Status regarding Budapest Convention
See legal profileCybercrime policies/strategies
National Cyber Security Strategy 2019-2024 was adopted in December 2019. The government’s main objectives for the new National Cyber Security Strategy 2019 – 2024 are to ensure the state can respond to and manage incidents, including those with a national security component, and to protect critical national infrastructure from cyber-attacks. Under the new Strategy, more efforts are planned to increase skills as well as awareness among enterprises and private individuals around cybersecurity.
In terms of cybercrime, the strategy envisages supporting international cooperation to combat cybercrime and promote formal and informal cooperation in cyberspace, including by engaging in sustainable capacity building in third countries. Ratification of the Budapest convention by Q2 2021 is part of the commitment to combatting cybercrime.
Cybercrime legislation
State of cybercrime legislation
The Criminal Justice (Offences Relating to Information Systems) Act 2017 introduced substantive law provisions as required by the Budapest Convention on Cybercrime.
The same Act provides for the procedural powers of search, while the Criminal Justice Act 2011 also provides for judicial orders requiring the production of documents or information that relates to a criminal investigation.
Additional provisions exist in the Communications (Retention of Data) Act 2011 around the retention and production of certain online data by service providers. However, powers to order the production and the preservation of data seem too limited and are the subject of ongoing legal challenge, both in Ireland and across the EU.
Implementation of full suite of procedural powers compliant to the Budapest Convention is underway.
Substantive law
Criminal Justice (Offences Relating to Information Systems) Act 2017 criminalizes the following offences:
- Accessing information system without lawful authority, etc.
- Interference with information system without lawful authority
- Interference with data without lawful authority
- Intercepting transmission of data without lawful authority
- Use of computer programme, password, code or data for purposes of section 2, 3, 4 or 5
The Criminal Justice (Theft and Fraud Offences) Act 2001 contains some relevant provisions in terms of forgery and fraud offences, while the Child Trafficking and Pornography Act 1998 and Copyright and Related Rights Act 2000 address relevant content-related offences extensively.
Procedural law
The general power to preserve data arises from the warrant authorising its seizure in the first place. In addition, where the data arises from the search of a system or device which has been seized under warrant or the lawful search of an arrested person, the data may be preserved where there is reason to believe it is evidence of a criminal offence. The preservation of data by a service provider on behalf of law enforcement is subject to mutual agreement and the eventual submission of a disclosure request by the LEA involved.
There are a number of provisions in Irish legislation relating to production orders (issued by a court) for evidential material. These include section 52 of the Criminal Justice (Theft and Fraud Offences) Act 2001 (theft and fraud offences), section 63 of the Criminal Justice Act 1994 (drug trafficking, terrorist financing, indictable offences, international crimes, and asset confiscation) and section 15 of the Criminal Justice Act 2011 (specified white collar offences, and system/data interference offences).
The Communications (Retention of Data) Act 2011 requires providers of electronic communications services to retain certain non-content data for a period of time. This is an obligation to proactively retain data, as distinct from a requirement to preserve data in response to a law enforcement request. A member of An Garda Síochána not below the rank of Chief Superintendent may issue a request to a service provider requiring disclosure of the data above where he/she is satisfied that it is required for: a. the prevention, detection, investigation or prosecution of a serious offence carrying a penalty of five or more years' imprisonment b. the safeguarding of state security c. the saving of a life. The permissibility of data retention is being considered by the Court of Justice of the European Union and may require amendments to Irish law in this area.
Section 7 of the Criminal Justice (Offences Relating to Information Systems) Act 2017 introduces specific powers of search and seizure. It also introduced a power to operate any computer system or require any person at the location to provide access codes or keys to the system, or to make its contents legible. The Section 7 warrant under the Child Trafficking and Pornography Act 1998 makes no specific reference to computers or computer data but does provide for the search and seizure of anything which may be evidence of or relating to an offence of child pornography. Similarly, a warrant under section 10 of the Criminal Justice (Miscellaneous Provisions) Act 1997 provides for the search and seizure of any place and thing which may be evidence of the commission of a serious offence. This includes any offence of sexual exploitation of a child under the Criminal Law (Sexual Offences) Act 2017, including those committed online.
Safeguards
The Constitution of Ireland sets out the protections which apply to a citizen's fundamental rights. Some of those rights are directly enumerated, such as privacy, while others are unenumerated, such as the right to freedom of expression. However, the courts have consistently held that such unenumerated rights, including those set out in the European Convention on Human Rights, are inherent in Article 40 of the Constitution.
As a signatory, Ireland is bound by the European Convention on Human Rights, as transposed into Irish law by the European Convention on Human Rights Act 2003, which guarantees under Article 8 that all persons have a right to respect for their private lives, which shall not be interfered with by government or other authority save in accordance with the law and in the interests of public safety or national security, or for the prevention of crime or the protection of health, morals or the rights and freedoms of others.
Similarly, Article 10 of the European Convention on Human Rights asserts that all persons have a right to freedom of expression, including the right to hold opinions without interference from the state, subject to similar restrictions as above for Article 8. The Irish state recognises it obligations to uphold those rights, and An Garda Síochána, in the exercise of its policing duties, strives to protect and respect those individual rights.
Related laws and regulations
Criminal Justice (Miscellaneous Provisions) Act, 1997
Child Trafficking and Pornography Act, 1998
Copyright and Related Rights Act, 2000
Criminal Justice (Theft and Fraud Offences) Act, 2001
Communications (Retention of Data) Act 2011
Criminal Justice (Offences Relating to Information Systems) Act 2017
Specialised institutions
Garda National Cyber Crime Bureau (GNCCB), An Garda Síochána
The investigation and prevention of cybercrime is the primary responsibility of the Garda National Cyber Crime Bureau (GNCCB). The Bureau is a separate section within Special Crime Operations which includes other national units and is under the direction of an Assistant Commissioner. The Bureau is headed by a Detective Superintendent with oversight from the Chief Superintendent of the Garda National Economic Crime Bureau. It is staffed by qualified forensic computer experts who have expertise in the area of cybercrime investigations and computer forensics. However, uniformed and detective officers within An Garda Síochána (Irish Police) are mandated to investigate all types of crime, including cybercrime. The advice and assistance of the GNCCB is available to all members of law enforcement when needed.
The Garda National Cyber Crime Bureau provides a 24/7 service to members of An Garda Síochána in the area of cybercrime and computer forensics. Outside office hours a member of the Bureau at management rank is available on request through the senior management at the Garda Communications Centre.
All urgent requests are prioritised on identified facts and risk factors and where deemed urgent, a forensic examiner/investigator is assigned to assist the local officer. A State prosecutor is available to police members of senior rank for consultation in terms of charges and potential prosecutions in all areas, including cybercrime
There are no specialized cybercrime prosecutors. The Director of Public Prosecutions (DPP) has no investigative function and no power to direct An Garda Síochána or other agencies in their investigations. The director may advise investigators in relation to the sufficiency of evidence to support nominated charges and the appropriateness of charges or in relation to legal issues arising in the course of investigation. They may also advise on the need to obtain further evidence or complete additional investigative actions.
CSIRT-IE – national Irish Computer Security Incident Response Team
CSIRT-IE is the body within Ireland’s National Cyber Security Centre (NCSC) that provides assistance to constituents in responding to cyber security incidents at a national level for Ireland. The team has a strictly defined constituency consisting mainly of Government bodies and Critical National Infrastructure providers.
Sources:
http://data.consilium.europa.eu/doc/document/ST-7160-2017-REV-1-DCL-1/en/pdf
https://www.ncsc.gov.ie/CSIRT/
International cooperation
Competent authorities and channels
The Minister for Justice and Equality is the central authority for mutual legal assistance and, in this regard, is responsible for receiving and ensuring the execution of incoming requests. In practice, the Minister's functions are carried out by civil servants in the Department's Criminal Mutual Assistance and Extradition Division. Division personnel (who are not prosecutors, lawyers or police) determine if a request is lawfully made, assess the relevance of evidence sought, establish whether there is dual criminality, pursue enquiries with the service provider, direct police to obtain a production order/search warrant etc. and generally deal with the requesting authorities. The division's personnel are not involved in the investigation and prosecution of domestic offences.
Sources:
http://data.consilium.europa.eu/doc/document/ST-7160-2017-REV-1-DCL-1/en/pdf
Practical guides, templates and best practices
Mutual assistance is covered by the Criminal Justice (Mutual Assistance) Act 2008 which provides for the enactment of international agreements between Ireland and other countries on mutual assistance in criminal matters including the issue of cybercrime.
Jurisprudence/case law
Sources and links
National Cyber Security Strategy 2019-2024
Criminal Justice (Miscellaneous Provisions) Act, 1997
Child Trafficking and Pornography Act, 1998
Copyright and Related Rights Act, 2000
Criminal Justice (Theft and Fraud Offences) Act, 2001
Communications (Retention of Data) Act 2011
Criminal Justice (Offences Relating to Information Systems) Act 2017
Criminal Law (Sexual Offences) Act 2017
http://data.consilium.europa.eu/doc/document/ST-7160-2017-REV-1-DCL-1/en/pdf
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.