Back Spain

Status regarding Budapest Convention

Status regarding Budapest Convention

Status : Party Declarations and reservations : Declaration in the instrument of ratification deposited on 3 June 2010. Original English. In case the present Convention on Cybercrime is extended by the United Kingdom to Gibraltar, the Kingdom of Spain would like to make the following declaration: 1. Gibraltar is a Non-Self-Governing Territory for whose external relations the United Kingdom is responsible and which is undergoing a process of decolonization in accordance with the relevant decisions and resolutions of the United Nations General Assembly. 2. The Gibraltar authorities are local ones and exercise exclusively internal powers which have their origin and basis in the distribution and attribution of powers made by the United Kingdom, in accordance with the provisions of its domestic legislation, as a sovereign State on which the said Non-Self-Governing Territory depends. 3. Accordingly, any participation by the Gibraltar authorities in the application of this Convention shall be considered as taking place solely within the domestic jurisdiction of Gibraltar and shall not be deemed to involve any change in respect of the preceding two paragraphs. Period of effect: 1/10/2010. Declaration set out in a letter deposited with the instrument of ratification on 3 June 2010. Original: English. In accordance with articles 24 and 27 of the Convention, Spain declares that the designated central authority is the Subdirectorate General for International Legal Cooperation of the Ministry of Justice. The above statement refers to articles 24, 27. Declaration made in a letter deposited together with the instrument of ratification on 3 June 2010. In accordance with article 35 of the Convention, Spain declares that the designated contact point of the 24/7 network is the General Commissariat of the Judicial Police of the Ministry of the Interior. Period of effect: 1/10/2010. The above declaration refers to article 35. See legal profile

Cybercrime policies/strategies

National Cybersecurity Strategy 2019 has been approved by the National Security Council of the Government of Spain.

Cybercrime legislation

State of cybercrime legislation

In 2015 Spain changed its penal substantive law and also procedural law in order to be according to the Budapest Convention on Cybercrime.

Substantive law

According to the Organic Law 1/2015, 30th March, modifies or includes the following list of crimes in the Penal Code (some of which were previously regulated) :

  • Crimes against sexual freedom and sexual indemnity of children:
    • Children/disabled pornography through ICTs (Art. 189)
    • Harassment of minors through ICTs (Art. 183 ter)
  • Crimes against freedom:
  • Harassed a person by insisted and repeatedly engaging through ICT (Art. 172 ter)
  • threats/intimidation through ICTs (Articles 169 et seq.)
  • Crimes against privacy:
  • Attacks/interception of systems and data (Art. 197 bis and ter)
  • Discovery and disclosure of secrets through ICT (Art. 197)
  • Crimes against property and socio-economic order:
    • Fraud committed through ICTs (Art. 248 and 249)
    • Discovery of company secrets through ICTs (Arts. 278 and sq.))
    • Crimes against broadcasting/interactive services (Art. 286)
    • Crimes of computer damages (Arts. 264, 264 bis and 264 ter)
    • Crimes against intellectual property committed through ICTs (Art. 270 and sq.)
  • Crimes against the Constitution:
  • Discrimination through ICT (Art. 510)

Procedural law

Spain has adopted in 2015 legislative measures applicable to all technological investigations. Those measures were necessary to establish the powers and procedures foreseen in section 2.2 of the Budapest Convention on Cybercrime.

 

After the Organic Law 13/2015 of 5 October, the Criminal Procedure Act establishes the powers and guarantees provided for the regulation of technological research in compliance with the parameters of Articles 16, 17, 18, 19, 20 and 21 of the Convention. They are regulated in Chapter IV of Title VIII, "Community provisions for the interception of telephone and telematic communications, the capture and recording of verbal communications using electronic devices, the use of technical devices for surveillance, image location and capture, the search for mass data storage devices and remote registration of computer equipment".

The Judge may order the measures regulated in this chapter ex officio or at the request of the Public Prosecutor's Office or the judicial police.

 

The judicial authorisation of this measures must be based on the principles of: speciality, adequacy, exceptional nature, necessity and proportionality. (Article 588 a. I.)

 

The measures are: interception of communications (Article 588 bis y ter and sq.), expedited disclosure of traffic data, injunction for providing data or granting access to data, search of computer data (Article 588 ter.), searching mass data storage devices (Article 588 sexies – with particular regulation on seizure data which are in a cloud ), remote searches of computer equipment ( Article 588 septies),authorization of member of the Judiciary police to act under an assume identity in communications held on closes communication channels with specific authorization to exchange or send files which are illegal. (Article 282.bis.) and protective measures as data preservation order (Article 588 octies). 

Safeguards

The above-mentioned technological research measures will always require judicial authorisation when they affect fundamental rights.

Related laws and regulations

  • Law 34/2002, 11th July, on information society services and electronic commerce, regulates which service providers are established in Spain.
  • Organic Law 3/2018 , 5th December ,on the Protection of Personal Data and the Guarantee of Digital Rights
  • Royal Legislative Decree 1/1996, 5th April, 1996, approving the revised text of the Law on Intellectual Property, regularizing, clarifying and harmonizing the legal provisions in force on the subject. (Law 2/2019, 1th March , which amends the revised text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, 12th of April and which incorporates into Spanish law Directive 2014/26/EU of the European Parliament and Council, of February 26, 2014, and Directive (EU) 2017/1564 of the European Parliament and Council, of September 13, 2017).
  • Law 25/2007, 18th October on the conservation of data relating to electronic communications and public communications networks.
  • Law 9/2014 , 9th May, General of Telecommunications.
  • Royal Decree 1889/2011, 30th December , regulating the functioning of the Intellectual Property Commission.
  • Law 8/2011, 28th April establishing measures for the protection of critical infrastructures.
  • Royal Decree 12/2018, 7th September on security of networks and information systems.

Specialised institutions

The General´s Prosecutor’s Office has a Unit that is a specialized on Cybercrime and a network of specialized prosecutors. The Central Unit of Cybercrime, coordinated by a Prosecutor of the first Category supported by two deputy prosecutors, has the scope is to coordinate all the activities of the prosecutors, nationwide. The specialized network will be integrated by a district attorney of each and every Provincial Prosecutor´s office, who will be responsible for the respective provincial Unit. Every specialized unit will have the number of prosecutors considered to be necessary in reason of the volume of the activity that they should develop.

 

There is no such a structure regarding judges.

 

The General´s Prosecutor’s Office already established a first delimitation of what was to be understood as cybercrime in its Instruction 2/2011 of 11 October “Concerning Specialised High Prosecutors on Computer-related Crimes and the Sections for computer-related crimes of the Prosecutor’s offices.

 

The offences which are competence of this area of specialisation are currently those listed below, grouped into three categories:

  1. Crimes where the object of the criminal activity is the computer systems themselves or the ICT.
  • Computer damages (Articles 264, 264 bis, 264 ter and 264 quater of the Criminal Code)
  • Illegal access to systems, illegal interception and availability of tools to commit these offences (Articles 197 bis, 197 ter, 197 quarter and 197 quinquies of the Criminal Code)
  • Discovery, disclosure or dissemination of secrets committed through ICTs or whose object are data recorded in electronic or telematic files or supports (Article 197 of the Criminal Code).
  • Discovery and disclosure of business secrets committed through the use of ICTs or whose object is data recorded in computer or electronic files or media. (Article 278 of the Criminal Code).
  • Offences against broadcasting and interactive services (Article 286 of the Criminal Code)

 

B) Crimes where criminal activity uses the advantages offered by ICTs for its execution.

  • Fraud committed through ICT (Article 248.2 a) b) and c) of the Criminal Code,
  • Harassment of children through ITC, child grooming (Article 183 ter of the Criminal Code)
  • Children/disabled persons pornography (Article 189 of the Criminal Code)
  • Crimes against intellectual property when committed using ICTs (Articles 270 et seq. of the Criminal Code)

 

C) Crimes in which criminal activity uses for its execution the advantages offered by ICTs or its research that demands specific knowledge in the field.

  • Falsification of documents when ICTs have been used for the execution of the crime, when that circumstance was a determining factor in the criminal activity and generated special technical complexity in the criminal investigation(Articles 390 et seq. of the Criminal Code )
  • Slander and defamation against public officials, authorities or agents of the same, committed through ICTs ( Articles 211 et seq. of the Criminal Code)
  • Threats/intimidation through ICTs (Articles 169 et seq. of the Penal Code)
  • Harassment through ICTs (Article 172 ter of the Criminal Code)
  • Degrading treatment through ICTs (Article 173.1 of the Criminal Code)
  • Discrimination against individuals or groups of individuals defined by their personal, family, physical, ideological, racial, national, economic or sexual characteristics through ICTs (Articles 510 and 510 bis of the Criminal Code)

 

Also, any other type of crime in which the use of ICTs has been a determining factor in its execution and in which this circumstance generates a special complexity in the criminal investigation.

 

With a view to unifying criteria regarding the interpretation and the application of criminal definitions to wrongful acts committed through the network, the General Prosecutor’s Office has produced and issued the following circulars:

  • Circular 2/2015 of 19 June, “on the crimes of child pornography after the reform introduced by OL1/15”, in which the legal concept of child pornography and the objective and subjective elements of the different categories of offences related to the production, possession and distribution of child pornography are analysed, as well as the aggravated sub-types and the additional penalties to be imposed.
  • Circular 8/2015 of 21 December “on the crimes against intellectual property committed through information society services after the reform introduced by LO1/2015”, focussing on the establishment of guidelines for the interpretation of the new criminal definitions punishing these conducts in the light of the recent criteria laid down by the case-law of both national and international courts on this matter.
  • Circular 3/2017, “on the reform of the Criminal Code introduced by OL 1/2015 of 30 March concerning the crime of discovery and disclosure of secrets and the crime of computer damages”, with regard to the criminal definitions punishing attacks against information systems and which are the result of incorporating Directive 2013/40/EU to Spanish Law. Member States are therein invited to define as crimes conducts that were not regarded as such in the Framework Decision 2005/222/JHA, such as the illegal interception of non-public transmissions of computer data, or the intentional production, sale or purchase for the purpose of using, importing, distributing or in any other way making available instruments suitable for the perpetration of this type of offences in order to be used to that end.
  • Circular 1/2019, "on common provisions and safeguards for technology research measures in the Code of Criminal Procedure”.
  • Circular 2/2019 , "on the interception of telephone and telematic communications"
  • Circular 5/2019 , "on the registration of computer devices and equipment"

With the above circulars, the General Prosecutor’s Office wants to establish common guidelines on the interpretation and application of the mentioned precepts. These can be used not only by the members of the Public Prosecution Service, but also by any other legal practitioners, members of law enforcement bodies and other organisations involved in preventing such conducts and/or ensuring security in cyberspace

 

From Law Enforcement perspective, the Ministry of Interior leads the cybersecurity policies. The structure was consolidated by Royal Decree 770/2017, where State Secretariat for Security coordinates the cybersecurity actions through CNPIC (National Critical Infrastructure Protection and Cybersecurity Centre).

  • Within CNPIC, the OCC (Cybersecurity Coordination Office) undertakes the technical coordination and communication with the national CERTs and it is the POC with the cybercrime investigation units of Spanish LEAs.
  • Spain has an integral model of LEAs with full capabilities across the country. Guardia Civil and Cuerpo Nacional de Policía have specialized cybercrime units, not only engaged in investigation activities but also in forensics, R & D and intelligence. There are also some regional police forces, such as Mossos d´Esquadra and Ertzainza with cybercrime units.

 

On the other hand, Spain has the Cybersecurity National Institute (INCIBE) on behalf of Ministry of Economic Affairs and Digital Transformation. This Institute manages the INCIBE-CERT, the reference cybersecurity incidents response center for citizens and Spanish private law entities, since Royal Decree-Law 12/2018 (Spanish Network and Information Security Directive transposition) has published.

 

Last but not least, the Spain Data Protection Agency is the independent public authority responsible for ensuring the privacy and data protection of Spanish citizens

International cooperation

Competent authorities and channels

Spain signed most of the treaties and conventions on judicial international cooperation within the European Union and the Council of Europe. We could mention, among others:

  • European Convention on Mutual Assistance in Criminal Matters, done at Strasbourg, 20th April 1959 (Instrument of Ratification 14Th July, 1982)
  • Additional Protocol on Mutual Assistance in Criminal Matters, 17.III.1978 (Ratified on 2-8-91)
  • Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, done at Strasbourg, 8th November, 2001 (Ratified on 1-6-2018)
  • Convention on Mutual Assistance in Criminal Matters between the EU countries, 12th of July, 2000
  • Convention implementing the Schengen Agreement of 14 June 1985

Spain is also a Party to the United Nations Convention against Transnational Organized Crime and its Protocols, which encompasses provisions on international cooperation.

 

Competent authorities and channels

 

Unless provided otherwise by an international convention ratified by Spain, the central authority is responsible for sending and answering requests for mutual assistance, the execution of such requests or their transmission to the authorities competent for their execution under article 27 of the Budapest Convention. The Spanish Central authority is the Subdirectorate General for International Legal Cooperation of the Ministry of Justice.

 

In principle, incoming requests should be executed by the Public Prosecutor or by judicial police officers mandated to do so, or by the investigative judge under certain circumstances.

 

The authorities responsible for issuing a European Investigation Order are the judges or courts hearing the criminal proceedings where the investigative measure is to be taken or which have admitted the evidence if the proceedings are in progress. The issuing authorities are also the public prosecutors in their proceedings, provided that the measure contained in the European investigation order is not restrictive of fundamental rights.

 

The Public Prosecutor's Office is the competent authority in Spain to receive European investigation orders issued by the competent authorities of other Member States. Once registered and after having reported receipt to the issuing authority, the Public Prosecutor's Office shall take cognisance of the recognition and execution of the European investigation order or shall forward it to the competent judge, depending on its content.

 

Also, in compliance with Article 35 of the Budapest Convention Spain has two 24/7 points of contact. Each point of contact corresponds to one of the national law enforcement forces in charge of fighting cybercrime. In both cases, the e-mail address and office telephone numbers are included for ease of contact in case of absence. Both police forces share competence in this subject. When reporting information, these two points of contact can be used, as the allocation of cases between them is carried out based on rules and criteria previously agreed by them.

In referring to international police cooperation, Guardia Civil and Cuerpo Nacional de Policía taking part in main international police agencies as EUROPOL or INTERPOL. Most noteworthy is the presence in the Joint Cybercrime Action Task Force (J-CAT) of EC3-EUROPOL.

Practical guides, templates and best practices

Specific procedures and best practices for International Cooperation

Jurisprudence/case law 


 

As it is not possible to list all the cases in which the technological crimes listed above apply, below a selection  of judicial decisions as examples, as they expressly mention the Budapest Convention as the reference for the interpretation of the national law.

Relating to crimes of child pornography

  • Supreme Court Judgment of February 24, 2015.- in which the Budapest Convention and the Lanzarote Convention of the Council of Europe are mentioned for the purposes of criminalization of child pornography and Child grooming crimes respectively.
  • Sentence of the Supreme Court of September 14, 2016.- Like the previous, mentions article 9 of the Budapest Convention for the delimitation of the facts that should be considered as crimes of child pornography.
  • Judgment of the Supreme Court of September 14, 2016.- Likewise, in order to define the facts that should be classified as crimes of child pornography, cites article 9 of the Budapest Convention.
  • Judgment of the Provincial Court of Alicante of November 20, 2018.- Used to define the concept of child pornography article 9 of the Budapest Convention.
  • Judgment of the Provincial Court of Girona of March 5, 2015 - Like the previous citation, used article 9 of the Convention for the purpose of defining the concept of child pornography
  • Judgment of the Provincial Court of Zaragoza of December 22, 2017, for the purpose of defining the concept of pornographic material.
  • Judgment of the Provincial Court of Castellón of September 21, 2018 - In a case of possession of child pornography mention the Conventions of Lanzarote and Budapest and their respective explanatory reports to delimit what is to be understood as material of pornographic character .
  • Judgment of the Provincial Court of Madrid of November 27, 2017 which, like the previous one, refers to the explanatory reports of the Lanzarote and Budapest Conventions to interpret what is to be understood by sexually explicit conduct contained in the article 9.2 of the Budapest Convention

 

Relating to crimes of irregular access to computer systems

  • Judgment of the Girona Provincial Court of June 22, 2015.- in which the Budapest Convention is mentioned for the interpretation and application of the crime of illegal access to systems. This is an assumption prior to the reform of the Spanish criminal type that took effect in 2015 and analyses the contraposition of the precept previously in force with article 2 of the Convention.

 

Relating to crimes of attack on the integrity of data and systems

  • Judgment of the Provincial Court of Palencia of July 14, 2016, in which the defendant was condemned for the crime of computer damage, due to a conduct that determined the inaccessibility of computer programs pursuant of article 1 of the Convention.
  • Judgment of the Provincial Court of Madrid of September 4, 2019 in which the defendant was condemned for computer damages, articles 2 to 6 of the Budapest Convention are mentioned for the purposes of interpretation of articles 264-264 quater of the Spanish Criminal Code.

 

Other issues:

  • Judgment of the Provincial Court of Madrid of October 23, 2015 relating to an action consisting of removal of computer equipment, refers to the concept of computer data of the article 1 of the Budapest Convention.

Sources and links

 

Print Spain
Tools on Cybercrime & Electronic Evidence Empowering You!

These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe. 

Contribute

  Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?

  Share this information with us helping to keep this platform up to date.

Useful links