Make haste slowly: the Budapest Convention

By Anne French

Good news! New Zealand has acceded to the Budapest Convention at last.

The Council of Europe Convention on Cybercrime was opened for signature in Budapest in November 2001. It provides for:

  • the criminalisation of conduct ranging from illegal access, data and systems interference to computer-related fraud and child pornography;
  • procedural law tools to investigate cybercrime and secure electronic evidence in relation to any crime; 
  • and efficient international cooperation.

Those all look like good things to do, so you could be excused for wondering why it has taken us more than 23 years to get to this point.

It has been a long and winding road. For a start, for the first ten years of its existence, we didn’t even declare an intention to accede to the Budapest Convention.

In 2011, the Ministry of Justice noted that ‘New Zealand’s legal and operational arrangements conform with many of the Convention’s provisions’. It considered that ‘The Convention would improve New Zealand’s ability to obtain data created or used to offend within New Zealand’s legal jurisdiction but held in other countries’.

The intention to accede was reiterated in the National Plan to Address Cybercrime 2015, where it was the first item under Priority Action 4, ‘Closer Cooperation on Cybercrime’.

In 2019, accession was mentioned in New Zealand’s Cyber Security Strategy, where the first item under the heading ‘Proactively tackle cybercrime’ was ‘seeking Cabinet agreement to accede to the Budapest Convention’. The intention was mentioned in the Report of the Royal Commission of Inquiry into the terrorist attack on Christchurch masjidain on 19 March 2019. Recommendation 29 stated in full:

“On 2 June 2020, Cabinet agreed in principle to New Zealand’s accession to the Council of Europe Convention on Cybercrime (the Budapest Convention) and to consult publicly to inform a further Cabinet decision. The Convention is the first, and currently only, treaty specifically seeking to address internet and computer crime. Accession to the Budapest Convention would assist New Zealand to initiate or strengthen relationships with member countries by signalling New Zealand’s commitment to multilateral efforts to combat cybercrime. By providing a standardised framework for cooperation through aligned national cybercrime laws, the Convention facilitates cooperation on criminal investigations of cybercrime and wider crimes involving electronic evidence, for example private social media communications relating to a crime and stored in the cloud by companies such as Facebook.”

So what was the problem?

Unlike other jurisdictions, which keep adapting their digital harm laws as things change, New Zealand’s criminal law and digital evidence-gathering tools have remained static for years. The Crimes Act 1961, the Search and Surveillance Act 2012, and the Telecommunications (Interception Capability and Security) Act 2013 had not been adapted to accommodate new cybertechnologies and threat behaviours.

It wasn’t until 2020, after another announcement, that the policy work began. The legislation was finally introduced in September 2024, received its third reading on 24 July, and Royal Assent last week, on 30 July.

We have at last joined Fiji, Tonga, and Vanuatu (along with the rest of the Five Eyes) as Parties. Congratulations to Minister Goldsmith and the team at the Ministry of Justice. For more on the Convention, and its impact on cybercrime over the first 20 years, take a look here.

Bio note:

Anne French, TINZ member, consults on innovation and strategy. In 2022-23, with colleagues, she prepared an assessment of the NZ cybercrime risk landscape for government clients.
