
Cybercrime Treaty Documents

Treaty Reservations

The following chart displays the reservations that are available for each section of the Cybercrime Treaty. A reservation is a part of the treaty that a signatory nation can decide to exclude from what it agrees to. They are included to give participating nations more flexibility in their application of the treaty.  Other areas of flexibility are also listed, such as those created by vague treaty language. The chart was prepared by the ACLU.

Section 1 - SUBSTANTIVE CRIMINAL LAW

 

Article

What Article Requires

 Exemption / Flexibility

 

1. Definitions

Each Party must adopt definitions of computer system, computer data, service provider, and traffic data that are equivalent to those of the Convention.

Parties are not obliged to copy these concepts verbatim provided that domestic laws offer an equivalent framework.

The traffic data definition leaves to national legislatures the ability to introduce differentiation in the legal protection of traffic data in accordance with its sensitivity.

2. Illegal Access

the access to the whole or any part of a computer system

Parties can take the wide approach and criminalize mere hacking or Parties may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

3. Illegal Interception

 interception of non-public transmissions of computer data from or within a computer system

Parties may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

4. Data Interference

damaging, deletion, deterioration, alteration, or suppression of computer data

Parties may reserve the right to require that such conduct result in serious harm.

5. System Interference
(computer sabotage)

serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

Each Party shall determine for itself what criteria must be fulfilled in order for the hindering to be considered “serious.” For example, a Party may require a minimum amount of damage to be caused in order for the hindering to be considered serious.

In addition, the text leaves it to the Parties to determine the extent to which the functioning of the system should be hindered—partially or totally, temporarily or permanently—to reach the threshold of harm that justifies sanction, administrative or criminal, under their law.

 6. Misuse of Devices

the possession, production, sale, procurement for use, import, distribution or otherwise making available of a device designed or adapted primarily for the purpose of committing any Article 2-5 offences and of a computer password, access code, or similar data with intent that it be used to commit any of the offences established in Article 2-5.

Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of a computer password, access code, or similar data. Each Party is obliged to criminalize at least the sale, distribution or making available of a computer password or access data.

7. Computer-related forgery

the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible.

Deception as to authenticity refers at minimum to the issuer of the data, regardless of the correctness or veracity of the contents of the data.  Parties may go further and include under the term “authentic” the genuineness of the data.

A party may further require an intent to defraud, or similar dishonest intent, before criminal liability attaches. 

8. Computer-related fraud

the causing of a loss of property to another by any input, alteration, deletion or suppression of computer data, and any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or another.

No exemptions.

9. Offences related to child pornography

1. (a) producing child pornography for the purpose of its distribution through a computer system; (b) offering or making available child pornography through a computer system; (c) distributing or transmitting child pornography through a computer system; (d) procuring child pornography through a computer system for oneself or for another; (e) possessing child pornography in a computer system or on a computer-data storage medium.

2. the above shall include pornographic material that visually depicts: (a) a minor engaged in sexually explicit conduct; (b) a person appearing to be a minor engaged in sexually explicit conduct; (c) realistic images representing a minor engaged in sexually explicit conduct.

Parties may adopt a more specific standard than “intentional.”  For example, liability may be imposed if there is “knowledge and control” over the information which is transmitted or stored.  But, it is not sufficient that a service provider served as a conduit for such material.

The term “without right” allows a Party to take into account fundamental rights, such as freedom of thought, expression and privacy. In addition, a Party may provide a defense in respect of conduct related to “pornographic material” having an artistic, medical, scientific or similar merit.

Although “minor” shall include all persons under 18 years of age, a Party may require a lower age-limit, which shall not be less than 16 years.

In addition, a Party may provide that a person is relieved of criminal responsibility if it is established that the person depicted is not a minor in the sense of this provision.

Further, each party may reserve the right not to apply, in whole or in part, paragraph 1(d) and 1(e), and 2(b) and 2(c).

10. Offences related to infringement of copyrights and related rights

the willful infringement of copyright and related rights, as defined under the law of that party pursuant to the obligations it has undertaken (Paris Act, Berne Convention, WIPO…) by means of a computer system

While each party is required to establish as criminal offences such infringements, the precise manner in which such infringements are defined under domestic law may vary from state to state.

A Party may reserve the right not to impose criminal liability in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party's international obligations. 

The use of the term “pursuant to the obligations it has undertaken” makes it clear that a Contracting Party is not bound to apply agreements cited to which it is not a Party; moreover, if a Party has made a reservation or declaration permitted under one of the agreements, that reservation may limit the extent of its obligation.

11. Attempt and aiding or abetting

1. Aiding or abetting the commission of any of the offences established in accordance with Articles 2-10 with intent that such offence be committed.

2. Attempt to commit any of the offences established in accordance with Articles 3-5,7,8,9(1)(a) and 9(1)(c)

Each State may reserve the right not to apply, in whole or in part, paragraph 2 of this article.  Any Party making a reservation will have no obligation to criminalize attempt at all, or may select the offenses or parts of offences to which it will attach criminal sanctions in relation to attempt.

12. Corporate Liability

Each Party shall adopt measures to ensure that a legal person can be held liable for a criminal offense committed for its benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person.  Each party shall take measures to ensure that a legal person can be held liable where the lack of supervision or control by a natural person has made possible the commission of a criminal offense for the benefit of that legal person by a natural person acting under its authority.

Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative as long as the sanction is “effective, proportionate and dissuasive” and includes monetary sanctions.

13. Sanctions and Measures

1. Each Party must ensure that the criminal offenses in Article 2-11 are punishable by effective, proportionate, and dissuasive sanctions, which include deprivation of liberty.

2. Legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions.

Parties have the discretion to create a system of criminal offenses and sanctions that is compatible with their existing national legal systems.

Section 2 - PROCEDURAL LAW

 

Requirements subject to Article 14 and 15

Exemption / Flexibility

14. Scope of procedural provisions

Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this Section for the purpose of specific criminal investigations or proceedings for the criminal offenses established in Articles 2-11, other criminal offenses committed by means of a computer system, and the collection of evidence in electronic form of a criminal offense.

Each Party may reserve the right to apply the measures referred to in Article 20 only to offenses or categories of offenses specified in the reservation, provided that the range of such offenses is not more restricted than the range of offenses to which it applies the measures referred to in Article 21.

Each Party shall consider restricting such a reservation so as to enable the broadest application of the measure referred to in Article 20.

15. Conditions and Safeguards

1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, and which shall incorporate the principle of proportionality.

2. Such conditions and safeguards shall, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation on the scope and the duration of such power or procedure.

The modalities of establishing and implementing these powers and procedures into their legal system, and the application of the powers and procedures in specific cases, are left to the domestic law and procedures of each Party.

16. Expedited preservation of stored computer data

1. Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.

2. Where a Party gives effect to paragraph 1 by means of an order to a person to preserve specified stored computer data in the person's possession or control, the Party shall adopt such measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of 90 days, to enable the competent authorities to seek its disclosure.

A Party may provide for a paragraph 2 order to be renewed.

17. Expedited preservation and partial disclosure of traffic data

Each Party shall adopt, in respect to traffic data that is to be preserved under Article 16, measures to (a) ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and (b) ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.

None.

18. Production Order

Each Party shall adopt measures to empower its competent authorities to order:

(a) a person in its territory to submit specified computer data in that person's possession or control, which is stored in a computer system or a computer-data storage medium; and (b) a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider's possession or control.

A Party may wish to prescribe different terms, different competent authorities and different safeguards concerning the submission of particular types of computer data or subscriber information held by particular categories of persons or service providers.

19. Search and Seizure of stored computer data

1. Each Party shall adopt measures as may be necessary to empower its competent authorities to search or similarly access: (a) a computer system or part of it and computer data stored therein; and (b) computer-data storage medium in which computer data may be stored, in its territory.

2. Each Party shall adopt measures to ensure that where authorities search or similarly access a specific computer system or part of it and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, such authorities shall be able to expeditiously extend the search or similar accessing to the other system….

Each party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.

20. Real-Time Collection of Traffic Data

Each Party shall adopt measures to empower its authorities to: (a) collect or record through application of technical means on the territory of that Party, and (b) compel a service provider, within its existing technical capability, to: i. Collect or record through application of technical means on the territory of that party, ii. Co-operate and assist the competent authorities in the collection or recording of, traffic data, in real time, associated with specified communications in the territory transmitted by means of a computer system.

Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1(a), it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specific communications in its territory through application of technical means on that territory.

21. Interception of Content data

Each Party shall adopt measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:

(a) collect or record through application of technical means on the territory of that Party, and (b) compel a service provider, within its existing technical capability, to (i) collect or record through application of technical means on the territory of that Party, or (ii) co-operate and assist the competent authorities in the collection or recording of, content data, in real-time, of specified communications in its territory transmitted by means of a computer system.

Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of and any information about the execution of any power provided for in this Article.

When a Party, due to the established principles of its legal system, cannot adopt these measures, it may instead adopt measures to ensure the real-time collection or recording of content data of specified communications in its territory through application of technical means on that territory.

22. Jurisdiction

Each party shall adopt measures to establish jurisdiction over any offense established in accordance with Articles 2-11, when the offense is committed: (a) in its territory; or (b) on board a ship flying the flag; or (c) on board an aircraft registered under the laws of that Party; or (d) by one of its nationals, if the offense is punishable under criminal law where it was committed or if the offense is committed outside the territorial jurisdiction of any State.

Each Party shall adopt measures to establish jurisdiction over the offenses referred to in Article 24(1), in cases where an alleged offender is present in its territory and it does not extradite him/her to another Party, solely on the basis of his/her nationality, after a request for extradition.

When more than one Party claims jurisdiction over an alleged offense, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.

Each state may reserve the right not to apply or to apply only in specific cases or conditions jurisdiction rules (b)-(d) or any part thereof.

Parties may establish, in conformity with their domestic law, other types of criminal jurisdiction as well.

23. General Principles Relating to International Co-operation

The Parties shall co-operate with each other…to the widest extent possible for the purposes of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.

None.

24. Extradition

The obligation to extradite applies only to offenses established in accordance with Articles 2-11 that are punishable under the laws of both Parties concerned by deprivation of liberty for a maximum period of at least one year or by a more severe penalty.

Parties are able to provide other requirements for extradition. 

A requested Party need not extradite if it is not satisfied that all of the terms and conditions provided for by the applicable treaty or law have been fulfilled. 

27. Procedures Pertaining to Mutual Assistance requests in the absence of applicable international agreements

Parties are obliged to apply mutual assistance procedures and conditions when there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties.

Each Party may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession inform the Secretary General of the Council of Europe that, for reasons of efficiency, requests made under this paragraph are to be addressed to its central authority.

29. Expedited preservation of stored computer data

A Party may request another Party to order or otherwise obtain the expeditious preservation of data stored by means of a computer system, which is located within the territory of that other Party and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data.

If a Party requires dual criminality as a condition for responding to a request for mutual assistance for production of the data, and if it has reason to believe that, at the time of disclosure, dual criminality will not be satisfied, it may reserve the right to require dual criminality as a precondition to preservation.

35. 24/7 Network

Each Party shall designate a point of contact available on a 24 hour, 7 day per week basis in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or the collection of evidence in electronic form of a criminal offence.

Each Party is at liberty to determine where to locate the point of contact within its law enforcement structure. In designating the national point of contact, due consideration should be given to the need to communicate with points of contact using other languages.

 
