The following chart displays the reservations that are available for
each section of the Cybercrime Treaty. A reservation is a part of the
treaty that a signatory nation can decide to exclude from what it
agrees to. They are included to give participating nations more
flexibility in their application of the treaty. Other areas
of flexibility are also listed, such as those created by vague treaty
language. The chart was prepared by the ACLU.
|
Section
1 - SUBSTANTIVE CRIMINAL LAW
|
Article
|
What Article Requires
|
Exemption
/ Flexibility
|
|
1.
Definitions
|
Each
Party must adopt definitions of computer system, computer data,
service provider, and traffic data that are equivalent
to those of the Convention.
|
Parties
are not obliged to copy these concepts verbatim provided that
domestic laws offer an equivalent framework.
The
traffic data definition
leaves to national legislatures the ability to introduce differentiation
in the legal protection of traffic data in accordance with its
sensitivity.
|
|
2.
llegal Access
|
the
access to the whole or any part of a computer system
|
Parties
can take the wide approach and criminalize mere hacking or Parties
may require that the offence be committed by infringing security
measures, with the intent of obtaining computer data or other
dishonest intent, or in relation to a computer system that is
connected to another computer system.
|
|
3.
Illegal Interception
|
interception of non-public
transmissions of computer data from or within a computer system
|
Parties may require that the offence
be committed with dishonest intent, or in relation to a computer
system that is connected to another computer system.
|
|
4.
Data Interference
|
damaging,
deletion, deterioration, alteration, or suppression of computer
data
|
Parties may reserve the right
to require that such conduct result in serious harm.
|
|
5.
System Interference
(computer sabotage)
|
serious
hindering of the functioning of a computer system by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing
computer data.
|
Each Party shall determine for
itself what criteria must be fulfilled in order for the hindering
to be considered “serious.” For example, a Party may require a
minimum amount of damage to be caused in order for the hindering
to be considered serious.
In addition, the text leaves it
to the Parties to determine the extent to which the functioning
of the system should be hindered—partially or totally, temporarily
or permanently—to reach the threshold of harm that justifies sanction,
administrative or criminal, under their law.
|
|
6.
Misuse of Devices
|
the
possession, production, sale, procurement for use, import, distribution
or otherwise making available of a device designed or adapted
primarily for the purpose of committing any Article 2-5 offences
and of a computer password, access code, or similar data with
intent that it be used to commit any of the offences established
in Article 2-5.
|
Each Party may reserve the right
not to apply paragraph 1 of this article, provided that the reservation
does not concern the sale, distribution or otherwise making available
of a computer password, access code, or similar data. Each party is obliged to
criminalize at least the sale, distribution or making available
of a computer password or access date.
|
|
7.
Computer-related forgery
|
the
input, alteration, deletion, or suppression of computer data,
resulting in inauthentic data with the intent that it be considered
or acted upon for legal purposes as if it were authentic, regardless
whether or not the data is directly readable and intelligible.
|
Deception as to authenticity refers
at minimum to the issuer of the data, regardless of the correctness
or veracity of the contents of the data. Parties may go further and
include under the term “authentic” the genuineness of the data.
A party may further require an
intent to defraud, or similar dishonest intent, before criminal
liability attaches.
|
|
8.
Computer-related fraud
|
the
causing of a loss of property to another by any input, alteration,
deletion or suppression of computer data, and any interference
with the functioning of a computer system, with fraudulent or
dishonest intent of procuring, without right, an economic benefit
for oneself or another.
|
No exemptions.
|
|
9.
Offences related to child pornography
|
1.
(a)producing child pornography for the purpose of its distribution
through a computer system; (b) offering or making available child
pornography through a computer system; (c) distributing or transmitting
child pornography through a computer system; (d) procuring child
pornography through a computer system for oneself or for another;
(e) possessing child pornography in a computer system or on a
computer-data storage medium.
2.
the above shall include pornographic material that visually depicts:
(a) a minor engaged in sexually explicit conduct; (b) a person
appearing to be a minor engaged in sexually explicit conduct;
(c) realistic images representing a minor engaged in sexually
explicit conduct.
|
Parties may adopt a more specific
standard than “intentional.”
For example, liability may be imposed if there is “knowledge
and control” over the information which is transmitted or stored. But, it is not sufficient
that a service provider served as a conduit for such material.
The term ‘without right’ allows
a Party to take into account fundamental rights, such as freedom
of thought, expression and privacy.
In addition, a Party may provide a defense in respect of
conduct related to “pornographic material” having an artistic,
medical, scientific or similar merit.
Although “minor” shall include
all persons under 18 years of age, a Party may require a lower
age-limit, which shall not be less than 16 years.
In addition, a Party may provide
that a person is relieved of criminal responsibility if it is
established that the person depicted is not a minor in the sense
of this provision.
Further, each party may reserve
the right not to apply, in whole or in part, paragraph 1(d) and
1(e), and 2(b) and 2(c).
|
|
10.
Offences related to infringement of copyrights and related rights
|
the willful infringement of copyright
and related rights, as defined under the law of that party pursuant
to the obligations it has undertaken (Paris Act, Bern Convention,
WIPO…) by means of a computer system
|
While each party is required to
establish as criminal offences such infringements, the precise
manner in which such infringements are defined under domestic
law may vary from state to state.
A Party may reserve the right
not to impose criminal liability in limited circumstances, provided
that other effective remedies are available and that such reservation
does not derogate from the Party’s international obligations.
The use of the term “pursuant
to the obligations it has undertaken” makes it clear that a Contracting
Party is not bound to apply agreements cited to which it is not
a Party; moreover, if a Party has made a reservation or declaration
permitted under one of the agreements, that reservation may limit
the extent of its obligation.
|
|
11.
Attempt and aiding or abetting
|
1.
Aiding or abetting the commission of any of the offences established
in accordance with Articles 2-10 with intent that such offence
be committed.
2.
Attempt to commit any of the offences established in accordance
with Articles 3-5,7,8,9(1)(a) and 9(1)(c)
|
Each State may reserve the right
not to apply, in whole or in part, paragraph 2 of this article. Any Party making a reservation
will have no obligation to criminalize attempt at all, or may
select the offenses or parts of offences to which it will attach
criminal sanctions in relation to attempt.
|
|
12.
Corporate Liability
|
Each
Party shall adopt measures to ensure that a legal person can be
held liable for a criminal offense committed for its benefit by
any natural person, acting either individually or as part of an
organ of the legal person, who has a leading position within the
legal person. Each
party shall take measures to ensure that a legal person can be
held liable where the lack of supervision or control by a natural
person has made possible the commission of a criminal offense
for the benefit of that legal person by a natural person acting
under its authority.
|
Subject to the legal principles
of the Party, the liability of a legal person may be criminal,
civil or administrative as long as the sanction is “effective,
proportionate and dissuasive” and includes monetary sanctions.
|
|
13.
Sanctions and Measures
|
1.
Each Party must ensure that the criminal offenses in Article 2-11
are punishable by effective, proportionate, and dissuasive sanctions,
which include deprivation of liberty.
2.
Legal persons held liable in accordance with Article 12 shall
be subject to effective, proportionate and dissuasive criminal
or non-criminal sanctions or measures, including monetary sanctions.
|
Parties have the discretion to
create a system of criminal offenses and sanctions that is compatible
with their existing national legal systems.
|
|
Section 2 - PROCEDURAL LAW
|
|
Requirements subject to Article 14 and 15
|
Exemption / Flexibility
|
|
14. Scope of procedural provisions
|
Each Party shall adopt such legislative
and other measures as may be necessary to establish the powers
and procedures provided for in this Section for the purpose of
specific criminal investigations or proceedings for the criminal
offenses established in Articles 2-11, other criminal offenses
committed by means of a computer system, and the collection of
evidence in electronic form of a criminal offense.
|
Each Party may reserve the right to
apply the measures referred to in Article 20 only to offenses
or categories of offenses specified in the reservation, provided
that the range of such offenses is not mor restricted than the
range of offenses to which it applies the measures referred to
in Article 21.
Each Party shall consider restricting
such a reservation so as to enable the broadcast application of
the measure referred to in Article 20.
|
|
15. Conditions and Safeguards
|
1.Each Party shall ensure that the establishment,
implementation and application of the powers and procedures are
subject to conditions and safeguards provided for under its domestic
law, which shall provide for the adequate protection of human
rights and liberties, and which shall incorporate the principle
of proportionality.
2.Such conditions and safeguards
shall, inter alia, include judicial or other independent supervision,
grounds justifying application, and limitation on the scope and
the duration of such power or procedure.
|
The modalities of establishing and implementing
these powers and procedures into their legal system, and the application
of the powers and procedures in specific cases, are left to the
domestic law and procedures of each Party.
|
|
16. Expedited preservation of stored computer
data
|
1.Each Party shall adopt such legislative
and other measures as may be necessary to enable its competent
authorities to order or similarly obtain the expeditious preservation
of specified computer data, including traffic data, that has been
stored by means of a computer system, in particular where there
are grounds to believe that the computer data is particularly
vulnerable to loss or modification.
2.Where a Party gives effect to
paragraph 1 by means of an order to a person to preserve specified
stored computer data in the person’s possession or control, the
Party shall adopt such measures as may be necessary to oblige
that person to preserve and maintain the integrity of that computer
data for a period of time as long as necessary, up to a maximum
of 90 days, to enable to competent authorities to seek its disclosure.
|
A Party may provide for a paragraph
2 order to be renewed.
|
|
17. Expedited preservation and partial
disclosure of traffic data
|
Each Party shall adopt, in respect to
traffic data that is to be preserved under Article 16, measures
to (a)ensure that such expeditious preservation of traffic data
is available regardless of whether one or more service providers
were involved in the transmission of that commission; and (b)
ensure the expeditious disclosure to the Party’s competent authority,
or a person designated by that authority, of a sufficient amount
of traffic data to enable the Party to identify the service providers
and the path through which the communication was transmitted.
|
None.
|
|
18. Production Order
|
Each Party shall adopt measures to empower
its competent authorities to order:
(a)a person in its territory to
submit specified computer data in that person’s possession or
control, which is stored in a computer system or a computer-data
storage medium; and (b) a service provider offering its services
in the territory of the Party to submit subscriber information
relating to such services in that service provider’s possession
or control.
|
A Party may wish to prescribe different
terms, different competent authorities and different safeguards
concerning the submission of particular types of computer data
or subscriber information held by particular categories of persons
or service providers.
|
|
19. Search and Seizure of stored computer
data
|
1.Each party shall adopt measures as
may be necessary to empower its competent authorities to search
or similarly access: (a) a computer system or part of it and computer
data stored therein; and (b) computer-data storage medium in which
computer data may be stored, in its territory.
2.Each Party shall adopt measures
to ensure that where authorities search or similarly access a
specific computer system or part of it and have grounds to believe
that the data sought is stored in another computer system or party
of it in its territory, and such data is lawfully accessible from
or available to the initial system, such authorities shall be
able to expeditiously extend the search or similar accessing to
the other system….
|
Each party shall adopt such legislative
and other measures as may be necessary to empower its competent
authorities to order any person who has knowledge about the functioning
of the computer system or measures applied to protect the computer
data therein to provide, as is reasonable, the necessary information,
to enable the undertaking of the measures referred to in paragraphs
1 and 2.
|
|
20. Real-Time Collection of Traffic Data
|
Each Party shall adopt measures to empower
its authorities to: (a) collect or record through application
of technical means on the territory of that Party, and (b) compel
a service provider, within its existing technical capability,
to: i. Collect or record through application of technical means
on the territory of that party, ii. Co-operate and assist the
competent authorities in the collection or recording of, traffic
data, in real time, associated with specified communications in
the territory transmitted by means of a computer system.
|
Where a Party, due to the established
principles of its domestic legal system, cannot adopt the measures
referred to in paragraph 1(a), it mat instead adopt legislative
and other measures as may be necessary to ensure the real-time
collection or recording of traffic data associated with specific
communications in its territory through application of technical
means on that territory.
|
|
21. Interception of Content data
|
Each Party shall adopt measures as may
be necessary, in relation to a range of serious offences to be
determined by domestic law, to empower its competent authorities
to:
(a)collect or record through application
of technical means on the territory of that Party, and (b) compel
a service provider, within its existing technical capability to
(I) collect or record through application of technical means on
the territory of that Party, or (ii) co-operate and assist the
competent authorities in the collection of recording of, content
data, in real-time, or specified communications in its territory
transmitted by means of a computer system.
Each Party shall adopt such legislative
and other measures as may be necessary to oblige a service provider
to keep confidential the fact of and any information about the
execution of any power provided for in this Article.
|
When a Party, due to the established
principles of its legal system, cannot adopt these measures, it
may instead adopt measures to ensure the real-time collection
or recording of content data of specified communications in its
territory through application of technical means on that territory.
|
|
22. Jurisdiction
|
Each party shall adopt measures to establish
jurisdiction over any offense established in accordance with Articles
2-11, when the offense is committed: (a) in its territory; or
(b) on board a ship flying the flag; or (c) on board an aircraft
registered under the laws of that Party; or (d) by one of its
nationals, if the offense is punishable under criminal law where
it was committed or if the offense is committed outside the territorial
jurisdiction of any State.
Each Party shall adopt measures
to establish jurisdiction over the ofenses referred to in Article
24(1), in cases where an alleged offender is present in its territory
and it does not extradite him/her to another Party, solely on
the basis of his/her nationality, after a request for extradition.
When more than one Party claims
jurisdiction over an alleged offense, the Parties involved shall,
where appropriate, consult with a view to determining the most
appropriate jurisdiction for prosecution.
|
Each state may reserve the right not
to apply or to apply only in specific cases or conditions jurisdiction
rules (b)-(d) or any part thereof.
Parties may establish, in conformity
with their domestic law, other types of criminal jurisdiction
as well.
|
|
23. General Principles Relating to International
Co-operation
|
The Parties shall co-operate with each
other…to the widest extent possible for the purposes of investigations
or proceedings concerning criminal offenses related to computer
systems and data, or for the collection of evidence in electronic
form of a criminal offense.
|
None.
|
|
24. Extradition
|
The obligation to extradite applies
only to offenses established in accordance with Articles 2-11
that are punishable under the laws of both Parties concerned by
deprivation of liberty for a maximum period of at least one year
or by a more severe penalty.
|
Parties are able to provide other requirements
for extradition.
A requested Party need not extradite
if it is not satisfied that all of the terms and conditions provided
for by the applicable treaty or law have been fulfilled.
|
|
27. Procedures Pertaining to Mutual Assistance
requests in the absence of applicable international agreements
|
Parties are obliged to apply mutual
assistance procedures and conditions when there is no mutual assistance
treaty or arrangement on the basis of uniform or reciprocal legislation
in force between the requesting and requested Parties.
|
Each Party may, at the time of signature
or when depositing its instrument of ratification, acceptance,
approval or accession inform the Secretary General of the Council
of Europe that, for reasons of efficiency, requests made under
this paragraph are to be addressed to its central authority.
|
|
29. Expedited preservation of stored computer
data
|
A Party may request another Party to
order or otherwise obtain the expeditious preservation of data
stored by means of a computer system, which is located within
the territory of that other Party and in respect of which the
requesting Party intends to submit a request for mutual assistance
for the search or similar access, seizure or similar securing,
or disclosure of the data.
|
If a Party requires dual criminality
as a condition for responding to a request for mutual assistance
for production of the data, and if it has reason to believe that,
at the time of disclosure, dual criminality will not be satisfied,
it may reserve the right to require dual criminality as a precondition
to preservation.
|
|
35. 24/7 Network
|
Each Party shall designate a point of
contact available on a 24 hour, 7 day per week basis in order
to ensure the provision of immediate assistance for the purpose
of investigations or proceedings concerning criminal offences
related to computer systems and data, or the collection of evidence
in electronic form of a criminal offence.
|
Each Party is at liberty to determine
where to locate the point of contact within its law enforcement
structure. In designating
the national point of contact, due consideration should be given
to the need to communicate with points of contacts using other
languages.
|