COUNCIL OF EUROPE CONVENTION ON CYBERCRIME AND RELATED CASE LAW

I. INTRODUCTION

Cybercrimes, which have arisen with the development of information technologies, cannot be effectively prevented by the efforts of a single state because of their cross-border nature. The perpetrator and the victim may be in different countries, and the conduct that constitutes the offence may also extend into the legal sphere of more than one country. “For this reason, in cross-border crimes, the most important feature is that not only the local community but the international community as a whole is affected by the offence”1. For example, if an act that is not considered a crime in one country is accepted as a crime in another, the judicial authorities of the latter will be left powerless in the face of an attack carried out in the former2. Since no state may conduct an investigation in another country without that country’s consent, international cooperation in combating cybercrime is of vital importance. With this need in mind, a committee of experts was set up under the auspices of the Council of Europe in 1997 and the Council of Europe Convention on Cybercrime (the “Budapest Convention”), which is the first international convention of its kind, was prepared3. The Council of Europe Convention on Cybercrime, which was opened for signature in Budapest on 23 November 2001, entered into force on 1 July 2004, thereby becoming the first binding international instrument in this field. Aiming to establish a common policy to combat cybercrime worldwide, the Council of Europe Convention on Cybercrime seeks to harmonise the domestic laws of the Parties, to establish an effective mutual legal assistance mechanism and to ensure the rapid sharing of electronic evidence. In this article, the scope and implementation of the Budapest Convention will be examined from the perspectives of the EU, Türkiye and the USA, and sample case law will be evaluated.

II. PURPOSE AND SCOPE OF THE COUNCIL OF EUROPE CONVENTION ON CYBERCRIME

The Council of Europe Convention on Cybercrime (commonly known as the Budapest Convention) (the “Convention”) is an international treaty that introduces comprehensive substantive criminal law definitions and procedural and cooperation provisions for the fight against cybercrime. The Convention was adopted by the Committee of Ministers of the Council of Europe on 8 November 2001 following a preparatory process initiated in 1997 on the recommendation of the European Committee on Crime Problems. The text, which was opened for signature on 23 November 2001, entered into force on 1 July 2004 upon ratification by five countries. By the 2020s the Convention had become global in nature, open to participation without distinction as to geographic region. Of the 47 members of the Council of Europe, 46 (except Russia) are parties to the Convention. In addition, non-European states such as the USA, Canada and Japan also participated in the negotiations and signed the final text, and many have ratified it and become Parties. Thus, the Convention has become a truly global framework for combating cybercrime that transcends the borders of the European region.

The structure of the Convention consists of 48 articles in four main parts. The first part contains definitions, the second part deals with regulations for domestic law, the third part sets out procedures for international cooperation, and the fourth part contains technical provisions on implementation. The types of offences covered by the Convention are divided into four main categories4:

(i) Offences against the confidentiality, integrity and availability of computer data or systems (illegal access, illegal interception, data interference, system interference, misuse of devices). These offences are aimed at protecting the confidentiality, integrity and availability of information systems.

(ii) Computer-related offences (computer-related forgery, computer-related fraud).

(iii) Content-related offences (offences related to child pornography). The use of children for sexual exploitation in visual materials and the possession and distribution of such obscene content online are punishable

(iv) Offences related to infringements of copyright and related rights. This article establishes a common criminal framework against piracy and similar intellectual property infringements committed in the digital environment.

In addition to these articles, the Convention provides that attempts and aiding and abetting are also criminally liable. Issues such as the liability of legal persons and the types of sanctions are also addressed.

In terms of procedural provisions, the Convention contains many innovative tools. For example, in order to collect evidence quickly to combat the substantive offence categories: procedures are envisaged for the immediate preservation of computer data (Article 16); the urgent preservation and disclosure of specific traffic data (Article 17); and the obtaining of subscriber information from a service provider by means of a production order (Article 18). Law enforcement authorities are empowered to search computer systems and seize data by copying it with a judicial order (Article 19). As regards the interception of communications, methods such as real-time monitoring of traffic data from a specific system (Article 20) and real-time interception and recording of content data (Article 21) are regulated. These procedural measures are subject to the requirement of safeguarding fundamental rights and freedoms as provided in Article 15 of the Convention. Each country is obliged to take measures in its own law to guarantee rights such as the privacy of personal data and the freedom of communication when exercising these powers5.

The international cooperation provisions are dealt with in detail in the third part of the Convention. As a general principle, the Parties undertake to provide the widest possible assistance in the investigation and prosecution of cybercrimes (Article 23). The Convention is designed to complement existing bilateral or multilateral mutual legal assistance treaties. In particular, with regard to extradition (Article 24), the Convention introduces procedural facilitation for the rapid transmission of extradition requests between the Parties in respect of cybercrime. With regard to mutual legal assistance (Articles 25 et seq.), common rules are laid down concerning requests, responses and confidentiality. The Convention also requires each Party to maintain a contact point accessible 24 hours a day, seven days a week in order to minimise bureaucratic delays in urgent cases (Article 35). These contact points are responsible for receiving urgent requests from other countries, such as requests for immediate preservation, and for initiating the necessary procedures. Indeed, pursuant to the Convention, the General Directorate of Anti-Smuggling and Organised Crime of the Turkish National Police has been designated as the contact authority for Türkiye.

A. Additional Protocols to the Convention

The scope of the Convention has been expanded by protocols adopted later. “Additional Protocol to the Convention on Cybercrime” of 28 January 20036, brought within the scope of criminal law expressions of a racist and xenophobic nature committed via computer systems. Although some states (for example the United Kingdom, Ireland, Hungary and the Russian Federation) did not sign this protocol because of concerns that it might restrict freedom of expression, it has been signed and ratified by many countries, including Türkiye. At the same time, a second additional protocol was prepared to update international cooperation in cybercrime investigations in line with today’s technological developments. Entitled “Second Additional Protocol to the Cybercrime Convention”7 this text, which was opened for signature in May 2022, introduces new procedures to accelerate the sharing of electronic evidence. In particular, the second protocol includes important innovations on direct access to evidence in cloud computing environments, cross-border emergency requests and cooperation with service providers. The Second Protocol is currently in the process of signature and ratification by the Parties and it is stated that it will increase the Convention’s capacity to meet updated needs.

Although the Convention is universal in its scope and objectives, there are criticisms of it. Although the Convention is an international criminal treaty imposing obligations on the Parties, the effectiveness of its sanctions depends on the cooperation and voluntary participation of the member states. For example, states that do not obtain the assistance they request cannot take it to a coercive mechanism. No binding dispute resolution body has been envisaged in the event of a dispute. In this respect, the effectiveness of the Convention in practice is open to criticism. Nevertheless, as the most comprehensive international instrument in force, the Convention largely meets this need and provides Parties with a common language, common definitions and rapid assistance possibilities. In this context, the Convention functions as a model law and provides guidance for the national legislation of countries that are not yet Parties.

III. DEVELOPMENTS AND CASE LAW IN THE EUROPEAN UNION

The Convention, which was prepared under the auspices of the Council of Europe, has been incorporated into the national legislation of most EU countries. Many EU countries have made amendments to their criminal codes in accordance with the provisions of the Convention, incorporating the definitions of cybercrimes and procedural measures into their domestic law. The broad acceptance of the Convention even outside the members of the Council of Europe shows that the EU has assumed a leadership role in the fight against cybercrime. However, as mentioned above, the success of the Convention is not only dependent on the existence of the text but also on the consistency of its implementation. For this reason, the Cybercrime Convention Committee of the Parties (T-CY), which was established in 2006 to monitor the implementation by countries that have acceded to the Convention, carries out periodic evaluations, publishes guidance notes and, when necessary, negotiates new protocols.

On the other hand, the EU has also adopted binding regulations within its own legal order to combat cybercrime. Following the 2005 Framework Decision, which was issued to harmonize the criminal legislation of the Member States at Union level, Directive 2013/40/EU”8 entered into force. By this directive, the definitions (for example illegal system access, data interference) and criminal sanctions provided for in the Convention were adopted as minimum standards for EU Member States. Member States were also required to establish 24/7 contact points and to speed up mutual legal assistance. Thus, the EU has strengthened and reinforced the obligations brought by the Convention within its own structure. Indeed, the European Cybercrime Centre, established under Europol in 2013, plays an important coordination role by supporting operational cooperation among Member States in cybercrime investigations. Nevertheless, the obstacles to international cooperation in the EU have not been completely eliminated. In particular, the Russian Federation has refused to sign the Convention and has declared that it is not willing to cooperate with the EU on cybercrime. Similarly, large countries such as China and India are not parties to the Convention and prefer alternative platforms. This leads to the emergence of certain safe havens for criminals on a global scale and allows cybercriminals to take refuge in these countries and attack other countries. Indeed, under the leadership of Russia and other non-party states, a process was launched in the United Nations General Assembly which resulted in the drafting of a separate UN Cybercrime Convention, and it was decided that this would be opened for signature in October 20259. The EU also intends to become a party to this United Nations convention in order to develop cooperation with states that have not acceded to the Convention. The Council of Europe, for its part, is endeavouring to ensure that the Convention is compatible with the new United Nations convention, even transmitting its experience as an observer in the United Nations process.

A. Examples from EU Case Law

Although disputes relating to cybercrime generally come before national courts, certain decisions provide guidance for all of Europe. In particular, the European Court of Human Rights (“ECtHR”) has handed down important judgments dealing with allegations of violation of fundamental rights in cybercrime investigations.

1. K.U./ Finland10

In the case of K.U. / Finland, the Finnish authorities refused a request for the IP address information needed to identify an offender who had posted an advertisement on the internet under the identity of a child on the grounds that, under Finnish law, the service provider had no duty to disclose the identity information. The applicant argued that the posting of the advertisement on the internet constituted an interference with his private life. The ECtHR held that Articles 8 (right to respect for private and family life) and 13 (right to an effective remedy) of the Convention had been violated. The Court found that the State had an obligation to legislate to protect children from online threats and concluded that the applicant’s right to respect for private life had been violated.

2. Ahmet Yıldırım/ Türkiye11

In the case of Ahmet Yıldırım / Turkey, a court, in the context of a criminal investigation, decided to ban access to a site hosted on the Google Sites platform, but technically the decision blocked access to the platform as a whole and made it impossible for the applicant to access his own site. The ECtHR, emphasising that the internet is a means for individuals to exercise their freedom of expression, found that the blocking measure was not “prescribed by law” and was not “necessary in a democratic society” and ruled that Article 10 had been violated.

IV. CURRENT SITUATION AND CASE LAW IN TURKIYE

Türkiye signed the Convention in Strasbourg on 10 November 2010 and later completed the process of ratification. The Grand National Assembly of Türkiye (“TBMM”) approved the Convention with the publication of Act No. 653312. With the entry into force of this act, the Convention became part of domestic law and produced binding provisions for Türkiye. Türkiye transmitted the instrument of ratification to the Council of Europe, thereby ensuring that the Convention entered into force in Türkiye as of 1 January 201513. Moreover, Türkiye signed the 2003 Additional Protocol to the Convention and actively participated in the work on the Second Additional Protocol in 2022. By doing so, Türkiye has undertaken an international obligation and has pledged to adopt universal standards in the fight against cybercrime.

In Türkiye, cases relating to cybercrime are mostly heard within the framework of Articles 243–245/A of the Turkish Penal Code (“TPC”), and decisions of the Court of Cassation shape the scope of application of these provisions. In this context, Article 243 of the TPC regulates the act of unlawfully entering or remaining in an information system; Article 244 regulates acts of interfering with the operation of the system and acts such as damaging, destroying, altering or rendering inaccessible data; Article 245 regulates the unauthorised use of another person’s bank or credit card and situations involving counterfeit cards; and Article 245/A regulates acts relating to devices and programmes suitable for committing cybercrimes. The Court of Cassation has emphasised that the mens rea element in the offence of unauthorised access to an information system is intent and that the mere unauthorised entry is punishable even if the perpetrator’s purpose is not to commit another offence. However, in some cases involving young first-time offenders where the attempts were simple and caused no consequences, it has been observed that institutions such as suspension of the pronouncement of the judgment may be applied. In cases involving the offence of damaging or destroying an information system, the Court of Cassation carefully assesses the economic value of the data in question and the perpetrator’s intent. For example, in a decision of the 12th Criminal Chamber of the Court of Cassation, the act of an accused who, by breaking a password, altered data in a company’s computer system was evaluated within the scope of Article 244/2 of the TPC and it was indicated that the provisions on remorse (effective repentance) could be applied provided that the damage suffered by the company was compensated14. Such decisions show that in cybercrime, the possibility of reparation and reconciliation may also come into play.

The fight against cybercrime in Türkiye has not been limited to criminal legislation alone; it has also been supported by technical and administrative measures. Within the framework of the National Cyber Security Strategy and action plans adopted in 2013, a National Cyber Incident Response Centre (“USOM”) and sectoral Cyber Incident Response Teams (“SOME”) were established. These structures, while carrying out activities to prevent cyberattacks and to intervene technically in incidents, also contribute to evidence collection and analysis processes in coordination with judicial authorities. For example, in a distributed denial of service (DDoS) attack against a bank’s system, USOM intervened rapidly to neutralise the attack, and IP records and logs were submitted to the judicial authorities to identify the perpetrator. Thus, technical capacity and legal process operate in a complementary manner. These developments have prepared the ground for changes to be made in Türkiye in the coming days. By 2025, Türkiye’s cyber security architecture has undergone significant transformation. With Presidential Decree No. 177 of 8 January 2025, a Cyber Security Agency attached to the Presidency was established, consolidating strategy and coordination among institutions. Following this, the Cyber Security Act No. 7545 (“Act No. 7545”) was adopted on 12 March 2025 and entered into force upon publication in the Official Gazette dated 19 March 2025 and numbered 32846. Act No. 7545 conferred broad powers on the Cyber Security Agency, including the identification of critical infrastructures, the establishment of CERTs, the determination and auditing of maturity levels, the coordination with other countries’ cyber incident response teams and the establishment of standards, certification and oversight mechanisms in cyber security products and services. Under Act No. 7545, the national coordination of CERTs was included among the duties of the Cyber Security Agency. However, USOM and the existing CERT structures, pursuant to the transitional provisions of the decree and Act No. 7545, continue to operate under the coordination of the Cyber Security Agency within the existing legislation until the new organisation and transfer processes are completed. In addition, with the arrival of Act No. 7545, new offence types have been defined, such as failure to provide information to the auditing authority or providing incomplete information, carrying out cyber security activities without obtaining the necessary authorisations, violating the confidentiality of data relating to critical infrastructures, disseminating false information about data leaks and carrying out cyberattacks targeting the national power elements of Türkiye. These acts are punishable by imprisonment ranging from one to 15 years and criminal fines. Act No. 7545 also provides for administrative fines ranging from TRY 1 million to TRY 100 million for violations such as the use of cyber security products without certification and failure to allow inspections, with the aim of strengthening the national cyber security ecosystem15.

In terms of international cooperation, following Türkiye’s accession to the Convention, the adoption of Act No. 7545 has provided significant advantages in practice. In the past, mutual legal assistance with countries such as the USA, which has a different legal system, proceeded slowly through bilateral treaties, but through the Convention and Act No. 7545, a standardized framework has been formed. For example, in the context of an investigation conducted by the US authorities into child abuse images, as a result of an urgent preservation request transmitted to Turkish authorities under the Convention, certain data stored on a server in Türkiye were rapidly preserved. Subsequently, the mutual legal assistance procedure was implemented and these data were shared, which made it possible to apprehend those responsible in both countries. This example demonstrates the practical benefits of the Convention. Similarly, in requests sent by Türkiye to European countries, it is stated that processes have been accelerated thanks to the use of the common language of the Convention and the continuous communication of the Cyber Security Agency with other countries in the field of cyber security. According to the data of the Directorate General for International Law and Foreign Relations of the Ministry of Justice, Türkiye received and transmitted more than 100 mutual legal assistance requests under the Convention between 2015 and 2023. These requests were most notable in investigations carried out in cooperation with the USA, Germany and the United Kingdom.

V. AN OWERVIEW OF CURRENT SITUATION AND CASE LAW IN THE USA

Although not a member of the Council of Europe, the USA attached great importance to the Convention, which is the first comprehensive international instrument in the field of cybercrime, and was involved in the process from the outset. The USA participated as an observer in the committee of experts that prepared the Convention and, after the text emerged, signed it on 23 November 2001 and formally became a Party by Senate approval in 2006. For the USA, which deposited its instrument of ratification on 29 September 2006, the Convention entered into force on 1 January 200716. Thus, the provisions of the Convention became applicable in the US legal system. However, even before that, the USA already had a robust federal cybercrime legislation. The Computer Fraud and Abuse Act (CFAA) of 1984 made acts such as unauthorised entry into computer systems, causing damage to public or private sector computers, spreading viruses and password cracking federal crimes. This act was amended and expanded many times over the years in parallel with developments in the types of cybercrime. For example, an amendment in 1986 added password fraud to the scope of the offence, and in 1996 the Communications Decency Act added provisions concerning the fight against obscene online content. Therefore, for the USA, the Budapest Convention functions as a tool that opens the existing legal infrastructure to international cooperation. The 24/7 contact point network and the rapid preservation/order mechanisms introduced by the Convention have facilitated the USA’s sharing of data with other countries.

US case law is also noteworthy in international cybercrime cases. As will be seen in the cases below, American courts have handed down bold decisions on the applicability of their criminal laws to perpetrators and systems located in foreign countries.

A. United States v. Ivanov17

In this case, the defendant, while in Russia, infiltrated the system of a US bank via the internet. Although the defendant argued that he had committed his acts without setting foot on US soil, the court held that the USA had jurisdiction. The reason given was that the effects of the act occurred in the USA and that the defendant had violated US laws even though he had done so via an information system.

B. Carpenter v. United States18

The Supreme Court ruled that the collection by the police of 12,898 location data records from a mobile phone operator without a court order constituted a “search” for the purposes of the Fourth Amendment to the US Constitution (prohibition of unreasonable searches and seizures) and, as a general rule, held that long-term location data cannot be collected without a court order. The Court emphasised that individuals’ expectation of privacy increases in the digital age and that historic location data deeply affect personal privacy, and noted that the state must respect fundamental rights in cybercrime investigations. This decision demonstrates that even traffic and location data, which are considered non-content data, may be sensitive in terms of privacy and that protections in line with international standards are necessary.

VI. CONCLUSION

In conclusion, the Convention has served as a pioneering document that has created a worldwide standard in the fight against cybercrime and paved the way for international cooperation. The adoption of the Convention by a wide group of countries, including Türkiye, has enabled the development of a common criminal policy against cross-border cyber threats. The examples examined in the article show that thanks to the incorporation of the norms of the Convention into national legislation, similar offence definitions and procedural tools have been enacted in many countries. However, it has also been noted that the effectiveness of the Convention depends largely on the good-faith cooperation of states. For example, the exclusion of some major states (Russia, China) from the Convention creates gaps in global cooperation. This situation brings a separate United Nations convention on cybercrime onto the agenda. Nevertheless, the Convention has remained the most important international mechanism in the field of cybercrime for more than twenty years. As can be seen from the examples of Türkiye, the EU and the USA, the Convention has both accelerated the process of legal harmonization and facilitated practical mutual legal assistance practices. In the future, as the technical dimension of cybercrime becomes even more complex, international law will need to keep pace with this speed. Indeed, new offence types are emerging in fields such as artificial intelligence, crypto assets and the internet of things. In this context, the Council of Europe updates the Convention with additional protocols and guidance principles, while the EU introduces regulations that facilitate data sharing among Member States. Türkiye also contributes to this common effort by making the necessary arrangements through Act No. 7545 and by participating in international initiatives. Ultimately, the fight against cybercrime is an area that requires thinking and acting beyond national borders, and it will gain effectiveness through the continuous development of international cooperation mechanisms.