The objective of this section is to provide information on developments in international, EU and national legal instruments in relation to cybercrime and e-evidence in 2019. The main sources of information presented in this section are contributions collected through the EJCN, unless specifically stated otherwise.
2.1. EU level
Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA
On 9 April 2019, the Council formally adopted the Directive on combating fraud and counterfeiting of non-cash means of payment.
The Directive updates the existing rules to ensure that a more technology-neutral legal framework is in place. In addition to the traditional non-cash means of payments, it covers means that have been developed more recently, such as virtual currencies, electronic wallets and mobile payments.
The Directive establishes minimum rules concerning the definition of criminal offences and sanctions in the areas of fraud and counterfeiting of non-cash means of payment.
Furthermore, the Directive requires Member States to establish jurisdiction over the offences listed in the Directive when certain conditions apply. The Directive also aims to tackle operational obstacles that hamper investigation and prosecution, and foresees actions to enhance public awareness of fraudulent techniques such as phishing and skimming.
Finally, the new instrument facilitates the prevention of the offences that are covered by the Directive, and the provision of assistance to and support for victims.
The Directive was published in the Official Journal of the European Union on 10 May 2019. Member States have two years to implement the Directive.
The full text of the Directive can be found here.
Council conclusions on combating the sexual abuse of children
On 8 October 2019, the Council adopted conclusions on combating the sexual abuse of children.
Although these conclusions do not have legally binding effect, they do underline that the protection of children against sexual abuse, offline and online, remains an important priority within the European Union.
In its conclusions, the Council invites the European Union and its Member States to assess periodically the effectiveness of legislation on combating the sexual abuse and sexual exploitation of children. This assessment should particularly address the prevention, investigation and prosecution of such crimes.
The Council also reiterates the importance of timely action to investigate and prosecute offenders and invites competent authorities to make the widest possible use of the existing tools and mechanisms available at national and EU level, particularly at Europol and Eurojust.
For competent authorities to be able to exploit the data collected during investigations, and conduct effective prosecutions, the Council reiterated that data retention is essential.
The Council encourages Member States to develop and apply innovative investigation methods as well as to consider allocating specialised law enforcement resources to combat child abuse and sexual exploitation. Moreover, the importance of providing law enforcement agencies and other authorities with appropriate training in this context was stressed.
Given the exponential increase in child sexual abuse material online, the Council urges the industry, including online service providers, to ensure lawful access to digital evidence for law enforcement and other competent authorities. The Council invites online service providers to remove or disable access to contents identified as child sexual abuse material online as soon as possible after becoming aware of such content. It calls on the Commission to propose measures to address this growing challenge.
A global, coordinated approach to fight this type of crime is important, including cooperation with third countries and other key stakeholders.
The full text of the Council conclusions can be found here.
2.2. Member States
Finland
Regulations on network traffic intelligence
New regulations concerning network traffic intelligence have come into force since 1 June 2019, accompanied by laws concerning a new authority called ‘Intelligence Ombudsman’, who will supervise the application of intelligence legislation. The new regulations affect the Finnish Security Intelligence Service’s competence in intelligence gathering related to national security. In short, new powers have been granted for combating serious threats against national security.
The regulations stipulate that network traffic intelligence operations are allowed if this can provide further details of a known and serious threat. The threat must be sufficiently serious to jeopardise national security, and the intelligence must be required to safeguard democratic values such as policymaking or freedom of expression. The use of network traffic intelligence is decided by a court of law. Technical screening of messages is not done via message content, but via communication metadata.
Exceptions to this method are malware and the communications of foreign powers that do not enjoy the protection of confidential messages.
Italy
Law of 19 July 2019, n. 69
Article 10 of the Law of 19 July 2019, n. 69 provides for the criminalisation of so-called ‘revenge porn’.
Punishable by imprisonment from one to six years, and fines ranging from EUR 5 000 to 15 000, is anyone who, after having produced or stolen sexually explicit images or videos, intended for private use, sends, delivers, sells, publishes or broadcasts said audiovisual materials without the express consent of the persons concerned. The law also stipulates that the punishment is increased if the offence of illegal dissemination of the material is committed by the spouse, even if separated or divorced, or by a person who is or has been in a relationship with the offended party. The same applies if the material is disseminated through IT or digital tools or if the offence is committed against a person in a condition of physical or mental inferiority or against a pregnant woman. In these cases, the penalty is increased
by one-third to one-half of the abovementioned sentence and is also punishable by way of ex officio indictment, while it is normally prosecuted upon complaint by the offended party.
Netherlands
Computer Crime Act III
The Computer Crime Act III entered into force on 1 March 2019.
The objective of this law is to improve the investigative powers and prosecution of cybercrime. The law includes some changes to the Criminal Code and Code of Criminal Procedure. New or amended provisions are put in place for criminalising the publication of non-public data, the fencing of data and online fraud. The definition of child grooming is also changed so that an undercover agent can now pose as an adolescent online to facilitate the identification and prosecution of groomers who approach minors online for sexual purposes.
The most relevant new investigative method is ‘hacking’, introduced in Article 126nba of the Dutch Code of Criminal Procedure. This provision allows, under certain conditions, a public prosecutor to order a competent law enforcement officer to gain remote access to an automated system/work used by the suspect and to perform an investigation, whether or not using a technical tool. This feature was the most debated aspect of the new law, which was heavily discussed in parliament. Hopefully, it will provide a solution in some cases for encryption, continually changing networks and anonymising tools as well as jurisdiction issues. In addition, the possibility to order a takedown of criminal content is added.