COE Convention on Cyber Crime

Published under Risk Management
Title: Council of Europe Convention on Cybercrime, Budapest, 23.XI.2001, European Treaty Series-No. 185
Source reference: http://conventions.coe.int/Treaty/EN/
Topic: General treaty aiming to harmonise national provisions in the field of cybercrime, encompassing material criminal law (i.e. definitions of specific crimes), procedural criminal law (including investigative measures and international cooperation), liability issues and data retention.
Direct / indirect relevance: Indirect. The liability and cooperation rules imply an indirect obligation to implement adequate RM/RA practices to ensure that one’s legal liability can be assessed and controlled.
Scope: Convention which is binding on the signatory states (which include all E.U. Member States) after the entry into force of the convention, which occurred on 1 July 2004.
Legal force: Requires signatory states to update their national regulatory frameworks to include certain anti-cybercrime provisions.
Affected sectors: Generic; the provisions can be relevant to any entity involved with information systems and data processing, in view of the topic of the normative text.
Relevant provision(s): Article 12 – Corporate liability

1    Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:

a     a power of representation of the legal person;
b     an authority to take decisions on behalf of the legal person;
c     an authority to exercise control within the legal person.

2    In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.

3    Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.

4    Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.

Article 13 – Sanctions and measures

[…]

2    Each Party shall ensure that legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions.

Title 2 – Expedited preservation of stored computer data

Article 16 – Expedited preservation of stored computer data

1    Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.

2    Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.

3    Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.

4    The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 17 – Expedited preservation and partial disclosure of traffic data

1    Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:

a    ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and

b    ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.

2    The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Title 3 – Production order

Article 18 – Production order

1    Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:

a    a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and
b    a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.

[…]

Title 5 – Real-time collection of computer data

Article 20 – Real-time collection of traffic data

1    Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:

a    collect or record through the application of technical means on the territory of that Party, and
b    compel a service provider, within its existing technical capability:
i    to collect or record through the application of technical means on the territory of that Party; or
ii    to co-operate and assist the competent authorities in the collection or recording of,
traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.

2    Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.

3    Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.

4    The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 21 – Interception of content data

1    Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:

a    collect or record through the application of technical means on the territory of that Party, and
b    compel a service provider, within its existing technical capability:
i    to collect or record through the application of technical means on the territory of that Party, or
ii    to co-operate and assist the competent authorities in the collection or recording of,
content data, in real-time, of specified communications in its territory transmitted by means of a computer system.

2    Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.

3    Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.

4    The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Section 3 – Jurisdiction

Article 22 – Jurisdiction

1    Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:

a    in its territory; or
b    on board a ship flying the flag of that Party; or
c    on board an aircraft registered under the laws of that Party; or
d    by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

[…]
Relevance to RM/RA: Apart from the definitions of a series of criminal offences in articles 2 to 10, the Convention is relevant to RM/RA because it states the conditions under which legal liability can be imposed on legal entities for conduct of certain natural persons of authority within the legal entity. Thus, the Convention requires that the conduct of such figures within an organisation is adequately monitored, also because the Convention states that a legal entity can be held liable for acts of omission in this regard.

Furthermore, articles 16 and following of the Convention establish an early form of data retention requirements.

Additionally, article 22 defines a series of criteria under which jurisdictional competence can be established. These include the competence of a jurisdiction when a criminal act is conducted by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State (art. 22, 1, (d)). Thus, legal entities need to be aware of the applicable laws in any countries with which they have a formal link, even if they conduct no specific business there.

It should be noted that these same obligations were also encapsulated in a number of E.U. initiatives, specifically the Framework decision commented directly above, and the Data Retention Directive, commented elsewhere in this text.
