage as it is not clear what pre-existing treaties are covered. Article 17 is not, for example, limited to treaties duly registered in accordance with Article 102 of the UN Charter and may be viewed by some parties as applying to instruments ranging from binding regional or even bilateral agreements to trade agreements. The full implications of Article 17 cannot be understood because as currently drafted, it could also apply to future treaties including where those future treaties deliberately avoid applying their provisions to online environments.
9. The principle underpinning Article 17 essentially establishes that if technology is used in the commission of a crime, then it constitutes a cybercrime. This approach is particularly concerning in light of the propensity of States to use cybercrime measures against civil society organizations and human rights defenders.[3] The treaty should clearly articulate the harm it is addressing and only include specified “core” cybercrimes where communications networks are an integral component of the criminal act. Its procedural powers and international cooperation chapters should similarly be limited to specific investigations and prosecutions of these core cybercrimes.                            
10. We question the utility of this provision. Most offences in pre-existing treaties are not inherently limited to physical contexts and, absent practical barriers that suggest a given provision is ill-suited to criminalizing online behavior, would already apply. If the provision is intended to be redundant in nature, it creates challenges by embedding overlapping obligations regarding the online dimensions of offences in one Convention while both online and real-world offences remain governed by the underlying treaties in question. If the provision is intended to extend existing offences to online environments despite practical barriers it does so without consideration of the different challenges that can arise in digital contexts and despite a lack of consensus regarding the degree to which these offences should apply online. Indeed, reliance on Article 17 will only be necessary in the absence of consensus regarding the online dimensions of existing treaty obligations. This blunt approach can lead to significant unintended consequences including erosion of human rights and can bypass many of the explicit limitations adopted in the Proposed Convention as well as in the underlying treaties that Article 17 would extend to the online environment. We provide some indicative examples of these challenges below.
11. The Council of Europe Convention on Cybercrime (the Budapest Convention) explicitly excluded attempts to incorporate a range of content-related offences as these raised significant freedom of expression concerns and therefore could not generate consensus.[4] Among these attempts were proposals to extend racist and xenophobic speech offences included in the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD) to the online ecosystem,[5] which were excluded from the Budapest Convention and instead negotiated in a separate protocol criminalizing racist and xenophobic speech committed through computer systems that has enjoyed more limited adoption.[6] We note that under international human rights law, any advocacy of national racial or religious hatred that constitutes incitement to discrimination, hostility, or violence should be prohibited by law. However, States are not obligated to criminalize such expression.[7] The criminalization of racist and hate speech, particularly in online environments, is frequently weaponized by States seeking to attack online expression by civil society groups and particularly groups critical of governments.[8] Compelling States to extend ICERD offences to the Internet without modification or safeguard poses a direct risk to human rights.
12. In adopting racist and xenophobic speech offences to the online ecosystem, the optional Council of Europe protocol incorporated a number of specific safeguards necessary to adapt the provision to digital networks.[9] By virtue of Article 17, hate speech offences included in instruments such as ICERD could be extended to the online environment without any of these safeguards in place.[10]
13. Article 17 also causes challenges for States who may wish to reserve all or part of the online aspect of an ICERD offence. The Council of Europe optional protocol explicitly states that a Party may reserve the right not to attach criminal liability to the distribution of racist and xenophobic material to the public through a computer system, where the material advocates, promotes, or incites discrimination that is not associated with hatred or violence, provided that other effective remedies are available or doing so would be incompatible with principles concerning freedom of expression established by its national legal system.[11] As the obligation to extend ICERD offences to online contexts would arise from Article 17 of the current Convention and not from ICERD itself, comparable reservations would need to be consistent with this Proposed Convention rather than with Article 20 of ICERD.[12] Similar challenges would arise in relation to reservations in relation to any offences housed in other treaties and extended to the online environment by virtue of Article 17.
14. A number of other offences in existing treaties will also be problematic if extended to the online environment without modification. For example, treaties that were negotiated decades ago to address terrorism-related physical attacks are not an effective means of addressing this complexity and should not be forcefully stretched to address cyberattacks by virtue of Article 17.Offences criminalizing physical attacks on civil aviation have, for example, been adopted in a patchwork of instruments. [13] Each of these instruments has different levels of adoption amongst State Parties and each establishes different thresholds for intent and jurisdiction while many do not address these criteria at all.[14] Where thresholds are established, many are designed to address physical attacks and are ill-suited to addressing cyber threats. The conduct criminalized by these civil aviation instruments and extended to digital contexts through Article 17 will frequently overlap imperfectly with offences set out in Articles 6-10 of the Draft Text,[15] but without the calibration and limitations negotiated in these proposed provisions. Limitations on criminal intent adopted in Articles 6-10 of the Draft Text will not apply to cyber threats criminalized under Article 17, nor would conditions established in Articles 18-22 of the Draft Text to address jurisdiction, establish the proper scope of corporate liability and impose due process safeguards.[16] We therefore recommend the deletion of Article 17 in its entirety.

Preamble, Paragraph 3: Remove unrelated offences

Recommendation 2: Delete Paragraph (3) of the preamble. [15-17]

15. The inclusion of the list of issues of concern in Paragraph (3) creates a disconnect between the preamble and the criminal offences contained in Chapter I, which the Draft Text aims to address.
16. Paragraph (3) addresses cyber-enabled offences “related to terrorism, trafficking in persons, smuggling of migrants, illicit manufacturing of and trafficking in firearms,” which in our view have no place in this treaty. Paragraph (3) should be removed as it only creates confusion and ambiguity as to the scope of the Draft Text.
17. The reference to terrorism is particularly concerning, as there is no universally agreed upon definition of terrorism under international law. States have often leveraged this highly subjective term to justify repressive measures that illegitimately and disproportionately restrict the rights to free expression, opinion and belief, including peaceful dissent. [17] A June 2023 joint global study by the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism found widespread and systematic abuse of civil society and shrinking of civic space through laws and measures ostensibly aimed at countering terrorism..[18] Absent a clear, narrow definition of terrorism that comports with international human rights standards, Paragraph (3) risks perpetuating these and other human rights violations by expanding the application of already overbroad counterterorrism laws to cybercrime.

Article 22: Scope of Jurisdiction measures will have negative human rights implications 

Recommendation 3: Amend Article 22 to include proportionality and prevent it from applying to multi-national platforms that have not committed an offence under Article 6 to 16. [18-19]

       1. Each State Party shall adopt such measures as may be necessary and proportionate to establish its jurisdiction over the offences established in accordance with articles 6 to 16 of this Convention when:

        …

       6bis. This Article does not apply to any legal person who has committed no offence under Articles 6 to 16 may be held liable for the commission of such offences in accordance with Article 18.

18. It is common practice for States to enact cohesive regulation of internet and communication platforms, including through cybercrime laws. These regimes increasingly include severe frameworks for asserting jurisdiction over multinational platforms. Common features of these frameworks include licensing requirements for online platforms, local presence and data localization requirements, the imposition of heavy fines, and the power to block or throttle platforms that refuse to comply with local laws. [19]Article 22 obligates State Parties to take “measures as may be necessary” to establish jurisdiction over cybercrime offences included in the Proposed Convention. The provision includes no safeguards or restrictions on what measures might be considered excessive,[20] and may be relied upon by States to justify practices that are incompatible with human rights when asserting investigative jurisdiction.[21] Questions regarding when jurisdiction over multi-national platforms and their subsidiaries can be asserted in cross-border investigations remain difficult to resolve with no clear consensus and should not be addressed through this Proposed Convention.[22] 
19. In addition to being inherently problematic for failing to safeguard against the adoption of jurisdiction-conferring mechanisms that are incompatible with human rights, Article 22 is also an avenue to the enforcement of a range of “cybercrime” offences that amount to flagrant human rights abuses. By treating any conduct that might occur on a digital network as a potential “cybercrime” under Article 17, the Proposed Convention legitimizes an all-encompassing approach that invites States to address their own national priorities when enacting comprehensive cybercrime regimes. Often this list will include problematic “public morality”, “undermining national unity”, or “false news/disinformation” offences that are incompatible with the right to non-discrimination and the freedom of expression and association as part and parcel of a broader cybercrime package. A number of countries, for example, have criminalized expression around gender and sexuality under the guise of ‘cybercrime’, while other countries use cybercrime laws to punish peaceful protestors and political dissidents. [23]
     
20. While Article 22 is limited in application to offences “established in accordance with Articles 6 to 16 of this Convention”, in practice once these measures are used to compel jurisdiction over multi-national platforms States will have jurisdiction to investigate and enforce their entire suite of cybercrime offences established under national law. Article 22 is therefore problematic to the extent it facilitates investigation and enforcement of cybercrime offences that are incompatible with human rights by legitimizing disproportionate means of enforcing jurisdiction against multi-national platforms. The Proposed Convention’s provisions should foreclose foreseeable abuses of human rights in its implementation, and Article 22 should be amended to mitigate these risks.[24]   

The Draft Text’s criminal offences pose a threat to human rights

20. A number of the criminal offences contained in Chapter II threaten human rights. Articles 13 and 14 in particular may unduly restrict the rights of children and freedom of expression more generally. Article 15 could undermine the rights of survivors of technology-facilitated gender-based violence. The core cybercrime offences (Articles 6-10) lack critical safeguards to limit their misuse against whistleblowers, security researchers, and others.   

Articles 13 and 14: Avoid unduly restricting the rights of children and freedom of expression more generally

Recommendation 4: Delete Article 13 in its entirety. If the provision is nonetheless retained, amend Article 13 to exclude conduct that does not unduly risk harm to a child and has a legitimate purpose and to limit the risk of criminalizing non-exploitive conduct of children, an unduly expanded range of prohibited content, and the creation, possession or sharing of prohibited content in non-exploitive circumstances [due to a lack of context]. [21-27]

21. Child sexual exploitation and the spread of child sexual abuse material (CSAM) are cyber-enabled offences that engage multiple, complex human rights issues. For these reasons, a cybercrime treaty is not the right forum to discuss them. Human Rights Watch and ARTICLE 19 urge States to uphold their obligations under international human rights law by adopting comprehensive approaches to addressing CSAM.
22. As drafted, Articles 13 and 14 risk infringing on children’s rights and criminalizing content that may have scientific, educational, artistic, or literary value. These articles may also restrict the legitimate experience and expression of gender and sexuality of children, including adolescents.[25] Human Rights Watch [and ARTICLE 19] are particularly concerned about how criminalizing vaguely defined online content and activity will impact children seeking information about sexual and reproductive health and rights, sexual and gender diversity, discrimination and gender-based violence, and other topics that fall under the rubric of comprehensive sexuality education.  
23. States already have international treaty obligations to protect children from sexual exploitation and eradicate the spread of CSAM. [26] 176 States are already parties to the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography, which provides for mutual investigative assistance. Human Rights Watch [and ARTICLE 19] urge States to uphold their international treaty obligations to protect children from sexual exploitation and eradicate the spread of CSAM and question whether a cybercrime treaty is a necessary place to impose additional obligations.
24. Human Rights Watch and ARTICLE 19 recommend deleting Articles 13 and14 in their entirety. At the very minimum, the text of these articles should be amended to address the concerns outlined below.[27]

• If Article 13 is not deleted in its entirety, we recommend the following amendment to mitigate the risk of criminalizing protected speech:

Article 13(2)bis: No person shall be convicted of an offence under this article if the act that is alleged to constitute the offence:

(a) has a legitimate purpose related to the administration of justice or to science, medicine, education, or art; and

(b) does not pose an undue risk of harm to a child.

• The term “possession” in Article 13(1)(c) has posed a risk of over-criminalization in many CSAM provisions in national law. Given the nature of computing systems, possession can occur without the knowledge of an individual if, for example, images are shared without solicitation in a general-purpose chat group or images are cached on an individual’s local device without their knowledge or awareness.

The inclusion of “controlling” and “facilitating” in 13(1)(c) and (d), respectively, could also lead to criminal liability for service providers acting as mere conduits. To avoid the risk of prosecution under this clause, intermediaries or controllers may implement preventative measures, like general monitoring of users or device-side scanning, which are disproportionate and undermine the human rights to freedom of expression and privacy.[28] We recommend amending Article 13(1)(c) to read “Knowingly Ppossessing or and and Article 13(1)(d) to read “Financing, facilitating or profiting.” Article 13 should also be amended to add “13(1bis): Nothing in this Article requires a service provider to monitor its services or affirmatively seek facts indicating infringing conduct.”

• Leaving the terms “sexual activity”, “sexual pose”, and “sexual purposes” in Article 13(2)(a)(i), (ii), and (iii) undefined in the definition of “child sexual abuse or child sexual exploitation material” risks potentially exceedingly broad application and could result in the criminalization of protected speech.

The use of “sexual activity or pose” and “sexual activity” in Article 13(2)(a) problematically broadens the scope of criminalized activities. Core international instruments addressing CSAM are limited to criminalizing “explicit sexual activity” whereas “sexual activity” as a relative term is broader in scope.[29] This is particularly problematic as some jurisdictions define “sexual activity” broadly to include, for example, kissing of a child or even potentially kissing in the presence of a child.[30] Combined with other elements of Article 13, which criminalizes any material that “depicts or represents a child or a person appearing to be a child” engaging in “real or simulated” sexual activity or “in the presence” of sexual activity, this definition could criminalize many artistic, scientific, educational, or literary works that entail no exploitation of children and have no connection to the underlying harm intended to be addressed. Article 13 should not heighten the risk of capturing activity that is not graphic or explicit, such as kissing, by expanding the definition of CSAM in existing core international instruments. We would also suggest that the drafters consider adopting a closed definition of the activity being criminalized in the text of the Proposed Convention.[31]

The vagueness of these terms could result in criminalizing legitimate content under the following circumstances: parents sending photos of a child’s sexual organs to a doctor ahead of a consult or as part of a telehealth appointment, adolescents who are above the age of consent but defined as children under this Proposed Convention sharing content of a sexual nature consensually, children seeking access to sexual and reproductive health information, or even family capturing photos of intimate, private moments, photos that when stripped of context could be interpreted as falling under the broad definition of CSAM.[32]

• Article 13(2)(b) defines “material” to include not only “images” but also “written material.” It is not clear the limits of what written material include, and whether this could give rise to the banning or sale of books. Note, for instance, that there exist world-wide best-selling novels (such as the Song of Ice and Fire series by George R.R. Martin, famously adapted to the Game of Thrones television series) that frequently describe or depict brutal acts as part of their story, including sexual abuse of children. [33] Far from fringe works, these novels have been translated into 47 languages, sold nearly 100 million copies worldwide, and adapted into one of the most popular television series globally of all time.[34] Part of the appeal of the stories for many is the grim social commentary they provide on war and history. Nevertheless, criminalizing the possession or sale of this book would appear to be encouraged by Article 13, as drafted.

The Draft Text appears to address this by offering optional protections for expression in Article 13(3), allowing States to limit laws to instances featuring a real child or visual depictions. We are concerned that given the discretionary nature, this section does not provide a strong enough protection against infringements on artistic or literary expression.

• Article 13(4) takes steps to decriminalize the creation of sexual material by children but does not go far enough to protect children’s free expression when it comes to sharing of consensual material between them (self-generated or not). The Committee on the Rights of the Child has advised that “States should avoid criminalizing adolescents of similar ages for factually consensual and non-exploitative sexual activity.” [35] Requiring that States Parties “take steps” is not sufficient to protect children who are above the age of consent but still defined as children for the purposes of this Proposed Convention from being prosecuted for self-generated material. The focus on self-generation is both too narrow in some contexts and too broad in others. For example, it does nothing to protect partners who consensually possess such material or the consensual sharing of material that is not self-generated. But it also fails to criminalize material that a child is coerced into creating, which is technically captured by them on their own device and could be considered self-generated.

Recommendation 5: Delete Article 14 in its entirety. If the provision is nonetheless retained, amend Article 14 to limit the risk of criminalizing activities of children who are above the age of consent but still captured by the Draft Text, of criminalizing people seeking or imparting information regarding sexual and reproductive health, and of the use of these provisions to discriminate against same-sex interactions. [25-27]

25. “Solicitation for sexual purposes” under Article 14 is too vague, and could potentially criminalize sexual acts, or even just communicating about sexual acts with children who are above the age of consent but still defined as children for the purposes of this Proposed Convention. “Communicating” or “making any arrangement with a child for sexual purposes” could include communications about sexual and reproductive health information, like obtaining contraceptives or even just learning about them, obtaining information about one’s own body, and finding community or counseling for LGBT and other children International human rights law guarantees children a right to information about sexual and reproductive health, yet efforts to provide adequate sexual and reproductive health information frequently face a concerning backlash.[36] The term “solicitation” may also be problematic as it is appears in national cybercrime legal provisions that have been used to target LGBT people.[37]
26. The issues we highlight in relation to Articles 13 and 14 above are compounded in jurisdictions where there has already been a push to criminalize pornography. For example, regional instruments such as the Arab Convention on Cybercrime broadly call for punishment of pornography; where this is the case, terminology like “sexual activity” may be interpreted broadly to target material that is protected under international human rights law.
27. These terms could also be interpreted to discriminate against same-sex interactions, which have historically been targeted under obscenity, “morality,” indecency, and pornography laws. Human Rights Watch and ARTICLE 19 have documented that cybercrime laws, sometimes used in conjunction with laws criminalizing consensual same-sex conduct, “inciting debauchery,” “debauchery,” and “prostitution,” are used to target and prosecute LGBT people, regardless of whether same-sex acts occur, creating a climate in which LGBT people can be prosecuted merely for expressing themselves online, in particular in Middle East and North African countries.[38] A significant study of the role of digital evidence in the persecution of LGBT people in Egypt, Lebanon, and Tunisia found that due to increased reliance on digital evidence as a component of prosecution, there is a corresponding increase in the use of cybercrime laws to persecute LGBT people.[39]

Article 15: Avoid infringing on the rights of survivors of online gender-based violence

Recommendation 6: Consider the appropriateness of including Article 15. If the provision is retained, amend Article 15 to mitigate the risk of criminalizing survivors particularly where the perpetrator is an authority figure, to center the lack of freely given consent, to criminalize the non-consensual capturing of intimate images and to exempt conduct that is a matter of public interest or for a legitimate purpose related to the administration of justice. [28-31]

28. The non-consensual dissemination of intimate images (NCDII) is a form of gender-based violence. It engages multiple, complex human rights issues and for these reasons, a cybercrime treaty is not the right forum to discuss them. Under the Convention on the Elimination of Discrimination against Women (CEDAW), States have a responsibility to protect the right to live free from gender-based violence, including in online and virtual spaces, and outline state obligations to fulfill that right.[40] CEDAW and other treaties require States to show due diligence in preventing violation of rights by private actors and to investigate and punish acts of violence.[41]
29. As drafted, Article 15 falls short by potentially encroaching on women’s rights, in particular the rights of survivors. For example, Article 15(1) could be used against survivors, especially if the perpetrator is an authority figure. For example, if a survivor has documented abuse of a sexual nature, transmitting evidence of such abuse in an effort to gain access to justice could be criminalized with this clause. Criminalizing acts cannot be justified if their purpose or effect is to prevent legitimate criticism of public figures, the exposure of corruption, official wrongdoing, or to protect the reputation of heads of state or other public officials or public figures.[42]
30. Likewise, Article 15(2), which defines “intimate image” is drafted too broadly and could include artistic expression and satire as forms of “representation.” Additionally, “reasonable expectation of privacy” is not a commonly understood standard in international human rights law and its use here without context does not provide sufficient clarity to delineate the scope of this criminal provision.[43]
31. Article 15 should be revised to focus on the lack of freely given consent. It should also include an exception for matters of public interest to avoid the use of privacy claims to interfere with the administration of justice for gender-based violence or without justification in order to prevent the dissemination of information about matters in which the public has an interest or concern of being informed;[44]  

 1.    Each State Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the recording, offering, selling, distributing, transmitting, publishing or otherwise making available of an intimate image of a person by means of [a computer system] [an information and communications technology device], without the freely given consent of the person depicted in the image.

2.    For the purpose of paragraph 1, “intimate image” shall mean a visual recording or representation of a natural person made by any means, including a photograph, film or video recording in which the person is nude, is exposing their genital organs, anal region or breasts, or is engaged in explicit sexual activity, and in respect of which, there was an absence of freely given consent at the time of the recording or disseminationthere were circumstances that gave rise to a reasonable expectation of privacy.

Article 15(2)bis: No person shall be convicted of an offence under this article if the act that is alleged to constitute the offence has a legitimate purpose related to the administration of justice or a matter of the public interest;

Articles 6-10: Core cybercrime provisions lack key safeguards and limitations

Recommendation 7: Amend Articles 6-10 so that: fraudulent or otherwise malicious intent conduct must result in serious harm or damage in order to be criminalized, bypassing technical safeguards is a core element of each criminal act, and a public interest exception is included. [32-33]

Article 10bis. Limitations and Public interest exception

1. Articles 6-10 shall not apply to any person who uses or discloses information for the purpose of revealing a misconduct, wrongdoing, fraud, an illegal activity or a human rights violation or where a person acted in the public interest or for the purpose of protecting a general public interest.

2. A State Party shall require that the conduct described in paragraphs 1 of Articles 6 to 10 result in serious harm and that the offences in Articles 6 to 10 be committed by infringing security measures and with fraudulent or otherwise malicious intent.

32. The core cybercrime offences contained in Articles 6-10 are drafted in such a way that they risk criminalizing legitimate activities, especially those carried out by journalists, human rights defenders, and security researchers.We recommend consolidating the following safeguards and restrictions in Article 10bis and amending Articles 6 to 10 accordingly:

• The requirement that the acts committed in these Articles be “committed intentionally” should be retained and clarified to specify that the intent should be fraudulent or otherwise malicious[45] to avoid criminalizing very common practices, such as the sharing of passwords for online services among family and friends, or routine work of independent security researchers and whistleblowers, which could chill crucial cybersecurity work and access to public interest information.[46] 
• Articles 6-10 should be strengthened by adding a requirement that they result in serious harm or damage, to avoid far-reaching criminalization as well as far- reaching procedural and law enforcement measures, beyond what is necessary and proportionate. 
• Articles 6 and 8-10 should explicitly require the bypassing of technical safeguards as a core element of the criminal act. Absent this requirement, the risk of criminal sanctions on the basis of terms of use violations is too great and could allow service providers to unilaterally establish the scope of criminal liability.[47]
• A public interest exception should be added to ensure that the treaty cannot be instrumentalized to restrict the legitimate work of civil society organizations, journalists, security researchers, whistle-blowers and other actors pursuing the public interest.

33. The Draft Text currently relies on a “without right” qualifier that is too undefined and permissive a concept to address the specific and well documented negative impacts core cybercrime offences can have. Over two decades of experience has demonstrated that these activities are not sufficiently excluded through a “without right” qualifier and Articles 6-10 instead require specific limitations. The term is widely used in the Budapest convention to prevent overcriminalization in light of the broad range of conduct covered by these offences The concept of “without right” is best suited to shielding activities approved by service providers but not where service providers are incentivized to withhold authorization by contractual or other means because their interests are at odds with other individuals.[48] The ambiguity places too powerful a tool in the hands of prosecutors, who have threatened individuals with severe criminal penalties for what are at best minor infractions.[49] National courts have struggled to prevent cybercrime provisions from over-criminalizing activity that does not constitute “hacking” or bypassing technical safeguards to access a computer system. Service providers and employers have been empowered to prohibit pro-consumer interoperability content scraping tools,[50] stifle legitimate security research and tools,[51] prevent legitimate users of a system or service from authorizing others to access it including through password sharing,[52] and criminalize government or corporate whistleblowers.[53]

Draft Text’s overall human rights provisions fall short

34. The lack of adequate human rights safeguards is particularly concerning in light of the nature and scope of this convention. In contrast to other criminal law instruments overseen by the United Nations Office of Drugs and Crime (UNODC), cybercrime offences have been abused to attack human rights defenders, journalists, whistleblowers, and political dissidents.[54] Contrary to other UNODC instruments, the Draft Text’s scope is expansive and currently includes policing measures in relation to any serious crime.

Paragraphs 9, 11 and 12 of the preamble & Article 5 

Recommendation 8: Amend Article 5 so that it ensures the Proposed Convention does not threaten human rights and to mainstream a gender perspective and take into consideration the circumstances of persons and groups who face discrimination and marginalization, amend the preamble to add Paragraph 9bis recognizing the important role of civil society, the Office of the High Commissioner for Human Rights and the international human rights mechanisms in the implementation of the Proposed Convention, and amend Paragraphs 11 and 12 of the preamble so that international human rights law and standards are reflected. [35-38]

35. The Draft Text introduces state obligations that are likely to have a profound impact on human rights. We propose amendments to Article 5 to articulate the human rights protections that are required to ensure that nothing in the Proposed Convention threatens human rights, most notably rights to privacy, freedom of expression, and due process, and to in particular safeguard the rights of persons and groups in positions of vulnerability and marginalization who are more likely to have their rights violated both by cybercrime and by efforts to address it. We propose the following amendments to Article 5:

Article 5. Respect for human rights

1.States Parties shall carry out ensure that the implementation of their obligations under this Convention is consistent with their obligations in accordance with international human rights law, including but not limited to rights arising pursuant to their obligations under the International Covenant on Civil and Political Rights, the Convention on the Rights of the Child, Convention on the Elimination of All Forms of Discrimination against Women, the International Covenant on Economic, Social, and Cultural Rights, and additional protocols and other applicable international human rights instruments, and which shall incorporate the principles of legality, necessity and proportionality.

2. States Parties shall

(a) mainstream a gender perspective and to empower women and girls, and shall

(b) take into consideration the special circumstances and needs of persons and groups who face discrimination and marginalization in measures undertaken to prevent and combat [the use of information and communications technologies for criminal purposes] [cybercrime].

36. Elements of the preamble that seek to address human rights also fail to provide sufficient context to ensure the Proposed Convention will respect human rights in its adoption and implementation.[55] We propose Paragraph 9bis, recognizing that civil society, the Office of the High Commissioner for Human Rights, and the international human rights mechanisms will play a key role in ensuring that implementation of the treaty is human rights compliant:

9bis Recognizing the role and participation of civil society, the Office of the High Commissioner for Human Rights and the international human rights mechanisms as key to ensuring that the implementation of this Convention is human rights compliant.

37. Paragraph 11 should be amended as follows to ensure that clarify the applicability of international human rights law and standards:

(11) Mindful of the need to achieve law enforcement objectives and to ensure respect for human rights and fundamental freedoms as enshrined in applicable international and regional instruments, and international human rights law and standards,

38. Paragraph 12 of the preamble acknowledges the right to protection against unlawful interference with the right to privacy, including the protection of personal data. The provision undermines the right to privacy by limiting its scope of recognition to “unlawful” interferences, meaning it only recognizes interferences with privacy that are not provided for under law. This amounts to a misrepresentation of international human rights law, which requires that any interference with the right to privacy including with the right to data protection cannot be unlawful or arbitrary and that it must comply with the principles of legality, necessity, and proportionality.[56] The text of Paragraph 12 should be amended to reflect this:

(12) Acknowledging the right to protection against unlawful Stressing that any interference with the right to privacy, including the right to personal data protection of personal data, should comply international human rights law, which shall at a minimum incorporate the principles of legality, necessity, and proportionality

General safeguard in Articles 21, 23, 24 and 35 require more robust protections for human rights

Recommendation 9: Amend Articles 21, 23, 24 and 35 to align the Draft Text’s core safeguards regarding due process, investigative powers and international cooperation with international human rights law including through incorporation of the principles of legality, necessity, proportionality, and dual criminality. [39-43]

39. The Draft Text's core safeguards, Articles 21, 23, 24 and 35, fall short of requirements in international human rights law.
40. Article 21 does not reflect the principle that criminal sanction should only be reserved for the most serious conduct[57] and falls short of requiring reasonable doubt as a condition of conviction as well as compliance with the principles of legality, necessity and proportionality.[58] We would recommend the following amendments:

21(3) Each State Party shall endeavour to ensure that any discretionary legal powers under its domestic law relating to the prosecution of persons for offences established in accordance with articles 6 to 16 of this Convention are exercised in order to maximize the effectiveness of law enforcement measures in respect of those offences and with due regard to the need to deter the commission of such offences and to promote environments conducive to non-offending and rehabilitation of offenders.

4. Each State Party shall ensure that any person prosecuted for offences established in accordance with articles 6 to 16 of this Convention enjoys all rights and guarantees in conformity with domestic law and consistent with the obligations of the State Party under international human rights law, including the right to a fair trial, the right to the presumption of innocence, and the rights of defence and incorporating the principles of legality, strict necessity and proportionality.

41. Article 23 is no longer limited in scope to measures established for the purpose of specific criminal investigations and proceedings, opening the door to mass, bulk or indiscriminate surveillance by removing the obligation to ensure investigative powers are used in connection with individual cases concerning particular suspects.[59] We are concerned that this important limiter, which was present in previous drafts of this provision, has been removed and recommend its reinstatement:

23(1) Each State Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this chapter for the purpose of specific criminal investigations or proceedings.

42. Article 24 fails to incorporate the principles of necessity and legality and the need for prior judicial authorization premised on a robust factual basis prior to any interference with the right to privacy, including the right to data protection.[60] Accordingly we recommend the following amendments:

24(1). Each State Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this chapter are subject to conditions and safeguards provided for under defined by its domestic law, which shall be in compliance with consistent with its obligations under international human rights law, and which shall incorporating at a minimum incorporate the principles of legality, necessity, and proportionality, and require a factual basis justifying the use of such powers and procedures.2. Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include prior judicial or other independent authorization and review, demonstrable grounds justifying application, and limitation of the scope and the duration of such power or procedure, publication of statistical information periodically detailing the use of powers and procedures, remedial actions taken, adequate notification and access to effective remedies, and reasonable retention limitations.

43.  Article 35 establishes general principles for international cooperation. These principles exclude critical limitations and safeguards adopted elsewhere in the Draft Text and require no dual criminality condition. [61]Absent these safeguards and limitations, Article 35 creates a framework for international cooperation that threatens human rights.[62] We recommend the following amendments to address these limitations:

35(1) States Parties shall cooperate with each other in accordance with the provisions of this Convention, as well as other applicable international instruments on international cooperation in criminal matters, and domestic laws, for the purpose of specific investigations, prosecutions and judicial proceedings concerning offences established in accordance with articles 6 to 16 of this Convention…

1bis. Cooperation between State Parties shall be in compliance with international human rights law, incorporating at a minimum the principles of legality, necessity, and proportionality, shall respect the principle of dual criminality, and shall occur only where resulting prosecutions shall be in compliance with international human rights law, including the right to a fair trial, the right to the presumption of innocence, and the rights of defense.

2. In matters of international cooperation, whenever the principle of dual criminality is shall be considered a requirement, and it shall be deemed fulfilled irrespective of whether the laws…

Scope and Breadth of the Draft Text’s policing and cooperation powers

44. The Draft Text’s policing and international cooperation measures continue to apply well beyond offences set out in Articles 6 – 10 of the Draft Text. In addition, a number of the Draft Text’s specific policing and cooperation powers are too broad and threaten to infringe on human rights.

Chapters IV-V: Limit scope of policing powers and cooperation to offences established in the Convention

Recommendation 10: Delete Articles 23(2)(b) and 23(2)(c), and amend Articles 35(1), 40(1), 40(4), 41(1), 45(2), 47(1) and 47(1)(b)(if retained) so that international cooperation and mutual legal assistance are limited to in scope to offences established in accordance with Articles 6 to 16 of the Draft Text. [45-50]

• Provisions in Article 23(2)(b) and 23(2)(c), extending the scope of the Draft Text’s procedural measures beyond offences set out in Articles 6 to 16 should be stricken entirely.
• Article 35(1) outlining the general scope of international cooperation should be amended so that international cooperation obligations do not apply to the collection, obtaining, preservation and sharing of evidence in electronic form of “serious crimes, including offences covered by article 17 of this Convention when applicable.”
• Article 40(1) outlining the scope of mutual legal assistance requirements should be amended so that mutual legal assistance for the purposes of collecting evidence in electronic forms does not apply to “serious crimes, including offences covered by article 17 of this Convention when applicable.”

• Article 40(4) authorizing State Parties to proactively share information should replace “information relating to criminal matters” with “information relevant to specific investigations, prosecutions and judicial proceedings of offences established in accordance with Articles 6 to 16 of this Convention.”

• Article 41(1) obligating State Parties to join a 24/7 network should be amended so that it provides no independent authority for immediate assistance unless it is “in accordance with Article 40 of this Convention” and to preclude immediate assistance for the purpose of collecting evidence in electronic form of “serious crime, including those offences covered by article 17 of this Convention when applicable.”
• Article 45(2) outlining cooperation on real-time collection of traffic data should amended as follows:

45(2) Each State Party shall provide such assistance at least with respect to criminal offences for which real-time collection of traffic data would be available in a similar domestic case and which are established in accordance with Articles 6 to 16 of this Convention.

• Article 47(1) and 47(1)(b) (if retained) on direct law enforcement cooperation should each replace “offences covered by this Convention” with “specific offences established in accordance with Articles 6 to 16 of this Convention.”

45. We appreciate that many elements of Chapters IV-V of the Proposed Convention, which outline a series of investigative and enforcement powers and international cooperation mechanisms, are now properly limited in application to offences established in accordance with Articles 6 to 16 of the Draft Text. By virtue of Article 17, however, many of these otherwise limited provisions are extended in application to numerous other offences and many other provisions in Chapters IV-V continue to apply to all serious offences rather than those explicitly articulated in Articles 6 to 16 of the Draft Text. [63] This ongoing over-reach has the negative effect of diluting expertise and resources that would otherwise be directed to core cybercrime offences, splintering efforts at international cooperation and particularly efforts to address online and physical dimensions of offences adopted in other instruments and included only by virtue of Article 17, and raising concerns over the adequacy of human rights safeguards.[64]
46. Chapter V of the Draft Text in particular provides for increased international cooperation between States Parties for the purpose of investigations, prosecutions and judicial proceedings concerning offences in Articles 6 to 16 and the collection, obtaining, preservation and sharing of evidence in relation to any serious offences. With respect to the gathering of electronic evidence in relation to any serious offences, Chapter V requires State Parties to afford one another the widest measure of mutual legal assistance and to designate a point of contact available 24 hours a day, 7 days a week, in order to ensure the provision of immediate assistance. Extending the scope of mutual legal assistance to all serious offences is deeply problematic in the absence of a dual criminality requirement. States will be obligated to assist on offences established in treaties they have explicitly chosen not to adopt, and on crimes that offend fundamental rights. As the Draft Text’s due process obligations are strictly a function of its core criminal provisions,[65] while its human rights safeguards do not apply to its international cooperation provisions,[66] States will also be obligated to cooperate in instances where human rights protections fall short.  
47. The extension of some obligations would dilute their effectiveness by compelling cooperation on a wide range of offences rather than on core cybercrimes that would benefit from specific cooperation. Article 47(1)(b), for example, obligates State Parties to cooperate on any offences covered by the Convention without assessing whether this level of mandatory cooperation is necessary or even helpful with respect to all offences included by virtue of Article 17.
48. In many contexts, there is minimal benefit to applying this obligation so broadly and despite an absence of dual criminality, due process obligations, and human rights safeguards. For example, limiting the scope of compelled cooperation in Article 41 to offences set out in Articles 6 to 16 and to cooperation measures specifically articulated in the Convention would preserve the Convention’s safeguards and limitations and avoid an obligation to assist in the absence of dual criminality while not precluding State Parties from informal cooperation more broadly. State Parties will join the pre-existing and informal 24/7 cooperation network that has existed since 1990 to fulfill their obligations under Article 41 and so will be well placed to cooperate more broadly, if selectively, once they are members.[67] In addition, the 24/7 network is intended to operate as a window to expedited mutual legal assistance requests.[68] As currently drafted Article 41 authorizes parties to wholly bypass the regime established in Article 40 including the need for a central authority to assess requests against grounds for refusal set out in Article 40(21).[69]
49. In other instances, applying the Proposed Convention’s provisions to all serious crimes would create overlapping cooperation mechanisms. The Draft Text provides for this increased international cooperation for any offences without regard to any pre-existing cooperation mechanisms in place regarding those offences. This risks creating multiple and potentially inconsistent or conflicting obligations for international cooperation among States Parties to treaties that would fall under Article 17, as well as potentially inconsistent or conflicting safeguards. As a recent report prepared by the UN Security Council’s Counter-Terrorism Committee Executive Directorate noted in the context of international cooperation on lawful access to digital evidence, competing and conflicting mechanisms create complexity that undermine the objective of mutual legal assistance reform.[70] The presence of multiple competing options for international cooperation also creates avenues and incentives for law enforcement to pick the option of least resistance, frequently to the detriment of human rights.[71]
50. We recommend limiting the scope of Chapters IV-V so that these chapters and their underlying provisions only apply to offences established in accordance with Articles 6 to 16.

Articles 40(4), 42-26, 47 and 54: Overbroad global cooperation powers

Recommendation 11: Amend Article 40(4) to exclude proactive cross-border disclosure of personal data, amend Articles 42-46 so that mutual legal assistance is carried out in accordance with safeguards and limitations set out in Chapter IV of the Draft Text, amend Articles 44 and 45 to allow refusal of requests for mutual legal assistance on the basis of the grounds contained in Article 40(21), remove Articles 47(1)(b) and (c), remove Article 47(1)(g) or, at minimum, amend it to exclude any sharing of personal data, amend Article 47(1)(d) to remove information sharing regarding the use of privacy-enhancing tools, and amend Article 54 to incorporate safeguards against human rights abuses. [51-56]

51. A number of the Draft Text’s substantive provisions do not incorporate sufficient human rights protections and are particularly at risk of significant abuse.
52. Articles 40(4)-(5) authorize proactive information disclosures without any consideration for the safeguards of sending or recipient states. This provision raises a particularly heightened threat to online anonymity to the degree it allows proactive disclosure of subscriber data.[72] Despite limits in Article 40(5), the provision also creates problematic opportunities for parallel construction[73] and particularly as there is no requirement that proactively shared information be vetted by a recipient country’s central authority in writing prior to being sent to law enforcement agencies nor are the standard grounds for refusal set out in Article 40(21) incorporated. To prevent abuse of this provision, any proactive sharing of personal information should be excluded:

Amend Article 40(4) by adding “… State Party may, without prior request, transmit information relating to criminal matters to a competent authority in another State Party where … could result in a request formulated by the latter State Party pursuant to this Convention and where the information does not include any personal data.”

53. Articles 42-46 adopt a number of obligations for mutual legal assistance that overlap with powers outlined in Chapter IV but without incorporation of any of the limitations and safeguards included in Chapter IV. In addition, Articles 44 and 45 should be amended to incorporate conditions and limitations on mutual legal assistance included in Articles 35 and 40, including refusal of requests on the basis of grounds contained in Article 40(21). We recommend consolidating these limitations and safeguards in Article 46bis and amending Articles 42-46 accordingly:

Article 46bis. Safeguards and limitations

1. Mutual legal assistance provided further to Articles 42 to 46 shall be governed by the conditions and procedures provided for under domestic law, limitations imposed in Articles 25 to 30, and safeguards and conditions imposed in Article 24, and shall only be provided to the extent permitted under applicable treaties and domestic law.

2. Mutual legal assistance provided further to Articles 42 to 46 shall respect conditions and limitations imposed in Articles 35 and 40 and shall be subject to refusal on the basis of the grounds contained in Article 40(21).

54. Article 47 adopts a number of requirements for direct law enforcement cooperation.[74] Article 47(1)(b) requires direct sharing of information including the identity, whereabouts and activities of persons suspected of offences. Similar cross-border information sharing mechanisms have been abused to locate and identify political dissidents in diaspora communities as a precursor to harassment and other forms of transnational repression.[75] Article 47(1)(f) requires open-ended information sharing “for the purpose of early identification” of offences covered by the Convention even though many early investigative steps can be highly intrusive.[76] These provisions include no limitations, no protections for the right to privacy and the right to data protection, no safeguards for particularly vulnerable persons such as asylum seekers,[77] and no requirement for central authorities to vet information prior to disclosure and refuse on the basis of grounds outlined in Article 40(21) or where doing so would pose a threat to human rights.
55. Article 47(1)(c) requires the sharing of “necessary items or data for analytical or investigative purposes.” This type of open-ended and generalized information sharing poses a substantial risk to human rights. Analytical models in particular will frequently involve deeply sensitive information collected without appropriate the types of limitations that are normally in place for investigations of specific offences.[78] Article 47(1)(d) requires information sharing regarding “means of concealing activities” used to commit offences, opening the door to information sharing aimed at undermining general purpose privacy enhancing tools such as VPNs and encryption safeguards. We would therefore recommend that:

Articles 47(1)(b) and (c) be removed and that Article 47(1)(f) be limited in application to “exchange of information that is not personal data” or removed altogether. Article 47(1)(d) should be amended to remove “and other means of concealing activities.”

56. Article 54 creates a vehicle for technical assistance and capacity building but does not include any measures to prevent human rights abuses. [79] We support the recommended amendments to Article 54 proposed by EFF and PI.