1. It is commonly recognised, regarding cybercrime investigations, that one of the most important issues is the access to information stored outside the borders of the country that manages the investigation. Most of the concrete investigations require information physically stored in a computer in another country.
Obtain that kind of information in each particular case requires, from law enforcement agents, one of two possible procedures: the first one, as classically, is to request formally mutual legal assistance to the authorities of the other State; the second is to ask informally and directly the data to those who have the power of disposal of that information. The first option is, in most cybercrime investigations, requiring highly volatile evidence, unreal and useless, because it is longstanding, making it inefficient. On the other hand, the second option is not always covered by national laws, regarding both the way of obtaining the information and the validity of the obtained evidence.
2. The provisions of Budapest Convention already provide some help, on Article 32, allowing to obtain “open source” information and, above all, allowing the access to “non open” information if the authorised person to disclose it gives a proper consent. However, it is nowadays felt that this 2001 provision need to be updated to the “cloud” reality, as it is limited to information stored within one of the Parties of the Convention and the legal requirement of obtaining the consent reduce the practical scope of the rule.
3. Portuguese legal provisions don’t cover all the aspects on cross-border access to data, leaving a wide range of questions open to the jurisprudence discussion. However, some important solutions were already described on the Portuguese Cybercrime Law (Law 109/2009, from 15 September).
It is there recognised the need that law enforcement agencies, the prosecution service and the courts feel to access data stored somewhere, on the Internet, in another country or in a physically unknown place. Besides, the legal internal text translates to the domestic regulation Article 32 of Budapest Convention: it is thus allowed, according to Portuguese law, to a Portuguese officer, to obtain information outside the country, if it is openly obtainable, or if it was obtained the consent of the legally authorised person to disclose the data. On the other hand, it is permitted to an officer from any other country (being or not a Party to Budapest Convention) to obtain information physically stored in Portugal (Article 25 of Law 109/2009), in equivalent situations (“open source” or with consent of the authorised person). The law does not clarify some details, which are left to the jurisprudence, such as who is and where physically must be the authorised person. Anyways, Article 32 of Budapest Convention is fully covered by Portuguese law.
4. However, Article 32 does not allow any kind of coercive access to data, against the will of the owner of those data – in other words, obtaining evidence under Article 32 requires the voluntary cooperation of the person who has the power of disposal of it. Besides, Article 32 just entitles law enforcement from a State to obtain evidence if that State is a Party from Budapest Convention and the data are also located within the territory of a Party. These are serious limitations – in fact, these are the reasons why the Committee of the Cybercrime Convention (T-CY) is developing efforts in view of drafting some kind of additional instrument to the Convention, updating this particular detail.
5. Concerning this aspect, Portuguese law goes beyond Budapest. In fact, Portuguese internal rules allow law enforcement to virtually access data stored in any other country in the world, even if the actual location of the data is unknown. Article 15, paragraph 1, from the Cybercrime Law allows the judicial authority (the prosecutor, during the investigation and the judge after that) to authorise a search to a computer if, during the investigation, it becomes necessary to the collection of evidence. Furthermore, paragraph 5 of Article 15 allows the same authority to extend that search to another computer or another computer system, if there are reasons to believe that the sought information is stored in the other computer or computer system and if they are legally accessible from the initially searched computer or computer system. The clear inspiration of this provision is Article 19, paragraph 2 of Budapest Convention. However, there is a remarkable difference between the Convention and Portuguese law: Article 19 allows the extension of the search just within the borders of the Party; Portuguese law does not include any geographic limit and entitles the competent authorities to extend the search both to systems located within the Portuguese borders or outside them. The provision also covers situations when the location of the computer system or of the data are unknown.
6. In practical terms, the extension of Article 15, paragraph 5, envisages primarily searches to big computer systems (for example, searches to a particular department of a large company, which can then be extended to other computers in the same company in another physical location). But it also covers, for example, access to webmail accounts. In both cases, as mentioned, it applies to access systems physically located inside or outside the Portuguese borders if, of course, the initial access to the system was legally authorized.
According to this regulation, it is clear that Portuguese law enforcement agents can access data physically stored on a remote system, even if that system is physically abroad. There is no specific rule regarding the validity of the evidence obtained by this particular process but, in the absence of specific regulation, the general rule of Article 125 of the Criminal Procedure Code applies: all evidence is admissible if it is not prohibited by law.
7. A final note, regarding safeguards: according to Portuguese system, all the investigative powers belong to the prosecutor, including the power to authorise searches and seizure of computer data. However, if in such a search email communications or records of communications of similar nature are found, the intervention of the investigative judge is required, to validate the seizure (Cybercrime Law, Article 17). The same requirement applies when during the search it is found data which content is likely to disclose personal or intimate information, that would jeopardize the privacy of its owner or a third party (Cybercrime Law, Article 16, paragraph 3). In both cases, the submission of the obtained evidence to the investigative judge is required under penalty of nullity.