Skip to main content

Advertisement

SpringerLink
Log in

The European legal framework on cybercrime: striving for an effective implementation

  • Published:
Crime, Law and Social Change Aims and scope Submit manuscript

Abstract

This article analyzes the European legal framework on cybercrime. Initially, it argues the challenges of cybercrime to traditional criminal justice systems. Subsequently, it focuses on the criminal law framework on cybercrime with a mainly European perspective. The European legal framework provides a three-path solution: the reduction of frictions among national legislations, the introduction of new investigative powers and the facilitation of international cooperation. The article presents and discusses each solution. Further, it argues that the effective implementation of the main legal instruments does not seem to depend on the legal enforceability of these international measures. Contrarily, other, non legal, factors such as national security, politics, the economy and the public opinion appear to stimulate the spontaneous implementation of the European legal framework. In this context, the added value of the EU action is rather low, although the Treaty of Lisbon and the Stockholm Programme may improve this situation in the long term.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. For detailed information about the initiatives of international institutions and organizations on cybercrime, see [22], [38] and [29].

  2. The Council of Europe is an international organization, established in 1949 and composed now by 47 member states, with the aim of promoting democracy and protecting human rights and the rule of law in Europe. The European Union is an international organization founded in 1993 with the aim of extending the economic cooperation established under the European Economic Community (founded in 1957). It has 27 Member States (MSs). On 1 December 2009 a new treaty, the Treaty of Lisbon, has entered into force. The new treaty has brought significant changes to the EU and in particular to the area of freedom security and justice (AFSJ), the EU sector relevant for the cooperation in criminal matters (see infra “Striving for effective implementation: uncertain perspectives”). The Treaty of Lisbon has reframed the European treaties into a Treaty on European Union (TEU) and a Treaty on the Functioning of the European Union (TFEU). Until the entry into force of the Treaty of Lisbon, it has been common to refer to the EU as to a structure with three pillars. These were the European Community (first pillar, regulated by the Treaty establishing the European Community (TEC)), the Common Foreign and Security Policy (second pillar) and the Police and Judicial Co-operation in Criminal Matters, formerly Justice and Home Affairs until the Treaty of Amsterdam, entered into force in 1999 (third pillar) (both regulated by the former Treaty on European Union (TEU)). Since the Treaty of Amsterdam, the objective of the III pillar has been the establishment of an AFSJ through police cooperation, judicial cooperation and approximation of legislation (Articles 2 and 29 of the former TEU).

  3. Although the two legal instruments share a common goal, they differ in their nature and scope. The CoE Convention is an international treaty. In order for a treaty to become binding, a state must show its intention to be bound by it (becoming a party to the treaty) and the treaty must have entered into force according to the provisions set by the treaty itself (e.g. deadline, minimum number of adhesions). The treaty only binds the nations that have become a Party to it ([26], 20–22). The CoE Convention has been adopted in Budapest on 23 November 2001. Although drafted by the CoE, the Convention is open for accession to non-CoE countries. As to April 2010, 46 states have signed the CoE Convention. The Convention has entered into force for 29 countries, including the United States of America. Five additional countries have been invited to accede (Chile, Costa Rica, Dominican Republic, Mexico, Philippines). Some scholars recognize that the drafting process of the CoE Convention was “unusually open” ([28], 2; [14], 711); others show opposite opinions, arguing that “the development of the convention has been secretive and characterised as lacking in public consultation on the cybercrime issues” ([26], 22). Whatever the truth, the Convention has been partially amended in order to address some of the criticisms moved against the first drafts ([28], 3).

    The FD is a legal instrument exclusive of the EU action in the III pillar. Its objective is the approximation of national legislations of EU MSs. According to Article 34, “framework decisions shall be binding upon the MSs as to the result to be achieved but shall leave to the national authorities the choice of form and methods”. This obliges any EU MS to comply and implement EU Framework Decision within its legal system as an automatic consequence of being an EU MS ([33], 382–383). FD may thus appear as powerful measures allowing to overcome the length and red tape involved in the process of entry into force of international treaties. However, the possibility to sanction an EU MS for a failure to implement and comply with a framework decision is rather theoretical than actual. This is because, in the framework of the III pillar, the European Commission did not have the power to bring a Member State before the European Court of Justice for failure to fulfil the obligations under a framework decisions, contrarily to what happens in the I pillar. Therefore, this power only rested within the action of other MSs, making this an unlikely and politically inconvenient possibility ([2], 723). For the innovations of the Treaty of Lisbon on this issue, see infra (Striving for effective implementation: uncertain perspectives).

  4. According to Article 1 b of the CoE Convention (and Article 1 b of the FD), the term ‘computer data’ denotes “any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function”.

  5. It is necessary to recall the Additional Protocol to the Convention on cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems [9]. The CoE Convention does not include offences covering these acts. This is because the drafters could not find an agreement on the criminalization of these behaviours [9]. Consequently, the drafters opted for an additional Protocol, which was signed on 28 January 2003 and entered into force, after the fifth ratification, on 1 March 2006. To date, 34 countries have signed the protocol, but only 17 have ratified it. The main problem related to the Protocol is its possible conflict with the freedom of expression [42].

  6. According to Article 1 d of the CoE Convention, traffic data are “any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”.

  7. The 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms (also known as European Convention on Human Rights) was the first treaty of the Council of Europe. All new CoE members must ratify the Convention. The Convention sets up a number of basic rights and freedoms and creates the European Court of Human Rights, sitting in Strasbourg, France. The Court judges cases of infringement of the right enshrined in the Convention and is entitled to issue judgements which are binding for the concerned states. Within the European Union, the Charter of Fundamental Rights of the European Union sets up the rights of every EU citizen. The Charter was signed in 2000, but it has legal Since the entry into force of the Treaty of Lisbon, the Charter has the same legal value as the EU Treaties. Consequently, all EU MSs and institutions must respect the Charter. Since the entry into force of the Treaty of Lisbon, the EU is enabled to accede to the European Convention on Human Rights.

  8. Except when this is incompatible with the law of the requested Party and when refusals are based on political offence or ordre public reasons.

  9. Information provided by e-mail by Albert C. Rees Jr,, Computer Crime & Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice, 2 April 2010.

  10. Council Framework Decision of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States, (2002/584/JHA), OJ L 190 of 18/7/2002; Council Framework Decision 2003/577/JHA of 22 July 2003 on the execution in the European Union of orders freezing property or evidence, OJ L 196 of 2/8/2003; Council Framework Decision 2003/577/JHA of 6 October 2006 on the application of the principle of mutual recognition to confiscation orders, OJ L 328 of 24/11/2006.

  11. Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350 of 30.12.2008, 60–71; Council Framework Decision 2008/978/JHA of 18 December 2008 on the European evidence warrant for the purpose of obtaining objects, documents and data for use in proceedings in criminal matters, OJ L 350 of 30.12.2008, p. 72–92.

  12. Among the first 10 countries per internet users only 3 countries have ratified the Convention (United States, Germany and France). United Kingdom and Japan have only signed the treaty, while China, Brazil, India, Russia and South Korea have not even signed it (for further information, see http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG).

  13. See, for example, the Commonwealth’s Model Law on Computer and Computer Related Crime which has been expressly drafted to comply with the CoE Convention ([38], 13; [29]) and may potentially influence the legislation of more than 50 countries.

  14. In a recent Conference Cooperation against Cybercrime hosted by the CoE in Strasbourg (23–25 March 2010), the Head of Economic Crime Division (Directorate General of Human Rights and Legal Affairs) of the CoE stated that the convention is a guideline, reference standard or model law for more than 100 countries [39].

  15. Although this is not the aim of this paper, criticisms to the harmonization and approximation processes within the III pillar of the EU have been heavy (for further discussion and references, see [5]). Scholars have highlighted the lack of reliable assessment of the level of harmonization and approximation of EU MSs legislation (both before and after the implementation) ([30], 72; [45], 71; [44], 84).

References

  1. Archick, K. (2006). Cybercrime: The Council of Europe Convention. http://www.usembassy.it/pdf/other/RS21208.pdf. Updated September 28, 2006.

  2. Bernardi, A. (2007). Le rôle du troisième pilier dans l’européanisation du droit pénal: Un bilan synthétique à la veille de la réforme des traitées. Revue de Science Criminelle et de Droit Pénal Comparé, 4, 713–737.

    Google Scholar 

  3. Brenner, S. W. (2006). Cybercrime jurisdiction. Crime, Law and Social Change, 46(4–5), 189–206.

    Google Scholar 

  4. Brenner, S. W., & Clarke, L. L. (2005). Distributed security: preventing cybercrime. John Marshall Journal of Computer & Information Law, 13(4), 659–709.

    Google Scholar 

  5. Calderoni, F. (2008). A definition that could not work: the EU framework decision on the fight against organised crime. European Journal of Crime, Criminal Law and Criminal Justice, 16, 265–282.

    Article  Google Scholar 

  6. Calderoni, F. (2010). Organized crime legislation in the European Union. Heidelberg: Springer.

    Book  Google Scholar 

  7. Chaikin, D. (2006). Network investigations of cyber attacks: the limits of digital evidence. Crime, Law and Social Change, 46(4–5), 239–256.

    Google Scholar 

  8. Council of Europe. (2001). Convention on Cybercrime: Explanatory Report. http://conventions.coe.int/Treaty/en/Reports/Html/185.htm.

  9. Council of Europe. (2003). Additional Protocol to the Convention on cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems : Explanatory Report. Council of Europe. http://conventions.coe.int/Treaty/en/Reports/Html/185.htm.

  10. Council of Europe. (2005). Organised Crime in Europe: The Threat of Cybercrime., Situation Report 2004. Strasbourg: Council of Europe Publishing.

  11. Council of the European Union. (2007). Doc. 9913/07 of 25 May 2007.

  12. Council of the European Union. (2010). The Stockholm Programme - An open and secure Europe serving and protecting citizens. Doc. 5731/10 of 3 March 2010.

  13. Csonka, P. (2004). The Council of Europe Convention on cyber-crime: A response to the challenge of the new age? In G. Ilarda & G. Marullo (Eds.), Cybercrime: Conferenza internazionale. La Convenzione del Consiglio d’Europa sulla Criminalità Informatico (pp. 3–29). Milano: Giuffrè.

    Google Scholar 

  14. Downing, R. W. (2005). Shoring up the weakest link: what lawmakers around the world need to consider in developing comprehensive laws to combat cybercrime. Columbia Journal of Transnational Law, 43(3), 705–762.

    Google Scholar 

  15. European Commission. (2008). Report from the Commission to the Council based on Article 12 of the council Framework Decision of 24 February 2005 on attacks against information systems. COM(2008) 448 final, Brussels, 14.07.2008.

  16. European Union. (2001). Council Recommendation of 25 June 2001 on contact points maintaining a 24-hour service for combating high-tech crime, OJ C 187 of 3.7.2001.

  17. European Union. (2005). Council Framework Decision 2005/22/JHA of 24 February 2005 on attacks against information systems, OJ L 69 of 16.3.2005.

  18. European Union. (2008). Council Framework Decision 2008/978/JHA of 18 December 2008 on the European evidence warrant for the purpose of obtaining objects, documents and data for use in proceedings in criminal matters, OJ L 350, 30.12.2008.

  19. Flanagan, A. (2005). The law and computer crime: reading the script of reform. International Journal of Law and Information Technology, 13(1), 98–117.

    Article  Google Scholar 

  20. Gercke, M. (2009). Europe’s legal approaches to cybercrime. ERA-Forum 10, 10(3), 409–420.

    Article  Google Scholar 

  21. Gordon, S., & Ford, R. (2006). On the definition and classification of cybercrime. Journal in Computer Virology, 2(1), 13–20.

    Article  Google Scholar 

  22. International Telecommunication Union. (2008). ITU Global Cybersecurity Agenda (GCA) - High- Level Experts Group (HLEG): Global Strategic Report. http://www.itu.int/osg/csd/cybersecurity/gca/global_strategic_report/global_strategic_report.pdf. 23 february 2009.

  23. International Telecommunication Union. (2009). Understanding Cybercrime: A Guide for Developing Countries. http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-understanding-cybercrime-guide.pdf.

  24. Kerr, O. S. (2003). Cybercrime’s scope: interpreting ‘access’ and ‘authorization’ in computer misuse statutes. New York University Law Review, 78(5), 1596–1668.

    Google Scholar 

  25. Keyser, M. (2003). The council of Europe convention on cybercrime. Journal of Transnational Law & Policy, 12(2), 287–326.

    Google Scholar 

  26. Kierkegaard, S. (2007). Cybercrime convention: narrowing the cultural and privacy gap? International Journal of Intercultural Information Management, 1(1), 17–32.

    Article  Google Scholar 

  27. Lemos, R. (2001, June 22). International cybercrime treaty finalized. CNET News http://news.cnet.com/2100-1001-268894.html.

  28. Lewis, J. A. (2006). The Council of Europe Convention Entered into force January 2004. Http://www.csis.org/media/csis/pubs/060804_coecybercrime.pdf.

  29. Li, X. (2007). International Actions against Cybercrime: Netwroking Legal Systems in the Networked Crime Scene. Webology, 46(3).

  30. Manacorda, S. (2005). Le mandat d’arrêt européen et l’harmonisation substantielle: Le rapprochement des incriminations. In G. Giudicelli-Delage & S. Manacorda (Eds.), L’intégration pénale indirecte: Interactions entre droit pénal et coopération judiciaire au seins de l’Union européenne. Paris: Société de législation comparée.

    Google Scholar 

  31. Marler, S. (2002). The convention on cyber-crime: should the United States Ratify? New England Law Review, 37(1), 183–219.

    Google Scholar 

  32. McQuade, S. C., III. (2006). Understanding and managing cybercrime. Boston: Allyn and Bacon.

    Google Scholar 

  33. Mercado Kierkegaard, S. (2006). Here comes the ‘cybernators!’. Computer Law & Security Report, 22(5), 381–391.

    Article  Google Scholar 

  34. Miquelon-Weismann, M. F. (2005). The convention on cybercrime: a harmonized implementation of International Penal Law: what prospects for procedural due process? John Marshall Journal of Computer & Information Law, 23(2), 329–361.

    Google Scholar 

  35. Peers, S. (2004). Mutual recognition and criminal law in the European Union: has the council got it wrong? Common Market Law Review, 41, 5–36.

    Google Scholar 

  36. Picotti, L., & Salvadori, I. (2008). National legislation implementing the convention on cybercrime - comparative analysis and good practices. Strasbourg: Council of Europe. August 28.

    Google Scholar 

  37. Polakiewicz, J. (2010). Update on Council of Europe standard-setting activities. Paper presented at the Conference Cooperation against Cybercrime, March 23–25, in Strasbourg. http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy-activity-Interface-2010/Presentations/Update/Jorg%20Polakiewicz.pdf.

  38. Schjolberg, S. (2008). The History of Global Harmonization on Cybercrime Legislation – The Road to Geneva. Http://www.cybercrimelaw.net/documents/cybercrime_history.pdf.

  39. Seger, A. (2010). The Budapest Convention on Cybercrime as a global framework: Introduction to panel discussions. Paper presented at the Conference Cooperation against Cybercrime, March 23–25, in Strasbourg. http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy-activity-Interface-2010/Presentations/Ws%203/cyber_octopus_WS_3_alexander_CCC_global_frame.pdf.

  40. Smith, R. G., Grabosky, P., & Urbas, G. (2004). Cyber criminals on trial. Cambridge: Cambridge University Press.

    Book  Google Scholar 

  41. U.S. Department of Justice. (2004). Meeting of G8 Justice and Home Affairs Ministers http://www.usdoj.gov/criminal/cybercrime/g82004/g8_background.html.

  42. U.S. Department of Justice. Council of Europe Convention on Cybercrime Frequently Asked Questions and Answers. http://www.justice.gov/criminal/cybercrime/COEFAQs.htm#QE1.

  43. Valeri, L., Somers, G., Robinson, N., Graux, H., & Dumortier, J. (2006). Handbook of legal procedures of computer and network misuse in EU Countries. Santa Monica: Rand Corporation.

    Google Scholar 

  44. van der Wilt, H. (2002). Some critical reflections on the process of harmonisation. In A. H. Klip & H. G. van der Wilt (Eds.), Harmonisation and harmonising measures in criminal law (pp. 77–86). Amsterdam: Royal Netherlands Academy of Science.

    Google Scholar 

  45. Vermeulen, G. (2002). Where do we currently stand with harmonisation in Europe? In A. H. Klip & H. G. van der Wilt (Eds.), Harmonisation and harmonising measures in criminal law (pp. 65–76). Amsterdam: Royal Netherlands Academy of Science.

    Google Scholar 

  46. Weber, A. M. (2003). The council of Europe’s convention on cybercrime. Berkeley Technology Law Journal, 18(1), 425–446.

    Google Scholar 

  47. Weyembergh, A. (2005). Approximation of criminal laws, the constitutional treaty and The Hague Programme. Common Market Law Review, 42, 1567–1597.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Università Cattolica del Sacro Cuore and Transcrime - Joint Research Centre on Transnational Crime, Milano, Italy

    Francesco Calderoni

Authors
  1. Francesco Calderoni
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Francesco Calderoni.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Calderoni, F. The European legal framework on cybercrime: striving for an effective implementation. Crime Law Soc Change 54, 339–357 (2010). https://doi.org/10.1007/s10611-010-9261-6

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10611-010-9261-6

Keywords

Search

Navigation