International Journal on Criminology Volume 7, Number 1, Winter 2019/2020 | Page 13

International Journal on Criminology
in China—a country where the state collects personal data, in particular biometric
data, 10 on a massive scale—constitutes a major failure and a form of cybercrime.
Such abuses must be punished under criminal law in accordance with the applicable
European legislation, especially when the personal data have transited across
Europe or relate to European nationals.
The security of personal data has ceased to be an issue of individual freedom
alone now that big data, the black gold of AI, can be used for criminal purposes
or to impair democracy. In this regard, information and guarantees of individuals’
rights must be further improved.
2. Strengthening the Legal Instruments
It is self-evident that cybercrime is a form of organized crime with transnational
dimensions and vectors. It stimulates coordination and cooperation between
multiple actors in technical, financial, social, and other areas. The international
level is therefore where we must strengthen instruments and transpose them efficiently
to the national level.
In this regard, the Council of Europe Convention on Cybercrime, 11 known
as the Budapest Convention, serves as the principal international instrument, as
it has been ratified by nonmember states, including the United States, Canada,
Japan, Australia, and Senegal. The convention, adopted in 2001, is unfortunately
dated. It scarcely includes technological developments and the arrival of new
actors. It also suffers from the fact that Russia has not signed it and that China
opposes it; these two countries consider the convention to be too focused on repression.
In any event, this instrument must still be modernized, as part of a third
protocol, in order to define new offenses, strengthen network security, and extend
liability to new actors. 12
At the European level, the GDPR is the general framework imposed on
those who process personal data. However, it is necessary to strengthen the means
of action that aim to suppress forms of cybercrime targeting such data. In this regard,
the Directive on the European Investigation Order 13 implements the principle
of mutual recognition for the collection of evidence. However, the time frames
it imposes, which are drastically shorter than those observed in terms of classic
mutual assistance in criminal matters, are too large for combating cybercrime,
especially when it comes to financial fraud, which gives rise to significant movements
of funds in short periods of time.
10 “Données personnelles: Facebook les a partagées avec des groupes chinois,” Le Figaro, June 6, 2018.
11 Convention of November 23, 2001, which entered into force on July 1, 2004.
12 A second protocol on the fight against terrorism is still in development.
13 Directive 2014/41/EU, implemented in France by order 2016-1636 of December 1, 2016. See
Thomas Cassuto, “La Directive concernant la Décision d’enquête européenne,” AJ Pénal Dalloz
(July-August 2014): 338.
8