The Cybercrime Vacuum: Will the Budapest Convention Fail at India’s Digital Border

Abstract: 

We are currently in an era where technology is booming, and its effects are widespread.  These effects are both exciting and scary – exciting because they enable us to do certain  things in a way we could have never imagined, and terrifying because the outcomes of this  development are unpredictable. It is a normal human tendency to be afraid of things one is  unaware of. As of now, virtual boogeymen such as cybercrime and cyber terrorism have  infiltrated society, and this article addresses these two issues in general. Incidents like the  ongoing cyberattacks in the Russia-Ukraine war, the NotPetya ransomware attack of 2017,  the Stuxnet cyberattack on Iran’s nuclear program, or the Colonial pipeline attack of 2021,  which targeted the most extensive fuel pipeline system in the United States, highlight how  unsafe we are from cyber threats. To combat this, the Convention on Cybercrime, also known  as the Budapest Convention, came into effect in 2004, making it the first and only binding  international treaty that explicitly addresses Internet and computer crime. This article delves  deeply into the rising cyber threats and whether the Budapest Convention serves as a  practical measure against the aforementioned virtual boogeymen. Additionally, it examines  India’s stance on the Budapest Convention and whether its adoption will be advantageous to  India. 

Keywords: 

Cybercrime, Cyber terrorism, International Cooperation, Budapest Convention, Virtual  Boogeymen, Cross-border evidence, IT Act, Cyber security, Cybercrime Vacuum 

1. Introduction: 

It can’t be denied that the expansion of the internet has fundamentally reshaped society in  ways that humans couldn’t have imagined. The digital realm has undoubtedly revolutionised  commerce, governance, and communication. “A recent report from India’s National Statistics  Office (NSO) indicates that 7 in 10 Indians are now online, with the latest 70.0 percent  penetration figure more than 10 percentage points higher than the 58.4 percent figure reported by Kantar and the IAMAI just a few months ago.”1 This has inevitably aided in the surge of  digital crime, and India is now a hotspot for these threats. “Cyberwarfare has emerged as a  regular and deadly facet of international conflict in a world still filled with spies, hackers, and  top-secret digital weapons programs”.2 The situation has turned extremely alarming,  threatening to flush all the progress made until now down the drain. The biggest jurisdictional  challenge in cross-border cybercrime cases is that the victim, perpetrator, and evidence or  witnesses may reside in different countries, exposing the underlying ‘vacuum’ in international  enforcement. 

This article will analyse the argument regarding India’s continued hesitation to fully integrate  with the Council of Europe’s Convention on Cybercrime (the Budapest Convention) and  whether the possible integration will be fruitful for India. 

2. Cyber Terrorism and Cyber Crime – The ‘Virtual Boogeymen’: 

“Cyber crime may be said to be those species, of which, genus is the conventional crime, and  where either the computer is an object or subject of the conduct constituting crime” “Any  criminal activity that uses a computer either as an instrumentality, target or a means for  perpetuating further crimes comes within the ambit of cyber crime”3 The threat of cybercrime  is ubiquitous, permeating society and affecting individual organisations and even  governments. 

The other ‘Virtual Boogeyman’ that is Cyber Terrorism occurs when cyberspace is utilised to  create terror among people. The attack is usually for political or ideological goals and causes  violence and propagates fear. Prime examples include the Colonial Pipeline Ransomware  Attack (2021), in which a group known as DarkSide targeted the largest pipeline supplier in  the United States, resulting in the operational shutdown of pipeline services and the Stuxnet  attack, which involved a malicious worm targeting the Natanz uranium enrichment facility in  Iran, causing the facility’s centrifuges to malfunction and destroy themselves physically. “In addition, cyberterrorism has been used to spread propaganda and manipulate public opinion,  as well as to steal sensitive information, such as intellectual property or personal data. The  fear of cyberterrorism has also led to increased spending on cybersecurity measures by  governments and private companies.”4 

3. The Budapest Convention: 

“The Budapest Convention on Cybercrime, adopted in 2001, is a significant international  treaty aimed at addressing cybercrime and promoting international cooperation in combating  cyber threats.”5“The Convention serves as a comprehensive framework for countries to  harmonize their legislation, enhance investigative techniques, and facilitate the exchange of  information and evidence across borders.”6“The Convention encompasses a wide range of  cybercrimes, including offenses related to computer systems, data interference, computer related fraud, and child pornography.”7It serves to criminalize various offenses related to  cybercrime. It underscores the importance of international cooperation among countries and  emphasizes the need for robust domestic legislation to effectively combat the growing threat  of cybercrime. By establishing a common framework for addressing these issues, the  Convention aims to foster collaboration between nations to share information and best  practices, ensuring a united front against cybercriminals. Additionally, it encourages  countries to adopt comprehensive laws that address the complexities of cyber offenses,  thereby enhancing overall cybersecurity and protecting individuals and organizations from  potential cybercrime attack. 

4. Provisional analysis of Budapest Convention: 

The Convention is structured around three main pillars: criminalisation, procedural law, and  international cooperation.  

Criminalisation: 

• Article 2 (Illegal Access): This is a foundational article focusing on the  first act in any cyber offence, namely unauthorised logging, also known as  hacking.  
• Article 4 (Data Interference) & Article 5 (System Interference): These two  articles focus on the serious issue of criminalizing data interference and  system interference, as well as the act of severely hindering a computer’s  overall function and operational integrity. 
• Article 6 (Misuse of Devices): This article forbids any production or sale  of hacking tools intended to commit a security breach aiming to stop a  crime way before it happens. 

Procedural Law: 

These articles deal with the process of securing digital evidence. 

• Article 16 (Expedited Preservation of Stored Computer Data): Electronic  evidence is generally volatile and can be subject to deletion, hindering the  formal proceedings. To preserve evidence, this article empowers the authority to freeze the proof immediately. 
• Article 18 (Production Order) & Article 19 (Search and Seizure): These  articles serve as a subpoena or a search warrant, empowering the relevant  authorities to conduct an intrusive search of the suspected computer network or system. 

International Cooperation:  

• Article 23 (General Principles): “The Parties shall co-operate with each  other, in accordance with the provisions of this chapter, and through the  application of relevant international instruments on international  cooperation in criminal matters, arrangements agreed on the basis of  uniform or reciprocal legislation, and domestic laws, to the widest extent  possible for the purposes of investigations or proceedings concerning  criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”8 
• Article 35 (24/7 Network): “Each Party shall designate a point of contact  available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or  proceedings concerning criminal offences related to computer systems and  data, or for the collection of evidence in electronic form of a criminal offence.”9 

5. Are Indian Legislations enough, or is there still some room for progress? 

India has been somewhat hesitant about joining the Budapest Convention. It is also true that  cybersecurity protection laws have evolved. Still, as crimes become increasingly  sophisticated, a crucial question arises: Are the existing laws sufficient, and will joining the  Convention bridge the remaining gap in cybersecurity protection? This section aims to  analyse Indian Legislations and their effectiveness in the virtual landscape. 

The Information Technology Act, 2000: 

• Section 66: Similar to Article 2 of the Convention, it declares the act of  breaching into a computer system or network with the wrongful intention to cause harm as punishable. 
• Section 43: This article serves as an excellent deterrent for The Criminal act of downloading viruses without permission, and can lead to a compensation of 1 crore rupees. 
• Section 66C: Criminalises identity theft 
• Section 69: Similar to Article 16 of the Convention 

The Digital Personal Data Protection Act, 2023 (DPDP Act): A comprehensive framework designed to regulate how personal digital data is  handled. It grants rights to data principals (individuals) and imposes responsibilities on data fiduciaries (entities that process this data). The Act is  anticipated to be Highly Effective. As India’s first modern data protection  legislation, it establishes rigorous requirements regarding consent, data breach  notifications, and significant financial penalties, aligning the country’s data  laws more closely with global standards.  

The New Criminal Codes (e.g., Bharatiya Nyaya Sanhita, 2023) 

These are poised to replace the Indian Penal Code (IPC) of 1860. These new  codes are expected to include updated provisions that address crimes committed through digital means, enhancing the existing IT Act. With the  potential for significant impact, they aim to incorporate modern offenses, such  as community service for minor crimes, along with clearer definitions for  digital offenses.  

6. Analysing the effectiveness of the Convention in Indian Landscape:

India is a massive economy, and the decision to join the Budapest Convention must be  carefully mulled over, as it has the power to shape or transform India’s cyberspace. 

1. Advantages of joining the Budapest Convention:

• Improved global cooperation: Traditional mutual legal assistance requests typically take anywhere from 6 months to 2 years to yield results, and electronic evidence is highly volatile; it can be deleted or encrypted almost  instantly. With the Budapest Convention, the 24/7 network of contact points  mitigates this problem. “The Convention’s framework facilitates mutual legal  assistance, ensuring smoother and expedited processes for obtaining electronic  evidence from foreign jurisdictions.”10 
• Further solidification of domestic legislation: Even though provisions of the Budapest Convention and the Indian Information Technology Act 2000 align, the adoption of the Budapest Convention will result in further solidification of  domestic legislation. By aligning its legislation with the Convention’s provisions, India can strengthen its legal framework for cyber evidence,  ensuring consistency, reliability, and adherence to international standards.
• As mentioned earlier in the article, the biggest jurisdictional challenge in  cross-border cybercrime cases is that the victim, perpetrator, and evidence or  witnesses may reside in different countries, exposing the underlying ‘vacuum’  in international enforcement. The Budapest Convention has successfully  standardised the means of obtaining cross-border evidence, making the  process less time-consuming and more efficient. 

Limitations: Where does the Convention fall short?

“While considering India’s membership in the Budapest Convention on Cybercrime, it  is important to address potential concerns and identify appropriate mitigation  measures.”11 

• The Article 32b problem: This is the primary reason behind India’s hesitancy in joining the Budapest Convention. India fears that this article will infringe upon the country’s sovereignty as it bypasses several of India’s domestic  judicial processes. 
• India’s non-involvement in the drafting of the Convention’s provisions: The Convention was drafted in 2000, and many non-European countries were not part of its drafting process, including India. It is fair to posit that a country  should not be a part of a Treaty whose provisions were not mediated or  negotiated by the said country, as it may not correctly reflect the bonds and  demands of the country. 
• Individual privacy concerns: “It is essential to ensure that adherence to the Budapest Convention does not compromise individual privacy rights and is in line with India’s existing data protection framework, such as the Personal Data  Protection Bill.”12“Mitigation measures can include conducting a thorough  analysis of the Convention’s provisions to ensure compatibility with domestic  privacy laws, implementing necessary safeguards for data protection, and  establishing mechanisms for oversight and accountability.”13 

7. Conclusion: Accession with Reservation:

Should India dive headfirst into the accession of the Budapest Convention, or should it  refrain from doing so? Indeed, the existence of a cybercrime vacuum, a product of volatile electronic evidence and slow mutual legal assistance treaties, hinders any progress made  against the ‘Virtual Boogeymen’. A comprehensive remedy addressing this issue should be India’s priority. 

Which is why India must strategically accede with intelligent reservations. Something that  balances sovereignty, individual privacy and also addresses cybercrime effectively. “Very recently in India, in January 2018, Ministry of Home Affairs in India mentioned the vital  need for international cooperation to supervise cybercrime activities and ensure data security.”14 

Accession will provide India with a 24/7 network, which standardises cross-border evidence  submission, making convictions faster and easier. However, it is also worth considering that Article 32b might infringe on the nation’s sovereignty, which is non-negotiable. 

A strategic approach which fosters co-operation through accession and protection through  reservation will be the most intelligent path. 

8. Bibliography: 

• Simon Kemp, Digital 2026: Global Overview Report (We Are Social & Meltwater,  Oct. 2025), available at https://datareportal.com/reports/digital-2026-global overview-report?rq=Digital%202026%3A%20Global%20Overview%20Report 
• Iftikhar S. 2024. Cyberterrorism as a global threat: a review on repercussions and  countermeasures. PeerJ Computer Science 10:e1772 https://doi.org/10.7717/peerj cs.1772 
• Kamini Dashora, *Cyber Crime in the Society: Problems and Preventions*, 3 J.  Alternative Persps. Soc. Scis. 240 (2011) 
• Council of Europe. (2001). Convention on Cybercrime (Budapest Convention).  Retrieved from https://www.coe.int/en/web/conventions/full-list/- /conventions/treaty/185 
• Von Lampe, K. (2016). Twenty-Five Years of the Budapest Convention: The Global  Framework against Cybercrime. Computer Law & Security Review, 32(2), 175-187 
• Article 2, Convention on Cybercrime 
• Article 24, Convention on Cybercrime 
• Article 35, Convention on Cybercrime 
• Makam Ganesh Kumar, India’s Evidence Act and the Case for Joining the Budapest  Convention: A Comprehensive Analysis of Cyber Evidence, SSRN Electronic J. (Jan.  2023) 
• The Personal Data Protection Bill, 2019 
• Acharya, R. (2020). Data Protection in the Digital Era: A Comparative Analysis of  India’s Personal Data Protection Bill and the GDPR. Journal of Cyber Policy, 5(1), 1- 23 
• Anuttama Ghose & S. M. Aamir Ali, Global Justice vis-avis Cyber Terrorism:  Analyzing the Effectiveness of the Budapest Convention in India, 29 SRI LANKA J.  INT’l L. 1 (2023).

1 . Simon Kemp, Digital 2026: Global Overview Report (We Are Social & Meltwater, Oct. 2025), available at  https://datareportal.com/reports/digital-2026-global-overview report?rq=Digital%202026%3A%20Global%20Overview%20Report . 

2Iftikhar S. 2024. Cyberterrorism as a global threat: a review on repercussions and countermeasures. PeerJ  Computer Science 10:e1772 https://doi.org/10.7717/peerj-cs.1772 . 

3 Kamini Dashora, *Cyber Crime in the Society: Problems and Preventions*, 3 J. Alternative Persps. Soc. Scis.  240 (2011).

4Iftikhar S. 2024. Cyberterrorism as a global threat: a review on repercussions and countermeasures. PeerJ  Computer Science 10:e1772 https://doi.org/10.7717/peerj-cs.1772 . 

5 Council of Europe. (2001). Convention on Cybercrime (Budapest Convention). Retrieved from  https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185. 

6 Von Lampe, K. (2016). Twenty-Five Years of the Budapest Convention: The Global Framework against  Cybercrime. Computer Law & Security Review, 32(2), 175-187. 

7 Article 2, Convention on Cybercrime.

8 Article 24, Convention on Cybercrime.

9 Article 35, Convention on Cybercrime.

10 Article 24, Convention on Cybercrime.

11 Makam Ganesh Kumar, India’s Evidence Act and the Case for Joining the Budapest Convention: A  Comprehensive Analysis of Cyber Evidence, SSRN Electronic J. (Jan. 2023). 

12 The Personal Data Protection Bill, 2019. 

13 Acharya, R. (2020). Data Protection in the Digital Era: A Comparative Analysis of India’s Personal Data  Protection Bill and the GDPR. Journal of Cyber Policy, 5(1), 1-23.

14 Anuttama Ghose & S. M. Aamir Ali, Global Justice vis-avis Cyber Terrorism: Analyzing the Effectiveness of  the Budapest Convention in India, 29 SRI LANKA J. INT’l L. 1 (2023).