Status regarding Budapest Convention
Status: Party
Declarations and reservations: Declarations on Articles 2, 7, 24, 27, 35 and 40. Reservation on Article 42.
See legal profile
Cybercrime policies/strategies
The German cybercrime policies are largely in line with the provisions of the Budapest Convention on Cybercrime. The German Federal Ministry of Internal Affairs developed the Cyber Security Strategy for Germany with implementation from November 2016. The strategic objectives and measures proposed are:
- Protection of critical information infrastructures
- Secure IT systems in Germany
- Strengthening IT security in public administration
- Setting up a National Cyber Response Centre that reports to the Federal Office for Information Security (BSI)
- Setting up of a National Cyber Security Council
- Effective crime control also in cyberspace – strengthening the capabilities of LEA, the Federal Office for Information Security and the private sector in combatting cybercrime, also with regard to protection against espionage and sabotage. This ambitious objective presupposes a significant effort towards achieving global harmonization in criminal law based on the Budapest Convention on Cybercrime.
- Effective coordinated action to ensure cyber security in Europe and worldwide – such as supporting the extension and moderate enlargement of ENISA’s mandate.
- Use of reliable and trustworthy information technology.
- Personnel development in federal authorities.
- Tools to respond to cyber-attacks – in terms of ensuring effective and sufficient statutory powers and Länder levels
In 2014 the German Federal Ministry of Internal Affairs had developed a concise Cyber Security Strategy, including a Cyber Security Bill, in order to improve the IT security of the industry sector, enhance the protection of German internet users and, in connection with this, strengthen the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundeskriminalamt (BKA). To that end, amendments to several statutes were proposed, such as the Telecom Act, the Nuclear Act and others like the Data Protection Act, dealing among other things with critical information structures and legal duties to report security incidents and breaches to the BSI. Under this policy no amendments of criminal law and criminal procedural law were deemed necessary.
Cybercrime legislation
State of cybercrime legislation
The Penal Code (Strafgesetzbuch - StGB) of Germany, as amended in 2009, covers extensively the substantive law provisions as required by the Budapest Convention on Cybercrime.
Similarly, the Criminal Procedure Code (Strafprozeßordnung – StPO) addresses all of the procedural powers of the Convention, with the exception of Articles 16 and 17: the concept of seizure of computer data, including the disclosure of data, is effectuated by applying the concept of seizure of the data carrier concerned.
Substantive law
The Penal Code includes the following crimes as defined by Articles 2-12 of the Budapest Convention on Cybercrime:
- illegal access (§ 202a StGB is broader than Article 2 CCC because it criminalizes the unauthorized access to data, which may or may not include the access to a computer system. Furthermore, prosecution is only possible after complaint);
- unlawful interception (§ 202b StGB);
- data manipulation (§ 303a StGB);
- computer sabotage (§ 303b StGB);
- computer forgery (§ 269 ff StGB);
- computer fraud (§ 263a StGB);
- Article 6 (distribution of access codes or malware) is criminalized by § 202c StGB insofar as it concerns facilitation of the crimes of §§ 202a and 202b StGB;
- Article 9 is embodied in § 184 StGB;
- Representatives of a legal person (Article 12) can be held criminally liable according to § 14 StGB. According to German legal theory, legal persons are not capable of committing crimes but can be held liable for committing offences (§§ 30, 130 Ordnungswidrigkeitengesetz (OWiG));
- Aiding and abetting (Article 12) is criminalized by §§ 26ff StGB and applicable to all crimes.
Procedural law
Criminal investigations are undertaken by the police or on request of the Prosecution Officer. The police are obliged to execute such a request. The Prosecution Officer is responsible for the undertaking of the criminal procedure.
The procedural/coercive measures defined by the Cybercrime Convention are included in StPO and are therefore applicable to investigations by German law enforcement authorities of any crime under their competence, as prescribed by Article 14 Cybercrime Convention.
The preliminary measures under the Cybercrime Convention (Articles 16 and 17) are as such not implemented in StPO, because the concept of seizure of computer data, including the disclosure of data, is effectuated by applying the concept of seizure of the data carrier concerned, as regulated for tangible objects in §§ 94 ff StPO.
Disclosure of computer data (Article 18 ss 1 under a) is, for similar reasons, not implemented as such but is covered by § 95 StPO – the duty to hand over physical objects, including data carriers, that may serve as evidence.
Disclosure of subscriber information by service providers is regulated by § 100j StPO and § 112 ss 2 and 4 StPO and § 113 TKG.
Collection of traffic data of publicly available communication services (Article 20) is the subject of § 100g StPO. Traffic data is defined by § 96 ss 1, § 113a and 113b TKG (Telecommunication Act). Germany applied a data retention system for publicly accessible communication services for a period of six months. As a consequence of the decision of the German Constitutional Court of March 2010, §§ 113a and 113b TKG are declared void. [BVerfG 1 BvR 256/08]
Production of traffic data and subscriber information can be ordered on the basis of § 100g StPO. Interception of telecommunications (Article 21) is regulated by § 100a StPO. The measure should in principle be ordered by the court, on request by the Prosecution Officer, or in urgent circumstances by the Prosecution Officer. The procedure is defined by § 100b StPO.
Safeguards
General rules and safeguards apply. Coercive measures can only be applied if permitted and defined by criminal procedural law (StPO) and if given conditions apply. Application of coercive measures is only legally possible if proportional (verhältnismässig) in relation to all interests involved. Specific to the German StPO are rules on so-called Beweisverbote, restrictions on the collection and the use of certain means of evidence.
No specific rules are given concerning cyber issues in the widest possible sense. However, reference should be made to the specific safeguards concerning §§ 100a-101 StPO. Collection of traffic data is only permitted if necessary for the investigation of a serious crime or to establish the location of a suspect of such a crime. § 100a StPO ss 2 specifies under paragraphs a) to t) the types of such serious crimes, including the attempt or preparation thereof. Of the provisions of Articles 2-12 Cybercrime Convention, only those defined by Articles 5, 7 and 9 Cybercrime Convention qualify as serious crimes within the scope of § 100a StPO. With regard to collection of traffic data, this measure is additionally applicable in case of the commission of a crime by means of telecommunication, provided that no other means to achieve the purpose are available and the measure is proportionate.
Since the procedures of §§ 113a and 113b TKG are declared void, new law will be enacted restricting and detailing the purposes for which retained traffic data may be used. Interception of telecommunications is only possible in case of certain serious crimes. The law requires a yearly government report about application of § 100g StPO.
Related laws and regulations
Apart from an extensive legal framework on technical aspects, other important regulations are:
- Telecommunications Act [Telekommunikationsgesetz (TKG) of 23 June 2021 (BGBl. I p. 1858), last amended by Article 8 of the Act of 10 September 2021 (BGBl. I p. 4147)]. § 113a TKG defines the different types of traffic data and obliges service providers to retain such data for a period up to five (six) months. Chapter 2 of TKG (§§ 91 ff.) deals with data protection issues in telecommunications;
- Act on Internet services (Telemediengesetz – TMG) of March 2017; unsolicited e-mail can be fined if in violation of § 6 Unfair Competition Act (Unlautere Wettbewerb – UWG);
- Federal Data Protection Act of 30 June 2017, as amended by Article 12 of the Act of 20 November 2019 (Federal Law Gazette I, p. 1626). [Bundesdatenschutzgesetz (BDSG) of 30 June 2017 (BGBl. I p. 2097), amended by Article 10 of the Act of 23 June 2021 (BGBl. I p. 1858)];
- Copyright Act (Urheberrechtsgesetz – UrhG) of 9 September 1965, as last amended by Article 1 of the Act of 28 November 2018 (Federal Law Gazette I, p. 2014);
- The Act to adapt Copyright Law to the Requirements of the Digital Single Market (Gesetz zur Anpassung des Urheberrechts an die Erfordernisse des digitalen Binnenmarktes vom 31. Mai 2021), promulgated on 4 June 2021;
- Copyright Service Provider Act (Urheberrechts-Diensteanbieter-Gesetz - UrhDaG), in force since 1 August 2021 (unofficial translation in English);
- Art Copyright Act (KunstUrhG) of 9 January 1907, as last amended by Article 3 § 31 of the Law of February 16, 2001 (Federal Law Gazette I p. 266);
- German Telemedia Act (Telemediengesetz – TMG) of 26 February 2007;
- Energy Industry Act (Energiewirtschaftsgesetz – EnWG) of 7 July 2005;
- Act on the peaceful use of nuclear energy and protection against its dangers (Atomgesetz – AtG) of 15 July 1985;
- Banking Act (Kreditwesengesetz – KWG) of 9 September 1998;
- Unfair Competition Act (UWG) of 3 March 2010 (Federal Law Gazette I p. 254), as last amended by Article 5 of the Act of 18 April 2019 (Federal Law Gazette I, p. 466);
- Trade Secret Act (Gesetz zum Schutz von Geschäftsgeheimnissen – GeschGehG) of 18 April 2019;
- Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0) of 18 May 2021;
- Act of 14 August 2009 on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG), amended on 23 June 2017 by the implementation act of directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016;
- General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016), supplemented by the Federal Data Protection Act of 30 June 2017 (Bundesdatenschutzgesetz – BDSG), and the data protection laws of the federal states;
- Act on Regulatory Offences (19 February 1987, last amended in 2019). [Gesetz über Ordnungswidrigkeiten (OWiG) in the version promulgated on 19 February 1987, last amended by Article 31 of the Act of 5 October 2021];
- Act on International Mutual Assistance in Criminal Matters, as amended by Article 4 of the Act of 10 December 2019 (Federal Law Gazette I, p. 2128) [Gesetz über die internationale Rechtshilfe in Strafsachen (IRG) in the version promulgated on 27 June 1994 (BGBl. I p. 1537), last amended by Article 29 of the Act of 5 October 2021 (BGBl. I p. 4607)].
Specialised institutions
- In each of the German States there is an operational state criminal police office (Landeskriminalamt – LKA) in charge of criminal investigations. As a response to the increasing number of internet crimes, some Länder are considering the establishment of a (specialized) cybercrime center;
- The Bundeskriminalamt (BKA) co-ordinates national and international police contacts. In addition to its task to investigate serious (organized) crimes, the BKA is also mandated to investigate cases of particularly serious cybercrime. The BKA also co-ordinates between national and international law enforcement bodies with regard to child pornography;
- Some District Prosecution Offices already have a plan to establish a specialized cybercrime coordinating center, possibly in combination with other forms of (serious) crime, such as Zentralstelle zur Bekämpfung der Cyberkriminalität (ZAC-Köln), Zentralstelle zur Bekämpfung der IuK Kriminalität – Cybercrime, Zentralstelle Organisierte Kriminalität (ZOK Celle). Concerning the judiciary, there is no similar structure or organization;
- National Authority for Telecommunications (Bundesnetzagentur) in Bonn;
- Federal Commissioner for Data Protection and Freedom of Information (Bundesdatenschutzbeauftragter für den Datenschutz und Informationsfreiheit – BfDI) in Bonn;
- National Cyber Defense Centre (Nationales Cyber-Abwehrzentrum – NCAZ), operational since February 2011.
International cooperation
Competent authorities and channels
The Federal Republic of Germany is Party to most of the treaties and conventions on judicial international cooperation within the European Union and the Council of Europe. In case no Treaty or Convention is in force, the Act on international legal assistance (Internationale Rechtshilfe in Strafsachen – IRG) provides procedures and conditions for assistance. This overview does not deal with legal assistance procedures between the individual German states (Länder). The special powers of Articles 29-31 and 34 Cybercrime Convention are available for authorized requesting States under the IRG.
Concerning international police co-operation, Germany participates in the Joint Cybercrime Action Taskforce (J-CAT) of Europol’s Cybercrime Centre (EC3). Participants: Austria, Canada, Germany, France, Italy, the Netherlands, Spain, UK and USA. Australia and Colombia have also committed to the initiative.
The legal competence to start and direct criminal investigations is assigned to the Prosecution Service (§§ 160 StPO), with assistance from police. It is also the competence of the Prosecution Service to send and to receive international requests for cooperation in criminal matters. In compliance with Article 35 of the Budapest Convention, a 24/7 point of contact is established as part of the BKA in Wiesbaden, together with the G8 contact point and the Interpol contact point.
Authority for extradition and provisional arrest in the absence of other treaties (Article 24)
Auswärtiges Amt (Werderscher Markt 1, 10117 Berlin), see declaration of Germany of 09.03.2009 re. Art 24 par. 7 a
Authority for Mutual Legal Assistance in the absence of other agreements or arrangements (Article 27)
Auswärtiges Amt (Werderscher Markt 1, 10117 Berlin), see declaration of Germany of 14.05.2009 re. Art 27 par. 2 a
24/7 Contact point (Article 35)
National High Tech Crime Unit at the Federal Criminal Police Office (Bundeskriminalamt) (Thaerstr. 11, 65193 Wiesbaden), see declaration of Germany of 09.03.2009 re. Art 35 par. 1
Practical guides, templates and best practices
Jurisprudence/case law
A DDoS attack on the website of a company is criminalised by § 303a StGB (LG Düsseldorf, March 22, 2011).
Seizure of e-mails: applicable conditions, Landesgericht Ravensburg, 9 December 2002.
Legality of on-line searches: BVerfG, February 27, 2008.
Setting aside of data retention: BGH, July 3, 2014.
Sources and links
Research and Databases:
- Country legal profile, March 2022, (in German);
- Research on Cyber security and ICT, see e.g. Fraunhofer Institut München;
- ENISA, Cyber Security Strategy for Germany 2016;
- EU Cybersecurity Act (Regulation (EU) 2019/881 of 17 April 2019);
- German Criminal Code (Strafgesetzbuch – StGB);
- Criminal Procedure Code (Strafprozeßordnung – StPO).
Institutions:
- Office of the Federal Prosecutor (Bundesstaatsanwalt): see cybercrime units in individual Länder, if in operation;
- Telecom regulator (Bundesnetzagentur, BNetz) in Bonn;
- Federal Commissioner for Data Protection and Freedom of Information (Bundesdatenschutzbeauftragter für den Datenschutz und Informationsfreiheit – BfDI);
- Bitkom (Germany’s Association of ICT and telecommunication industry);
- Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen - BNetzA);
- Federal Ministry of the Interior, Building and Community (BMI), German cybersecurity strategy.
News:
- Deloitte, New challenges for the digitization of Germany: what the IT Security Act 2.0 and the new KRITIS-Ordinance entail, 2021;
- Bundesregierung, Goals adopted in the area of cyber security, 8 September 2021;
- JD Supra, The end of an odyssey: The German Act to adapt copyright law to the requirements of the Digital Single Market, 1 June 2021;
- DLA Piper, Germany: DSM Copyright Reform Law enters into force on 7 June 2021, 4 June 2021;
- Osborne Clarke, German justice ministry presents draft for copyright service provider law, 23 July 2021;
- Euractiv, Cybercrime threat in Germany higher than ever before, 22 Oct 2021.

These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.