Octopus Cybercrime Community

In terms of substantive law, the current Criminal Code of Azerbaijan contains elements of all substantive law offences provided by the Budapest Convention.

The Criminal Procedure Code does not implement procedural powers in compliance with the Budapest Convention, with exception of partial implementation of production orders.

Amendments to procedural legislation were recommended by Council of Europe in 2017 and the concept of these provisions is reportedly discussed by the interagency commission chaired by the State Security Service of Azerbaijan.

In terms of substantive law, the current Criminal Code of Azerbaijan contains elements of all substantive law offences provided by the Budapest Convention (BC):

• articles 2, 3,4, 5 and 6 of the BC (c-i-a offences) are fully implemented;
• offence of computer forgery are also implemented (Art. 7 of BC);
• a general definition of fraud used – no specific computer data element is present (Art. 8 of BC);
• there is lack of necessary definitions of child pornography offences (Art. 9 of BC);
• general provisions are used for Intellectual Property Rights offences (Art. 10 of BC)
• concepts of attempt, aiding and abetting are also implemented (Art. 11 of BC);
• corporate liability provisions are present but general in scope (Art. of 12 BC).

The Criminal Procedure Code does not implement procedural powers in compliance with the Budapest Convention, with exception of partial implementation of production orders.

The notions of electronic evidence for the purpose of criminal proceedings, as well as important definitions of subscriber information, traffic data and content data, as required by the Convention, are not implemented as a part of general definitions of the criminal procedure or related legislation.

The Republic of Azerbaijan does not implement expedited preservation of stored computer data (Article 16 Budapest Convention) as a standalone measure. In order to achieve the purpose of this article, a production order (Article 143, p. 2 of the Criminal Procedure Code) is used, and search and seizure is an available alternative.

Regarding expedited preservation and partial disclosure of traffic data (Article 17 Budapest Convention), there is a sui generis possibility for its application: in general, while there is no legal obligation for service providers to retain traffic data, on the basis of the Law on Intelligence and Counter-Intelligence Activities (Articles 17 and 39), communication operators are required to establish an “appropriate level of cooperation with [...] authorities”, thereby enabling and assisting in the execution of some of the procedural measures in criminal cases.

The general legal framework for production orders (Article 18 Budapest Convention) is established by Article 143 of the Criminal Procedure Code (CPC), which, as read in conjunction with Article 135 of the CPC, enables authorities to request production of any type of stored computer data. However, article 143.2 of the CPC provides only for the possibility of voluntary production of data and as such does not have to be based on the court order. In the situation when the production of data is refused, the only workable alternative is search and seizure.

There are no specific provisions on search and seizure of stored computer data in Azeri procedural legislation. Therefore, the legal framework for traditional search and seizure is applicable.

Implementation of special provisions in the context of search and seizure provided by Article 19 (search of a connected system; making and retaining a copy of those computer data; maintaining the integrity of the relevant stored computer data; rendering inaccessible or removing those computer data in the accessed computer system) is not found in the procedural legislation of Azerbaijan. At the same time, provisions related to seizing or similarly securing computer data (p. 3(a)) and assistance of specialists in technical matters (p. 4) are covered by general regulations on seizure and involvement of specialists and experts in the criminal proceedings.

In general, Azeri legislation does not differentiate between real-time collection of traffic data and interception of content data (Articles 20 and 21 of Budapest Convention). Should the real-time collection of traffic data be executed in Azerbaijan, it would have to follow the legal framework established for interception of content data.

Article 21 of Budapest Convention is implemented in Azeri legislation through an article entitled “Interception of conversations held by telephone and other devices, of information sent by communication media and other technical means, and of other information”, which is one of the “investigative procedures” enumerated in Article 177 p.3 of the CPC and regulated in more details in Article 259 of the same Code. In addition, the subject-matter of article 21 of Budapest Convention is also covered by Article 10 of the Law on Operative-Detective Activity, which provides for a list of detective-search actions and includes, inter alia, examination of “other correspondence” alongside telephone conversations/telegraph messages. Court order is the main condition for the application of measures of interception of content. These actions can only be executed when it is impossible to achieve the goals of the law by other (less invasive) means. Maximum duration of interception is set to six months.

In terms of horizontally applicable conditions and safeguards (Article 15 Budapest Convention), although most of the elements limiting and controlling the application of more intrusive measures, such as search and seizure, real-time collection of traffic data and content interception, are present – such as existence of a criminal investigation, judicial order, exhaustion of lesser options and other conditions – the system of safeguards and guarantees is not implemented in a way that encourages application of less intrusive procedural powers before more intrusive options. The absence of clear and enforceable regulations implementing Articles 16-18 Budapest Convention is in itself an obstacle to setting up and implementing a coherent system of safeguards and guarantees which limits intrusion into the privacy of individuals.

Criminal Code of Republic of Azerbaijan (30 Dec. 1999)

Criminal Procedure Code of the Republic of Azerbaijan (14 July 2000)

National Security Concept of the Republic of Azerbaijan (23 May 2007) (Unofficial translation)

Decree of the President of the Republic of Azerbaijan On Certain Measures to Ensure the Security of Critical Information Infrastructure (17 April 2021) (Azerbaijani)

Detective-Search Activity Act (28 Oct. 1999)

Law on Civil Defense (30 Dec. 1997) (Unofficial translation)

Law on Personal Data Protection (11 May 2010) (Azerbaijani)

Law on Telecommunications (14 June 2005) (Azerbaijani)

Law on Information, Informatization and Protection of Information (3 Apr. 1998)

Law on the Right to Obtain Information (30 Sep. 2005)

Law of the Republic of Azerbaijan "On Protection of Children from Harmful Information" (30 Oct. 2018) (Azerbaijani)

Decree of the President of the Republic of Azerbaijan "On Measures in the field of Creation of Government Cloud and Provision of Cloud Services (3 June 2018) (Azerbaijani)

Order of the President of the Republic of Azerbaijan "On the establishment of the Coordination Commission for Information Security" (29 March 2018) (Azerbaijani)

Legal framework

• Agreement on Cooperation in Communications and Information Technologies between Azerbaijan and Russia (20 May 2021)
• Memorandum of Understanding (MoU) and Cooperation in Research and Development in the Field of Transport and Communications between Azerbaijan and Turkey (19 Feb. 2021)
• Member of GUAM Working Group on Cyber Security
• Member of Cybersecurity Alliance for Mutual Progress - CAMP Initiative which is a network platform to lift up the overall level of cybersecurity of members through development experiences and trends sharing;
• Party to Budapest Convention (as of 1 July 2010)
• Party to Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (as of 3 May 2010)
• Member of INTERPOL (as of 4 Nov. 1992)

Competent authorities and channels

24/7 points of contact and police to police cooperation

The authority in charge of the 24/7 contact point is the Department of Combating Crimes in Communications and IT of the Counter-intelligence Provision of the Economy at the State Security Service of the Republic of Azerbaijan.

In terms of requests, the following steps are involved:

• confirmation of receipt (if requested);
• legal review as to national and international requirements (within 3 days);
• if necessary, sending request back for additional clarifications or, otherwise,
• proceeding with the request or refusing to comply;
• if acceptable, sending the request for execution to provider/person.

Follow up is undertaken in cases of urgency or where a specific time for a response was requested and there is no feedback from the provider. Requests should in principle be executed within a 10-day period after receipt, as set by an applicable order of the Prosecutor General (in exceptional cases the execution can be prolonged, but not more than 2 months).

There is no special difference in terms of execution of urgent or regular requests.

Mutual legal assistance authorities

The International Legal Cooperation Department of the Prosecutor General’s Office is an independent structural unit, central authority at the pre-trial stage. In this regard, reciprocity and dual criminality are important pre-requisites for mutual legal assistance. The choice of channels of communication is irrelevant as the General`s Prosecutor Office would be the central recipient in all cases. The preferred means of communication include regular mail, email or fax.

At the stage of trial proceedings, the Ministry of Justice is the competent authority. A clear indication of the legal basis for the request is necessary, otherwise, reciprocity is a prerequisite in the form of express written assurance of reciprocity from the requesting state. Preferred means of communication include regular mail, email or fax.

For outgoing requests, the investigative or judiciary authority decides on the necessity of initiating a request. In such a case, all relevant materials of the case are collected, translated and sent to the competent authority for legal assistance (Ministry of Justice or the Prosecutor General’s Office). After check of the request against applicable legal requirements, the request is sent to the requested state through diplomatic channels or directly, whenever the treaty permits this.