Adhésion / Renouvelement

Menu connexion

Resolutions of the last Congress

(Río de Janeiro, 31st August – 6th September 2014)*


Topic: “Information society and penal law


Section I: Criminal Law. General Part


The participants in the XIXth International Congress of Penal Law, held in Rio de Janeiro from 31 August to 6 September 2014:

Considering that people’s lives in the 21st century are heavily influenced and shaped by information and communication technology (ICT), as well as by the opportunities and risks offered by information society and cyberspace, and that therefore crimes in these areas affect important personal and collective interests;

Building on the draft resolutions prepared by the participants of the Preparatory Colloquium for Section I held in Verona on 28 – 30 November 2012;

Recognizing that states and international organisations have made considerable efforts to define and prosecute offenses that may affect the confidentiality, integrity and availability of ICT networks and cyberspace, as well as the interests of persons in these areas;

Keeping in mind that any overextension of criminal repression in these areas creates risks, especially for the freedom of expression and of receiving, collecting, processing and disseminating information;

Defining ICT networks as systems that make possible the acquisition, processing, storage and dissemination of audio, visual, textual, and numeric information through computer or telecommunication networks; and cyberspace as any space of communication conducted with the aid of such ICT networks; 

Referring to valuable international instruments seeking to guide and coordinate efforts and to harmonize legislation, for example, the Budapest Convention on Cybercrime of 23 November 2001, the E-Commerce Directive 2000/31/CE, and the EU Directive 2013/40 of 12 August 2013, the Arab Convention on Combating Information Technology Offences of 2010, the Shanghai Cooperation Organization Agreement on Cooperation in the Field of International Information Security of 2010, and the draft African Union Convention on the Establishment of a Legal Framework Conducive to Cybersecurity in Africa of 2012;

Recalling the importance of protecting human rights, as well as of respecting basic principles of criminal legislation and adjudication, such as the principle of ultima ratio, the principle of legality, the harm principle limiting criminalization to conduct that is directly harmful or concretely dangerous to personal or collective interests, the principle of culpability, and the principle of proportionality;

Building on the debates and resolutions of past International Congresses of Penal Law, especially the resolutions of the XVth International Congress 1994 in Rio de Janeiro, Section II, on computer crimes and other crimes against information technology;

Have adopted the following resolutions:

A. General considerations for criminal legislation

1. ICT networks and cyberspace have created specific interests that need to be respected and protected, for example, privacy of individuals, confidentiality, integrity and availability of ICT networks, and integrity of personal identities in cyberspace. Perpetrators of some traditional crimes, for example, fraud, forgery and copyright violations, make use of ICT networks and cyberspace, thereby increasing the dangerousness of their conduct. Legislatures, courts and criminal justice systems need to accept the challenge of continuously adapting to this situation.

2. Because confidentiality, integrity and availability of ICT networks and of cyberspace are vital for individuals, as well as for the media, and harmful or dangerous conduct in these areas can affect important interests, states and international organisations should continue to devise effective policies with respect to protecting ICT networks and the interests affected. Such policies should respect human rights and be consistent with basic principles of criminal legislation, including the principle of proportionality. They should continually be kept up to date in order to prevent new forms of harmful or dangerous conduct. Empirical and technical research should be encouraged and funded in order to assist legislatures in these areas.

3. On the other hand, excessive regulation and overcriminalization of cyberspace should be avoided because it jeopardizes the very freedom of communication that is the hallmark of cyberspace. Legislatures should be aware that the regulation of conduct, the establishment of criminal laws and the imposition of disproportionately restrictive control measures in cyberspace may interfere with human rights, especially the freedom of expression and of receiving, processing and disseminating information.

4. Legislatures should not criminalize conduct that only violates religious or moral norms. Criminal policy should be consistent with the harm principle. Legislatures should therefore not criminalize conduct that does not harm or create a concrete danger to any interest of a person or a collective interest, including the confidentiality, integrity and availability of ICT networks.

B. Prevention of offenses and alternatives to criminal sanctioning

5. ICT network users and system providers should be encouraged to protect the safety of networks, including by self-regulation of providers. Neglect of safety measures should not lead to criminal liability on the part of users. Legislatures may, however, make punishable the violation of specific obligations to ensure the security of other persons’ data.

6. If necessary for purposes of prevention, legislatures may, in accordance with the principle of proportionality, allow the storing of data that permits, under effective judicial control, the identification of users.

7. Because criminal prohibitions carry strong moral reprobation and can stigmatize offenders, states should carefully examine whether non-criminal measures can be equally effective in preventing attacks on ICT networks and abuses of cyberspace. Judicial orders and the award of damages to victims in accordance with civil law, as well as instruments of restorative justice, may be viable alternatives to criminal sanctioning. Administrative measures, for example, blocking access to illegal material or removing it from websites, may also have a sufficient preventive effect and make the use of criminal law unnecessary. However, administrative measures should not be disproportionate or turn into censorship practices applied by executive authorities.

C. Defining offenses

8. In accordance with the principle of legality, legislatures should define ICT offenses in functional terms as precisely as possible. When technology changes, the law may have to be adapted. The principle of legality also applies to the definition of duties and obligations of natural or legal persons to the extent that their violation can lead to criminal responsibility. Courts should not expand the wording of statutory criminal prohibitions beyond their plain meaning.

D. Extension of criminal laws

9. Incrimination of mere preparation for attacks on ICT networks and cyberspace, such as the production, distribution and possession of malware, are legitimate only to the extent that preparatory acts as such cause harm or create concrete danger to the protected interests of others or the confidentiality, integrity and availability of ICT networks. Where preparatory acts are made punishable, the penalty should be less than the penalty for the completed offense (see in this regard the resolutions of the XVIIIth International Congress of Penal Law in Istanbul 2009, Section I (A)).

10. Possession of software should not be criminalized only in order to facilitate proof of wrongdoing. Such criminalization should not unduly restrict the legitimate use of software.

11. The mere possession and viewing of data may be made punishable only where possession and viewing are intentional and cause direct or indirect harm or concrete danger to protected interests.


a) Internet access providers should not be made criminally liable for failing to control contents that they process.

b) Criminal liability of host service providers should be limited to instances where

- they are specifically obliged by law to control certain contents before they are made available to users, it is reasonably feasible for them to do so, and they knowingly fail to fulfil this obligation


- they have been alerted, in a reliable and specific manner, to the fact that they make illegal contents available, and knowingly fail to promptly take all reasonable measures to make such contents unavailable.

E. International harmonization of laws

13. Policies for the protection of ICT networks and cyberspace and the interests of users should be harmonized worldwide in order to avoid serious discrepancies between regulations of the same matter, to improve international cooperation, and to avoid conflicts of jurisdiction.


Section II: Criminal Law. Special Part


The participants in the XIXth International Congress of Penal Law, held in Rio de Janeiro from 31 August to 6 September 2014:

Noting that the global rapid growth of information and communications technology (ICT) networks in cyberspace leading to global connectivity is providing ample opportunities for various criminals in planning and perpetrating crime by taking advantage of online vulnerabilities and by threatening countries’ critical information and communications infrastructures,

Building on the draft resolutions as established by the Preparatory Colloquium for Section II held in Moscow, April 24th to 27th, 2013,

Realizing that the advent of the cyber world has created new legal interests that are at stake and deserve recognition and protection while, at the same time, existing legal interests face new challenges and new vulnerabilities, and new core cyber crimes arise,

Noting from the national reports convergence and harmonization on the one hand, but also some lack of implementation of the existing international legal standards on the other hand, resulting in a need for further work on converging and harmonizing the national legal frameworks, mindful of the subsidiary and ultima ratio role of criminal law (see recommendation #4, Section I),

Taking into account the strong importance and global impact of the cyber world on the daily life of people, on society as a whole, on international trade and commerce, on financial transactions, on political interactions and even on warfare, that give rise to new and challenging legal issues, including ones related to criminal justice,

Noting that in a globalized, interconnected and interdependent world, critical information and communications infrastructures play a vital role in governmental functions and services, national security, civil defence, public health and safety, and banking and financial services,

Aware that the promise of freer, more rapid, worldwide communications by electronic means also carries the risk for limitations on content and form and for widespread control and infringements on human rights and privacy,

Recognizing that at times society’s response to new challenges and threats posed by developments and change in technology, way of life and values leads to over-criminalization and the excessive use of criminal law protection,

Mindful of the importance to be vigilant and to protect and defend core legal values and principles, especially those related to human rights and the integrity, dignity, and value of human beings,

Taking into account the importance, usefulness, and critical role played by the social media in private and public life, maximum freedom of communication and expression should be ensured, balanced by the recognition and respect of mutual responsibilities,

Expressing its preoccupation that information and communications technology advances have created a serious need to develop and adopt a comprehensive legal policy for the cyber world in order to ensure its orderly and positive development, which should utilize technique-neutral legal norms to keep up with the pace of technical development,

Concerned by the potential over-reliance on repressive policies and criminal law protection instead of innovative approaches, and regulatory and administrative solutions, and public education, as well as technical, organizational and personal security measures,

Committed to contributing solutions to the problems and challenges presented by information and communications technology, especially new forms and types of crimes, while ensuring no-less online than offline protection of human rights, fundamental freedoms and legal interests,

Taking into account the important role that civil society, non-governmental organizations and business actors can play to address in a positive and constructive way new problems and new threats and their repercussions on the legal system,

Convinced of the importance of collaborating and cooperating with both the private and public sector, reminding them of their role and responsibilities in securing cyberspace and preventing cybercrimes for the overall benefit of society,

Stressing the need for a common understanding of cybercrime and cyber security and for collaborative efforts by the international legal community that may support and ensure a secure cyber world by shaping frameworks applicable across borders and inter-operable with international and national legal regimes and systems in place,

Noting with appreciation the work of international and regional organizations, and in particular the work of the Council of Europe in elaborating the Convention on Cybercrime (2001); the appropriate legal standards of the European Union; the contributions of the Organization of American States, the Arab League, the Economic Community of West African States, the Community of Independent States, the World Bank, the OECD, the United Nations and that of other organizations in initiating fruitful interaction between government and the private sector on security and anticrime measures in cyberspace,

Mindful of the main aim of the AIDP to uphold the rule of law and support the development of the law in addressing current trends and phenomena and in responding efficiently and positively to the constant need to raise the standards of protection of the individual and the community,

Underlining previous work by the AIDP in this crucial area, such as the conclusions of the Congress of the AIDP Young Penalists (Noto, June 2001, topic 3), the International Preparatory Colloquium on International Trafficking in Women and Children (Río de Janeiro, April 2002) and the Round Table on international trafficking in women and children held on the occasion of the XVIIth AIDP Congress (Beijing, September 2004),

Have adopted the following resolutions:

1. In addressing the threat and reality of cybercrime and the necessity of cyber security, the legal and criminal justice system should balance individual, collective, private sector and public interests. Over reliance on criminal law protection should be avoided in favour of robust prevention, active defence, public education and awareness, and alternative sanctions.

2. Legal interests to be protected include the confidentiality, integrity and availability of data and ICT systems, authenticity of information, life and limb, integrity of children, privacy, protection from harm and loss of property (including virtual property), copyright and reputation, freedom of expression, and other fundamental human rights.

3. Consumer protection, informed consent, purpose limitation, right to erasure, correction and notification, shall be paramount values in guiding the formulation of laws and regulations on data collection, selling and buying on the Internet, financial transactions and investments, and marketing and promotional campaigns.

4. Commercial personal data processors, like Internet and telecommunications providers, social media platforms, and application developers, should be required to adopt privacy by design and by default policies, if necessary by compelling measures. The violation thereof should be redressed through non-criminal or criminal sanctions.

5. A concerted effort is essential to prevent and combat illegal access to ICT systems; the illegal interception of non-public transmissions of electronic data; data and system interference without right; the misuse of devices, software, passwords, and codes; computer-related forgery and fraud; and unauthorized access by government agencies. This includes a minimum standard of criminal law protection against intentional and harmful acts violating the confidentiality, integrity and accessibility of data and of ICT systems.

6. Appropriate legal measures should be adopted to provide aggravating circumstances or specific offenses with more-severe penalties for interfering with the functioning of critical information and communications infrastructures.

7. The production and the knowing distribution, dissemination, importing, exporting, offering, selling, purchasing, possessing, and accessing of child pornography and any complicity and participation in any of these acts shall be firmly and consistently prevented and criminalized with appropriate sanctions, especially when involving real children, unless for their own private use in case they have reached the age of sexual majority.

8. Identity theft, including through phishing, as a whole or in their components, should be criminalized, if not otherwise provided for by other criminal law provisions. If States choose to criminalize the mere possession of identity-related information or impersonating non-existing persons, it should be limited to acts committed with criminal intent to cause damage. Such provisions should neither restrict nor criminalize freedom of thought and expression, in particular, literary and artistic activities.

9. Given the growing concern about the frequency and seriousness of cyber stalking, cyber bullying, and cyber grooming, special attention shall be given to effectively respond to the problem, emphasizing positive approaches, prevention, public education and awareness, and alternative sanctions, rather than only applying criminal law protection.

10. The protection of intellectual property rights should focus on intentional violations with a significant commercial purpose or that produce serious damages.

11. Reckless or grossly negligent management of critical ICT infrastructure and of large amounts of sensitive data, such as credit card data, should be redressed through non-criminal or criminal sanctions. Likewise, failing to adopt reasonable security measures and/or to disclose required information about security breaches in a timely manner by ISPs may be grounds for civil or criminal action.


Section III: Criminal Procedure


The participants in the XIXth International Congress of Penal Law, held in Rio de Janeiro from 31 August to 6 September 2014:

Building on the draft resolutions as established by the Preparatory Colloquium for Section III held in Antalya from 24 to 27 September 2013,

Considering that the use of information and communications technologies (ICT)

- generates new social, cultural, economic and legal realities;

- poses new challenges for national and transnational criminal justice systems in the field of prevention, investigation and prosecution of crimes in general and cybercrime in particular;

- has the capacity to endanger in an unprecedented way human rights and freedoms, and particularly the right to privacy;


- that the rapid development of ICTs has led to an extensive use by law enforcement authorities both in criminal proceedings, including the criminal investigation, and in the building of information positions for preventive purposes;

Taking into account that

- the AIDP Congresses of Penal Law have already addressed several aspects of these new challenges for criminal investigations resulting from the information society, especially:

- the XVth International Congress of Penal Law (Rio de Janeiro, 1994) on “Reform Movements in Criminal Protection and the Protection of Human Rights”;

- the XVIth International Congress of Penal Law (Budapest, 1999) on “The Criminal Justice System Facing Challenges of Organized Crime”; and

- the XVIIIth International Congress of Penal Law (Istanbul 2009) on “Special Procedural Measures and Respect of Human Rights”;


- to set out principles and rules of criminal procedure in line with the rule of law and human rights in the use of ICT in criminal proceedings and in the building of information positions for law enforcement purposes;[13]

- to guarantee that the use of ICT in criminal proceedings and in the building of information positions does not impair the right to privacy and data protection;

- to guarantee that the use of ICT does not violate defence rights and the fairness of criminal proceedings;

- to seek the efficient implementation of the new technologies in the fight against sophisticated serious crimes involving the use of information and communications technologies (ICT);

Have adopted the following resolutions:

A. The use of ICT and the protection of human rights

The use of ICT in criminal proceedings and in the building of information positions may represent a significant intrusion into fundamental rights. The following principles should be particularly respected:

1. Any restriction on the right to privacy shall be provided by law and be proportionate, legitimate and necessary in a democratic society.

2. The use of ICT in criminal proceedings and in the building of information positions should respect the right to data protection. The aims of criminal prevention and investigation should be proportionate to the encroachment on the fundamental right to data protection.

3. The purpose limitation principle should be respected in general, and, as a rule, when transferring electronic personal data to law enforcement authorities. The purpose limitation principle means that personal data can only be collected for an explicit, specified and legitimate purpose, and not further processed in a way incompatible with those purposes.

4. Derogation from the purpose limitation should only be permitted, according to the law, in exceptional cases, where the transfer of data to law enforcement authorities is necessary for the prevention, investigation, or prosecution of serious crimes and respects the proportionality principle.

5. The legal framework should ensure that adequate means and thresholds for the access and disclosure of stored data are established and that they are controlled by an independent authority. Any obligation of public and/or private companies to retain, preserve, and transfer computer data must respect the right to data protection.

6. The use of ICT in criminal proceedings shall not infringe fair trial rights, inter alia, the right to a public hearing, to cross-examination and confrontation, to access the file and to obtain the assistance of experts, specialized in the field of electronic evidence to ensure the equality of arms.

B. ICT intelligence and the building of information positions

7. The law shall regulate which measures can be used by law enforcement authorities for building information positions and determine the aim, scope and requirements of these measures, including the conditions for deletion of this data and/or destruction of the storage media.

8. Coercive measures should not be allowed to collect data for building information positions, unless there is court authorization. Court authorization should also be required for building information positions by means of non-open source data mining and/or data matching.

9. No surveillance powers used for building information positions should infringe the right to privacy or other fundamental rights.

10. Adequate technical means should be used to control the access to data for the purpose of building information positions. An independent authority should control the access to sensitive data.

11. The law should establish in which cases and under what conditions data collected for building information positions may be transferred to another authority.

C. ICT in the criminal investigation

12. ICT investigative measures, such as electronic surveillance, geo-location monitoring, real-time or stored data collection, covert on-line investigations, computer data seizures and searches, extended searches on connected networks, orders for providing or decoding computer data, access to and/or analysis of communication data stored on mobile devices, use of remote forensic tools and interception of any kind of communications carried out with the aim of a criminal investigation shall only be allowed in the cases specified by law when the desired information cannot be gathered through less-intrusive means. The law shall define the scope of the investigative powers, the maximum duration of any investigative act and requirements for the storage and/or deletion of the data obtained, and/or the destruction of the storage media. It should be ensured that the laws are adapted to the search and seizure of intangible data.

13. ICT investigative measures that seriously intrude on the right to privacy, such as those which access the content of communications, involve the real-time interception or collection of data, or the use of remote forensic tools, should, as a rule, only be granted under court authorization and only in cases where there is reasonable suspicion of the commission of serious crimes, and that the target is linked to the commission of such crimes.

14. Persons whose right to privacy has been affected by investigative measures involving ICT should be informed of the measures as soon as this disclosure does not jeopardize the purpose of the measure and/or the results of the criminal investigation. The law shall provide for effective judicial remedies to challenge the legality of the use of ICT investigative measures and protect their right to confidentiality.

15. Those carrying out ICT investigative measures that allow access to computer data and electronic communications must respect the right of confidentiality and professional privilege. The disclosure of data not related to the criminal proceedings should be prevented.

16. States have a positive obligation to ensure that law enforcement agents have the necessary technical means, capacities and expert training in the use of ICT to deal with sophisticated forms of cybercrime and electronic evidence in general. Best practice guidelines should be developed and applied in investigations involving the use of ICT.

17. The cooperation of private companies and ICT service providers with law enforcement authorities in the criminal investigation that may infringe fundamental rights shall be regulated by law. The scope, conditions and requirements for such cooperation must be set out in the law. Compliance with such legal obligations should not trigger any civil liability in relation to the company’s clients.

D. Evidence and ICT

18. Due to the volatile nature of electronic evidence the law should facilitate the expeditious preservation and storage of digital data. Forensic tools for preventing alterations of the stored data should be available and routinely employed.

19. If the reliability of ICT evidence is challenged, the “evidence continuity” or “chain-of-custody” must be established. The defence should be guaranteed access to digital data so as to be able to verify its authenticity, and to present it at trial in an effective and not unduly restricted manner.

20. Electronic evidence obtained directly or indirectly by means that constitute a violation of fundamental rights and freedoms that jeopardize equality of arms and the fairness of the proceedings shall be inadmissible.[14]

E. The use of ICT at trial

21. Courtrooms should be equipped for the use of ICT during criminal trial proceedings. Financial resources to achieve this goal should be provided.

22. Video-conferencing should be available to transmit the testimony of vulnerable or unavailable witnesses, warranting the identity of the witness and to allow their examination in those situations permitted by law.

23. The examination and cross-examination of child victims during the pre-trial stage should be video-recorded in case the child is unavailable to testify at trial for reasons relating to protection of the child’s well-being.

24. The defendant, as a rule, should always be physically present during court proceedings. In the rare cases where presence through video-conferencing is allowed, it should be realized in a manner that adequately protects the privilege against self-incrimination, the right to counsel (including that of confidential communication with counsel) and the right to cross-examine witnesses.


Section IV: International Criminal Law


The participants in the XIXth International Congress of Penal Law, held in Rio de Janeiro from 31 August to 6 September 2014:

Building on the draft resolutions as established by the Preparatory Colloquium for Section IV held in Helsinki from 9 to 12 June 2013,

Considering that people’s lives in the 21st century are heavily influenced and shaped by information and communication technology (ICT), as well as by the opportunities and risks that accompany information society and cyberspace, and that therefore crimes in these areas affect important personal and collective interests;

Noting that states share sovereignty in cyberspace and have a common interest in its regulation and protection;

Recognizing that states have made considerable efforts to vest jurisdiction and determine the locus delicti of offences that may affect the integrity of ICT systems and cyberspace, as well as the related interests of persons and society;

Keeping in mind the particularities of cyberspace, such as the speed at which data flows, its volatility, and the fact that it can be accessed anywhere in the world;

Recognizing further the difficulties in localizing information and evidence in cyberspace;

Stressing the fundamental importance of the protection of human rights, in particular the principle of legality, the right to privacy and to data protection, the right to a fair trial, the principle of proportionality in the investigation and prosecution of offences, and in general the rules and principles regarding due process;

Referring to international and regional instruments that seek to guide and coordinate efforts and to harmonize legislation, such as the Budapest Convention on Cybercrime of 23 November 2001, EC E-Commerce Directive 2000/31/CE, EU Directive 2013/40 on attacks against information systems, the Commonwealth of Independent States Agreement on Cooperation in Combating Offences related to Computer Information of 2001, the Arab Convention on Combating Information Technology Offences of 2010, the Shanghai Cooperation Organization Agreement on Cooperation in the Field of International Information Security of 2010, and the draft African Union Convention on the Establishment of a Legal Framework Conducive to Cybersecurity in Africa of 2012;

Building on the debates and resolutions of past International Congresses of Penal Law, especially the resolutions of Section II of the XV International Congress (1994) held in Rio de Janeiro, on computer crimes and other crimes against information technology, and the resolutions of Section III on Special Procedural measures and respect of Human rights and the resolutions of Section IV on universal jurisdiction of the XVIII International Congress (2009) held in Istanbul;

Defining for the purpose of this resolution that coercive measures means measures against the will of the subject or infringing upon their right to privacy;

Have adopted the following resolutions:

A. General Considerations

1. States should develop a coherent response to the challenge of cybercrime, in particular by keeping their legislation and practice under review in order to ensure that their criminal law, criminal procedure and mutual legal assistance regimes meet the needs of today’s interconnected globalised world, while respecting fundamental and human rights.

2. States should consider acceding to existing international instruments on cybercrime. States and the international community shall work to develop further international legal mechanisms, including compliance standards for multinational enterprises, in order to establish the rule of law in cyberspace and avoid potential conflicts between states on the enforcement of their legislation and policies in cyberspace.

B. Substantive Jurisdiction and Locus Delicti

3. While the principle of territoriality remains the primary principle of jurisdiction also in cyberspace, it produces adverse effects when applied to offences in cyberspace, in that it de facto allows states to localise offences on their territory almost on a universality basis and leaves individuals in doubt as to which states may claim jurisdiction. States should exercise restraint in exercising jurisdiction in situations in which the effect is not “pushed” by a perpetrator into the state, but “pulled” into it by an individual in that state.

4. In determining effects, states shall consider the existence of a particular nexus with the offence, such as the intent of the perpetrator as it may appear from the use of a given language, the provision of domestic payment facilities, a service offer in specific cities, etc.

5. When a state localizes the effects of an offence within its borders, the principle of legality requires that the perpetrator could have had a reasonable expectation that his or her conduct would cause effects in that country.

6. A state may exercise its jurisdiction over an individual on its territory who “pulls” content that is prohibited under its own legal system, even though it is legal under the legal system of the producer.

7. States and the international community should consider establishing corporate compliance requirements and liability for criminal offences by legal entities with regard to cybercrime.

C. Investigations in Cyberspace

8. No state has exclusive sovereignty over the publicly accessible ICT networks.

9. Except in cases where coercive or undercover measures are applied, law enforcement agencies may access (and operate in) freely accessible ICT networks without permission from providers and/or states, and regardless of where the content looked at is stored.

10. In order to prevent cybercrime and make the investigation accountable, states and the international community should consider establishing upon service providers, software and application developers and other relevant private ICT stakeholders an obligation to enhance data protection, privacy friendly technology and setting.

11. States should consider establishing, under national law, an obligation upon service providers to cooperate, subject to authorisation by an independent judicial authority, with law enforcement agencies (e.g. by making data transfer in the cyberworld traceable, giving access to passwords, decrypting content or installing search devices for investigative purposes). This obligation is subject to the principle of proportionality and compliance with fundamental and international human rights.

12. States pursuing investigations must afford all persons involved the protection that would accrue to them in a similar domestic case, while also affording them the protection that accrues to them under the national legal system of the state where the investigative measures are taken or where the persons concerned are situated when the investigative measures are taken.

D. International Cooperation and Enforcement in Criminal Matters

13. States must make sure that, in granting mutual legal assistance with respect to cyber offences, they can take all investigative measures that could be lawfully taken in a similar domestic case.

14. States should in particular be able to provide fast assistance and to execute a provisional order to preserve or freeze information and evidence during a reasonable time and without unduly affecting the rights of parties.

15. States may not refuse mutual legal assistance based on a lack of dual criminality for cybercrime offences, the criminalisation whereof is required under an international legal obligation incumbent upon them.

16. A (provisional) decision by an independent judicial authority to close down a server or website or a request of a state to take down a botnet may be enforced directly if provided for by an international agreement or by the law of the state in which the service provider or the botnet command and control server is located. Wherever possible, preference should be given to make the website inaccessible on the territory of the requesting state only, thus avoiding unnecessary limitation of cyber freedom.

17. The later use of information gathered by intelligence services in criminal matters is only allowed where the information concerned could have been obtained through regular mechanisms for judicial or law enforcement cooperation in criminal matters.

E. Real Fundamental and Human Rights in a Virtual World

18. States shall respect internationally recognized fundamental and human rights standards applicable to them also in the context of the digital world.

19. If states act extraterritorially while investigating in cyberspace, they shall comply with the fundamental and human rights standards applicable to their jurisdiction (agent control standard), as well as those applicable to the state where the extraterritorial investigations are taking place and when the persons concerned are situated when the extraterritorial investigations are taking place.

20. States should record investigations in cyberspace with a view to ensuring state accountability in the event of violations of fundamental or human rights. They should also disclose such recordings to the defence with a view of ensuring a fair trial and seeking a remedy before supervisory mechanisms.

21. The responsibilities of a specific state for violations of fundamental or human rights should be decided after a finding of a violation and not as a condition for admissibility of a complaint with supervisory mechanisms.

F. Virtual Court Room

22. Communications may be digitally sent by the authorities directly to the suspects, accused, witnesses, victims and experts who are physically present in another state, subject to the acceptance of the latter of this method of communication. The communications must be accompanied by a translation into a language understood by the addressee and by a statement spelling out the rights and obligations of the addressee with regard to the communication received, in particular in so far as entitlement to assistance by a lawyer, a duty to appear, contempt of court and perjury are perceived.

23. The possibilities of making use of digital technology, such as videolinks, in international criminal justice should be expanded in order to lessen the need for coercive measures like extradition, as well as in order to avoid unnecessary temporary transfer of a detained person or the physical appearance of witnesses and experts before authorities abroad.

24. States should be encouraged to consider the possibility of and conditions for the presentation of evidence through digital technology during the trial stage, even where the accused is not physically present at the hearing.

25. The security, integrity and reliability of the digital communication in use by the authorities must be of the highest standard.

26. States must provide adequate facilities to enable direct client-lawyer digital communications, especially when the client is detained.

27. The confidentiality of digital communications used in international criminal justice must be sacrosanct.



* RIDP, vol. 85 (3-4), 2014, p.603-623 (French), p. 625-643 (English), p. 645-665 (Spanish).

[13] “Building information positions“ or “intelligence-led policing“ refers to the proactive or preventive collection, storage, processing and analysis of information by law enforcement agencies for strategic, tactical and operational purposes.

[14] For the admissibility of intelligence as evidence, see point 22 of the resolution adopted at the XVIIIth International Congress of Penal Law (Istanbul 2009) on “Special Procedural Measures and Respect of Human Rights.”