Comparative Law Review
22 2018
24
Nicolaus Copernicus University
http://dx.doi.org/10.12775/CLR.2018.010
Duarte Rodrigues Nunes*
Lipińska
THE MEANS OF OBTAINING EVIDENCE PROVIDED
BY THE PORTUGUESE CYBERCRIME LAW
(LAW NO. 109/2009 OF 15 SEPTEMBER 2009)
Abstract
The Portuguese legislator has provided, for the first time, in the Portuguese legal system,
means of obtaining evidence specific for Cybercrime in Law no. 109/2009, of September
15, in which Framework Decision no. 2005/222/JHA, of the Council of February 24,
concerning attacks against information systems and the Convention on Cybercrime of the
Council of Europe were transposed to the Portuguese legal system. While the legislator’s
options are considered to be mostly correct, there are some critical issues. In the present
Article, the legal regime of these means of obtaining of evidence is critically analyzed.
Keywords
Cybercrime – Criminal investigation – Computer data – Interception of communications –
Seizure – Computer search.
Introduction
The Portuguese legislator has provided, for the first time, in the Portuguese
legal system, means of obtaining evidence specific for Cybercrime in Law
no. 109/2009, of September 151. Through this law, Council Framework
* Judge. PhD in Criminal Law and Criminal Procedure. Investigator (Centre for
Research in Criminal Law
and Criminal
Sciences
and Centre for Legal Research of
Lipińska,
Juris doctor
(PhD),
Cyberspace, Faculty of Law of Lisbon). Author. E-mail: duarterodriguesnunes@hotmail.com.
University in Toruń, Poland; Patent and Trade Mark Attorney. E
ńi piL
250
| 02
Duarte Rodrigues Nunes
Decision 2005/222/JHA of February 24 on attacks against information
systems and the Convention on Cybercrime of Budapest, of November 23,
2001, were transposed to the Portuguese legal system.
Although the 2007 reform1 of the Code of Criminal Procedure (Código
de Processo Penal)2 and the means of obtaining evidence provided by
the Code of Criminal Procedure (clearly designed to obtain “tangible”
evidence) were inadequate to effectively investigate computer-related
crimes, only in 2009 the legislator provided means of obtaining evidence
specific to investigate Cybercrimes.
Thus, until then, means of obtaining evidence provided by the Code
of Criminal Procedure – such as searches and seizure, although they were
designed to focus on tangible realities and not on intangible realities
such as computer data3, or interceptions of telecommunications – , were
the only means of obtaining evidence used to investigate this kind of
criminal offences.
Unlike the majority of states that signed the Convention on Cybercrime,
the Portuguese legislator chose to draft a new law which provided the
means of obtaining evidence instead of providing them in the Code of
Criminal Procedure4.
I. Scope of the rules on the means
of obtaining evidence
In accordance with Article 11 of Law no. 109/2009, except in the case of
the interception of communications and undercover operations (which
Hereinafter referred to as Law no. 109/2009. The text of Law no. 109/2009 available
at: http://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=1137&tabela=leis (in
Portuguese only).
1
Through Law no. 48/2007, of August 29.
2
The text of Portuguese Code of Criminal Procedure is available at: http://www.
pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=199&tabela=leis (in Portuguese only).
3
Defined in Article 2, b) of Law no. 109/2009 as “any representation of facts,
information or concepts in a form susceptible of processing in a computer system, including
programs capable of making a computer system perform a function”.
4
However, there is nothing to prevent the use of means of obtaining evidence
provided by the Criminal Procedure Code in the investigation of Cybercrimes.
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
251
may only be used in the investigation of criminal offences referred to in
Article 18, paragraph 1, and Article 19, paragraph 1, of Law no. 109/2009,
respectively), the other means of obtaining evidence may be used to
investigate criminal offences punishable under Law no. 109/20095 and
any criminal offences committed by means of a computer system6 or
criminal offences which investigation requires the collection of evidence
in electronic form.
And in paragraph 2 of this Article 11, the legislator determines that
the provisions of Articles 12 to 19 of Law no. 109/2009 do not affect the
regime of Law no. 32/2008 of July 17 (on the retention of data generated or
processed in connection with the provision of publicly available electronic
communications services or of public communications networks)7. This
is a rule that raises enormous interpretative difficulties, since it does not
clarify whether Article 9 of Law no. 32/2008 (which regulates the use in the
criminal proceedings of data previously retained8) was or was not revoked
by Articles 12 to 19 of Law no. 109/20099, and Article 9 of Law 32/2008,
which only applies to serious crimes, provides a regime of use of retained
data much more restrictive than the regime of Articles 12 to 19 of Law
no. 109/2009, which apply to a much broader range of criminal offences.
Crimes of computer-related forgery, damage to programs or other computer data,
computer sabotage, illegal access, illegal interception and illegitimate reproduction of
protected program.
6
Defined in Article 2, a) of Law no. 109/2009 as “any device or set of interconnected
or associated devices in which one or more of them develops automated processing of
computer data in connection with a program network that supports the communication
between them and the set of computer data stored, processed, retrieved or transmitted
by that or those devices with a view to their operation, use, protection and maintenance”.
7
Hereinafter referred to as Law no. 32/2008. The text of Law no. 32/2008
available at: http://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?artigo_id=1264
A0004&nid=1264&tabela=leis&pagina=1&ficha=1&so_miolo=&nversao=#artigo (in
Portuguese only).
8
The categories of data that is object of retention are referred in Article 4 of Law
no. 32/2008.
9
In this respect, it is understood mainly that Article 9 of Law no. 32/2008 was not
revoked by Articles 12 to 19 of Law no. 109/2009. A minority opinion (which we endorse)
has the opposite view. On this issue, see Duarte Rodrigues Nunes, Os meios de obtenção
de prova previstos na Lei do Cibercrime [The means of obtaining evidence provided by the Law of
Cybercrime], Gestlegal, Coimbra, 2018, at p. 24–32 (with bibliographic references).
5
Lipińs
ńi piL
252
| 02
Duarte Rodrigues Nunes
II. Expedited preservation of stored computer data
(Article 12 of Law no. 109/200910)
The expeditious preservation of stored computer data consists in giving
an order to who has the availability or control over any specific computer
data, which already exists in a stored form, to take the necessary measures
for protecting them from anything that might alter or deteriorate its
quality or condition, keeping the data safe from any modification, damage
or elimination, in order to enable the competent authorities to seek its
disclosure.
The person who receives the preservation order must immediately
preserve the data in question, protecting and preserving its integrity
for the time set, in order to enable the competent judicial authority to
obtain the data and is obliged to keep confidential the undertaking of
such procedural measure11.
The order must be given by the judicial authority12 or by the criminal
police with the authorization of the competent judicial authority or in
exigent circumstances, in which case the criminal police should inform
The expedited preservation of computer data is also provided by Article 16 of the
Convention on Cybercrime.
11
See Article 12, para. 4, of Law no. 109/2009.
12
Combining Article 12, para. 2, of Law no. 109/2009 with Article 1, b) of the Code
of Criminal Procedure (which contains the legal concept of “judicial authority”), the order
must be issued by the Public Prosecutor in the inquiry phase, by the Examining Judge in
the preliminary judicial phase and by the Judge in the trial phase. The Portuguese criminal
procedure consists of four phases, two obligatory and two optional. The first phase is the
inquiry (Inquérito), after which, a decision will be made to submit (indictment), or not
(discharge), the defendant to trial. This decision may be challenged by means of a request
for the initiation of an preliminary judicial phase, thus initiating an optional phase, the
preliminary judicial phase (Instrução), at the end of which a new decision will be issued,
in order to submit (pronunciation), or not (no pronunciation), the defendant on trial; the
request for the opening of the preliminary judicial phase shall be filed by the defendant
in cases where there has been an indictment or by the assistant (who, as a rule, will be the
victim of the crime) when the case has been closed. If the defendant has been charged and,
if there has been a preliminary judicial phase, has been pronounced, a new mandatory
phase, the trial phase (Julgamento), will be opened. And, at the end of the trial phase,
another optional phase may occur, which is the appeal phase (Recurso).
10
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
253
the judicial authority immediately and forward a report where he briefly
mentions the investigations carried out, the results of the investigations,
the description of the facts found and the evidence gathered13.
The expeditious preservation of computer data is determined whenever it is of relevance to the discovery of the truth and/or for use as
evidence14, in respect of any type of crime15.
The preservation order must discriminate (under sanction of nullity)
the nature of the data to be preserved, its origin and destination (if
known) and the period of time by which they must be preserved, up to
a maximum of three months (extendable up to a maximum of one year)16.
In accordance with Articles 2, b), and 12, both of Law no. 109/2009,
the preservation order may include any type of computer data17.
As the preservation order does not imply any access to preserved
data, it does not restrict any fundamental right18. So, Article 12 of Law
no. 109/2009 does not violate any provision of the European Convention
on Human Rights. In addition, the Portuguese legislator complied fully
with the provisions of Article 16 of the Convention on Cybercrime.
See Article 12, para. 2, of Law no. 109/2009 in conjunction with Article 253 of the
Code of Criminal Procedure.
14
See Article 12, para. 1, of Law no. 109/2009
15
See PAULO DÁ MESQUITA, Processo Penal, Prova e Sistema Judiciário [Criminal
Procedure, Evidence and Judicial System], Coimbra Editora, Coimbra, 2010, at p. 98, and
Judgments of the Court of Appeal of Évora of 06/01/2015 (Case 6793/11.6TDLSB-A.
E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf2802579 bf005f080b/
847dae6b85353cb880257de10056ff4c?OpenDocument [last accessed 22/06/2018] and 20/01
/2015 (Case 648/14.6GCFAR-A.E1), available at: http://www.dgsi.pt/jtre.nsf/134973d
b04f39bf280 2579bf005f080b/2fbdd21285478f5f80257de10056ff7a?OpenDocument [last
accessed 22/06/2018].
16
See Article 12, paras. 3 and 5, of Law no. 109/2009.
17
See Pedro Verdelho, “A Convenção sobre o Cibercrime do Conselho da Europa –
Repercussões na Lei portuguesa”, in Direito da Sociedade da Informação, VI [The Convention on
Cybercrime of the Council of Europe – Repercussions in Portuguese Law, “Information Society
Law”, VI], Coimbra Editora, Coimbra, 2006, at p. 270, and Benjamin Silva Rodrigues, Da
Prova Penal, II [On Criminal Evidence, II], Rei dos Livros, Lisbon, 2010, at p. 439.
18
See Pedro Verdelho, “A Convenção sobre o Cibercrime do Conselho da Europa –
Repercussões na Lei portuguesa”, in Direito da Sociedade da Informação, VI [The Convention on
Cybercrime of the Council of Europe – Repercussions in Portuguese Law, “Information Society
Law”, VI], Coimbra Editora, Coimbra, 2006, at p. 270.
13
Lipińs
ńi piL
254
| 02
Duarte Rodrigues Nunes
III. Expedited disclosure of traffic data19
(Article 13 of Law no. 109/200920)
In accordance with Article 13 of Law no. 109/2009, a person who has
received an expedited preservation order of computer data must indicate
to the entity that has given the preservation order, as soon as it knows,
other service providers who were involved in the transmission of that
communication, in order to ensure that they are also subject to a preservation order. In fact, often more than one service provider may be involved
in the transmission of a communication and each service provider may
possess only some traffic data related to the transmission of the specified
communication, which either has been generated and retained by that
service provider in relation to the passage of the communication through
its system or has been provided from other service providers. In such
a case, any one of the service providers may possess the crucial traffic
data that is needed to determine the source or destination of the communication or each one of them possesses only one part of the puzzle.
The expedited disclosure of traffic data is ancillary to the expeditious
preservation of data, since its purpose is only to ensure the efficacy of
the expeditious preservation of data21.
As the expedited disclosure of traffic data does not imply any access to
preserved data, it does not restrict any fundamental right22. Thus, Article
13 of Law no. 109/2009 does not violate any provision of the European
Convention on Human Rights. In addition, the Portuguese legislator
Defined in Article 2, c) of Law no. 109/2009 as “computer data related to
a communication made through a computer system generated by this system as part of
a communication chain, indicating the origin of the communication, the destination, the
path, time, date, size, duration or type of the underlying service”.
20
The expedited disclosure of traffic data is also provided by Article 17 of the
Convention on Cybercrime.
21
See Benjamin Silva Rodrigues, Da Prova Penal, II [On Criminal Evidence, II], Rei
dos Livros, Lisbon, 2010, at p. 444.
22
See Pedro Verdelho, “A Convenção sobre o Cibercrime do Conselho da Europa –
Repercussões na Lei portuguesa”, [in:] Direito da Sociedade da Informação, VI [The Convention
on Cybercrime of the Council of Europe – Repercussions in Portuguese Law, “Information Society
Law”, VI], Coimbra Editora, Coimbra, 2006, at p. 270.
19
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
255
complied fully with the provisions of Article 17 of the Convention on
Cybercrime.
IV. The order for submitting or granting access
to data (Article 14 of Law no. 109/200923)
The order for submitting or granting access to data consists in a judicial
authority24 orders a person to submit or allow the access to specified
computer data in that person’s possession or control, whenever it is of
relevance to the discovery of the truth and/or for use as evidence25.
Likewise, service providers may receive an order to submit or allow
access to data relating to their customers or subscribers (other than traffic
data or content) held by them and to determine the type of communication
service used, the technical measures taken thereto and the period of
service, as well as the subscriber’s identity, postal or geographical address
and telephone number and any other access number, data relating to
billing and payment available on the basis of a service agreement or
any other information on the location of the communication equipment
available on the basis of a service agreement26.
The order for submitting or granting of access to data relates to
computer data (other than traffic data or content of communications)
and the key to access the encryption of the data concerned27. The order
must specify which data the submission or access is intended for28, so
The order for submitting or granting access to data is also provided by Article 18
of the Convention on Cybercrime, under the designation of “Production order”.
24
Combining Article 14, para. 1, of Law no. 109/2009 with Article 1, b) of the Code
of Criminal Procedure (which contains the legal concept of “judicial authority”), the order
must be issued by the Public Prosecutor in the inquiry phase, by the Examining Judge in
the preliminary judicial phase and by the Judge in the trial phase.
25
See Article 14, para. 1, of Law no. 109/2009.
26
See Article 14, at para. 4, of Law no. 109/2009.
27
See David Ramalho, Métodos Ocultos de Investigação Criminal em Ambiente Digital
[Covert Methods of Criminal Investigation in Digital Environment], Almedina, Coimbra, 2017,
at p. 170.
28
See Article 14, at para. 2, of Law no. 109/2009.
23
Lipińs
ńi piL
256
| 02
Duarte Rodrigues Nunes
that access only affects the data relevant to the investigation and there
is no indiscriminate access to all data29.
However, pursuant to Article 14, paragraph 5, of Law no. 109/2009,
the order for submitting or granting access to data may not be addressed
to the defendant or to the suspect who has not yet been constituted as
defendant30, in order to safeguard the privilege against self-incrimination31.
The order for submitting or granting access to data relates only to
computer data that has already been collected and stored by its holders,
not including obtaining real-time computer data or the retention of future
traffic data or real-time access to the content of the communications32,
which will have to be obtained by means of interception of communications
provided by Article 18 of Law no. 109/200933.
Failure to comply with the order for submitting or granting access to
data will be treated as the crime of simple disobedience34.
See Pedro Verdelho, Cibercrime” [in:] Direito da Sociedade da Informação, IV [Cybercrime, “Information Society Law”, IV], Coimbra Editora, Coimbra, 2003, at p. 377.
30
See Pedro Verdelho, “A Convenção sobre o Cibercrime do Conselho da Europa –
Repercussões na Lei portuguesa”, [in:] Direito da Sociedade da Informação, VI [The Convention
on Cybercrime of the Council of Europe – Repercussions in Portuguese Law, “Information Society
Law”, VI], Coimbra Editora, Coimbra, 2006, at p. 271.
31
See Rita Castanheira Neves, As Ingerências nas Comunicações Electrónicas em Processo
Penal [The Interferences in Electronic Communications in Criminal Procedure], Coimbra Editora,
Coimbra, 2011, at p. 235.
32
See BENJAMIM SILVA RODRIGUES, Das Escutas Telefónicas, II [On Wiretapping, II],
Rei dos Livros, Lisbon, 2008, at p. 336, and Judgments of the Court of Appeal of Évora
of 06/01/2015 (Case 6793/11.6TDLSB-A.E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf2802579bf005 f080b/847dae6b85353cb880257de10056ff4c?OpenDocument [last accessed 22/06/2018] and 20/01/2015 (Case 648/14.6GCFAR-A.E1), available
at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf28025 79bf005f080b/2fbdd21285478f5f80257de10056ff7a? OpenDocument [last accessed 22/06/2018].
33
See Carlos Pinho, “Os problemas interpretativos resultantes da Lei n.º 32/2008, de 17 de
Julho”, in Revista do Ministério Público, n.º 129 [The interpretative problems resulting from Law
no. 32/2008, of July 17, “Public Ministry Review”, no. 129], at p. 78, and Judgments of the Court
of Appeal of Évora of 06/01/2015 (Case 6793/11.6TDLSB-A.E1), available at: http://www.
dgsi.pt/jtre.nsf/134973db04f39bf280 2579bf005f080b/847dae6b85353cb880257de10056ff4c?OpenDocument [last accessed 22/06/2018] and 20/01/2015 (Case 648/14.6GCFAR-A.
E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf2802579 bf005f080b/2fbdd21285478f5f80257de10056ff7a?OpenDocument [last accessed 22/06/2018].
34
See Article 14, at para. 1 and 3, of Law no. 109/2009 and Article 348, par. 1, a), of the
Portuguese Penal Code. Pursuant to Article 348, para. 1, a), of the Portuguese Penal Code,
29
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
257
The order for submitting or granting access to computer data may
be used to investigate any type of crime35.
Regarding professional confidentiality, pursuant to Article 14, paragraph 6, of Law no. 109/2009, the order for submitting or granting access
to data may not be directed to computer systems used for lawyer, medical and banking activities and for the profession of journalist. Although
only some cases of professional confidentiality are specified, we consider
that Article 14, paragraph 6, of Law no. 109/2009, applies to any activity
subject to professional confidentiality.
At first sight, it seems that the use of the order for submitting or
granting access to data is not admissible in such cases. However, Article 14, paragraph 7, provides for the possibility of lifting of professional
confidentiality. Therefore, it is possible to direct the order for submitting
or granting access to data stored on computer systems used for activities
subject to professional confidentiality, provided that professional confidentiality has been lifted, by permission of the Judge or, in the cases
provided by law, by the Public Prosecutor36.
It is not understandable that Article 14 of Law no. 109/2009 does not
provide any special procedure in exigent circumstances as are provided
anyone who fails to comply with a lawful order or mandate, regularly communicated or
emanating from the relevant authorities or official, shall be punished by imprisonment
for up to one year or a fine of up to 120 days if a legal provision sanctions in this case
the simple disobedience.
The text of Portuguese Penal Code is available at: http://www.pgdlisboa.pt/leis/
lei_mostra_articulado.php?nid=109&tabela=leis (in Portuguese only). There is an English
version (outdated) of the General Part of the Code available at: http://www.legislationline.
org/documents/section/criminal-codes/country/9.
35
See Paulo Da Mesquita, Processo Penal, Prova e Sistema Judiciário [Criminal Procedure,
Evidence and Judicial System], Coimbra Editora, Coimbra, 2010, at p. 98, and Judgments of
the Court of Appeal of Évora of 06/01/2015 (Case 6793/11.6TDLSB-A.E1), available at:
http://www.dgsi.pt/jtre.nsf/134973db04f39bf28025 79bf005f080b/847dae6b85353cb880257de10056ff4c?OpenDocument ([last accessed 22/06/2018] and 20/01/2015 (Case
648/14.6GCFAR-A.E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f 39bf2802579bf005f080b/2fbdd21285478f5f80257de10056ff7a?OpenDocument [last accessed
22/06/2018].
36
On this issue, with more developments, Duarte Rodrigues Nunes, Os meios de
obtenção de prova previstos na Lei do Cibercrime [The means of obtaining evidence provided by the
Law of Cybercrime], Gestlegal, Coimbra, 2018, at p. 73–83 (with bibliographic references).
Lipińs
ńi piL
258
| 02
Duarte Rodrigues Nunes
in Articles 12, paragraph 2, 15, paragraph 4, and 16, paragraph 2. Firstly,
exigent circumstances may also arise in connection with the order for
submitting or granting of access to data. Secondly, such a possibility is
provided by the case of searches of computer data and seizure of computer
data. Such a difference is not understandable, since the order for submitting
or granting access to data is not more damaging to fundamental rights
than the search of computer data or the seizure of computer data (and
may even be less damaging than the search of computer data).
With respect to the restriction of fundamental rights, the order for
submitting or granting access to data restricts the fundamental rights to
privacy and informational self-determination protected by Article 8 of
the European Convention on Human Rights37. Pursuant to Article 8 (2),
there shall be no interference by a public authority with the exercise of
these rights, except such as is in accordance with the law and is necessary
in a democratic society in the interests of national security, public safety
or the economic well-being of the country, for the prevention of disorder
or crime, for the protection of health or morals, or for the protection of
the rights and freedoms of others.
The explanatory report notes that, in the course of a criminal
investigation, subscriber information may be needed mainly in two
situations. Firstly, to identify which services and related technical
measures have been used or are being used by a subscriber, such as
the type of telephone service used, the type of other associated services
used (for example, call forwarding, voicemail), or the telephone number
or other technical address (for example, the e-mail address). Secondly,
where a technical address is known, subscriber information is needed
in order to assist in establishing the identity of the person concerned.
As the ECtHR emphasizes38, “[…] the Convention on Cybercrime obliges
the States to make measures such as the real-time collection of traffic data and
the issuing of production orders available to the authorities […]. However, such
measures are, pursuant to Article 15 of that Convention, “subject to conditions
See ECtHR, Benedik v. Slovenia, Application no. 62357/14, Judgment of 24.04.2018,
available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22\%22production
%20order\%22%22],%22documentcollectionid 2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22], %22itemid%22:[%22001-182455%22]} [last accessed 07/11/2018].
38
Ibid.
37
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
259
and safeguards provided for under [State parties’] domestic law” and must “as
appropriate in view of the nature of the procedure or power concerned, inter alia,
include judicial or other independent supervision, grounds justifying application,
and limitation of the scope and the duration of such power or procedure””.
An order for submitting or granting access to data provides a less
intrusive and less onerous measure which law enforcement authorities
can apply instead of measures such as interception of content data and
real-time collection of traffic data, which must be used only to investigate
serious offences (Articles 20 and 21 of the Convention on Cybercrime)39.
And because Article 14 of Law no. 109/2009 does not include access
neither to traffic data nor to the content of communications, the order
for submitting or granting access to data does not constitute an intense
restriction of fundamental rights. Thus, we consider that neither Articles
15 and 18 of the Convention on Cybercrime nor Article 8 of the European
Convention on Human Rights require that the order for submitting or
granting access to data depend on judicial authorization.
Thus, Article 14 of Law no. 109/2009 empowers the investigating
authorities to order (1) a person in Portugal to submit specified computer
data in that person’s possession or control, which is stored on a computer
system or computer-data storage medium or (2) a service provider offering
its services in the territory of Portugal to submit subscriber information
relating to such services in that service provider’s possession or control. And
respects the safeguards imposed by Articles 14 and 15 of the Convention on
Cybercrime and Article 8 of the European Convention on Human Rights.
V. Search of stored computer data
(Article 15 of Law no. 109/200940)
The search of stored computer data consists in the authorities access
a computer system or part of it and computer data stored therein,
See ECtHR, K.U. v. Finland, Application no. 2872/02, Judgment of 02.12.2008, available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22\%2 2production%20order\%22%22],%22document collectionid2%22:[%22GRANDCHAMBER%22, %22CHAMBER%22],%22itemid%22:[%22001-89964%22]} [last accessed 07/11/2018].
40
The search of computer data is also provided by Article 19 of the Convention on
Cybercrime.
39
Lipińs
ńi piL
260
| 02
Duarte Rodrigues Nunes
whenever it is of relevance to the discovery of the truth and/or for use
as evidence41. Thus, the search may focus on all or part of the computer
system or an independent data storage device.
The search of stored computer data may be used to investigate any
type of crime42.
The search of stored computer data is authorized by the judicial
authority (who, whenever possible, shall be present during the search)43,
and the authorization has a maximum period of validity of 30 days,
under sanction of nullity44.
Pursuant to Article 15, paragraph 3, of Law no. 109/2009, the search
may also be conducted by the criminal police without prior authorization
from the judicial authority in two situations:
a) Upon consent of any person who has the availability or control of
the computer data in question (the consent must be documented); or
b) In cases of terrorism and violent or highly organized crime, when
there is evidence of the imminent commitment of a criminal
offence which seriously endangers the life or integrity of any
person.
In both cases, a report containing a summary of the investigations
carried out, the results of the investigations, a description of the facts found
and the evidence gathered must be submitted to the judicial authority and,
in situation b), the execution of the search must be communicated to the
competent judicial authority in the shortest possible time for validation45.
See Article 15, para. 1, of Law no. 109/2009.
See Paulo Da Mesquita, Processo Penal, Prova e Sistema Judiciário [Criminal Procedure,
Evidence and Judicial System], Coimbra Editora, Coimbra, 2010, p. 98, and Judgments of
the Court of Appeal of Évora of 06/01/2015 (Case 6793/11.6TDLSB-A.E1), available at:
http://www.dgsi.pt/jtre.nsf/134973db04f39bf280 2579bf005f080b/847dae6b85353cb880257de10056ff4c? OpenDocument [last accessed 22/06/2018] and 20/01/2015 (Case
648/14.6GCFAR-A.E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf280
2579bf005f080b/2fbdd21285478f5f80257 de10056ff7a?OpenDocument [last accessed
22/06/2018].
43
Combining Article 15, para. 1, of Law no. 109/2009 with Article 1, b), of the
Code of Criminal Procedure (which contains the legal concept of “judicial authority”),
the authorization must be issued by the Public Prosecutor in the inquiry phase, by the
Examining Judge in the preliminary judicial phase and by the Judge in the trial phase.
44
See Article 15, para. 2, of Law no. 109/2009.
45
See Article 15, para. 4, of Law no. 109/2009.
41
42
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
261
The paragraph 5 of Article 15 of Law no. 109/2009 provides that
if there are reasons to believe that the data sought is found in another
computer system or in a different part of the system searched, but is
legitimately accessible from or available to the initial system, the search
can be extended upon authorization of the competent judicial authority.
With regard to professional confidentiality, pursuant to Article 15,
paragraph 6, of Law no. 109/2009, computer searches in computer
systems used for activities subject to professional confidentiality46 must be
authorized by the Judge (who must also be present during the search). The
Judge must notify the President of the local council of the Bar Association
or of the Order of Physicians, the president of the regional council of
the Order of Solicitors and Execution Agents, the president of the most
representative trade union organization of journalists or, in the other
cases, a similar entity, so that the same, or a delegate, may be present; in
the case of a search in an official health establishment, the notification
shall be made to the chairman of the board of directors or management
of the establishment or to his/her legal substitute. And the professional
wanted by the search may also be present.
With respect to the restriction of fundamental rights, the search of
stored computer data restricts the fundamental rights to privacy and to
informational self-determination, protected by Article 8 of the European
Convention on Human Rights47. Pursuant to Article 8 (2), there shall be no
interference by a public authority with the exercise of these rights, except
such as is in accordance with the law and is necessary in a democratic
society in the interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or crime, for
the protection of health or morals, or for the protection of the rights and
freedoms of others.
We consider that, although Article 15, para. 6, of Law no. 109/2009 only mentions
the professional confidentiality of physician, lawyer or journalist, it shall apply to all
cases in which computer research is carried out in a computer system used for an activity
subject to professional confidentiality.
47
See ECtHR, Prezhdarovi v. Bulgaria, Application no. 8429/05, Judgment of 30.09.2014,
available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22 CASE%20OF%20
PREZHDAROVI%20v.%20BULGARIA%22], %22documentcollectionid2%22:[%22JUDGMENTS%22], %22itemid%22:[%22001-146565%22]} [last accessed 07/11/2018].
46
Lipińs
ńi piL
262
| 02
Duarte Rodrigues Nunes
The explanatory report notes that Article 19 of the Convention on
Cybercrime “aims at modernising and harmonising domestic laws on
search and seizure of stored computer data for the purposes of obtaining
evidence with respect to specific criminal investigations or proceedings.
Any domestic criminal procedural law includes powers for search and
seizure of tangible objects. However, in a number of jurisdictions stored
computer data per se will not be considered as a tangible object and
therefore cannot be secured on behalf of criminal investigations and
proceedings in a parallel manner as tangible objects, other than by
securing the data medium upon which it is stored. The aim of Article 19
of this Convention is to establish an equivalent power relating to stored
data”.
The ECtHR analyzed the compliance of Portuguese Law in matter of
search of stored computer data with Article 8 of the European Convention
on Human Rights in the Judgement of the Case Sérvulo & Associados –
Sociedade de Advogados, RL and Others v. Portugal48 and considered
that Portuguese Law did not violate the European Convention on Human
Rights49. Furthermore, pursuant to Article 19 (5) of the Convention on
Cybercrime, the search of stored computer data is subject to Articles 14
and 15 of that Convention.
Like an order for submitting or granting access to data, the search
of stored computer data provides a less intrusive measure which law
enforcement authorities can apply instead of measures such as interception
of content data and real-time collection of traffic data, which must be
used only to investigate serious offences. Although Article 15 of Law
no. 109/2009 may include access to traffic data and even to the content
of communications stored on a computer system, the search of stored
computer data does not constitute an intense restriction of fundamental
rights like, for example, an interception of communications. Thus, we
consider that neither Articles 15 and 19 of the Convention on Cybercrime
ECtHR, Sérvulo & Associados – Sociedade de Advogados, RL and Others v. Portugal,
Application no. 27013/10, Judgment of 03.12.2015, available at: https://hudoc.echr.coe.
int/eng#{%22itemid%22:[%22001-156519%22]} [accessed 07/11/2018].
49
Although the Court did not analyse Articles 15 and 16 of Law no. 109/2009, but,
among others, Articles 174, 176 and 178 of the Code of Criminal Procedure, whose regime
was similar to Articles 15 and 16 of Law no. 109/2009.
48
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
263
nor Article 8 of the European Convention on Human Rights require that
the order for submitting or granting access to data depend on judicial
authorization.
Article 15 of Law no. 109/2009 empowers the investigating authorities
to search or similarly access a computer system or part of it and computer
data stored therein and a computer-data storage medium in which
computer data may be stored and respects the safeguards imposed by
Articles 14 and 15 of the Convention on Cybercrime and Article 8 of
the European Convention on Human Rights. However, there are some
differences between Article 15 of Law no. 109/2009 and Article 19 of the
Convention on Cybercrime.
Thus, pursuant to Article 19 of the Convention on Cybercrime, only
computer data stored on computer systems or computer-data storage
mediums located in the territory of each Party may be searched. However,
in Article 15 of Law no. 109/2009, the Portuguese legislator only refers
to the search of stored computer data without mentioning whether the
computer system is located in the Portuguese territory or abroad.
Therefore, we consider that Article 15 of Law no. 109/2009 allows the
search of computer data in computer systems that are not located in the
Portuguese territory without to resort to international judicial cooperation
mechanisms. Firstly, if the Portuguese legislator wanted to restrict the
search of computer data to the systems that are located in the Portuguese
territory, he would have done it, but he did not. Secondly, computer crime
knows no frontiers and, therefore, the application of criminal procedural
law must be adapted to that reality. And finally, when the authorities
know where data is stored but don’t know in which country the computer
system is located, the rejection of the possibility of Article 15 of Law no.
109/2009 allow remote cross-border access to computer systems located
in foreign countries without resort to international judicial cooperation
mechanisms, would make impossible to carry out such a measure50.
And we find another difference between Article 15 of Law no. 109/
2009 and Article 19 of the Convention on Cybercrime. In fact, the
For further arguments, see Duarte Rodrigues Nunes, Os meios de obtenção de prova
previstos na Lei do Cibercrime [The means of obtaining evidence provided by the Law of Cybercrime],
Gestlegal, Coimbra, 2018, p. 91–94.
50
Lipińs
ńi piL
264
| 02
Duarte Rodrigues Nunes
Portuguese legislator did not empower the authorities to order any person
who has knowledge about the functioning of the computer system or
measures applied to protect the computer data therein to provide, as
is reasonable, the necessary information, to enable the undertaking of
a search of computer stored data. Thus, we consider that, in this aspect,
the Portuguese legislator has not fully complied with Article 19 of the
Convention on Cybercrime51.
VI. Seizure of stored computer data
(Article 16 of Law no. 109/200952)
The seizure of computer data consists in seize or similarly secure
computer data that has been searched or similarly accessed53, as well as
the programs necessary to access such data54.
The explanatory report notes that “This power is not only of benefit to the
investigating authorities. Without such cooperation, investigative authorities could
remain on the searched premises and prevent access to the computer system for long
periods of time while undertaking the search. This could be an economic burden on
legitimate businesses or customers and subscribers that are denied access to data during
this time. A means to order the co-operation of knowledgeable persons would help in
making searches more effective and cost efficient, both for law enforcement and innocent
individuals affected. Legally compelling a system administrator to assist may also relieve
the administrator of any contractual or other obligations not to disclose the data”.
52
The seizure of computer data is also provided by Article 19 of the Convention on
Cybercrime.
53
Where we may include the collection of computer data by a specialist in the place
where the computer system is located, a search in the place where the computer system
is located or the access to the computer system or to the autonomous device by means of
an order for submitting or granting access to data (see David Ramahlo, Métodos Ocultos
de Investigação Criminal em Ambiente Digital [Covert Methods of Criminal Investigation in the
Digital Environment], Almedina, Coimbra, 2017, p. 133–134).
54
The printing by the authorities of what appears on a web page or on a social
network profile constitutes a seizure of computer data [see Judgments of the Court
of Appeal of Oporto of 13/04/2016 (Case 471/15.0T9AGD-A.P1) in http://www.dgsi.pt/
jtrp.nsf/56a6e7121657f91e80257cda00381fdf/ef54d51d3972157d80257fa4002e2d75?OpenDocument [last accessed 22/06/2018] and 04/04/2017 (Case 671/14.0GAMCN.P1), available
at: http://www.dgsi.pt/jtrp.nsf/56a6e7121657f91e80257 cda00381fdf/16ebc99e65fc19038025810c0051991a?OpenDocument [last accessed 22/06/2018].
51
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
265
The seizure of computer data is authorized by the judicial authority55,
whenever it is of relevance to the discovery of the truth and/or for use
as evidence56, and can be used to investigate any type of crime57.
Pursuant to Article 16, paragraphs 2 and 4, of Law no. 109/2009,
the seizure may be carried out by the criminal police in the course of
a computer search legitimately ordered and executed in accordance
with Article 15 of Law no. 109/2009 or in exigent circumstances; and
the police must inform the competent judicial authority, for validation,
within 72 hours.
Pursuant to Article 16, paragraphs 5 and 6, of Law no. 109/2009, the
seizure of stored data in computer systems used for lawyer, medical and
banking activities must be authorized by the Judge (who must also be
present during the seizure)58, without prejudice to the power of the judicial
authority provided by special laws. The Judge or the judicial authority
must notify the President of the local council of the Bar Association or
of the Order of Physicians, the president of the regional council of the
Order of Solicitors and Execution Agents, the president of the most
representative trade union organization of journalists or, in the other
cases, a similar entity, so that the same, or a delegate, may be present; in
the case of a search in an official health establishment, the notification
shall be made to the chairman of the board of directors or management
of the establishment or to his/her legal substitute. And the professional
wanted by the seizure may also be present.
Combining Article 16, paragraph 1, of Law no. 109/2009 with Article 1, b), of the
Code of Criminal Procedure (which contains the legal concept of “judicial authority”),
the authorization must be issued by the Public Prosecutor in the inquiry phase, by the
Examining Judge in the preliminary judicial phase and by the Judge in the trial phase.
56
See Article 16, paragraph 1, of Law no. 109/2009.
57
See Paulo Da Mesquita, Processo Penal, Prova e Sistema Judiciário [Criminal Procedure, Evidence and Judicial System], Coimbra Editora, Coimbra, 2010, p. 98, and Judgments
of the Court of Appeal of Évora of 06/01/2015 (Case 6793/11.6TDLSB-A.E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf2802579bf005f080b /847dae6b85353cb880257de10056ff4c?OpenDocument (accessed 22/06/2018) and 20/01/2015
(Case 648/14.6GCFAR-A.E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf280 2579bf005f080b/2fbdd21285478f5f80257de100 56ff7a?OpenDocument (accessed 22/06/2018).
58
See also Articles 180, paragraph 1, 181 and 268, paragraph 1, c), of the Code of
Criminal Procedure.
55
Lipińs
ńi piL
266
| 02
Duarte Rodrigues Nunes
Pursuant to Article 16, paragraph 7, of Law no. 109/2009, the seizure
of computer data may be carried out by means of:
a) Seizure of the device where the system is installed or seizure of
the device where the computer data is stored, as well as the other
devices that are necessary for its reading;
b) Realization of a copy of the data to an autonomous device, that
will be added to the process;
c) Preservation by technological means of the integrity of the data,
without copying or removal thereof; or
d) Non-reversible elimination or blocking of data access.
And, in accordance with paragraph 8 of the same Article, if the seizure
consists in making a copy of the data, the copy must be made in duplicate
and one of the copies must be sealed and entrusted to the judicial clerk of
the Court where the process is taking place and, if technically possible,
the seized data will be certified by digital signature.
The choice of one of the ways of carrying out the seizure is not
arbitrary and the authorities shall choose the one that, being appropriate
to pursue the purposes of the investigation, is less damaging to the
fundamental rights of the people affected by the measure59.
With respect to the restriction of fundamental rights, the seizure of
stored computer data restricts the fundamental rights to privacy and to
informational self-determination, protected by Article 8 of the European
Convention on Human Rights60. Pursuant to Article 8 (2), there shall be no
interference by a public authority with the exercise of these rights, except
such as is in accordance with the law and is necessary in a democratic
society in the interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or crime, for
the protection of health or morals, or for the protection of the rights and
freedoms of others.
Rita Castanheira Neves, As Ingerências nas Comunicações Electrónicas em Processo
Penal [The Interference in Electronic Communications in Criminal Procedure], Coimbra Editora,
Coimbra, 2011, p. 273, and BENJAMIM SILVA RODRIGUES, Da Prova Penal, II [On Criminal
Evidence, II], Rei dos Livros, Lisbon, 2010, p. 452.
60
See ECtHR, Prezhdarovi v. Bulgaria, Application no. 8429/05, Judgment of 30.09.2014,
available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[ %22CASE%20OF%20
PREZHDAROVI%20v.%20BULGARIA%22], %22documentcollectionid2%22:[%22JUDGMENTS%22], %22itemid%22:[%22001-146565%22]} [last accessed 07/11/2018].
59
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
267
The explanatory report notes that Article 19 of the Convention on
Cybercrime “aims at modernising and harmonising domestic laws on
search and seizure of stored computer data for the purposes of obtaining
evidence with respect to specific criminal investigations or proceedings”.
The ECtHR61 analyzed the compliance of Portuguese Law in matter of
seizure of stored computer data with Article 8 of the European Convention
on Human Rights and considered that the Portuguese Law did not violate
the European Convention on Human Rights62. Furthermore, pursuant
to Article 19 (5) of the Convention on Cybercrime, the seizure of stored
computer data is subject to Articles 14 and 15 of that Convention.
The seizure of stored computer data provides a less intrusive measure
which law enforcement authorities can apply instead of measures such
as interception of content data and real-time collection of traffic data,
which must be used only to investigate serious offences. Although Article
15 of Law no. 109/2009 may include access to traffic data and even to
the content of communications stored on a computer system, the search
of stored computer data does not constitute an intense restriction of
fundamental rights like (except when the content of computer data is
likely to reveal personal or intimate data), for example, an interception
(in real-time) of communications. Thus, we consider that neither Articles
15 and 19 of the Convention on Cybercrime nor Article 8 of the European
Convention on Human Rights require that the order for submitting or
granting access to data depend on judicial authorization.
However, pursuant to Article 16, paragraph 3, of Law no. 109/2009,
when the content of computer data is likely to reveal personal or intimate
data, which may jeopardize the privacy of the respective holder or of
a third party, such data or documents shall be submitted to the judge,
who shall decide about their relevance to the case, taking into account
the interests of the particular situation, under sanction of nullity63.
ECtHR, Sérvulo & Associados – Sociedade de Advogados, RL and Others v. Portugal,
Application no. 27013/10, Judgment of 03.12.2015, available at: https://hudoc.echr.coe.
int/eng#{%22itemid%22:[%22001-156519%22]} [last accessed 07/11/2018].
62
Although the Court did not analyse Articles 15 and 16 of Law no. 109/2009, but,
among others, Articles 174, 176 and 178 of the Code of Criminal Procedure, whose regime
was similar to Articles 15 and 16 of Law no. 109/2009.
63
On this issue, with more developments, Duarte Rodrigues Nunes, Os meios de
61
Lipińs
ńi piL
268
| 02
Duarte Rodrigues Nunes
Article 16 of Law no. 109/2009 empowers the investigating authorities
to seize or similarly secure a computer system or part of it or a computerdata storage medium, make and retain a copy of those computer data,
maintain the integrity of the relevant stored computer data or render
inaccessible or remove those computer data in the accessed computer
system and respects the safeguards imposed by Articles 14 and 15 of the
Convention on Cybercrime and Article 8 of the European Convention
on Human Rights.
However, there are some differences between Article 16 of Law
no. 109/2009 and Article 19 of the Convention on Cybercrime.
Thus, pursuant to Article 19 of the Convention on Cybercrime,
the seize of stored computer data can only occur on computer data
stored on computer systems or computer-data storage mediums located
in the territory of each Party. However, in Articles 15 and 16 of Law
no. 109/2009, the Portuguese legislator only refers to the search and
seize of stored computer data without mentioning whether the computer
system is located in the Portuguese territory or abroad.
Therefore, for the same reasons as we referred with regard to the
search of stored computer data, we consider that Article 16 of Law
no. 109/2009 allows the seizure of computer data in computer systems
that are not located in the Portuguese territory without to resort to
international judicial cooperation mechanisms.
And we find another difference between Article 16 of Law no. 109/
2009 and Article 19 of the Convention on Cybercrime. In fact, the Portuguese legislator did not empower the authorities to order any person
who has knowledge about the functioning of the computer system or
measures applied to protect the computer data therein to provide, as
is reasonable, the necessary information, to enable the undertaking of
a seizure of computer stored data. Thus, we consider that, in this aspect,
the Portuguese legislator has not fully complied with Article 19 of the
Convention on Cybercrime.
obtenção de prova previstos na Lei do Cibercrime [The means of obtaining evidence provided by the
Law of Cybercrime], Gestlegal, Coimbra, 2018, p. 120–127 (with bibliographic references).
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
269
VII. Seizure of electronic mail and records
of communications of asimilar nature
(Article 17 of Law no. 109/200964)
Article 17 of Law no. 109/2009 regulates the cases in which, during
a computer search or other legitimate access to a computer system, the
authorities find electronic messages or records of communications of
a similar nature65, subjecting their seizure to the legal regime of seizure
of postal items provided by the Code of Criminal Procedure (Articles 179
and 252)66.
The seizure of e-mails or records of communications of a similar
nature must be authorized by the Judge, whenever such seizure is of great
relevance to the discovery of the truth and/or for use as the evidence67,
and may be used in the investigation of any type of crime68. Due to the
specificity of electronic mail, authorization can only be granted a posteriori
and it will not be possible to return the seized electronic mail that is
irrelevant to the investigation, and therefore, paragraphs 1 and 3 of
Article 179 of the Code of Criminal Procedure will have to be applied
The Convention on Cybercrime does not contain any provision specifically
providing the seizure of electronic mail and communication records of a similar nature.
65
E.g. SMS MMS, conversations in Messenger, voice messages related to
communications via Whatsapp, Viber, Skype, Facebook, etc.
66
This legislative option is subject to strong criticism, being understood that the
seizure should be regulated by Article 16 of Law no. 109/2009 and not by the legal regime
of seizure of postal items. On this issue, with more developments; Duarte Rodrigues
Nunes, Os meios de obtenção de prova previstos na Lei do Cibercrime [The means of obtaining
evidence provided by the Law of Cybercrime], Gestlegal, Coimbra, 2018, p. 141–146 (with
bibliographic references).
67
See Article 17 of Law no. 109/2009.
68
See Paulo Da Mesquita, Processo Penal, Prova e Sistema Judiciário [Criminal Procedure,
Evidence and Judicial System], Coimbra Editora, Coimbra, 2010, p. 98, and Judgments of
the Court of Appeal of Évora of 06/01/2015 (Case 6793/11.6TDLSB-A.E1), available at:
http://www.dgsi.pt/jtre.nsf/134973db04f39bf280 2579bf005f080b/847dae6b85353cb880257de10056ff4c? OpenDocument [last accessed 22/06/2018] and 20/01/2015 (Case
648/14.6GCFAR-A.E1), available at: http://www.dgsi.pt/jtre.nsf/134973db04f39bf280
2579bf005f080b/2fbdd21285478f5f80257de 10056ff7a?OpenDocument [last accessed
22/06/2018].
64
Lipińs
ńi piL
270
| 02
Duarte Rodrigues Nunes
with the necessary adaptations to the seizure of electronic mail or records
of communications of a similar nature.
In exigent circumstances, authorities may use the police measures
provided by Article 252 of the Code of Criminal Procedure69, but only
the measure provided by paragraph 370.
Due to the reference of Article 17 of Law no. 109/2009 to the legal
regime of seizure of postal items pursuant to Article 179, paragraph 1, a),
of the Code of Criminal Procedure, only e-mails or other similar realities
that have been sent by the suspect or addressed to him or her, even if
under a different name or through a different person, may be seized.
With regard to professional confidentiality, in accordance with Article
179, paragraph 2, of the Code of Criminal Procedure, no seizure or other
control of electronic mail and records of communications of a similar
nature between the defendant or suspect and between the defendant and
his defence counsel is allowed unless the judge has reasonable grounds
to believe that the said communication is the object or the constitutive
element of a criminal offence.
Although we disagree with the legislative option to submit the
seizure of e-mails or records of communications of a similar nature to
the legal regime of seizure of correspondence provided by the Code of
Criminal Procedure71, Article 17 of Law no. 109/2009 complies with the
provisions of Article 8 of the European Convention on Human Rights. In
See Pinto De Albuquerque, Comentário ao Código de Processo Penal, 4.ª Edição
[Commentary on the Code of Criminal Procedure, 4th Edition], Universidade Católica Editora,
Lisbon, 2011, p. 510.
70
Due to the specificity of the electronic mail and communications of a similar nature,
which does not include package-equivalent realities, the measure provided by Article 252,
para. 2, of the Code of Criminal Procedure cannot be applied to the seizure of electronic
mail and communications of a similar nature).
71
Because the seizure of electronic mail and communication records of a similar
nature, provided by Article 17 of Law No. 109/2009 applies to obtaining electronic mail,
SMS, etc. that has already been received by the recipient and is stored on a computer
system that has been legitimately accessed by the authorities and not to obtaining, in realtime, electronic mail, SMS, etc. Therefore, unlike the seizure of correspondence provided
by the Code of Criminal Procedure, there is no restriction on the right to confidentiality
of correspondence. In fact, the seizure of electronic mail and communication records of
a similar nature restricts exactly the same fundamental rights as the seizure of computer
stored data provided by Article 16 of Law no. 109/2009.
69
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
271
fact, pursuant to Article 8 (2), there shall be no interference by a public
authority with the exercise of these rights, except such as is in accordance
with the law and is necessary in a democratic society in the interests of
national security, public safety or the economic well-being of the country,
for the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others. Thus,
the ECtHR considers that the seizure of correspondence can only be
justified if the conditions set out in the second paragraph of Article 8
are satisfied: the seizure of correspondence must be “in accordance with
the law”, pursue one or more “legitimate aims” and be “necessary in
a democratic society” in order to achieve them72.
VIII. Interception of communications
(Article 18 of Law no. 109/200973)
Article 18 of Law no. 109/2009 provides for the interception74 of computer
communications, which includes obtaining real-time communication
content data75 (e-mail, SMS, Messenger conversations, news, chats,
See ECtHR, Silver and Others v. The United Kingdom Application no. 5947/72; 6205/73;
7052/75; 7061/75; 7107/75; 7113/75; 7136/75, Judgment of 25.03.1983, available at: https://
hudoc.echr.coe.int/eng#{%22fulltext%22: [%22silver%22],%22documentcollectionid2%22:
[%22GRANDCHAMBER%22,%22CHAMBER%22], %22itemid%22:[%22001-57577%22]}
[last accessed 07/11/2018].
73
This mean of obtaining evidence is also provided by Articles 20 and 21 of the
Convention on Cybercrime.
74
Defined in Article 2, e), of Law no. 109/2009 as “the act intended to capture
information contained in a computer system by means of electromagnetic, acoustic,
mechanical or other devices”.
75
Paulo Da Mesquita, Processo Penal, Prova e Sistema Judiciário [Criminal Procedure,
Evidence and Judicial System], Coimbra Editora, Coimbra, 2010, p. 122, Pedro Dias Venacio,
Lei do Cibercrime [Law of Cybercrime], Coimbra Editora, Coimbra, 2011, p. 119, and Judgments
of the Court of Appeal of Lisbon of 03/05/2016 (Case 73/16.4PFCSC-A.L1-5), available
at: http://www.dgsi.pt/jtrl.nsf/33182fc73231603980 2565fa00497eec/7eafd3bff46e1a1b80257fd400314510? OpenDocument [last accessed 22/06/2018] and 07/03/2017 (Case
1585/16.5PBCSC-A.L1-5), available at: http://www.dgsi.pt/jtrl.nsf/33182fc73231603980
2565fa00497eec/ec0f3a35d90f697d802580ea0056629e?OpenDocument [last accessed
22/06/2018].
72
Lipińs
ńi piL
272
| 02
Duarte Rodrigues Nunes
videoconferences and web conferences, etc.76 and communications carried
out by VoIP77) and traffic data (whether real time or data retained under
the terms of Law 32/2008)78.
The interception of computer data shall only be authorized during
the investigation stage, where there are reasons to believe that this
measure is essential to the uncovering of the truth or that, otherwise, it
would be impossible or very difficult to obtain evidence, on the basis of
a substantiated order from the examining judge, further to a request from
the Public Prosecution79. The authorization shall be limited to a maximum
time-limit of three months, renewable for equal periods, provided that
the respective requirements for admissibility have been met80.
In exigent circumstances, the authorization may be granted by the
Judge with jurisdiction over the locations from where the telephone
conversation or communication is likely to occur, or over the central
office of the entity competent to conduct the criminal investigation, but
only when dealing with one of criminal offences provided by Article 187,
paragraph 2, of the Code of Criminal Procedure81. Likewise, the criminal
police authority may directly request an interception of communications
to the Judge without any intermediation by the Public Prosecutor82.
However, under Article 11, paragraph 2, b), of the Code of Criminal
Procedure, the interception, recording and transcription of conversations
or communications involving the President of the Republic, the President
Pinto De Albuquerque, Comentário ao Código de Processo Penal, 4.ª Edição [Commentary
on the Code of Criminal Procedure, 4th Edition], Universidade Católica Editora, Lisbon, 2011,
p. 542, and Pedro Dias Venancio, Lei do Cibercrime [Law of Cybercrime], Coimbra Editora,
Coimbra, 2011, p. 119.
77
See Pedro Dias Venancio, Lei do Cibercrime [Law of Cybercrime], Coimbra Editora,
Coimbra, 2011, p. 119; different opinion, David Ramalho, Métodos Ocultos de Investigação
Criminal em Ambiente Digital [Covert Methods of Criminal Investigation in Digital Environment],
Almedina, Coimbra, 2017, p. 339 et seq.
78
See Article 18, para. 3, of Law no. 109/2009.
79
See Article 18, para. 1, of Law no. 109/2009.
80
See Article 187, para. 6, of the Code of Criminal Procedure, applicable ex vi Article
18, para. 4, of Law no. 109/2009.
81
See Article 187, para. 2, of the Code of Criminal Procedure, applicable ex vi Article
18, para. 4, of Law no. 109/2009.
82
See Article 269, paras. 1, e), and 2, in conjunction with Article 268, para. 2, both of
the Code of Criminal Procedure.
76
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
273
of the Parliament or the Prime Minister must be authorized by the
President of the Supreme Court of Justice, which includes the interception
of communications provided by Article 18 of Law no. 109/2009.
Pursuant to Article 18, paragraph 1, of Law no. 109/2009, the interception of communications may only be authorized to investigate criminal
offences punishable under Law no. 109/2009 (Articles 3 to 8) and criminal
offences committed by means of a computer or criminal offences which
investigation requires collection of evidence in electronic form, when
criminal offences are referred to in Article 187, paragraphs 1 and 2, of
the Code of Criminal Procedure83. And pursuant to Article 187, paragraph 4, of the Code of Criminal Procedure (applicable ex vi Article 18,
“Article 187: 1 – Interception and tape recording of telephone conversations or
communications may only be authorized during the inquiry where there are grounds for
believing that this step is indispensable for the discovery of the truth or that the evidence
would, by any other means, be impossible or very hard to collect. Such authorization
shall be granted by means of a reasoned order issued by the Examining Judge and upon
the request of the Public Prosecution Service, as regards the following criminal offences:
a) Criminal offences to which a custodial sentence with a maximum limit over three
years applies;
b) Drug-related offences;
c) Possession of a prohibited weapon and illicit trafficking in weapons;
d) Smuggling offences;
e) Insult, threat, coercion, disclosure of private life and disturbance of the peace and
quiet, whenever committed by means of a telephone device;
f) Threat with the commission of a criminal offence or abuse and simulation of
danger signals; or
g) Escape from justice, whenever the defendant has been sentenced for a criminal
offence referred to in the preceding sub-paragraphs.
2 – The authorization provided for in paragraph 1 above may be requested to the
judge with jurisdiction over the locations from where the telephone conversation or
communication is likely to occur, or over the central office of the entity competent to
conduct the criminal investigation, when dealing with the following criminal offences:
a) Criminal offences to which a custodial sentence with a maximum limit over three
years applies;
b) Illegal restraint, kidnapping and taking of hostages;
c) Offences against cultural identity and personal integrity, as provided for in Book II,
Title III, of the Criminal Code and in the Criminal Law on Violations of International
Humanitarian Law;
d) Offences against State security foreseen in Book II, Title V, Chapter I, of the
Criminal Code;
83
Lipińs
ńi piL
274
| 02
Duarte Rodrigues Nunes
paragraph 4, of Law 109/2009), regardless of the entity who owns the
means of communication used, the interception can only be authorised
against (1) the suspect or the defendant, (2) any person acting as an
intermediary, against whom there are grounds to believe that he/she
receives or transmits messages aimed at, or coming from, the suspect
or the defendant or (3) the victim of a crime (upon his/her effective or
alleged consent). Evidence obtained in a process by means of the interception of communications cannot be used in other proceedings (either
ongoing or to be initiated) unless it has resulted from the interception of
a means of communication used by the suspect, defendant, intermediary or victim and insofar as it proves to be indispensable for obtaining
evidence of a criminal offence set out in Article 18, paragraph 1, of Law
no. 109/2009. However, the information obtained can always be used
as notitia criminis84.
Pursuant to Article 187, paragraph 5, of the Code of Criminal
Procedure (applicable ex vi Article 18, paragraph 4, of Law no. 109/2009),
no interception of computer data transmissions between the defendant and
his defence counsel is allowed unless the judge has reasonable grounds
to believe that the said communication is the object or the constitutive
element of a criminal offence, and the evidence may be used against the
accused and the defender85.
e) Counterfeiting of currency or securities equivalent to currency foreseen in articles
262, 264 – to the extent that it refers to article 262 – and article 267 – to the extent that it
refers to articles 262 and 264 – of the Criminal Code;
f) Offences covered by a convention on the safety of air or maritime navigation”.
84
See Article 187, para. 7, of the Code of Criminal Procedure, applicable ex vi
Article 18, para. 4, of Law no. 109/2009.
85
See Lamas Leite, As escutas telefónicas – algumas reflexões em redor do seu regime
e das consequências processuais derivadas da respectiva violação, [in:] Separata da Revista da
Faculdade de Direito da Universidade do Porto, 2004 [The wiretapping – some reflections around
its regime and the procedural consequences derived from the respective violation, “Offprint of
the Journal of the Faculty of Law of the University of Oporto”, 2004], p. 46, Helena Susano,
Escutas Telefónicas [Wiretapping], Coimbra Editora, Coimbra, 2009, p. 39, and Pinto De
Albuquerque, Comentário ao Código de Processo Penal, 4.ª Edição [Commentary on the Code
of Criminal Procedure, 4th Edition], Universidade Católica Editora, Lisbon, 2011, p. 527.
Differently Marcolino de Jesus, Os Meios de Obtenção de Prova em Processo Penal [The Means of
Obtaining Evidence in Criminal Procedure], Almedina, Coimbra, 2011, p. 246, Ana Conceicao,
Escutas Telefónicas [Wiretapping], Quid Juris, Lisbon, 2009, p. 112, and Costa Andre, Das
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
275
Although the law only refers to the communications between the
defendant and his defence counsel, it is discussed whether the rule also
includes other cases of communications involving persons subject to the
duty of professional confidentiality86.
The criminal police that carries out the interception of communications
draws up the respective records and produces a report pointing out the
parts which bear relevance for use as evidence, describing in brief the
respective contents and explaining the respective importance for the
discovery of the truth87.
Pursuant to Article 188, paragraphs 3 to 6, of the Code of Criminal
Procedure, the criminal police that carries out the interception of
communications provides the Public Prosecutor, every fortnight counted
Escutas Telefónicas, [in:] I Congresso de Processo Penal [On Wiretapping, “I Congress of Criminal
Procedure”], Almedina, Coimbra, 2005, p. 221, consider that the evidence can only be used
against the defence counsel, in order not to prejudice the defence.
86
Duarte Rodrigues Nunes, Os meios de obtenção de prova previstos na Lei do Cibercrime
[The means of obtaining evidence provided by the Law of Cybercrime], Gestlegal, Coimbra, 2018,
p. 184–186, and Lamas Leite, As escutas telefónicas – algumas reflexões em redor do seu regime
e das consequências processuais derivadas da respectiva violação, [in:] Separata da Revista da
Faculdade de Direito da Universidade do Porto, 2004 [The wiretapping – some reflections around
its legal regime and the procedural consequences derived from the respective violation, “Offprint
of the Journal of the Faculty of Law of the University of Oporto”, 2004], p. 48, consider that
Article 187, para. 5, of the Code of Criminal Procedure does not apply to such cases. On
the other hand, the Majority Doctrine considers that Article 187, para. 5, of the Code of
Criminal Procedure also applies in these cases (see Costa Andrade, Das Escutas Telefónicas,
[in:] I Congresso de Processo Penal [On Wiretapping, “I Congress of Criminal Procedure”],
Almedina, Coimbra, 2005, p. 220, Pinto De Albuquerque, Comentário ao Código de Processo
Penal, 4.ª Edição [Commentary on the Code of Criminal Procedure, 4th Edition], Universidade
Católica Editora, Lisbon, 2011, p. 527, Germano Marques Da Silva, Curso de Processo Penal,
II, 4.ª Edição [Course on Criminal Procedure, II, 4th Edition], Editorial Verbo, Lisbon, 2008,
p. 252, Rita Castanheira Neves, As Ingerências nas Comunicações Electrónicas em Processo
Penal [The Interference in Electronic Communications in Criminal Procedure], Coimbra Editora,
Coimbra, 2011, p. 295 et seq., Helena Susano, Escutas Telefónicas [Wiretapping], Coimbra
Editora, Coimbra, 2009, p. 41, Benjamin Silva Rodrigues, Das Escutas Telefónicas, I [On
Wiretapping, I], Rei dos Livros, Lisbon, 2008, p. 291 et seq., Ana Conceicao, Escutas Telefónicas
[Wiretapping], Quid Juris, Lisbon, 2009, p. 111, and Guedes Valente, Escutas Telefónicas, 2.ª
Edição [Wiretapping, 2nd Edition], Almedina, Coimbra, 2008, p. 92).
87
See Article 188, para. 1, of the Code of Criminal Procedure, applicable ex vi
Article 18, para. 4, of Law no. 109/2009.
Lipińs
ńi piL
276
| 02
Duarte Rodrigues Nunes
from the first interception made, with the respective technical material,
as well as with the respective records and reports88. Then, the Public
Prosecutor submits those elements to the judge within a maximum time
limit of forty-eight hours89. The Judge, in order to become acquainted with
the content of the communications, is assisted, whenever appropriate, by
a criminal police body and shall appoint, if necessary, an interpreter90 and
orders the immediate destruction of the technical materials and reports
clearly bearing no interest to the case and concerning communications
between persons who could not be subject to an interception of communications, covering matters under professional confidentiality, under
confidentiality binding officials or under State confidentiality or which
disclosure may seriously affect rights, liberties and guarantees91.
With respect to the restriction of fundamental rights, the interception
of communications restricts the fundamental rights to privacy, to
informational self-determination, to confidentiality of communications
and, in the case of the interception of communications by means of VoIP,
the right to confidentiality and to integrity of information technology
systems, protected by Article 8 of the European Convention on Human
Rights92. Pursuant to Article 8 (2), there shall be no interference by a public
authority with the exercise of these rights, except such as is in accordance
with the law and is necessary in a democratic society in the interests of
national security, public safety or the economic well-being of the country,
for the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others.
See Article 188, para. 3, of the Code of Criminal Procedure, applicable ex vi
Article 18, para. 4, of Law no. 109/2009.
89
See Article 188, para. 4, of the Code of Criminal Procedure, applicable ex vi
Article 18, para. 4, of Law no. 109/2009.
90
See Article 188, para. 5, of the Code of Criminal Procedure, applicable ex vi
Article 18, para. 4, of Law no. 109/2009.
91
See Article 188, para. 6, of the Code of Criminal Procedure, applicable ex vi
Article 18, para. 4, of Law no. 109/2009.
92
See ECtHR, Valenzuela Contreras v. Spain, Application no. 58/1997/842/1048,
Judgment of 30.07.1998, available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:
[%22valenzuela%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%
22CHAMBER%22],%22itemid%22:[%22001-58208%22]}[last accessed 07/11/2018].
88
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
277
According to ECtHR’s case-law, the interception of communications
constitutes an interference by a public authority in the right to respect
for private life and correspondence and such an interference will be in
breach of Article 8 (2) of the European Convention on Human Rights
unless it is in accordance with the law, pursues one or more legitimate
aims under paragraph 2 and is necessary in a democratic society to
achieve those aims. “In accordance with the law” require firstly that the
impugned measure should have some basis in domestic law. However,
that expression does not merely refer back to domestic law but also relates
to the quality of the law, requiring it to be compatible with the rule of law.
The expression thus implies that there must be a measure of protection in
domestic law against arbitrary interference by public authorities with the
rights safeguarded by paragraph. From that requirement stems the need
for the law to be accessible to the person concerned, who must, moreover,
be able to foresee its consequences for him. Especially where a power of
the executive is exercised in secret the risks of arbitrariness are evident.
In the context of interception of communications by public authorities,
the requirement of foreseeability implies that the domestic law must
be sufficiently clear in its terms to give citizens an adequate indication
as to the circumstances in and conditions on which public authorities
are empowered to take any such secret measures. It is essential to have
clear, detailed rules on the subject, especially as the technology available
for use is constantly becoming more sophisticated. ECtHR’s case-law
mentions the following minimum safeguards that should be set out in the
statute in order to avoid abuses of power: a definition of the categories
of people liable to have their telephones tapped by judicial order, the
nature of the offences which may give rise to such an order, a limit on
the duration of telephone tapping, the procedure for drawing up the
summary reports containing intercepted conversations, the precautions
to be taken in order to communicate the recordings intact and in their
entirety for possible inspection by the judge and by the defence and the
circumstances in which recordings may or must be erased or the tapes
destroyed, in particular where an accused has been discharged by an
investigating judge or acquitted by a court93.
About the analysis of ECtHR’s case-law, see ECtHR, Valenzuela Contreras v. Spain,
Application no. 58/1997/842/1048, Judgment of 30.07.1998, available at: https://hudoc.
93
Lipińs
ńi piL
278
| 02
Duarte Rodrigues Nunes
Thus, as we can see, Article 18 of Law no. 109/2009 complies with the
provisions of Article 8 of the European Convention on Human Rights.
With regard to the Convention on Cybercrime, Articles 20 and 21
empower the investigating authorities to collect or record through the
application of technical means on the territory of that Party and compel
a service provider, within its existing technical capability to collect or
record through the application of technical means on the territory of that
Party or to co-operate and assist the competent authorities in the collection
or recording of content data and traffic data, in real-time, associated
with specified communications in its territory transmitted by means of
a computer system. However, pursuant to Articles 20 (4) and 21 (4) the
collection or recording of content data and traffic data in real-time is,
pursuant to Article 15 of that Convention, “subject to conditions and
safeguards provided for under domestic law” and must “in view of the
nature of the procedure or power concerned, inter alia, include judicial
or other independent supervision, grounds justifying application, and
limitation of the scope and the duration of such power or procedure”.
And the explanatory report notes that “the conditions and safeguards
applicable to real-time interception of content data may be more stringent
than those applicable to the real-time collection of traffic data, or to the
search and seizure or similar accessing or securing of stored data”.
Thus, as we can see, Article 18 of Law no. 109/2009 also complies with
the conditions and safeguards of Articles 14 and 15 of the Convention
on Cybercrime.
IX. Undercover operations
(Article 18 of Law no. 109/200994)
The Portuguese legislator defines undercover operations as “any
operations conducted by criminal investigation officers, or third persons
echr.coe.int/eng#{%22fulltext%22:[%22valenzuela%22],%22documentcollection
id2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%2200158208%22]} [last accessed 07/11/2018].
94
The Convention on Cybercrime does not contain any provision specifically
providing for the use of undercover agents in digital environment.
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
279
subject to the scrutiny of the Judiciary Police (Polícia Judiciária), acting
under undisclosed capacity and identity for the purpose of preventing
or punishing the offences specified in this Act”95, regulating in Article 19
of Law no. 109/2009 the undercover operations in digital environment.
Pursuant to Article 3, paragraphs 3 to 5, of Law 101/2001, undercover
operations within the framework of the inquiry are subjected to prior
authorisation of the competent member of the Public Prosecution, to
mandatory communication to the investigating judge, and will be deemed
to be ratified if no order refusing permission is issued within seventytwo hours and if the operation is carried out in the framework of crime
prevention, it falls within the competence of the investigation judge of
the Criminal Instruction Central Court to give the required authorisation
upon proposal by the Public Prosecution.
Pursuant to Article 19, paragraph 1, of Law no. 109/2009, undercover
operations in a digital environment may only be used to investigate:
a) Criminal offences punishable under Articles 3 to 8 of Law no. 109/
2009;
b) Criminal offences committed by means of a computer system,
to which correspond, in abstract, a term of imprisonment with
a maximum band of over 5 years; and
c) Regardless of the applicable penalty, intentional criminal offences,
those against freedom and sexual self-determination, in case
victims are minors or incapacitated adults (Articles 163 to 176
A of the Penal Code), qualified swindling (Article 218 of the
Penal Code), computer-related fraud (Article 221 of the Penal
Code), racial, religious or sexual discrimination (Articles 240 to
245 of the Penal Code), criminal offences laid down in title IV of
the Code of Copyright and Related Rights (Articles 195 to 199)
and economic and financial infringements when committed by
means of a computer system96.
See Article 1, paragraph 2, of Law no. 101/2001, of August 25, hereinafter referred
to as Law no. 101/2001. The text of Law no. 101/2001 available at: http://www.pgdlisboa.
pt/leis/lei_mostra_articulado.php?nid=89&tabela=leis (in Portuguese only).
96
The catalogue of criminal offences of Article 19, paragraph 1, of Law no. 109/2009
is of dubious constitutionality by allowing the use of undercover operations to investigate
criminal offences of small or medium gravity such as the crimes punishable under Article 4,
95
Lipińs
ńi piL
280
| 02
Duarte Rodrigues Nunes
Pursuant to Article 19, paragraph 2, of Law no. 109/2009, when it is
necessary to use computer means and devices in the context of undercover
operations, Article 18 of Law no. 109/2009 shall apply.
Pursuant to Article 4, paragraph 4, of Law no. 101/2001, when the
judge, should, on grounds of evidential indispensability, order the
undercover officer to attend the hearing, the public must be excluded
and, as a rule, the undercover agent will give his testimony without its
identity being revealed and using image concealment, voice distortion
and videoconference, to protect the agent from being influenced by
possible pressures and reprisals and to allow the agent to be used in
future investigations97. In such cases, pursuant to Article 19, paragraph
2, of Law no. 93/99, of July 1498, no conviction may be based, exclusively
or decisively, on the testimony or statements produced by one or more
witnesses whose identity was not revealed.
Pursuant to Article 6, paragraph 1, of Law no. 101/2001, any conduct
of an undercover agent which, in the framework of an undercover
operation, amounts to the commission of preparatory or instrumental
acts in any form of participation other than incitement shall not be
punishable whenever due proportionality is kept with regard to the
aim to be achieved.
Finally, pursuant to Article 3, paragraph 6, of Law no. 101/2001,
the Judiciary Police will report the undercover agent operation to the
competent judicial authority within 48 hours at the latest as from the
date on which the operation was completed.
paragraphs 1 and 3, Article 6, paragraphs 1,2 and 3, Article 7 and Article 8 of Law
no. 109/2009 – related to crimes of damage caused to programmes or other computer data,
illegal access, illegal interception and illegal reproduction of protected programmes – (see
PAULO DÁ MESQUITA, Processo Penal, Prova e Sistema Judiciário [Criminal Procedure,
Evidence and Judicial System], Coimbra Editora, Coimbra, 2010, p. 126, and Pinto De
Albuquerque, Comentário do Código de Processo Penal, 4.ª Edição [Commentary on the Code of
Criminal Procedure, 4th Edition], Universidade Católica Editora, Lisbon, 2011, p. 681–682).
97
See David Ramalho, Métodos Ocultos de Investigação Criminal em Ambiente Digital
[Covert Methods of Criminal Investigation in Digital Environment], Almedina, Coimbra, 2017,
p. 304–305.
98
The text of Law no. 93/99 is available at: http://www.pgdlisboa.pt/leis/lei_
mostra_articulado.php?nid=234&tabela=leis (in Portuguese only).
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
281
With respect to the restriction of fundamental rights, undercover
operations in a digital environment restrict the fundamental rights to
privacy, to informational self-determination and to confidentiality and
to the integrity of information technology systems. However, the ECtHR
usually analyses the admissibility of undercover operations in the context
of the right to a fair trial [Article 6(1) of the Convention on Human Rights.
In Ramanauskas v. Lithuania99, the ECtHR set out the general
principles concerning the issue of undercover operations and entrapment:
“49. The Court observes at the outset that it is aware of the difficulties
inherent in the police’s task of searching for and gathering evidence for
the purpose of detecting and investigating offences. To perform this
task, they are increasingly required to make use of undercover agents,
informers and covert practices, particularly in tackling organised crime
and corruption.
50. Furthermore, corruption – including in the judicial sphere – has
become a major problem in many countries, as is attested by the Council
of Europe’s Criminal Law Convention on the subject […]. This instrument
authorises the use of special investigative techniques, such as undercover
agents, that may be necessary for gathering evidence in this area, provided
that the rights and undertakings deriving from international multilateral
conventions concerning “special matters”, for example human rights,
are not affected.
51. That being so, the use of special investigative methods – in
particular, undercover techniques – cannot in itself infringe the right to
a fair trial. However, on account of the risk of police incitement entailed
by such techniques, their use must be kept within clear limits […].
53. More particularly, the Convention does not preclude reliance,
at the preliminary investigation stage and where the nature of the
offence may warrant it, on sources such as anonymous informants.
However, the subsequent use of such sources by the trial court to found
a conviction is a different matter and is acceptable only if adequate and
sufficient safeguards against abuse are in place, in particular a clear and
ECtHR, Ramanauskas v. Lithuania, Application no. 74420/01, Judgment of 05.02.
2008, available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22Ramanauskas
%20v.%20Lithuania%22],%22documentcollectionid2%22:[%22GRANDCHAMBER
%22,%22CHAMBER%22],%22itemid%22:[%22001-84935%22]} [last accessed 07/11/2018].
99
Lipińs
ńi piL
282
| 02
Duarte Rodrigues Nunes
foreseeable procedure for authorising, implementing and supervising
the investigative measures in question (…). While the rise in organised
crime requires that appropriate measures be taken, the right to a fair
trial, from which the requirement of the proper administration of justice
is to be inferred, nevertheless applies to all types of criminal offence,
from the most straightforward to the most complex. The right to the
fair administration of justice holds so prominent a place in a democratic
society that it cannot be sacrificed for the sake of expedience […].
54. Furthermore, while the use of undercover agents may be tolerated
provided that it is subject to clear restrictions and safeguards, the public
interest cannot justify the use of evidence obtained as a result of police
incitement, as to do so would expose the accused to the risk of being
definitively deprived of a fair trial from the outset […].
55. Police incitement occurs where the officers involved – whether
members of the security forces or persons acting on their instructions – do
not confine themselves to investigating criminal activity in an essentially
passive manner, but exert such an influence on the subject as to incite the
commission of an offence that would otherwise not have been committed,
in order to make it possible to establish the offence, that is, to provide
evidence and institute a prosecution […].
56. In Teixeira de Castro […] the Court found that the two police
officers concerned had not confined themselves “to investigating
Mr Teixeira de Castro’s criminal activity in an essentially passive manner,
but [had] exercised an influence such as to incite the commission of the
offence”. It held that their actions had gone beyond those of undercover
agents because they had instigated the offence and there was nothing to
suggest that without their intervention it would have been committed […].
In reaching that conclusion the Court laid stress on a number of
factors, in particular the fact that the intervention of the two officers had
not taken place as part of an anti-drug trafficking operation ordered and
supervised by a judge and that the national authorities did not appear
to have had any good reason to suspect the applicant of being a drug
dealer: he had no criminal record and there was nothing to suggest that
he had a predisposition to become involved in drug trafficking until he
was approached by the police […].
More specifically, the Court found that there were no objective
suspicions that the applicant had been involved in any criminal activity.
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
283
Nor was there any evidence to support the Government’s argument that
the applicant was predisposed to commit offences. On the contrary,
he was unknown to the police and had not been in possession of any
drugs when the police officers had sought them from him; accordingly,
he had only been able to supply them through an acquaintance who
had obtained them from a dealer whose identity remained unknown.
Although Mr Teixeira de Castro had potentially been predisposed to
commit an offence, there was no objective evidence to suggest that he had
initiated a criminal act before the police officers’ intervention. The Court
therefore rejected the distinction made by the Portuguese Government
between the creation of a criminal intent that had previously been absent
and the exposure of a latent pre-existing criminal intent […]
60. The Court has also held that where an accused asserts that he was
incited to commit an offence, the criminal courts must carry out a careful
examination of the material in the file, since for the trial to be fair within
the meaning of Article 6 § 1 of the Convention, all evidence obtained as
a result of police incitement must be excluded. This is especially true
where the police operation took place without a sufficient legal framework
or adequate safeguards […]
61. Lastly, where the information disclosed by the prosecution
authorities does not enable the Court to conclude whether the applicant
was subjected to police incitement, it is essential that the Court examine
the procedure whereby the plea of incitement was determined in each
case in order to ensure that the rights of the defense were adequately
protected, in particular the right to adversarial proceedings and to
equality of arms […]”.
Thus, in its case-law in matter of entrapment, the Court has developed
criteria to distinguish entrapment breaching Article 6 (1) of the Convention
from permissible conduct in the use of legitimate undercover techniques
in criminal investigations, developing the examination of complaints of
entrapment on the basis of two tests: the substantive and the procedural
test of incitement100.
See ECtHR, Bannikova v. Russia, Application no. 18757/06, Judgment of 04.02.2011,
available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22bannikova%22],
%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],
%22itemid%22:[%22001-101589%22]} [last accessed 07/11/2018].
100
Lipińs
ńi piL
284
| 02
Duarte Rodrigues Nunes
However, since undercover operations in a digital environment is
a mean of obtaining evidence that restricts fundamental rights protected by
Article 8 of the European Convention on Human Rights, its admissibility
must be analyzed also in the light of these fundamental rights. Therefore,
we consider that the requirements referred to in Judgment Valenzuela
Contreras v. Spain101 (and quoted above) apply mutatis mutandis to
undercover operations in a digital environment.
Thus, as we can see, Article 19 of Law no. 109/2009 and Law no. 101/
2001 comply with the provisions of Articles 6 and 8 of the European
Convention on Human Rights, except when the use of undercover
operations is allowed to investigate criminal offences of small or medium
gravity102.
X. Online search of stored computer data
(Articles 15 and 18 of Law no. 109/2009)
The online search consists in a “clandestine infiltration into a computer
system to observe its use and access stored data”103, which is carried out
online using technical means and by means of the surreptitious installation
of a computer program of the type Trojan horse in the computer system104,
which may consist of a single access or occur continuously and over time.
ECtHR, Valenzuela Contreras v. Spain, Application no. 58/1997/842/1048, Judgment
of 30.07.1998, available at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22valenzuela%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],
%22itemid%22:[%22001-58208%22]} [last accessed 07/11/2018].
102
Such as criminal offences punishable under Article 4, paras. 1 and 3, Article 6,
paras. 1, 2 and 3, Article 7 and Article 8 of Law no. 109/2009, that are punishable with
imprisonment up to 3 years (Article 4, paras. 1 and 3, 6, para. 3, and Article 8) and 1 year
(Article 6, paras. 1 and 2, and Article 7). In fact, this possibility violates the principle of
proportionality, that regulates the restriction of fundamental rights.
103
See Costa Andrade, Bruscamente no Verão Passado [Suddenly Last Summer], Coimbra
Editora, Coimbra, 2009, p. 166, and Pinto De Albuquerque, Comentário ao Código de Processo
Penal, 4.ª Edição [Commentary on the Code of Criminal Procedure, 4th Edition], Universidade
Católica Editora, Lisbon, 2011, p. 502 and 541.
104
See Costa Andrade, Bruscamente no Verão Passado [Suddenly Last Summer], Coimbra
Editora, Coimbra, 2009, p. 166, and Pinto De Albuquerque, Comentário ao Código de Processo
101
The Means of Obtaining Evidence Provided by the Portuguese Cybercrime Law
20 |
285
In the absence of express legal provisions in our legal system105, the
admissibility of this means of obtaining evidence in Portuguese law is
discussed106. However, we consider that Article 15 of Law no. 109/2009
is the legal basis of the online search in Portuguese Law. However, when
the online search is carried out in a continuous and prolonged way in
time, it will be prejudicial to fundamental rights similar to the interception
of communications. Therefore, operating an interpretation according to
the Constitution, even if this form of execution of the online search is
admissible in the light of Article 15 of Law no. 109/2009, the legal regime
(much more restrictive) of the interception of communications provided
by Article 18 of Law no. 109/2009107 shall apply to such cases.
Penal, 4.ª Edição [Commentary on the Code of Criminal Procedure, 4th Edition], Universidade
Católica Editora, Lisbon, 2011, p. 502 and 541.
105
We can find cases of express legal provisions of online searches in German Law
(online Durchsuchung) [§100b of the Strafprozessordnung (Criminal Procedure Code)], in
Spanish Law (registros remotos sobre equipos informáticos) [Article 588csepties a of the Ley
de enjuiciamiento criminal (Criminal Procedure Code)] and in Italian Law (captatore
informatico) [Article 266 (2) of the Codice di Procedura Penale (Criminal Procedure Code)].
106
See Pinto De Albuquerque, Comentário ao Código de Processo Penal, 4.ª Edição
[Commentary on the Code of Criminal Procedure, 4th Edition], Universidade Católica Editora,
Lisbon, 2011, p. 502 and 545, and Conde Correia, Prova digital: as leis que temos e a lei que
devíamos ter, [in:] Revista do Ministério Público, n.º 139 [Digital Evidence: The Laws We Have
and the Law We Should Have, “Public Ministry Review”, no. 139], p. 42 et seq., consider
that it is admissible. Differently, Rita Castanheira Neves, As Ingerências nas Comunicações
Electrónicas em Processo Penal [The Interference in Electronic Communications in Criminal
Procedure], Coimbra Editora, Coimbra, 2011, p. 196 et seq., 248 and 273, David Ramalho,
Métodos Ocultos de Investigação Criminal em Ambiente Digital [Covert Methods of Criminal
Investigation in Digital Environment], Almedina, Coimbra, 2017, p. 346 et seq., Benjamin
Silva Rodrigues, Da Prova Penal, II [On Criminal Evidence, II], Rei dos Livros, Lisbon,
2010, p. 474–475, Marcolino De Jesus, Os Meios de Obtenção de Prova em Processo Penal [The
Means of Obtaining Evidence in Criminal Procedure], Almedina, Coimbra, 2011, p. 196, and
Armando Ramos, A prova digital em processo penal: O correio eletrónico [The digital evidence
in criminal proceedings: Electronic mail], Chiado Editora, Lisbon, 2014, p. 91, consider that
it is inadmissible.
107
About our opinion, with more developments, see Duarte Rodrigues Nunes, Os
meios de obtenção de prova previstos na Lei do Cibercrime [The means of obtaining evidence
provided in the Law of Cybercrime], Gestlegal, Coimbra, 2018, p. 226–234.
Lipińs
286
20 |
Lipińs
Duarte Rodrigues Nunes
XI. Final remarks
The Portuguese legislature has regulated, for the first time in the
Portuguese legal system, the means of obtaining evidence specific for
Cybercrime in Law no. 109/2009, with which we cannot fail to agree.
However, not all legislative options deserve this approval as, for
example the option of subjecting the seizure of electronic mail or records
of communications of a similar nature to the legal regime of seizure
of postal items provided by the Code of Criminal Procedure. And the
same applies to the catalogue of criminal offences that allow the use
of undercover actions in the digital environment (because it includes
criminal offences of small and medium gravity) and the lack of provision
for a special procedure in exigent circumstances in matter of an order for
submitting or granting access to data.