Status regarding Budapest ConventionStatus : Party Declarations and reservations : Declarations regarding Articles 24, 27 and 35; no reservations. See legal profile
The government of Portugal published its National Strategy for Cyberspace Security for the period 2019 – 2023 on the 5th of June 2019. The strategy sets an equally strong accent on cybercrime as on cybersecurity and cyberdefence. Cybercrime is understood as the facts corresponding to crimes typified in the Cybercrime Law and other criminal offenses committed using technological means, in which these means are essential to the execution of the crime in question. The strategy is organised around 3 Strategic Objectives:
- 1. Maximize resilience
- 2. Promote innovation
- 3. Generate and guarantee resources
The Objectives should be attained by focusing on the following Axis:
- Axis 1: Cyberspace security structure;
- Axis 2: Prevention, education and awareness;
- Axis 3: Cyberspace and infrastructures protection ;
- Axis 4: Response to threats and combating cybercrime;
- Axis 5: Research, development and innovation;
- Axis 6: National and international cooperation.
Axis 4, on cybercrime, acknowledges the need for a revision and update of existing legislation. It specifies the need to adjust criminal procedure rules to the existing global challenges, in particular in regard with possible transborder access to computer data, cooperation with global internet providers and speeding up online investigative actions, including those related to covert actions. Another mentioned priority is considering the update of the existing legal framework for the seizure of e-mail and other electronic communication.
State of cybercrime legislation
Portugal adopted a specific Cybercrime Law, that is, Cybercrime Law 109/2009 of 15 September 2009. It includes penal substantive rules, procedural rules and also rules on international cooperation. After the introdution of the this legal act, both the substantive penal law and the procedural criminal framework of Portugal are fully in line with the Convention requirements. The same occurs with the legislation on international cooperation.
The Cybercrime Law includes the following crimes: computer forgery (Article 3), computer damage (Article 4), computer sabotage (Article 5), illegal access (Article 6), unlawful interception (Article 7) and illegal reproduction of protected program (Article 8).
In addition, the Penal Code also includes the following infringements: child pornography (Article 176 of Penal Code) and computer and communications fraud (Article 221 of the Penal Code).
Regarding copyright matters, Cybercrime Law provides a specific infringement on illegal reproduction of protected program (Article 8). Besides, Law Nr 45/85, from 17 September (amended by Law Nr 16/2008) – the Código de Direito de Autor -, provides rules on usurpation (Article 195) and counterfeiting (Article 196).
Even if the main general framework applicable to all cybercrime investigations is the Code of Penal Procedure, the Cybercrime Law also includes specific procedural measures, applicable to all the investigations related to cybercrime, to crimes committed by the means of computer systems and to all the criminal investigations where digital evidence is required.
The Cybercrime Law provides rules on expedited preservation of data (Article 12), expedited disclosure of traffic data (Article 13), injunction for providing data or granting access to data (Article 14), search of computer data (Article 15), seizure of computer data (Article 16 – with particular regulation on seizure of email communications and records of communications of similar nature, on Article 17), interception of communications (Article 18) and under covered actions (Article 19).
General rules and safeguards apply. No particular rules on cybercrime, but in particular, Article 32 of the Constitution applies.
Besides, the law mentions sometimes a requirement of intervention of a judge to authorise certain procedural measures, if fundamental rights are in danger (for example in the interception of communications or in obtaining traffic data).
Related laws and regulations
An extensive legal framework on technical aspects is in place. Besides that, there are important acts in this field regarding:
- Data protection – Certainly, GDPR applies (the Portuguese version may be found here: https://eur-lex.europa.eu/legal-content/PT/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN); Besides, two additional acts are in force at this respect: Law No. 59/2019, of 8 August (approves the rules on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offenses or executing criminal sanctions, transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 https://www.cnpd.pt/home/legis/nacional/Lei_59_2019.pdf and Law No. 58/2019 of 8 August (ensures the implementation, in the national legal system, of Regulation (EU) 2016/679 of the Parliament and of the Council, of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free circulation of that data - https://www.cnpd.pt/home/legis/nacional/Lei_58_2019.pdf)
- Protection of personal data on telecommunications - Law 41/2004, of 18 August, amended by Law 46/2012, of 29 August (http://dre.pt/pdf1sdip/2004/08/194A00/52415245.pdf and http://dre.pt/pdf1sdip/2012/08/16700/0481304826.pdf);
- Ecommerce and spam - Decree Law 7/2004, of 7 January , amended by Law 46/2012, of 29 August (http://dre.pt/pdf1sdip/2004/01/005A00/00700078.pdf and http://dre.pt/pdf1sdip/2012/08/16700/0481304826.pdf);
- Electronic communications - Law 5/2004, of 10 February, amended by Law 19/2008, of 21 April (http://dre.pt/pdf1sdip/2004/02/034A00/07880821.pdf)
- Data retention - Law 32/2008, of 17 de July (http://dre.pt/pdf1sdip/2008/07/13700/0445404458.PDF).
Within the Prosecution Service, there is a specialized Cybercrime Office, whose scope is to coordinate all the activities of the Prosecutor Service, nationwide. There is no such a structure regarding judges.
Furthermore, Polícia Judiciária, the investigative police, has a National Directorate unit on cybercrime based in Lisbon.
The telecom companies’ activities are submitted to the regulation of ANACOM – National Authority for Telecommunications.
There is also a Data Protection National Commission – CNPD.
Finally, a National Centre for Cybersecurity was established in 2012.
Competent authorities and channels
The legal competence to begin and direct criminal investigations belongs to the Prosecution Service, with the technical support from police. It is also a competence from the Prosecution Service to send and to receive international cooperation requests.
Complying with Article 35 of the Budapest Convention, a 24/7 point of contact was established, since 2009, and it is based in Polícia Judiciária, the investigative police. The same functionality is also used for the G8 network purposes and also for the Interpol Network.
Polícia Judiciária has specific competence to urgent measures regarding expedited preservation of traffic data and to urgent searches and seizure of data. Regarding the rest, depends on the authorisation of the prosecutor (and sometimes, the prosecutor will need an authorisation from a judge).
Practical guides, templates and best practices
Updated jurisprudence on cybercrime and digital evidence is regularly published (in Portuguese, only), on the portal of the Cybercrime Office (http://cibercrime.ministeriopublico.pt/).
Sources and links
PGR - Cybercrime Office (Prosecutor General's Office) http://cibercrime.ministeriopublico.pt/
PJ – Polícia Judiciária http://www.policiajudiciaria.pt/PortalWeb/page/
ANACOM - National Authority for Telecommunications. http://www.anacom.pt/render.jsp?languageId=1
CNPD - Data Protection National Commission http://www.cnpd.pt/english/index_en.htm
FCCN – Foundation for Sciences and Technologies http://www.fccn.pt/en/
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.