Octopus Cybercrime Community

Portugal adopted a specific Cybercrime Law, that is, Cybercrime Law 109/2009 of 15 September 2009. It includes penal substantive rules, procedural rules and also rules on international cooperation. After the introdution of the this legal act, both the substantive penal law and the procedural criminal framework of Portugal are fully in line with the Convention requirements. The same occurs with the legislation on international cooperation.

The Cybercrime Law includes the following crimes: computer forgery (Article 3), computer damage (Article 4), computer sabotage (Article 5), illegal access (Article 6), unlawful interception (Article 7) and illegal reproduction of protected program (Article 8).

In addition, the Penal Code also includes the following infringements: child pornography (Article 176 of Penal Code) and computer and communications fraud (Article 221 of the Penal Code).

Regarding copyright matters, Cybercrime Law provides a specific infringement on illegal reproduction of protected program (Article 8). Besides, Law Nr 45/85, from 17 September (amended by Law Nr 16/2008) – the Código de Direito de Autor -, provides rules on usurpation (Article 195) and counterfeiting (Article 196).

Even if the main general framework applicable to all cybercrime investigations is the Code of Penal Procedure, the Cybercrime Law also includes specific procedural measures, applicable to all the investigations related to cybercrime, to crimes committed by the means of computer systems and to all the criminal investigations where digital evidence is required.

The Cybercrime Law provides rules on expedited preservation of data (Article 12), expedited disclosure of traffic data (Article 13), injunction for providing data or granting access to data (Article 14), search of computer data (Article 15), seizure of computer data (Article 16 – with particular regulation on seizure of email communications and records of communications of similar nature, on Article 17), interception of communications (Article 18) and under covered actions (Article 19).

General rules and safeguards apply. No particular rules on cybercrime, but in particular, Article 32 of the Constitution applies.

(http://app.parlamento.pt/site_antigo/ingles/cons_leg/Constitution_VII_revisao_definitive.pdf)

Besides, the law mentions sometimes a requirement of intervention of a judge to authorise certain procedural measures, if fundamental rights are in danger (for example in the interception of communications or in obtaining traffic data).

An extensive legal framework on technical aspects is in place. Besides that, there are important acts in this field regarding:

• Data protection – Certainly, GDPR applies (the Portuguese version may be found here: https://eur-lex.europa.eu/legal-content/PT/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN); Besides, two additional acts are in force at this respect: Law No. 59/2019, of 8 August (approves the rules on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offenses or executing criminal sanctions, transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 https://www.cnpd.pt/home/legis/nacional/Lei_59_2019.pdf and Law No. 58/2019 of 8 August (ensures the implementation, in the national legal system, of Regulation (EU) 2016/679 of the Parliament and of the Council, of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free circulation of that data - https://www.cnpd.pt/home/legis/nacional/Lei_58_2019.pdf)
• Protection of personal data on telecommunications - Law 41/2004, of 18 August, amended by Law 46/2012, of 29 August (http://dre.pt/pdf1sdip/2004/08/194A00/52415245.pdf and http://dre.pt/pdf1sdip/2012/08/16700/0481304826.pdf);
• Ecommerce and spam - Decree Law 7/2004, of 7 January , amended by Law 46/2012, of 29 August (http://dre.pt/pdf1sdip/2004/01/005A00/00700078.pdf and http://dre.pt/pdf1sdip/2012/08/16700/0481304826.pdf);
• Electronic communications - Law 5/2004, of 10 February, amended by Law 19/2008, of 21 April (http://dre.pt/pdf1sdip/2004/02/034A00/07880821.pdf)
• Data retention - Law 32/2008, of 17 de July (http://dre.pt/pdf1sdip/2008/07/13700/0445404458.PDF).

The legal competence to begin and direct criminal investigations belongs to the Prosecution Service, with the technical support from police. It is also a competence from the Prosecution Service to send and to receive international cooperation requests.

Complying with Article 35 of the Budapest Convention, a 24/7 point of contact was established, since 2009, and it is based in Polícia Judiciária, the investigative police. The same functionality is also used for the G8 network purposes and also for the Interpol Network.

Polícia Judiciária has specific competence to urgent measures regarding expedited preservation of traffic data and to urgent searches and seizure of data. Regarding the rest, depends on the authorisation of the prosecutor (and sometimes, the prosecutor will need an authorisation from a judge).