Octopus Cybercrime Community

There is no law that would specifically regulate the area of cyber security and fight against cybercrime in Republic of Slovenia. Cybercrime offences are included in Criminal Code, and processed in accordance with Criminal Procedure Act that applies to all criminal proceedings.

Further information on cyber security legislation and its implementation can be found in Slovenian language here.

Substantive law that contains also cybercrime offences is Criminal Code of Slovenia (further on CC; the version in force is available only in Slovenian language). It includes all offences provided in Cybercrime Convention and additional Protocol to the Convention.

The following criminal offences can be placed into the group of offences against the confidentiality, integrity and availability of computer data and systems:

• attack on information system (Article 221 CC),
• misuse of information system (Article 237 CC),
• manufacture and acquisition of weapons and instruments intended for commitment of criminal offence (Article 306 CC, § 3),
• abuse of personal data (Article 143 CC, § 2), and
• terrorism (Article 108 CC, § 3(1) that is in between incriminating cyber-terrorism).

As regards computer-related offences, computer-related forgery and computer-related fraud, they do not constitute special criminal offence in Slovenia, but such activities can, dependent on the circumstances of concrete case, constitute general criminal offence of fraud (Article 211 CC), falsification of documents (Article 251 CC) or other criminal offence.

Content-related offences are in Slovenian CC the following:

• solicitation of persons under fifteen years of age for sexual purposes (Article 173.a CC),
• presentation, manufacture, possession and distribution of pornographic material (Article 176 CC),
• abuse of personal data (Article 143 CC, § 3), and
• public incitement to hatred, violence and intolerance (Article 297 CC).

And the following criminal offences are related to infringements of copyright and related rights:

• violation of moral copyright (i.e. right to be named as an author) (Article 147 CC),
• violation of material copyright (i.e. property rights) (Article 148 CC), and
• violation of rights related to copyright (Article 149 CC).

For all mentioned criminal offences also legal persons can be held liable according to the provisions of Act on Liability of Legal Persons for Criminal Offences (available only in Slovenian language).

The Criminal Procedure Code implements specific procedural powers required by the Budapest Convention, with exception for preservation powers and production orders.

Procedural rules on detection and investigation of cybercrime offences (as well as all other offences) are included in Criminal Procedure Act (further on: CPA, version in force is available only in Slovenian language). Main provisions regarding computer data and collection of electronic evidence are Articles 219.a and 223. a CPA that regulate:

• seizure of electronic device (provisions on seizure of electronic device are of special nature vis-a-vis general provisions on seizure of objects for the purpose of criminal proceeding. CPA develops broad definition of electronic device, including electronic devices, devices connected to electronic device and electronic data holders, such as telephone, fax, computer, floppy disk, optical media and memory cards),
• preservation of electronic data (electronic data should be either saved on another proper data holder in a way that their identity and integrity is preserved and they can be used in further procedure, or the identical copy of the whole data holder should be made and the integrity of this copy should be assured), and
• investigation of electronic device (it includes obtaining the data from electronic device, i.e. the investigation of the content stored on the electronic device).

Owner, user, administrator of guardian of the electronic device or the person that has access to the device is obliged, on the demand of the authority that has seized the device, to do everything necessary that (s)he is able to do to prevent the data from being destroyed, altered or hidden. In addition, owner or user of electronic device is obliged to enable the authorities to obtain access to the device, to provide decryption keys or passwords and explanations on how to use the device that are necessary for the purpose of the investigation. Failing to provide such help can lead to a fine or even imprisonment up to one month. However, sanctions cannot be used against those people who are protected by constitutionally guaranteed privilege against self-incrimination, such as suspect, defendant and the person who cannot be called as a witness.

As regards preservation and retention of traffic data, they were processed and collected on the basis of Articles 162 – 169 of Electronic Communications Act (further on ECA). Telecommunication operators were obliged to retain those data for 14 (telephone communication) or 8 (internet and other communication) months for the specific needs of criminal proceedings. However, in July 2014 Constitutional Court of Republic of Slovenia declared those ECA provisions unconstitutional, and consequently abrogated them and ordered operators to immediately destroy all retained traffic data (Constitutional Court Decision No. U-I-65/13). This decision is based on previous decision of Court of Justice of European Union (joint decision in cases -293/12 in C 594/12 of 8. April 2014) that declared Data Retention Directive invalid. Therefore traffic data retention is not regulated in Slovenia momentarily (abrogated provisions of ECA have not yet been substituted with new regulation), and law enforcement authorities can obtain only those data that telecommunication operators store for the business purposes (mainly for invoicing). Article 149.b CPA that is regulating traffic data obtaining from operators for the need of criminal proceeding is still in force, but can be used only theoretically, since operators do not retain or store those data after July 2014. According to provision of Article 149.b, § 1 and 2, operator is (was) obliged to provide traffic data (number or other identification mark of electronic communication users, type, time and duration of call or other form of communication, amount of downloaded data and location where communication took place) to the competent authority based on court order issued by investigating judge on written request of state prosecutor. However, no court order is needed for the police to request data on owner or user of certain communication means and on time when this means was or is in use (Article 149.b, § 3).

Real-time collection of traffic data and interception of content data is in Slovenia possible with special investigating measure that allows monitoring of electronic communications using listening and recording devices and the control and protection of evidence on all forms of communication transmitted over the electronic communications network. Rules and conditions for implementation of this measure in concrete case are regulated in Articles 150 and 151 CPA. This measure can be used only for narrow circle of criminal offences that are explicitly listed in CPA (in between for (cybercrime) offences from Articles 108, 173.a and 176 CC). This measure can be ordered by investigating judge on written request of state prosecutor if there are well-grounded reasons for suspicion that certain person committed or is committing criminal offence, and if there is well-grounded suspicion that certain communication means or computer system was or is used in connection to that criminal offence. When ordered, the measure is then enforced by the police.

General rules and safeguards apply also in criminal proceedings for cybercrime offences. As explained above, traffic data can be in criminal proceedings obtained only on the basis of court order. The same holds true for application of special investigating measure for monitoring of electronic communications in real time. This investigating measure is in addition limited on narrower circle of serious criminal offences.

Rules and regulations that directly or indirectly refer (also) to the cybercrime topic are the following:

• Personal Data Protection Act,
• Electronic Communications Act,
• Electronic Commerce Market Act (available only in Slovenian language)
• Electronic Commerce and Electronic Signature Act (available only in Slovenian language).
• Information Security Act (available also here)

Different types of mutual legal assistance and other forms of cooperation in criminal cases between member states of European union that are regulated in ACCMMSEU, are mostly based on the principle of direct cooperation between competent authorities, i.e. courts, state prosecution offices or administrative authorities, dependent on the concrete case. Exchange of data from criminal records and some other tasks based on ACCMMSEU falls within the competence of Sector for international legal aid of the Ministry of Justice (website available only in Slovenian language). With the purpose of further improvement of international judicial cooperation in criminal matters, ACCMMSEU is enabling Slovenian authorities to cooperate also with European Judicial Network. Contact points of this Network are established at district courts, Supreme Court, Office of the State Prosecutor General, Ministry of Justice and Office for the Money Laundering Prevention. Republic of Slovenia is having also its national representative in Eurojust.

When international cooperation is based on the provisions of CPA, requests of domestic courts and prosecution offices are as a rule submitted to the foreign authorities through diplomatic channels, via Ministry of Foreign Affairs. The same is valid for submitting requests of foreign judicial authorities to Slovenian counterparts (in such cases also Ministry of Justice is included). However, in urgent cases those requests can be sent via the Ministry of Interior (if reciprocity exists) or in cases of money laundering via the Office for the Money Laundering Prevention. But under the condition of reciprocity or on the basis of provisions in international documents also direct mutual legal assistance between domestic and foreign authorities participating in criminal procedure is possible, including usage of technical means, such as computer networks and other means of information and communication technology.

As regards international police cooperation, International Police Co-operation Division is operating within Criminal Police Directorate, providing amongst other the cooperation of Slovenian police with Interpol and Europol.

International Police Co-operation Division is also the Slovenian contact point for 24/7 Network based on Article 35 of Cybercrime Convention. In concrete cases this division as a rule engages the Centre for Computer Investigation for technical assistance.

The Republic of Slovenia signed most conventions and international treaties adopted by the Council of Europe and the European Union that include (also) rules on international cooperation in criminal proceedings. Besides, Slovenia signed a number of bilateral treaties (list is available only in Slovenian language) regulating mutual legal assistance in criminal-law matters with various countries. As regards domestic regulation, basic legal framework for international cooperation in criminal cases (also in the area of prosecution of cybercrime offences) is in Slovenia composed of:

• Act on Cooperation in Criminal Matters with the Member States of the European Union (further on ACCMMSEU; the version in force is available only in Slovenian language) that is regulating cooperation in criminal cases between competent authorities of the Republic of Slovenia and other member states of European Union. This cooperation comprehends mutual recognition and enforcement of different court decisions, including European arrest warrant and European evidence warrant, transfer of criminal prosecution to other country, mutual legal assistance in criminal cases, including establishment of joint investigation teams (JITs) and joint enforcement of investigating measures, and other forms of cooperation as provided in European union regulation; and
• Criminal Procedure Act (version in force is available only in Slovenian language), that is in chapter 30 and 31 regulating the procedure for mutual legal assistance and implementation of international treaties in criminal-law matters, and extradition procedures. These provisions of CPA are of subsidiary nature and apply only if international treaty or law do not provide different regulation, and only in relation to third countries (i.e. non-member states of EU).