Approves The Law Of Cybercrime, Transposing To The Internal Legal Order The Framework Decision No. 2005/222/jha Of 24 February Relating To Attacks Against Information Systems, And Adapting National Legislation To The Convention On Cybercrime Of The Cou...

Original Language Title: Aprova a Lei do Cibercrime, transpondo para a ordem jurídica interna a Decisão Quadro n.º 2005/222/JAI, do Conselho, de 24 de Fevereiro, relativa a ataques contra sistemas de informação, e adapta o direito interno à Convenção sobre Cibercrime do Conselho

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now

Read the untranslated law here: http://app.parlamento.pt/webutils/docs/doc.pdf?path=6148523063446f764c3246795a5868774d546f334e7a67774c336470626d6c7561574e7059585270646d467a4c316776644756346447397a4c334277624449344f5331594c6d527659773d3d&fich=ppl289-X.doc&Inline=false

1 PROPOSAL of law No. 289/X/4th explanatory memorandum the expansion of communication networks has made the Internet a reality everywhere. All activities of modern societies and economies use the Internet for their support. Citizens are abetting the Internet in their daily lives and support her its traditional functions. In this context, it was natural the emergence of illegal activities associated with the communication networks, using them and exploring their vulnerabilities, thus creating risks for the daily use of computer media. Cybercrime became, therefore, a threat of modern times. States have adopted measures to prevent and counteract illegal and abusive practices in communication networks. Portugal has, since 1991, by impulse of Recommendation R (89) 9 of the Council of Europe, a regulatory framework that aims to punish what he called the computer crime: the law No 109/91, of 17 August. This diploma, suitable to the reality that was intended to regulate on the date on which it entered into force, by the course of almost two decades, has become a deficit. Information and communication networks have emerged in the meantime new realities that have been described and considered as a crime by many other European laws and international instruments. Is, for example, the case of the production or dissemination of viruses and other malicious programs, realities not yet enshrined in national law: in fact, in the current regulatory framework, who produce and/or spread viruses and other devices of this nature do not incur, by these facts, in practice with any crime, nor will be punished for this Act. Nevertheless, it is well known the harmfulness of the production and dissemination of computer viruses by communications networks. This is the reason why many other laws have opted for the criminalization of this activity, as a result, the provision of article 6 of the Convention on Cybercrime of the Council of Europe. The framework decision No. 2005/222/JHA of 24 February 2005 on attacks against information systems, describes behaviors that should be qualified as a crime, forcing the creation of related standards related to such behavior, for reasons connected with the instigation, aiding, abetting and attempt, liability of legal persons, jurisdiction and even exchange of information. The transposition of the framework decision assumes, for the 2 Portuguese legal system, changing the regime of computer crime, today predicted in computer crime law (the already mentioned law No. 109/91, of 17 August). The November 23 2001, Portugal signed the Convention on Cybercrime of the Council of Europe, whose ratification process is now underway. The Convention is the first and most important international work on crime in cyberspace. Has universal vocation and wants to be accepted by the majority of countries in the world. Plan to harmonise the various national laws on the subject, provide and facilitate international cooperation and facilitate the investigations of criminal nature. Focuses on substantive criminal law (defining crimes against the confidentiality, integrity and availability of computer systems, crimes relating to the contents and crimes committed via computers), but also includes procedural measures and international judicial cooperation. The legislative obligations arising from the Convention will also change the current regime. Adapting the legal framework of the Convention will, in particular, a special advantage of joining a European area of cooperation with police and judicial projection. In particular, will bring also the possibility of ongoing processes, using new forms of research and new avenues of cooperation, when it becomes necessary to resort to international cooperation. These new ways to investigate and to cooperate can be used as the crimes provided for in the Convention, but also to investigate other crimes since committed through computer systems and for any kind of crimes, provided there is evidence thereof in electronic form.

In General, in structural terms, as regards substantive criminal law, it can be said that the transposition of the framework decision No. 2005/222/JHA and the consecration of the legal obligations arising from the Convention assumes only the adjustments current legislation about computer crime. Does the new forms of crime, some of which have already been mentioned and which the Portuguese legislation has been considered deficient. In the field of criminal procedural law, the inadequacy of national legislation to the new realities the implement is superior. The recent revision of the code of criminal procedure opted for limitation, in the abstract, of the possibility of interceptions of telephone and electronic communications, and included special rules for the area of cybercrime. Thus, there is no provision for obtaining 3 traffic data or to conduct interception of electronic communications in the investigation of crimes referred to in article 187 § of the code of criminal procedure. Among them, are crimes provided for in law No 109/91, of 17 August, as well as against intellectual property crimes committed via computer networks. The realization of interceptions of electronic communications and, in particular, to obtain traffic data, are procedural tools essential in criminal proceedings in which they investigate crimes committed by means of communications networks, having this concern stayed in the diploma which requires mirror operators of communications to keep traffic data of your customers, with a view to their possible need in criminal investigation-law No. 32/2008 , 17 July, which regulates the retention of data generated or processed in connection with the provision of electronic communications services. Matter how overcome the current regime, in order to provide the criminal procedural system standards that allow to obtain traffic data and to carry out interceptions of communications in investigations of crimes committed in the virtual environment. That's what you want to do by law now proposes.

We decided to condense in this Decree all standards relating to cybercrime and not proceed with the amendment of several laws on the subject sources – besides the law of computer crime, the Criminal Code, the code of criminal procedure and the law of International Judicial Cooperation (Act No. 144/99 of 31 August, with your changes). It appears to be the more consistent legislative option with the Portuguese tradition, where they exist, specifically in the criminal area, other structural materials in the specialty degrees: so happens with drugs-related crime, with crimes against the economy or fiscal crime, whose criminal and procedural criminal specific frames are set in own diploma. As regards procedural rules, be in favour of this solution, there are two other reasons: on the one hand, the General inconvenience of view structuring criminal planning degrees in special rules, applicable only to a very restricted portion of the illicit types; on the other hand, practical convenience, to judicial operators, see organized all relating to a specific sector regulatory crime. 4 in conclusion, with regard to substantive criminal law, in compliance with the obligations assumed under the framework decision and the Convention, now introduced legislative changes to the current system adjustment. That's how the definitions included in article 2, which introduces the concept of ' computer data ', instead of the more limited concept and nowadays insufficient ' computer program '. Add settings, modern and non-existent in 1991, «service provider» and «traffic data». Changes the concept of ' computer system ', which happens to be more comprehensive, including him, for example, devices such as mobile phones. Delete, for failing to make sense vis-à-vis the latter, the concept of «network». As to the liability of legal persons and various other rules of punishment of natural and legal persons, it was decided to repeal the special scheme created in 1991 in this respect. Instead, reference is made to the general regime of accountability of legal persons provided for in the criminal code. In this way satisfy the undertakings given by the framework decision and the Convention, in the same way that simplifies the regulatory framework, eliminating a special regime of accountability, created in 1991 by the absence of a general scheme, but now no longer justified after the introduction of that general scheme on amendment of the Penal Code operated in 2007. With regard to types of crime of computer damage, computer sabotage, illegal access and illegitimate interception, adjustments have been made in the drafting, in order, on the one hand, updating the legal text and, on the other, establish new modalities of typical action. The purpose of jurisdiction, the Convention provides for an innovation from what ever the result of articles 4 and 5 of the Penal Code, translated to the signatory States to declare yourselves to pursue criminally, regardless of location of the practice of the facts, their nationals, if the offence is punishable in the place where it was committed or is not within the jurisdiction of any State. Although this solution not be previously consecrated in Portuguese law, lays down, for certain crimes the universal competence law. Under the procedural provisions, were introduced expedited preservation data stored on a computer and the expeditious preservation and disclosure of traffic data, in compliance with the obligations resulting from articles 16 and 17 of the Convention. Was introduced the mechanism of the order (cfr. Article 18 of the Convention) and adapted the schemes of searches and seizures, already widely provided for in criminal procedure legislation, 5 investigations of crimes committed in the virtual environment. In fact, the essence of these procedural measures coincides, in the environment of cyberspace, with the classic forms of search and seizure, the criminal process. However, the manner in which the search and seizure are described in the code of criminal procedure required some adaptation to these new realities.

Likewise, it was adapted to this degree the regime of interception of communications, as provided for in the code of criminal procedure for the telephone calls. In fact, the code provides for an extension of the system of telephone intercepts to other communications, for example. However, this extension does not solve the problem of computer crime investigation or related to computer science, because the scope of the scheme, by extension, is the same of the telephone interceptions. However, it is necessary to cover computer crimes in General, as well as those committed via computers, motivating the creation of special standard. This standard adopts in general the rules of the code of criminal procedure, which is adapted according to the specific nature of the crimes to which, by way of this new law, is applicable. The adoption, for the investigation of computer crimes, special procedural measures, means necessarily a compression of civil liberties in cyberspace. It's obvious to everyone the huge advantage of the existence of a clear and virtually unregulated, where everyone can freely communicate, inform and inform, as well as – and perhaps above all – to express and manifest itself without censure or embarrassment. The truth, however, is that no one is oblivious to the realities of emerging criminal opposite sign, benefiting from massive, effective communication capability and cost due, choosing his victims almost indiscriminately throughout the world, safeguarding the authorities behind the border, anonymity and technical complexity. If it is true that the Internet is not owned by anyone, it is that no one is directly responsible for it or that it occurs. Not thirsty, or place, where you can find your responsible. Modern laws have to deal with the new realities as appropriate criminogenic France, framing them, and providing the necessary tools to your investigation and trial.

It should be noted, finally, that in the area of international cooperation refers, as a rule, to legal regimes already in place. In addition, it is assumed that the Portuguese authorities may request international cooperation 6-and also to receive and execute requests for cooperation from foreign authorities, under the same conditions and circumstances in which it would act if the facts were criminals under investigation in Portugal. It creates a permanent point of contact 24 hours/7 days, within the judicial police, which ensure, with regard to the matter the terms of this Bill, an essential role in emerging international cooperation. Were heard the Attorney General of the Republic, the Supreme Council of Magistracy and the National Commission for Data Protection. She was promoted to bar association hearing. Must be triggered to hearing of the High Council of the Public Ministry. So: under d) of paragraph 1 of article 197 of the Constitution, the Government presents to the Assembly of the Republic the following Bill: CHAPTER I subject matter and definitions Article 1 subject-matter this law lays down the material and procedural criminal provisions, as well as the provisions concerning international cooperation in criminal matters relating to the field of cybercrime and the collection of evidence in electronic format , transposing to the internal legal order the framework decision No. 2005/222/JHA of 24 February 2005 on attacks against information systems, and adapting national legislation to the Convention on Cybercrime of the Council of Europe.

Article 2 definitions for the purposes of this law,: a) ' information system ' means any device or group of inter-connected or related devices, one or more of them develops, in 7 execution of a program, the automatic processing of computer data, as well as the network that supports communication between them and the set of computer data stored, processed, retrieved or transmitted by that or those devices with a view to its operation, use, protection and maintenance; b) "computer data" means any representation of facts, information or concepts in a form capable of processing in a computer system, including the programs able to make a computer system to perform a function; c) «traffic data», the computer data relating to a communication made by means of a computer system, generated by this system as part of a chain of communication, indicating the communication's origin, destination, route, time, date, size, duration, or type of underlying service; d) ' service provider ' means any entity, whether public or private, to provide users of its services the possibility of communicating by means of a computer system, as well as any other entity that handles or stores computer data on behalf of that service provider or of the respective users; e) ' Interception», the Act intended to capture information in a computer system, through electromagnetic devices, acoustic, mechanical or other; f) ' Topography ', a series of images with each other, regardless of the way they are fixed or encoded, representing the three-dimensional configuration of the layers that make up a semiconductor product in which each image reproduces the design or part of a surface of the semiconductor product, regardless of the stage of its manufacture; g) ' semiconductor product ' shall mean the final or intermediate form of any product, comprising a substrate that includes a layer of semiconducting material and consisting of one or more layers of conducting materials, semiconductor insulating or, according to a provision as a three-dimensional setting and intended to comply, exclusively or not, an electronic function. 8 CHAPTER II penal provisions article 3 material Falsehood 1-computer Who, with intent to cause deception in legal relations, insert, modify, delete or suppress computer data or otherwise interfere in a computerised data treatment, producing data or non-genuine documents, with the intention that these be considered or used for legally relevant purposes as if they were , is punished with imprisonment up to five years or a fine of 120 to 600 days.

2-when the actions described in the preceding paragraph they cover on the data registered or incorporated in bank payment card or any other device that allows access to system or means of payment, the communications system or conditional access service, the penalty is one to five years in prison. 3-Who, acting with intent to cause loss to another or to obtain an illegitimate benefit for themselves or for third, use document produced from computer data that were covered by the acts referred to in paragraph 1 or card or other device in which are registered or incorporated the data covered by the acts referred to in the preceding paragraph, shall be punished with the penalties provided for in both number , respectively. 4-Who import, distribute, sell, or hold for commercial purposes any device that allows access to system or means of payment, the communications system or conditional access service, which has been practiced any of the actions referred to in paragraph 2, shall be punished with imprisonment of one to five years. 5-If the facts referred to in the preceding paragraphs are committed by an employee in the performance of their duties, the penalty is imprisonment of two to five years. Article 4 Damage on programs or other computer data 1-Who, without legal permission or without to be authorized by the owner, other right holder of the system or part of it, delete, change, destroy, in whole or part 9:00 pm, damage, delete or make unusable or not accessible programs or other computer data of others or in any way affect the ability to use them , is punished with imprisonment up to three years or a fine. 2-in the same sentence incurs who illegitimately produce, sell, distribute or otherwise disseminate or enter one or more computer systems, programs or other computer data intended to produce unauthorized actions described in the preceding paragraph. 3-if damage caused is of value high, the penalty is imprisonment up to five years or a fine up to 600 days. 4-If the damage is considerably high value, the penalty is imprisonment of one to 10 years. 5-with the exception of the cases provided for in paragraph 2, the attempt is punishable. 6-in the cases referred to in paragraphs 1, 3 and 5 criminal proceedings depends on the complaint. Article 5 1 computer Sabotage-Who, without legal permission or without to be authorized by the owner, other right holder of the system or part of it, hinder, impede, interrupt or disrupt the operation of a computer system, by introducing, transmitting, deterioration, damage, alteration, erasure, prevention of access or deletion of programs or other computer data or any other form of interference in computer system , is punished with imprisonment up to five years or with fine penalty up to 600 days. 2-in the same sentence incurs who illegitimately produce, sell, distribute or otherwise disseminate or enter one or more computer systems, programs or other computer data intended to produce unauthorized actions described in the preceding paragraph. 3-the penalty is imprisonment of one to five years if the damage arising out of disturbances is high value. 4-the penalty is imprisonment of one to 10 years: the emerging harm of disturbance) is considerably high value;

10 (b)) the disruption caused to achieve lasting or serious form a computer system that supports an activity designed to ensure critical social functions, including the supply chain, health, safety and economic well-being of the people, or the regular functioning of public services. 5-with the exception of the cases provided for in paragraph 2, the attempt is punishable. Article 6 illegitimate Access 1-Who, without legal permission or without to be authorized by the owner, other right holder of the system or part of it, anyway access a computer system, is punished with imprisonment up to one year or with fine penalty up to 120 days. 2-in the same sentence incurs who illegitimately produce, sell, distribute or otherwise disseminate or enter one or more computer systems, programs, devices, a set of statements, executable code, or other computer data intended to produce unauthorized actions described in the preceding paragraph. 3-the penalty is imprisonment up to three years or a fine if the access is achieved through violation of safety rules. 4-the penalty is imprisonment of one to five years when: a) through access, the agent has knowledge of commercial or industrial secret or confidential information protected by law; or (b)) the benefit or advantage of assets obtained are considerably high value. 5-with the exception of the cases provided for in paragraph 2, the attempt is punishable. 6-in the cases referred to in paragraphs 1, 3 and 5 criminal proceedings depends on complaint. Illegitimate Interception article 7 11 1-Who, without legal permission or without to be authorized by the owner, other right holder of the system or part of it, and through technical means, to intercept transmissions of computer data that is inside of a computer system, he designed or arising, is punished with imprisonment up to three years or with fine penalty. 2-the attempt is punishable. 3-Incurs the same penalty referred to in paragraph 1 who illegitimately produce, sell, distribute or otherwise disseminate or enter one or more computer systems, programs or other computer data intended to produce unauthorized actions described in paragraph 1. Article 8 illegitimate Reproduction of protected program 1-Who illegitimately reproduce, disseminate or communicate to the public a computer program protected by law is punished with imprisonment up to three years or with fine penalty. 2-in the same sentence incurs who illegitimately reproduce topography of a semiconductor product or to commercially exploit or import, for these purposes, a topography or a semiconductor product manufactured from that topography. 3-the attempt is punishable.

Article 9 1 criminal association who promote or founding group, organization or association whose purpose or activity is directed to one or more of the crimes to which this Act applies, is punished with imprisonment of one to five years. 2-in the same sentence incurs who is part of such groups, organisations or associations or who support them, including providing weapons, ammunition, instruments of crime, or guard locations for meetings, or any aid for which they recruit new elements. 3-Who lead or drive groups, organizations or associations referred to in the preceding paragraphs is punished with imprisonment of two to eight years. 12 4-the penalties referred to can be specially mitigated or not take place the punishment if the stop agent or strive seriously to prevent the continuation of groups, organisations or associations, or communicate to their existence so this can prevent crimes. 5-For the purposes of this article, it is considered that there is a group, organization or association when is concerned a set of at least three people acting in concert during a certain period of time. Article 10 criminal liability of legal persons and entities regarded as legal persons and similar entities are held criminally responsible for the crimes provided for in this law in terms and limits of the system of accountability laid down in the criminal code.

Article 11 Loss of goods 1-without prejudice to the provisions of the Criminal Code in respect of the loss of instruments, products and advantages related to a crime, are always reported lost to the State the objects, materials, equipment or devices that have served for the crimes provided for in this law and they belong to person who has been condemned by its practice. 2-the evaluation, use, disposal and compensation for goods seized by the criminal police bodies which are likely to be confiscated in favor of the State shall apply the provisions of Decree-Law No. 11/2007, of 19 January. CHAPTER III procedural provisions article 12 scope of procedural provisions 1-the provisions of this chapter shall apply to proceedings relating to crimes: a) provided for in this law; or 13 b) Committed through a computer system. 2-the provisions of this chapter shall apply to proceedings relating to crimes in respect of which it is necessary to collect evidence in electronic format, with the exception of articles 13 and 20, which only apply to such crimes in so far as the same are provided for in article 187 § of the code of criminal procedure.



Article 13 transmission of traffic and location data and the related data transmission of data retained under law No. 32/2008 of 17 July, can be ordered in the terms, conditions and circumstances provided for in this decree-law. Article 14 expedited data Preservation 1-If in the course of the procedure necessary for the production of evidence, with a view to discovering the truth, get specific computer data stored in a computer system, including traffic data, for which there is no fear that they might lose, change or cease to be available, the competent judicial authority orders who have availability or control of such data in particular the service provider, that preserves the data concerned. 2-the preservation can also be ordered by the criminal police body with the permission of the competent judicial authority or when there is an emergency or danger in delay, and that, in the latter case, give immediate news that judicial authority and deliver the report provided for in article 253.º of the code of criminal procedure. 3-the preservation order discriminates, on pain of invalidity: a) the nature of the data; b) your origin and destination, if known; and (c)) the period of time that should be preserved, to a maximum of 3 14 months.

4-In-compliance with preservation order is directed, who have availability or control over this data, such as service provider, preserves the data in question immediately, protecting and preserving its integrity by the time limit, so as to enable the competent judicial authority to obtain. 5-the competent judicial authority or criminal police body with the permission of that authority, may order the renewal of the measure for periods subject to the limit set out in subparagraph (c)) of paragraph 3, provided that they check their eligibility requirements, up to a maximum of one year. 6-in the case of expedited data preservation order preserved under law No. 32/2008 of 17 July, applies the provisions of this decree-law. Article 15 expeditious Disclosure of traffic data in order to ensure the preservation of traffic data concerning a specific communication, regardless of the number of service providers who participated, the service provider to whom this preservation has been ordered in accordance with the preceding article indicates the judicial authority or criminal police body as soon as you know it , other service providers through which that communication takes place, in order to make it possible to identify all service providers and the path through which that communication was made. Article 16 Order for submission or granting access to data 1-If in the course of the procedure becomes necessary to the production of evidence, with a view to discovering the truth, get data and certain specific computer, stored in a given system, the competent judicial authority orders who have availability or control of such data that discloses to the process or to allow access to the same under penalty of punishment for disobedience. 2-the order referred to in the preceding paragraph shall identify, as far as possible, the data concerned. 3-In compliance with the order described in paragraphs 1 and 2, who have availability or control of such data 15 communicate these data to the competent judicial authority or allows, under penalty of punishment for disobedience, the access to the computer system where they are stored. 4-the provisions of this article shall apply to service providers, who may be ordered to report to process data relating to its customers or subscribers, include any information other than the traffic data or content contained in the form of computer data or in any other manner, owned by service provider, and determine : a) the type of communication service used, the technical measures taken in this regard and the period of service; (b)) the identity, postal address or geographic and the phone number of the Subscriber, and any other number of access, the data relating to the invoicing and payment, available on the basis of a contract or agreement; or c) Any other information about the location of communication equipment, available on the basis of a contract or service agreement. 5-the injunction provided for in this article may not be directed the suspect or defendant in this process. 6-I can also make use of the order referred to in this article as the computer systems used for the exercise of advocacy and medical and banking activities.

Article 17 Research of computer data 1-When in the course of the procedure becomes necessary to the production of evidence, with a view to discovering the truth, get data and certain specific computer, stored in a given system, the competent judicial authority authorizes or orders by order a search in this computer system, and, whenever possible, to preside over the stage. 2-the order provided for in the preceding paragraph has a shelf life of no more than 30 days, 16 under penalty of nullity. 3-the criminal police body can carry out the search, without prior authorisation of the judicial authority, when: a) the same is voluntarily consented by the availability or control of such data, since the consent provided stay, in any way, documented; (b)) in cases of terrorism, violent or highly organized crime, when there are signs of imminent practice based crime that put in serious jeopardy the life or integrity of any person. 4-When the national criminal police conduct the research in accordance with the provisions of the preceding paragraph: a) in the case referred to in point (b)), the coach is, under penalty of nullity, immediately reported to the competent judicial authority and assessed in order to its validation; b) In any case, is prepared and sent to the competent judicial authority the report provided for in article 253.º of the code of criminal procedure.

5-When, in the course of research, emerging reason to believe that the data sought are in another computer system, or in a different part of the system researched, but that such data is lawfully accessible from the initial system, the search can be extended with the permission or order of the competent authority, in accordance with paragraphs 1 and 2. 6-the research referred to in this article shall apply, mutatis mutandis, the rules of the searches provided for in the code of criminal procedure. Article 18 seizure of computer data 1-When, in the course of a computer search or other legitimate access to a computer system, computer data or documents are found necessary for the production of evidence, with a view to the discovery of truth, the competent judicial authority authorizes or orders by order the seizure of the same. 2-the national criminal police can make arrests, without prior authorisation of the judicial authority, in the course of research Informatics legitimately ordained and 17 performed in accordance with the previous article, as well as when there is an emergency or danger in delay. 3-If seized computer documents or data whose content is likely to reveal intimate or personal data, which may jeopardise the privacy of the right holder or of third, under penalty of nullity of such data or documents are presented to the judge, who shall consider the its junction to the proceedings taking into account the interests of the case. 4-The seizures carried out by criminal police body are always subject to validation by the judicial authority, within a maximum of 72 hours. 5-seizures relating to computer systems used for the exercise of advocacy and medical and banking activities are subject, mutatis mutandis, to the rules and formalities laid down in the code of criminal procedure. 6-the seizure of computer data, as is most appropriate and proportionate, having regard to the interests of the case, may in particular be of the following forms: a) seizure of support where is installed the system or seizure of support where are stored the computer data, as well as of the necessary devices to their reading; b) holding a copy of the data, in autonomous support, which will be next to the process; c) preservation, by technological means, data integrity, without realization of copying or removal of same; or (d)) non-reversible or Elimination of blocking access to the data. 7-in the case of the seizure carried out in accordance with point (b)) of the preceding paragraph, the copy is made in duplicate, one copy being sealed and entrusted to the court clerk of the services where the process running your terms and, if technically feasible, the data seized are certified through the digital signature. Article 19 e-mail and records Seizure of communications of a similar nature When, in the course of a computer search or other legitimate access to a computer system, are found, stored in this computer system or another that 18 is allowed access from the first legitimate, e-mail messages or records of communications of a similar nature, the judge may authorize or order by order, the apprehension of those who seem to be of great interest for the discovery of truth or evidence, and correspondingly the seizure of correspondence laid down in the code of criminal procedure. Article 20 interception of communications 1-the interception and recording of computer data transmissions may only be authorised during the investigation if there is reason to believe that the stage is essential to the discovery of the truth or that the evidence would otherwise impossible or very difficult to obtain, by reasoned order of the examining magistrate and upon request of the public prosecutor's Office. 2-the interception can be for the registration of data concerning the contents of communications or target only the collection and recording of traffic data and the order referred to in paragraph 1 specify the scope, in accordance with the specific needs of research. 3-on the other, shall apply to the interception and recording of computer data transmissions the regime of interception and recording of conversations or telephone calls set out in articles 180 of 187 § 188, and code of criminal procedure. Article 21 covert Actions 1-is admissible the use of covert actions provided for in law No. 101/2001 of 25 August, under there referred to, in the course of investigation concerning following crimes: a) provided for in this law; b) committed through a computer system, when appropriate, in the abstract, maximum prison sentence exceeding five years, or that the penalty is lower, and being the intentional crimes against freedom and sexual self-determination in cases where the offended are smaller or incapable, the crimes provided for in articles 218, 221 and 240 of the Penal Code as well as the crimes set out in Title IV of the code of copyright and related rights. 2-being necessary the use of media and computer devices there are, what applies, the rules laid down for the interception of communications. 19 article 22 of CHAPTER IV International Cooperation international cooperation The competent national authorities shall cooperate with the competent foreign authorities for the purposes of investigations or proceedings in respect of crimes related to systems or computer data, as well as for the purpose of collecting evidence, in electronic format, of a crime. Article 23 permanent contact point for international cooperation 1-for the purposes of international cooperation, with a view to providing immediate assistance for the purpose referred to in the preceding article, the judicial police ensures the maintenance of a structure that ensures a point of contact available at all times, 24 hours a day, seven days a week. 2-this contact can be contacted by other points of contact in terms of agreements, treaties or conventions to which Portugal is linked, or in fulfilment of international cooperation protocols with judicial or police bodies. 3-the immediate assistance provided by this permanent contact point includes: a) the provision of technical advice to other contact points; b) expeditious preservation of data in cases of urgency or danger in delay, in accordance with the provisions of the following article; c) the collection of evidence for which is competent in cases of urgency or danger in delay; d) the location of suspects and to provide legal information, in cases of urgency or danger in delay; and immediate transmission to the Ministry) public requests relating to the measures referred to in paragraph 1 (b)) the d), outside the cases there referred to, with a view to its rapid implementation. 4-Always acting under 2(b)) the d) of the preceding paragraph, the judicial police 20 gives immediate news that the Attorney General's Office and the report predicted whereupon pursuant to article 253.º of the code of criminal procedure. Article 24 preservation and resourceful computer data revelation in international cooperation 1-can be requested the expeditious preservation of Portugal computer data stored in computer system located here, relating to crimes provided for in article 12, with a view to the presentation of a request for judicial assistance for research purposes, seizure and disclosure thereof. 2-the specific request: a) the authority which asks the preservation; (b)) the offence which is the subject of investigation or criminal proceedings, as well as a brief statement of the facts; c) The computer data to be preserved and its relationship to the offence; d) all available information allowing identification of the responsible for computer data or the location of the computer system; and the need for the measure) preservation; and (f)) the intention of filing a request for legal assistance for research purposes, seizure and disclosure of the data. 3-the competent foreign authority request pursuant to the preceding paragraphs, the competent judicial authority orders who have availability or control of such data, in particular the service provider, the preserve. 4-the preservation can also be ordered by judicial police with the permission of the competent judicial authority or when there is an emergency or danger in delay, being applicable, in the latter case, the provisions of paragraph 4 of the preceding article. 5-specific preservation order, under penalty of nullity: a) the nature of the data; b) if they are known, the source and destination; and (c)) the time period for which the data should be preserved, up march 21 months. 6-In-compliance with preservation order is directed, availability or control of such data, in particular the service provider preserves immediately the data concerned by the period of time specified, protecting and preserving its integrity. 7-the competent judicial authority, or the judicial police with the permission of that authority, may order the renewal of the measure for periods subject to the limit set out in subparagraph (c)) of paragraph 5, since they occur their admissibility requirements, up to a maximum of one year. 8-when the application for aid referred to in paragraph 1, the competent judicial authority to decide on determines the data preservation until the adoption of a final decision on the request. 9-the data preserved pursuant to this article may only be provided: a) to the competent judicial authority, in execution of the application for aid referred to in paragraph 1, in the same terms in which could be in a similar national case under articles 15 to 19; (b)) to the national authority that issued the order, in the same terms in which they could be, if similar national, pursuant to article 15 10-the national authority to which, in accordance with the provisions of the preceding paragraph, are communicated data traffic service provider identifiers and via through which the communication was made, communicate them quickly to the requesting authority in order to allow the authority to submit new request expeditious preservation of computer data. 11-the provisions of paragraphs 1 and 2 shall apply, mutatis mutandis, to requests made by the Portuguese authorities. Article 25 grounds for refusal 1-the preservation or disclosure request resourceful computer data is refused when: a) The computer data concerned respect the political offence or related offence according to the Portuguese law conceptions; 22 b) threaten the sovereignty, security, ordre public or other interests of the Portuguese Republic, constitutionally defined. 2-the request expedited preservation of computer data can still be refused where there are reasonable grounds for believing that the execution of subsequent legal assistance request for research purposes, seizure and disclosure of such data will be refused for lack of verification of the requirement of double criminality. Article 26 access to computer data in international cooperation 1-the request of competent foreign authority, the competent judicial authority can carry out the search, seizure and disclosure of computer data stored in computer system located in Portugal, concerning the crimes provided for in article 12 when it comes to situation where the search and seizure are permissible in similar national case. 2-the competent judicial authority shall as quickly as possible when there are reasons to believe that the computer data is particularly vulnerable to loss or modification or when fast cooperation is provided for in applicable international instrument. 3-the provisions of paragraph 1 shall apply, mutatis mutandis, to requests made by the Portuguese judicial authorities. Article 27 cross-border access to stored computer data with consent or when publicly available foreign competent authorities, without need for prior request to the Portuguese authorities, may: a) access computer data stored in computer system located in Portugal, when publicly available; b) Receive or access through computer system located within its territory, the computer data stored in Portugal, by legal and voluntary consent of the person legally authorised to disclose them.

23 article 28 interception of communications in international cooperation 1-the request of the competent foreign authority, the judge may be authorized the interception of transmissions of computer data by means of a computer system located in Portugal, provided that this is provided for in the agreement, treaty or International Convention and in the case of a situation in which such interception is permissible pursuant to article 20, in similar national case. 2-is responsible for the receipt of requests to intercept the judicial police, the Public Ministry shall submit to, so that the report to the judge of criminal district of Lisbon for authorization. 3-the order of authorization referred to in the previous article also allows for immediate transmission to the requesting State, if such a procedure is provided for in the agreement, treaty or International Convention to which the request is made. 4-the provisions of paragraph 1 shall apply, mutatis mutandis, to requests made by the Portuguese judicial authorities. Chapter V transitional and final provisions article 29 Application of Portuguese criminal law and jurisdiction of the Portuguese courts 1-in addition to the provisions of the Criminal Code relating to the application of Portuguese criminal law, treaty or International Convention and unless otherwise stated, for the purposes of this law, the Portuguese penal law is even applicable to facts: a) Practiced by the Portuguese If the same does not apply criminal law of any other State; b) Committed on behalf of legal persons based in Portuguese territory; c) practised in Portuguese territory Physically, still aimed at 24 computer systems located outside that territory; or d) aimed at computer systems located in Portuguese territory, regardless of where these facts are physically carried out. 2, according to the applicability of the criminal law, are simultaneously competent to rule of one of the crimes referred to in this law the Portuguese courts and the courts of another Member State of the European Union in any one of them be validly established or pursued the criminal proceedings on the basis of the same facts, the competent judicial authority retains the organs and mechanisms established within the European Union to facilitate cooperation between the judicial authorities of the Member States and the coordination of their actions, in order to decide which of the two States establishes or continues the procedure against the agents of the infringement in order to center it in one of them. 3-the decision of acceptance or transfer of the procedure is taken by the competent judicial authority, having regard, successively, the following elements: a) the place where the offence was committed; b) nationality the author of the facts; and (c)) where the author of the facts was found. 4-apply to crimes provided for in this law the General rules of jurisdiction of the courts provided for in the code of criminal procedure.

5-In case of doubt as to the local jurisdiction shall be determined, in particular do not match the location where physically the agent acted and the place where it is physically installed on the computer system in question with its actions, the competence lies with the Court where first there has been news of the facts. Article 30 General Regime applicable In all not contrary to the provisions of this law shall apply to crimes, procedural measures and international cooperation in criminal matters it provided for, respectively, the provisions of the Penal Code, the code of criminal procedure and Act No. 144/99 of 31 August. Article 31 powers of the judicial police for 25 international cooperation the competence assigned by this law to the judicial police for the purpose of international cooperation is carried out by the organic unit who is committed to the investigation of the crimes provided for in this law. Article 32 protection of personal data the processing of personal data pursuant to this law shall be carried out in accordance with the provisions of law No. 67/98 of 26 October, being applicable, mutatis mutandis, the provisions of Chapter VI of this diploma. Article 33 set Standard is revoked the law No 109/91, of 17 August.

Article 34 entry into force this law shall enter into force 30 days after its publication.

Seen and approved by the Council of Ministers of 14 May 2009 the Prime Minister the Minister of Parliamentary Affairs Minister Presidency 26