Status regarding Budapest Convention
Status: Party
Declarations and reservations: see legal profile
The Slovenian National Cyber Security Strategy was adopted in February 2016. The strategy is based on three main pillars: prevention, response, awareness.
The strategy consists of the following strategic objectives and related measures:
- Obj. 1 Strengthening and systemic regulation of the national cyber security assurance system;
- Obj. 2 The safety of citizens in cyberspace;
- Obj. 3 Cyber security in the economy;
- Obj. 4 Providing the operation of critical infrastructure in the sector of ICT support;
- Obj. 5 Cyber security assurance to ensure public security and combat cyber crime;
- Obj. 6 Development of defence cyber capabilities;
- Obj. 7 Ensuring the conditions for the safe, smooth operation and availability of key ICT systems in the event of major natural and other disasters;
- Obj. 8 Strengthening national cyber security through international co-operation.
Objective 5, on the fight against cybercrime, also foresees actions on regular training on cyber security for law enforcement participating in the development of cyber capacities for public security and in combatting cybercrime, as well as regular updating of the laws and procedures in line with the development of ICT.
In April 2017, Slovenia adopted the resolution on obligations and the organisation of the established national cyber security authority, thereby applying the requirements imposed by the NIS Directive on measures to ensure a high overall level of network and information security in the European Union (NIS Directive 2016). (Source: https://www.cyberwiser.eu/slovenia-si)
Previously, in March 2010, the National Assembly of the Republic of Slovenia adopted the Resolution on the National Security Strategy of the Republic of Slovenia. Based on this Resolution, the Republic of Slovenia created the national strategy for responding to cyber threats and the misuse of information technologies, and aimed to adopt the necessary measures to ensure effective cyber defence which included, to the maximum possible extent, the public and private sector. The Republic of Slovenia also took active steps to suppress crime related to the publication and dissemination of illegal content on the World Wide Web.
In October 2012, the National Assembly of the Republic of Slovenia adopted the Resolution on National Plan on the Prevention and Combating of Crime for the Period 2012 – 2016 (available only in Slovenian language). Chapter 6.4. of this document contains the strategy for improving the detection and investigation of cybercrime offences. It emphasises that better cooperation between law enforcement authorities and other state bodies and NGOs, as well as their education and training in the area of fighting cybercrime, can also have positive effects on the number of detected, investigated and adjudicated cybercrime offences. The Resolution also points out that there is no effective, safe and up-to-date system of informing and exchanging information on incidents or attacks on government and non-government information systems and important infrastructure. Consequently, the Resolution places a strong emphasis on education and mutual cooperation, informing, coordination and exchange of knowledge and experiences between various institutions, and anticipates the establishment of a Government Centre for Informing on Incidents in Information Systems that will: 1) be competent for investigating incidents in information systems of public sector authorities, 2) provide timely information on detected threats, and 3) also carry out preventive and educational tasks in the area of the fight against cybercrime. (Source: https://www.gov.si/teme/informacijska-varnost/)
State of cybercrime legislation
There is no law in the Republic of Slovenia that specifically regulates the area of cyber security and the fight against cybercrime. Cybercrime offences are included in the Criminal Code, and processed in accordance with the Criminal Procedure Act that applies to all criminal proceedings.
Further information on cyber security legislation and its implementation can be found in Slovenian language here.
The substantive law that also contains cybercrime offences is the Criminal Code of Slovenia (further on CC; the version in force is available only in Slovenian language). It includes all offences provided in the Cybercrime Convention and the additional Protocol to the Convention.
The following criminal offences can be placed into the group of offences against the confidentiality, integrity and availability of computer data and systems:
- attack on information system (Article 221 CC),
- misuse of information system (Article 237 CC),
- manufacture and acquisition of weapons and instruments intended for the commission of a criminal offence (Article 306 CC, § 3),
- abuse of personal data (Article 143 CC, § 2), and
- terrorism (Article 108 CC, § 3(1), which among other things criminalises cyber-terrorism).
As regards computer-related offences, computer-related forgery and computer-related fraud do not constitute special criminal offences in Slovenia, but such activities can, depending on the circumstances of the concrete case, constitute the general criminal offence of fraud (Article 211 CC), falsification of documents (Article 251 CC) or another criminal offence.
The content-related offences in the Slovenian CC are the following:
- solicitation of persons under fifteen years of age for sexual purposes (Article 173.a CC),
- presentation, manufacture, possession and distribution of pornographic material (Article 176 CC),
- abuse of personal data (Article 143 CC, § 3), and
- public incitement to hatred, violence and intolerance (Article 297 CC).
And the following criminal offences are related to infringements of copyright and related rights:
- violation of moral copyright (i.e. right to be named as an author) (Article 147 CC),
- violation of material copyright (i.e. property rights) (Article 148 CC), and
- violation of rights related to copyright (Article 149 CC).
Legal persons can also be held liable for all the criminal offences mentioned above, according to the provisions of the Act on Liability of Legal Persons for Criminal Offences (available only in Slovenian language).
The Criminal Procedure Code implements specific procedural powers required by the Budapest Convention, with exception for preservation powers and production orders.
Procedural rules on the detection and investigation of cybercrime offences (as well as all other offences) are included in the Criminal Procedure Act (further on: CPA; the version in force is available only in Slovenian language). The main provisions regarding computer data and the collection of electronic evidence are Articles 219.a and 223.a CPA, which regulate:
- seizure of electronic device (provisions on seizure of electronic device are of special nature vis-a-vis general provisions on seizure of objects for the purpose of criminal proceeding. CPA develops broad definition of electronic device, including electronic devices, devices connected to electronic device and electronic data holders, such as telephone, fax, computer, floppy disk, optical media and memory cards),
- preservation of electronic data (electronic data should be either saved on another proper data holder in a way that their identity and integrity is preserved and they can be used in further procedure, or the identical copy of the whole data holder should be made and the integrity of this copy should be assured), and
- investigation of electronic device (it includes obtaining the data from electronic device, i.e. the investigation of the content stored on the electronic device).
The owner, user, administrator or guardian of the electronic device, or the person that has access to the device, is obliged, on the demand of the authority that has seized the device, to do everything necessary that (s)he is able to do to prevent the data from being destroyed, altered or hidden. In addition, the owner or user of the electronic device is obliged to enable the authorities to obtain access to the device, and to provide decryption keys or passwords and explanations on how to use the device that are necessary for the purpose of the investigation. Failing to provide such help can lead to a fine or even imprisonment of up to one month. However, sanctions cannot be used against those people who are protected by the constitutionally guaranteed privilege against self-incrimination, such as a suspect, a defendant and a person who cannot be called as a witness.
As regards the preservation and retention of traffic data, they were processed and collected on the basis of Articles 162 – 169 of the Electronic Communications Act (further on ECA). Telecommunication operators were obliged to retain those data for 14 (telephone communication) or 8 (internet and other communication) months for the specific needs of criminal proceedings. However, in July 2014 the Constitutional Court of the Republic of Slovenia declared those ECA provisions unconstitutional, and consequently abrogated them and ordered operators to immediately destroy all retained traffic data (Constitutional Court Decision No. U-I-65/13). This decision is based on a previous decision of the Court of Justice of the European Union (joint decision in cases C-293/12 and C-594/12 of 8. April 2014) that declared the Data Retention Directive invalid. Therefore traffic data retention is currently not regulated in Slovenia (the abrogated provisions of the ECA have not yet been substituted with new regulation), and law enforcement authorities can obtain only those data that telecommunication operators store for business purposes (mainly for invoicing). Article 149.b CPA, which regulates the obtaining of traffic data from operators for the needs of criminal proceedings, is still in force, but can be used only theoretically, since operators do not retain or store those data after July 2014. According to the provisions of Article 149.b, § 1 and 2, the operator is (was) obliged to provide traffic data (number or other identification mark of electronic communication users, type, time and duration of call or other form of communication, amount of downloaded data and location where communication took place) to the competent authority based on a court order issued by the investigating judge on the written request of the state prosecutor. However, no court order is needed for the police to request data on the owner or user of a certain communication means and on the time when this means was or is in use (Article 149.b, § 3).
Real-time collection of traffic data and interception of content data is possible in Slovenia through a special investigating measure that allows monitoring of electronic communications using listening and recording devices and the control and protection of evidence on all forms of communication transmitted over the electronic communications network. The rules and conditions for implementing this measure in a concrete case are regulated in Articles 150 and 151 CPA. This measure can be used only for a narrow circle of criminal offences that are explicitly listed in the CPA (among others, for the (cybercrime) offences from Articles 108, 173.a and 176 CC). This measure can be ordered by the investigating judge on the written request of the state prosecutor if there are well-grounded reasons for suspicion that a certain person committed or is committing a criminal offence, and if there is well-grounded suspicion that a certain communication means or computer system was or is used in connection with that criminal offence. When ordered, the measure is then enforced by the police.
General rules and safeguards also apply in criminal proceedings for cybercrime offences. As explained above, traffic data can be obtained in criminal proceedings only on the basis of a court order. The same holds true for the application of the special investigating measure for monitoring of electronic communications in real time. This investigating measure is in addition limited to a narrower circle of serious criminal offences.
Related laws and regulations
Rules and regulations that directly or indirectly refer (also) to the cybercrime topic are the following:
- Personal Data Protection Act,
- Electronic Communications Act,
- Electronic Commerce Market Act (available only in Slovenian language)
- Electronic Commerce and Electronic Signature Act (available only in Slovenian language).
- Information Security Act (available also here)
In 2009, the Computer Investigation Centre was established within the Criminal Police Directorate. In addition, six police departments for computer investigation operate at regional level within all major police directorates in the country. The National Investigating Bureau also employs computer forensic experts. As regards the State Prosecution Office, there are no separate departments for the prosecution of cybercrime, but some state prosecutors are specialized (or are specializing) in this area.
Main contact point for reporting network security incidents involving systems and networks located in Slovenia is SI-CERT, Slovenian Computer Emergency Response Team. It is operating in the scope of Academic and Research Network of Slovenia (ARNES).
The Safer Internet Centre SAFE.SI is also active in Slovenia. This national project is aimed at promoting and ensuring better and safer internet and mobile phone use for children, teenagers, parents and teachers. It is co-financed by the European Union. Part of it is a hotline for reporting hate speech and child sexual abuse images on the internet, called Spletno oko (Online Eye).
Competent authorities and channels
The different types of mutual legal assistance and other forms of cooperation in criminal cases between member states of the European Union that are regulated in ACCMMSEU are mostly based on the principle of direct cooperation between competent authorities, i.e. courts, state prosecution offices or administrative authorities, depending on the concrete case. The exchange of data from criminal records and some other tasks based on ACCMMSEU fall within the competence of the Sector for international legal aid of the Ministry of Justice (website available only in Slovenian language). With the purpose of further improving international judicial cooperation in criminal matters, ACCMMSEU also enables Slovenian authorities to cooperate with the European Judicial Network. Contact points of this Network are established at district courts, the Supreme Court, the Office of the State Prosecutor General, the Ministry of Justice and the Office for the Money Laundering Prevention. The Republic of Slovenia also has its national representative in Eurojust.
When international cooperation is based on the provisions of the CPA, requests of domestic courts and prosecution offices are as a rule submitted to the foreign authorities through diplomatic channels, via the Ministry of Foreign Affairs. The same is valid for submitting requests of foreign judicial authorities to Slovenian counterparts (in such cases the Ministry of Justice is also included). However, in urgent cases those requests can be sent via the Ministry of Interior (if reciprocity exists) or, in cases of money laundering, via the Office for the Money Laundering Prevention. Under the condition of reciprocity or on the basis of provisions in international documents, direct mutual legal assistance between domestic and foreign authorities participating in criminal procedure is also possible, including the use of technical means, such as computer networks and other means of information and communication technology.
As regards international police cooperation, the International Police Co-operation Division operates within the Criminal Police Directorate, providing, among other things, the cooperation of the Slovenian police with Interpol and Europol.
International Police Co-operation Division is also the Slovenian contact point for 24/7 Network based on Article 35 of Cybercrime Convention. In concrete cases this division as a rule engages the Centre for Computer Investigation for technical assistance.
Practical guides, templates and best practices
The Republic of Slovenia signed most conventions and international treaties adopted by the Council of Europe and the European Union that include (also) rules on international cooperation in criminal proceedings. Besides, Slovenia signed a number of bilateral treaties (list is available only in Slovenian language) regulating mutual legal assistance in criminal-law matters with various countries. As regards domestic regulation, basic legal framework for international cooperation in criminal cases (also in the area of prosecution of cybercrime offences) is in Slovenia composed of:
- Act on Cooperation in Criminal Matters with the Member States of the European Union (further on ACCMMSEU; the version in force is available only in Slovenian language), which regulates cooperation in criminal cases between competent authorities of the Republic of Slovenia and other member states of the European Union. This cooperation comprises mutual recognition and enforcement of different court decisions, including the European arrest warrant and the European evidence warrant, transfer of criminal prosecution to another country, mutual legal assistance in criminal cases, including the establishment of joint investigation teams (JITs) and joint enforcement of investigating measures, and other forms of cooperation as provided in European Union regulation; and
- Criminal Procedure Act (version in force is available only in Slovenian language), which in chapters 30 and 31 regulates the procedure for mutual legal assistance and implementation of international treaties in criminal-law matters, and extradition procedures. These provisions of the CPA are of a subsidiary nature and apply only if an international treaty or law does not provide different regulation, and only in relation to third countries (i.e. non-member states of the EU).
“The subject of protection afforded by Article 37 of the Constitution is communication regarding which an individual legitimately expects privacy. Obtaining information regarding the complainant's dynamic IP address does not interfere with his right to communication privacy determined by the first paragraph of Article 37 of the Constitution, taking into account all the circumstances of the case, as by his conduct the complainant himself waived his privacy and therefore could not have a legitimate expectation of privacy regarding his communications.
The identity of the communicating individual is one of the important aspects of communication privacy, therefore it is necessary to obtain a court order for its disclosure in accordance with the second paragraph of Article 37 of the Constitution. However, since the complainant himself waived the legitimate expectation of privacy, the information on the identity of the IP address user no longer enjoyed protection of privacy in terms of communication privacy, but only in terms of the data privacy determined by Article 38 of the Constitution. Therefore, by obtaining the data regarding the given name, surname, and address of the dynamic IP address user that was used by the complainant to communicate, the police did not interfere with his communication privacy and therefore a court order was not required for the disclosure of his identity.
If it is clear from the search order that it was issued with the intent to review the data stored on the computer and other data storage media, an additional court order is not required for the review of computer files.”
- Supreme Court of Republic of Slovenia, Judgement I Ips 216/2010 of 20. January 2011 (available only in Slovenian)
"In on-line communication using a programme (such as e.g. E-mule) that enables a practically unascertainable (unlimited) number of possible coincidental contacts, we cannot speak about private communication. […]"
- Supreme Court of Republic of Slovenia, Judgement I Ips 461/2007 of 31. January 2008 (available only in Slovenian)
"When the defendant (with co-defendants) breaks into foreign bank accounts in an on-line banking system, transfers the money to his bank account and later takes out the money from the bank, he commits the criminal offence of grand theft […]."
- Higher Court in Ljubljana, VSL decision II Kp 9220/2011 of 7. February 2012 (available only in Slovenian)
"The right to privacy cannot be of absolute nature, but is limited by the (constitutional) protection of the rights and benefits of other persons, in the concrete case of the children. Sexual exploitation of children and child pornography severely violate the child's human right to sustainable upbringing and development. Therefore the established infringement of the defendant's right to (communication) privacy, which was a consequence of the fact that the telecommunications operator did not destroy the traffic data after the deadline for their legal retention expired, and was able to provide them to the police on the basis of a court order, is in the concrete case of smaller significance, compared with the goal that justified obtaining traffic data from the operator, i.e. detection of a person who committed a crime that is prosecuted ex officio, and is intended for fighting sexual abuse and exploitation of children and for protection of the child's human rights."
Sources and links
- Legal Information System of Republic of Slovenia: Pravno-informacijski sistem Republike Slovenije (available only in Slovenian)
- Constitutional Court of Republic of Slovenia
- Judiciary of Republic of Slovenia
- Office of the State Prosecutor General
- Slovenian Police
- Ministry of Justice, Sector for international legal aid (website available only in Slovenian)
- Information Commissioner: Personal Data Protection on the Internet
- SI-CERT, Slovenian Computer Emergency Response Team
- Safer Internet Centre SAFE.SI
- Spletno oko (Online Eye) – hotline for reporting hate speech and child sexual abuse images on the internet
- Electronic Evidence in the Slovene Criminal Procedure Act (L. Selinšek), Digital Evidence and Electronic Signature Law Review, Vol. 7 (2010), p. 77 – 86.
- Cyber Security in Slovenia page
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.