IOCTA 2015

The 2014 IOCTA emphasised that it is essential for law enforcement to closely observe developments in the field of law. Without criminal legislation the hands of law enforcement agencies are bound – and without adequate procedural law, the prosecution of high-tech offenders can be close to impossible.

Update 1: EU Cybercrime Legislative Frameworks

Since the publication of the last IOCTA, the European Union has not introduced a new legislative framework to harmonise the cybercrime legislation of the Member States. However, 4 September 2015 is an important date with regard to the 2013 EU Directive on Attacks against Information Systems [1]. Article 16 requires Member States to bring their legislation, regulations and administrative procedures in line with the requirements of that Directive by that date. With regard to criminalisation, the Directive does not go beyond the 2001 Council of Europe Convention on Cybercrime, which was implemented by most EU Member States; therefore the chances of an EU-wide transposition of the Directive are high.

Update 2: Council of Europe Convention on Cybercrime

By August 2015, the number of ratifications/accessions to the 2001 Council of Europe Convention on Cybercrime increased to 47 countries, including eight non-members of the Council of Europe. Outside of Europe, Australia, Canada, the Dominican Republic, Japan, Mauritius, Panama, Sri Lanka and the United States are listed as non-Member States that ratified the Convention. The ratification of the Convention worldwide is an ongoing process with an average of more than three countries joining per year. Some of the fastest growing and most relevant economies outside of Europe, such as the BRIC countries (Brazil, Russia, India and China), with which European law enforcement agencies frequently deal, have not yet been invited to accede to the Convention. Involvement of those countries would be a significant advantage for international law enforcement cooperation.

Update 3: Data breaches

Data breaches remain a major challenge and are certainly one of the fastest moving forms of what is widely seen as criminal activity. During the first half of 2015, millions of data records were obtained by attackers. CareFirst, Kaspersky Lab, Premera BlueCross, Harvard University and the US Government were just a few prominent victims of this type of attack. Unchanged since the 2014 IOCTA, a strong, harmonised legal approach towards this type of offence – one that includes the criminalisation of trading compromised identities – is still absent in Europe. Neither the 2001 Council of Europe Convention on Cybercrime, nor the existing EU legislative approaches specifically criminalise identity theft and the related transfer of identities. Consequently, the prosecution of such activities depends on the existence of national legislation.

Update 4: Invalidation of Data Retention Directive

Access to traffic and location data is of great relevance for law enforcement agencies, especially when it comes to the identification of perpetrators. The basis of the harmonisation of legislation with regard to the process of retaining such data was for some years the 2006 EU Data Retention Directive [2]. It contained an obligation for the providers of publicly available electronic communications services or of the public communications networks to store data, i.e. traffic data and location data and the related data necessary to identify the subscriber or user for the purpose of investigation, detection and prosecution of serious crime, as defined by each EU Member State in its national law. Despite different national approaches within the transposition process of the Directive, especially with regard to the duration of retention, it was an interesting foundation for legal harmonisation.

However, on 8 April 2014, the European Court of Justice (ECJ) declared the Directive invalid [3]. The Court concluded that the retention of data as required by the Directive may be considered to be appropriate for attaining the objective pursued, but the wide-ranging and particularly serious interference of the Directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary. In this respect, the Directive did not comply with the principle of proportionality. As a consequence, the Member States are no longer bound by the Directive. National provisions implementing the Directive are nonetheless not automatically invalid, which has led to very significant discrepancies among EU national data retention provisions. The reactions of Member States have varied widely. Some States have annulled their transposing legislation (e.g. Austria, Belgium, Slovakia and Slovenia), some have not changed their legislation since the ECJ ruling (e.g. Ireland, Spain and Sweden) and some, such as the United Kingdom, have reacted drastically by enacting new legislation providing for a new legal basis for data retention by service providers [4].

Generally, Member States are waiting for the EU to adopt a new Directive. However, it is currently uncertain whether and when the European Union will adopt a new legal instrument on this issue. It is clearly unlikely to happen very soon.

The usefulness of traffic data and location data for criminal investigations is defended by law enforcement agencies and prosecutors. It is true that accessing data after the commission of the offence, when it was not retained originally by service providers, may be more difficult or impossible if the data was deleted in the meantime. Indeed, law enforcement agencies underline that the effectiveness of their work relies increasingly on the availability of data that is already collected, retained and made available by the service providers in a lawful manner. In particular, investigations related to serious crime typically require a more long-term approach as they may be longer than the average time of any other criminal investigation.

The magnitude of the impact of the ECJ ruling on investigations cannot be overstated, as the detection and investigation of cyber-enabled and cyber-facilitated crime relies extensively on the collection and analysis of telecommunications data. At least seven Member States stated that their data retention regime provides for up to six months of retention. Member States reported that the inability to access case-relevant telecommunications data has affected a significant part of recent cybercrime investigations, leading to unsuccessful investigations in areas such as computer intrusion, hacking and child abuse.

As criminals are increasingly using the Internet and/or technologies at their disposal, data retention is certainly an interesting means to gather information on typically Internet-related crime such as computer intrusion, hacking and child pornography online.

In addition to the retention period and from a more practical perspective, service providers often take a dysfunctionally long time to satisfy requests. Five Member States reported that a typical waiting period was more than one month. In addition, there is little standardisation in the format of the response. Some States indicated that data may not be provided in electronic format, which leads to a waste of resources spent on the collation and interpretation of hard copy data.

  1. Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA
  2. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communication networks and amending Directive 2002/58/EC, OJ L105.
  3. ECJ, Digital Rights Ireland and Seitlinger and Others case, Joined Cases C-293/12 and C-594/12, 8 April 2014
  4. The Data Retention and Investigation Act (2014) was declared invalid on 17 July 2015 by the High Court of Justice Queen’s Bench Division, Divisional Court, The Queen v. The Secretary of State for the Home Department.