Cybercrime law strengthens international cooperation

Key Provisions
New Procedural Approaches
Comment

On September 15 2009 Parliament passed a new law on cybercrime. Law 109/2009 transposes Council Framework Decision 2005/222/JHA of February 24 2005 on attacks against information systems and implements the Convention on Cybercrime, repealing Law 109/1991.

Key Provisions

Whereas Law 109/1991 dealt exclusively with substantive issues, the new law not only regulates cybercrime, but also introduces procedural rules that further promote mechanisms for international cooperation. The new law offers few substantive innovations, but the most significant changes affect the aiding and facilitation of data theft. The law criminalizes:

• the production, sale, distribution or other provision of computer data or devices that are intended to enable:
  • illegal access to computer data;
  • data interception;
  • data interference; and
  • IT system interference;
• the introduction of data or devices into one or more computer systems for such a purpose; and
• the importing, distribution, sale and possession (for commercial purposes) of devices that allow access to a payment or communications system or a restricted access service used to commit computer-related forgery.

The applicable penalties include greatly increased fines and prison terms, with maximum penalties ranging from one to 10 years' imprisonment.

The legislative changes were intended to incorporate the provisions of Article 6 of the convention, but they do not transpose it exactly. The legislature has not explicitly criminalized the procurement for use and importation of devices used to commit the crimes of illegal access, illegal interception and data and system interference. Furthermore, the law does not explicitly provide that such offences occur only when the devices in question are imported, possessed, produced, sold, distributed or otherwise made available with the specific purpose of committing the crimes in question.

Legal persons may be held responsible for the crimes identified in the law - a reflection of Article 12 of the convention - and in the same general terms set out in the Penal Code.

New Procedural Approaches

The main innovations under the new law relate to procedural approaches to cybercrime.

The competent courts can order the preservation of computer data for up to three months and may extend this period to one year. A preservation order can include traffic data that indicates the origin of a communication and the type of communications service used, as well as the communication's recipient, route, time, date, size and duration.

The law introduces a production order procedure that authorizes the courts to compel a person or entity to submit or allow access to computer data in that person or entity's possession or control. This procedure can apply to service providers, which can be compelled to submit private information relating to their subscribers, including:

• names;
• postal or geographic addresses;
• telephone and other access numbers; and
• billing and payment information.

The law excludes from the scope of such orders computer data stored on systems used by lawyers, doctors, bank employees and journalists. It also regulates search and seizure procedures for stored computer data. Article 19 of the convention allows national authorities to choose between several methods of computer data seizure, including:

• seizure of the storage medium itself, a copy of the data or other means of preserving or storing the data;
• permanent deletion of the data; or
• alternative methods of rendering data inaccessible.

Unlike the production order procedure, a search and seizure operation can target data stored in computer systems used by lawyers, doctors, bank employees and journalists. In these cases, the law makes search and seizure subject to the Code of Criminal Procedure and the Journalism Code of Ethics; however, this does not completely avoid the risk of endangering the particular standards of secrecy that apply to the professions in question.

Many of the mechanisms provided for by law, particularly in respect of data preservation and search and seizure, confer extensive powers on the criminal police that do not require judicial authorization. The legislature has sought to justify this in terms of the need to act promptly in investigating and pursuing cybercrime (and other crimes detectable through computer systems). However, this approach has the more questionable effect of potentially restricting individual rights and privacy without the intervention of a judge. Moreover, procedural rules laid down in the new law apply much more widely than the model of application outlined by the convention, extending the approach to any crime perpetrated using a computer system and for which evidence must be obtained in electronic form.

The international cooperation provisions of the law establish several mechanisms for mutual assistance in the investigation of cybercrime and the gathering of electronic evidence. The law provides for the creation of a permanent point of contact, which integrates the 24/7 Network set forth in Article 35 of the convention. This point of contact - which already exists within the criminal police service - is responsible for ensuring (i) the provision of immediate assistance in criminal investigations or proceedings concerning computer systems and data, and (ii) the collection of evidence in electronic form in relation to a criminal offence.

The new law establishes specific jurisdictional rules, as provided for in Article 22 of the convention. The law applies not only to offences committed in the Portuguese territory, but also to offences committed by Portuguese citizens abroad if no other criminal law applies.

Comment

It is generally agreed that the law represents a necessary and welcome attempt to revise Portuguese law on IT-related crime, but responses to some aspects have been mixed. Much criticism has been directed at the law's likely effectiveness in fighting cybercrime - for instance, it does not introduce more advanced mechanisms designed specifically to combat Internet-based crimes, such as the use of 'Trojan horses'(1) by the criminal investigation authorities. Despite reasonable reservations about how extensive its effect will be, the law represents a useful and much-needed tool in the fight against constantly evolving forms of cybercrime.

For further information on this topic please contact Cláudia Amorim or Maria Manuel Simões at Sérvulo & Associados by telephone (+351 21 093 30 00), fax (+351 21 093 30 01) or email (ca@servulo.com or mms@servulo.com).

Endnotes

(1) Software that infiltrates a computer system without the user's knowledge.