Cybercrime regulation across BRICS countries

Scope

1. What national laws (or other types of normative acts) regulate cybercrime?

Brazil

Cybercrime is regulated by law 12.737/2012, by the penal code, the ChildProtection Law (8069/1990), the Marco Civil da  Internet (12.965/2014) and the Data Protection law (13.709/2018).
Law 12.735/2012 regulates the establishment of police units investigating cybercrime.

Russia

Chapter 28 “Crimes in the field of computer information” of the Criminal Code of the Russian Federation. Criminal legislation of the Russian Federation consists of only the Criminal Code of the Russian Federation. New laws providing for criminal liability are subject to inclusion in this Code.

Criminal Code of the Russian Federation of 13.06.1996 N63-FZ (as amended on 23.04.2019).

India

The main act in India to specifically regulate cybercrime is the Information Technology (Amendment) Act, 2008. Other laws include relevant sections as well, however, such as, for example, the Copyright Act, 1957, and the Protection of Children from Sexual Offences (Amendment) Act, 2019. In addition, the Indian Penal Code and the Indian Evidence Act, 1872 too, continue to apply.

China

Cybercrime in China is regulated by a series of laws and policies at the following levels:

National-level laws and decisions:

  1. Articles 253-1, 285, 286, and 287 of the Criminal Law (1997)
  2. Amendments VII (2009) and IX (2015) to the Criminal Law
  3. Decision of the Standing Committee of the National People’s Congress on Preserving Computer Network Security (2000)
  4. Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks (2012)
  5. Anti-Terrorism Law of the People’s Republic of China (2015)
  6. Cybersecurity Law of the People’s Republic of China (2017)

Judicial interpretations:

  1. Interpretations (II) of Several Issues on Application of Law in Handling Criminal Cases about Producing, Reproducing, Publishing, Selling and Disseminating Pornographic Electronic Information via the Internet, Mobile Communication Terminals and Sound Message Stations (2010)
  2. Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Internet Gambling (2010)
  3. Interpretations on Several Issues concerning the Application of Law in Hearing Civil Dispute Cases Involving Infringement of the Right of Dissemination on Information Networks (2012)
  4. Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Specific Application of Law in the Handling of Defamation through Information Networks and Other Criminal Cases (2013)
  5. Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014)
  6. Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement on Citizens’ Personal Information (2017)

Ministerial regulations:

  1. Measures for Security Protection in the Administration of the International Networking of Computer Information Networks (1997) issued by the Ministry of Public Security
  2. Regulations on Internet Security Supervision and Inspection by Public Security Organs (2018) issued by Ministry of Public Security
  3. Rules of Obtainment of Electronic Data as Evidence by Public Security Authorities in Handling Criminal Cases (2019) issued by the Ministry of Public Security

South Africa

The Electronic Communication and Transaction Act, 25 of 2002 regulates a handful of cybercrimes.
Cybercrimes Bill [B 6B—2017]

2. Is the country a part of any international cybercrime agreement?

Brazil

Brazil has not signed any international cybercrime agreement.

Russia

The Russian Federation is a party to the Agreement on Cooperation of the Member States of the Commonwealth of Independent States in Combating Computer Information Offenses (concluded in Minsk on 06/06/2001). The Russian Federation ratified the Agreement with the following reservation:

“The Russian Federation reserves the right to refuse execution of the request, in whole or in part, if the execution of the request is likely to prejudice its sovereignty or security.”

Federal law of 01.10.2008 N 164-ФЗ “On ratification of the Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information”. Order of the President of the Russian Federation of 15.11.2005 N 557-rp “On the signing of the Convention on Cybercrime”. Order of the President of the Russian Federation of March 22, 2008 No. 144-rp “On declaring the decree of the President of the Russian Federation of November 15, 2005 No. 557-rp “On Signing the Convention on Cybercrime”.

India

India has not signed any international cybercrime agreement.

China

Yes. As a member state of the Shanghai Cooperation Organization, China agreed in 2012 at a Meeting of the Council of the Heads of Member States to participate in efforts to fight against terrorism, separatism, extremism, and international cybercrime. China is also a member of the Interpol.

South Africa

Signatory/observer to the Budapest convention

3. What cybercrimes are regulated?

Brazil

Law 12.737 and the penal code address illicit access (hacking) of IT equipment and networks. Law 8069 addresses pornographic material of children and adolescents.

Russia

a) implementation of unauthorised access to computer-protected information by law, if this actresulted in the destruction, blocking, modification or copying of information, disruption of the operation of a computer, computer system or their network;

b) the creation, use or distribution of malicious programs;

c) violation of the rules of operation of a computer, computer system or their network by a person having access to a computer, computer system or their network, resulting in the destruction, blocking or modification of information protected by law of a computer, if this act caused significant harm or serious consequences;

d) illegal use of computer programs and databases that are objects of copyright, as well as the assignment of authorship, if this act has caused significant damage;

Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information (concluded in Minsk 01.06.2001).

India

The IT (Amendment) Act addresses a wide range of cybercrimes, from hacking-related offences over crimes related to impersonation and fraud, and from violations of privacy concerning the private areas of any person to offences related to obscenity and sexually explicit material, including child sexual abuse images.

Other laws, such as the Copyright (Amendment) Act, 2012 and the Protection of Children from Sexual Offences (Amendment) Act, 2019, address crimes specific to the domain they cover (in the case of these examples, copyright violations and child sexual abuse images respectively).

While most provisions of the Indian Penal Code have general applicability, some recognise cyberspace related aspects of a crime specifically. For example, the offence of stalking is defined in the Indian Penal code to explicitly include monitoring ‘the use by a woman of the internet, email or any other form of electronic communication’.

China

First, cybercrime is covered under the Criminal Law (1997) and two amendments (VII and IX) including the following offences mainly:

  1. Illegally infringing on or selling personal information resulting in serious harm (Article 253-1),
  2. illegally accessing computer systems to interfere with state affairs, defence, and cutting-edge technology areas (Article 285), 
  3. illegally accessing, changing or controlling data held on computer systems (Article 285),
  4. providing programs and tools to access or illegally control computer systems (Article 285, Amendment VII),
  5. disabling or destroying computer systems (Article 286),
  6. deleting, modifying memory, data transmission and programs in computer systems resulting in damage (Article286),
  7. intentionally creating and disseminating computer virus resulting in damage (Article 286), 
  8. ISPs repeatedly failing to fulfil their responsibility to safely manage information and network security according to laws and administrative regulations resulting in wide spread of illegal information, serious data leak, serious loss of criminal evidence, and other serious situations (Article 286-1, Amendment IX),
  9. committing various crimes using computers including financial fraud, theft, corruption, embezzlement of public funds, stealing state secrets (Article 287),
  10. creating websites or online groups to commit fraud, teach methods of committing crimes, make and sell goods forbidden by law (Article 287-1, Amendment IX),
  11. distributing information about making or selling illegal drugs, guns, pornography and other prohibited products (Article 287-1, Amendment IX),
  12. distributing information to facilitate illegal activities such as fraud (Article 287-1, Amendment IX),
  13. being an accomplice to computer crimes resulting in serious damage, e.g. providing Internet access, server custody, network storage, communication transmission or any other technical support, or provides advertising, payment settlement (Article 287-1, Amendment IX),
  14. an entity committing any crime described above (Article 287-2, Amendment IX)
  15. fabricating or deliberately spreading, on the Internet or other media, false information regarding dangerous situations, epidemics, disasters or police emergencies, which seriously disturb social order (Article 291-1, Amendment IX) Cybersecurity Law (2017) carries articles similar to the above.

In addition, a series of judicial interpretations provide detailed explanations for online pornography, online defamation, online gambling, and infringements of right to disseminate information online.

South Africa

The ECTA provides for cybercrimes in sections 86, 87 and 88.

  • Section 86: Unauthorised access to, interception of or interference with data
  • Section 87: Computer-related extortion, fraud and forgery
  • Section 88: Attempt, and aiding and abetting

The Cybercrimes Bill provides for cybercrime in sections 2 to 13, 17-19

  • Section 2: Unlawful access
  • Section 3: Unlawful interception of data
  • Section 4: Unlawful acts in respect of software or hardware tool
  • Section 5: Unlawful interference with data or computer program
  • Section 6: Unlawful interference with a computer data storage medium or computer system
  • Section 7: Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device
  • Section 8: Cyber fraud
  • Section 9: Cyber forgery and uttering
  • Section 10: Cyber extortion
  • Section 11: Aggravated offences
  • Section 12: Attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding or procuring to commit offence
  • Section 13: Theft of incorporeal property
  • Section 17: Data message which incites damage to property or violence
  • Section 18: Data message which threatens persons with damage to property or violence
  • Section 19: Distribution of data message of intimate image

4. To whom do the laws apply?

Brazil

The law does not address this question.

Russia

An individual may be subject to a crime and criminal liability, if he has the minimum necessary set of features: has reached the legal age and is sane. These signs are mandatory to establish the responsibility of all persons involved in the crime – the performers, organizers, instigators and collaborators. Criminal liability comes as a rule from the age of 16.

Commentary to the Criminal Code of the Russian Federation: in 4 volumes (itemised) /A.V. Brilliantov, A.V. Galakhova, V.A. Davydov et al.; ed. by V.M. Lebedev. M.: Yurayt, 2017. T. 1: General part. 316 p.

India

The IT (Amendment) Act applies to the whole of India as well as to any offence or contravention under the Act committed outside India by any person, irrespective of their nationality, provided the suspected offence involves a computer, computer system or computer network located in India.

China

Provisions dealing with cybercrime are in the Criminal Law. Hence, the jurisdiction principles for the Criminal Law (see Articles 6 to 11) apply tocybercrime.

South Africa

ECTA:

The provision refers to a person which is defined as including a public body.

Cybercrimes Bill:

Any person who commits offences in chapter 2.

5. Do the laws apply to foreign entities that do not have physical presence in the country?

Brazil

The law does not address this question.

Russia

Foreign citizens and stateless persons who are not permanently residing in the Russian Federation who have committed a crime outside the Russian Federation are subject to criminal liability under this Code in cases where the crime is directed against the interests of the Russian Federation or a citizen of the Russian Federation or a stateless person residing in the Russian Federation as well as in cases stipulated by an international treaty of the Russian Federation or another document of an international character, containing liabilities recognised by the Russian Federation.

Criminal Code of the Russian Federation of 13.06.1996 N63-FZ (as amended on 23.04.2019).

India

Yes, see above.

China

Yes, in some instances. Article 8 of the Criminal Law states: “This law may be applicable to foreigners, who outside PRC territory, commit crimes against the PRC state or against its citizens, provided that this law stipulates a minimum sentence of not less than a three-year fixed term of imprisonment for such crimes; but an exception is to be made if a crime is not punishable according the law of the place where it was committed.”

South Africa

Not directly. According to the rules of jurisdiction of the courts, a foreign entity would only be held liable only as far as the effects of the conduct is felt in the Republic.

ECTA:

Section 90(b) any act of preparation towards the offence or any part of the offence was committed in the Republic, or where any result of the offence has had an effect in the Republic.

Cybercrime Bill:

Yes, in accordance with ordinary criminal law.

Definitions

6. How is cybercrime generally defined by the national law?

Brazil

The law does not address this question.

Russia

In the legislation there is no definition of a group of crimes, only individual crimes are defined. Computer-related crimes are defined as socially dangerous acts under criminal law that cause harm or create a danger of harm to the safety of the production, storage, use or dissemination of information or information resources.

Criminal Code of the Russian Federation of 13.06.1996 N63-FZ (as amended on 23.04.2019).

India

The IT (Amendment) Act does not define cybercrime.

China

While the Criminal Law outlines different types of cybercrime, in the Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014), cybercrime is defined as:

  1. cases concerning crimes of endangering the security of a computer information system;
  2. cases concerning crimes of theft, fraud, and extortion that are committed by endangering the security of a computer information system;
  3. cases concerning crimes of publishing information on the network or establishing a website or a communication group mainly for committingcrimes, committingcrimesonanunspecific majority of people, or organizing, instigating, or assisting an unspecific majority of people in committing crimes; and
  4. other cases in which major criminal activities are committed on the network.

South Africa

Cybercrime is not defined in the ECT Act National Cybersecurity Policy Framework:

“Cybercrime” means illegal acts, the commission of which involves the use of information and communication technologies;

Cybercrime Bill:

Chapter 2 There is no single definition for cybercrime.

7. What are the cybercrimes provided for by the law and how are they defined?

Brazil

The cybercrime law addresses illicit access to IT devices and electronic communications.

Russia

Unauthorised access to the protected by the law computer information is unlawful or unauthorised use of the possibility of obtaining computer information by the owner or another of its legal owners.

Creation, distribution or use of computer programs or other computer information, which are intended for unauthorised destruction, blocking, modification, copying of computer information or neutralisation of computer information protection tools.

Violation of the rules for the use of storage, processing or transmission of protected computer information or information and telecommunication networks and terminal equipment, as well as rules for access to information and telecommunication networks, resulting in the destruction, blocking, modification or copying of computer information, which caused major damage.

Creation, distribution and (or) use of computer programs or other computer information, which are intended to improperly influence the critical information infrastructure of the Russian Federation, including for destroying, blocking, modifying, copying the information contained in it, or neutralizing the means of protecting this information.

Unauthorised access to protected computer information contained in the critical information infrastructure of the Russian Federation, including using computer programs or other computer information that are deliberately intended to improperly affect the critical information infrastructure of the Russian Federation, or other malicious computer programs, if it entailed causing damage to the critical information infrastructure of the Russian Federation.

Violation of the rules for the operation of the storage, processing or transmission of protected computer information contained in the critical information infrastructure of the Russian Federation, or information systems, information and telecommunication networks, automated control systems, telecommunication networks relating to the critical information infrastructure of the Russian Federation, or the rules for access to these information, information systems, information and telecommunication networks, automated systems management, telecommunication networks, if it resulted in damage to the critical information infrastructure of the Russian Federation.

Criminal law of Russia. General and Special parts: textbook /A.A. Aryamov, TB Basova, E.V. Blagovetal.; ed by Yu. V. Gracheva, A.I. Chuchaev. M.: CONTRACT, 2017. 384 p.

India

The IT (Amendment) Act includes offences such as:

  • tampering with computer source documents;
  • computer related offences such as damaging computers and computer systems;
  • dishonestly receiving stolen computer resources or communication;
  • identity theft and cheating by personation;
  • violating the privacy of the private area of anyperson;
  • publishing ortransmitting obscene or sexually explicit material, or material depicting children in a sexually explicit act;
  • publishing an electronic signature certificate while knowing it to be false in certain particular or publishing it for a fraudulent or unlawful purpose.

While constituent elements of the crime are at times defined in detail, the crimes as such are not.

China

No specific definitions are provided for various cybercrimes. See the answer to Question 3 in this section on Cybercrime.

South Africa

ECTA defines

Section 85: “access” includes the actions of a personwho, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.

Section 86: Unauthorised access to, interception of or interference with data.

  1. Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
  2. A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
  3. A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
  4. A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.
  5. A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.

Section 87: Computer-related extortion, fraud and forgery

  1. A person who performs or threatens to perform any of the
    acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.
  2. A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.

Section 88: Attempt, and aiding and abetting

  1. A person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 (1) or (2), as the case may be.
  2. Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 (1) or (2), as the case may be.

Note: These provisions will be repealed by the Cybercrimes Bill if/when it comes into force.

Cybercrime Bill: Chapter 2 – see above

8. How is a computer system defined?

Brazil

The law does not address this question.

Russia

Information system is a set of information contained in databases and information technologies and technical means ensuring its processing.

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

India

The IT (Amendment) Act defines a ‘computer system’ as ‘a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programs, electronic instructions, input data, and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions’.

China

There is no specific definition for “computer system.” However, Article 76-1 of Cybersecurity Law (2017) defines “network” as: “a system comprised of computers or other information terminals and related equipment that follows certain rules and procedures for information gathering, storage, transmission, exchange, and processing.”

South Africa

The ECT Act does not define it.

Cybercrime Bill:

Chapter 1, Section 1: ‘‘computer system’’ means:

  • (a) one computer; or
  • (b) two or more inter-connected or related computers, which allow these inter-connected or related computers to: (i) exchange data or any other function with each other; or (ii) exchange data or any other function with another computer or a computer system;

9. How are computer data defined?

Brazil

The law does not address this question.

Russia

Computer information refers to information (messages, data) presented in the form of electrical signals, regardless of their means of storage, processing, and transmission.

Criminal Code of the Russian Federation of 13.06.1996 N63-FZ (as amended on 23.04.2019).

India

The IT (Amendment) Act defines data as ‘a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer’.

China

There is no specific definition for “computer data”. However, Article 76-4 of Cybersecurity Law (2017) defines “network data” as: “all kinds of electronic data collected, stored, transmitted, processed, and produced through networks.”

South Africa

ECTA:

“data” means electronic representations of information in any form;

“data message” means data generated, sent, received or stored by electronic means and includes: (a) voice, where the voice is used in an automatedtransaction; and (b) a stored record;

Cybercrime Bill:

There is a definition of “computer data storage medium” on Chapter 1, Section 1: ‘‘computer data storage medium’’ means any device or location from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored by a computer system, irrespective of whether the device is physically attached to or connected with the computer system;

10. How are forensic data defined?

Brazil

The law does not address this question.

Russia

Judicial computer-technical expertise is an independent type of forensic examinations conducted to determine the status of an object as a computer tool, determine its role in an investigated crime, and access information on electronic media with its subsequent comprehensive investigation.

Letter of the Federal Bailiff Service of Russia dated September 18, 2014 No. 00043/14/56151-BB “On Methodological Recommendations” (together with the “Methodological Recommendations on the Order of Appointment and Proceeding of Legal Expertise in Pre-Investigation and Investigation of Crimes Subject to the Federal Bailiff Service” approved by the FBS of Russia 15.09.2014 N 0004/22).

India

The IT (Amendment) Act does not define forensic data, nor does the Indian Evidence Act. The IT (Amendment) Act does define ‘electronic form evidence’ as ‘any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cellphones, digital fax machines’.

China

Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014) defines “forensic data” as two types of data during cybercrime investigations:

  1. Electronic data that can be displayed directly such as electronic documents, images and webpages;
  2. Electronic data that cannot be displayed directly such as computer programs, tools and virus in computer information systems illegally attacked and controlled.

South Africa

The ECT Act does not define Forensic Data.

It is not defined in the Cybercrimes Bill.

11. How are service providers defined?

Brazil

The law does not address this question.

Russia

Hosting provider – a person providing services for the provision of computing power for placing information in an information system that is constantly connected to the Internet.

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

India

The IT (Amendment) Act does not define the term ‘service providers’. However, it defines ‘intermediary’, ‘with respect to any particular electronic records’, as ‘any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes’.

China

They are not, but Article 76-3 of Cybersecurity Law (2017) defines “network operators” as “network owners, managers, and network service providers.”

South Africa

The ECT Act does not define service provider.

The Cybercrime Bill only defines an electronic communication service provider:

Electronic communications service provider means any person who provides an electronic communications service under and in accordance with an electronic communications service licence issued to such person under Chapter 3 of the Electronic Communications Act, 2005 (Act No. 36 of 2005), or who is deemed to be licensed or exempted from being licensed as such in terms of the Electronic Communications Act, 2005;

12. Does the national law provide any other definitions instrumental to the application of cybercrime legislation?

Brazil

The cybercrime law does not provide further definitions.

Russia

The destruction of information is the reduction of information or its part into an unusable state, regardless of the possibility of its recovery. The destruction of information is not the renaming of the file where it is contained, as well as the automatic “wipe out” of the old versions of the files by the latest.

Blocking information is the result of exposure to computer information or equipment, the consequence of which is the impossibility for some time or to constantly perform the required operations on computer information completely orin the required mode, that is, performing actions that lead to restriction or closure of access to computer equipment and resources, the obstruction of the access of legitimate users to computer information not related to its destruction.

Information modification – making changes to computer information (or its parameters).

Copying information – creating a copy of existing information on another medium, that is, transferring information to a separate carrier while maintaining the original information unchanged, reproducing information in any material form – by hand, photographing text from the display screen, as well as reading the information by any interception of information, etc.

A computer program is an objective form of representing a set of data and commands intended for the functioning of a computer device in order to obtain a certain result.

Creation of programs is an activity aimed at developing, preparing programs that are capable of unauthorised destruction, blocking, modifying, copying of computer information or neutralizing computer information protection tools.

The distribution of such programs means the provision of access to any unauthorised person in any of the possible ways, including selling,renting, sending free of charge via the electronic network, that is, any actions to provide access to the program via network or other means.

Using the program is working with the program, applying it for its intended purpose and other actions to introduce it into economic circulation in its original or modified form. Under the use of malicious programs refers to their use (by any person), in which their harmful properties are activated.

Guidelines for the implementation of prosecutorial supervision over the implementation of laws in the investigation of crimes in the field of computer information (approved by the Prosecutor General’s Office of Russia).

India

The IT (Amendment) Act also defines ‘access’, ‘addressee’, ‘affixing [electronicsignature]’, ‘asymmetric cryptosystem’, ‘communication device’, ‘computer’, ‘computer network’, ‘computer resource’, ‘cybercafé’, ‘cyber security’, ‘digital signature’, ‘electronic form’, ‘electronic record’, ‘electronic signature’, ‘function’ in relation to a computer, ‘information’, ‘key pair’, ‘originator’, ‘private key’, ‘public key’, ‘secure system’, ‘security procedure’, ‘subscriber’ and ‘verify’ as well as a number of terms related to the implementation and enforcement of the Act, including to the institutions involved and their roles and functions.

China

No.

South Africa

Cybercrime Bill:

“information system” means a system for generating, sending, receiving, storing, displaying or otherwise processing data messages and includes the Internet;

“Internet” means the interconnected system of networks that connects computers around the world using the TCP/IP and includes future versions thereof.

‘‘computer’’ means any electronic programmable device used, whether by itself or as part of a computer system or any other device or equipment, or any part thereof, to perform predetermined arithmetic, logical, routing, processing or storage operations in accordance with set instructions and includes any data, computer program or computer data storage medium that are related to, connected with or used with such a device;

‘‘computer data storage medium’’ means any device from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored, by a computer system, irrespective of whether the device is physically attached to or connected with a computer system;

‘‘computer program’’ means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function; ‘‘computer system’’ means:

  • (a) one computer; or
  • (b) two or more inter-connected or related computers, which allow these inter-connected or related computers to: (i) exchange data or any other function with each other; or (ii) exchange data or any other function with another computer or a computer system.

Rights

13. Is the cybercrime law based on fundamental rights (defined in Constitutional law or International binding documents)?

Brazil

The cybercrime law does not provide further definitions.

Russia

The provision on its highest legal force enshrined in the Constitution of the Russian Federation means that all constitutional norms have the supremacy over laws and other regulatory legal acts.

In accordance with Art. 18 of the Constitution of the Russian Federation, the rights and freedoms of a person and a citizen are directly applicable. They determine the meaning, content and application of laws, the activities of the legislative and executive authorities, local self-government and are ensured by justice.

Generally recognised principles and norms of international law enshrined in international covenants, conventions and other documents (in particular, the Universal Declaration of Human Rights, the International Covenant on Civil and PoliticalRights, the International Covenant on Economic, Social and Cultural Rights), and international treaties of the Russian Federation are in accordance with Part 4 of Art. 15 of the Constitution of the Russian Federation an integral part of its legal system. The same constitutional norm determines that if an international treaty of the Russian Federation establishes other rules than those provided by law, then the rules of the international treaty apply.

Taking this into account, the court does not have the right to apply the norms of the law regulating the legal relations that arose, if an international agreement entered into force for the Russian Federation, the decision on consent to which the Russian Federation was made in the form of federal law, establishes other rules than those provided by law . In these cases, the rules of the international treaty of the RussianFederation.

Constitution of the Russian Federation (adopted by popular vote on 12.12.1993, with the amendments made by the Laws of the Russian Federation on amendments to the Constitution of the Russian Federation of 30.12.2008 No. 6-FKZ, of 30.12.2008 No. 7-FKZ, of 02.05.2014 N2-FKZ, of21.07.2014N11-FKZ). Resolution of the Plenum of the Supreme Court of the Russian Federation of October 31, 1995 N 8 (ed. 03/03/2015) “On some issues of the application by courts of the Constitution of the Russian Federation in the administration ofjustice”.

India

The IT (Amendment) Act does not explicitly address this question.

China

Cybercrime laws in China do not explicitly reference the Chinese Constitution or international binding documents.

South Africa

The ECT Act does not specify one.

The Cybercrimes Bill has not specified one nor is one immediately clear from the Constitution of the Republic of South Africa, 1996.

14. What are the rights of the victim and the accused?

Brazil

The law does not address this question.

Russia

The most significant rights granted to a victim are the following:

  1. to know about the accusation against the accused.
  2. to testify.
  3. to get acquainted with the decision on the appointment of a forensic examination and with the expert opinion.
  4. the special right of victims is the receipt of copies of the procedural and judicial acts of the criminal case.
  5. to know about complaints and representations brought in a criminal case and to file objections tothem.
  6. the victim’s special right is his participation in the court hearing.

Everyone charged with a criminal offence is presumed innocent until his guilt is established by law.

Everyone charged with a criminal offence has at least the following rights:

  • a) to be immediately and in detail notified in a language understandable to him of the nature and cause of the accusation against him;
  • b) to have adequate time and facilities for the preparation of his defence;
  • c) to defend himself personally or through a defender chosen by him or, with a lack of funds to pay for counsel, to use the services of his appointed defender for free when the interests of justice so require;
  • d) Interrogate witnesses who testify against him or have the right to be interrogated by these witnesses, and have the right to call and interrogate witnesses in his favour under the same conditions as for witnesses against him;
  • e) use the free help of a translator if he does not understand the language used in court or does not speak that language.

The Criminal Procedure Code of the Russian Federation has significantly expanded the rights of the victim of a crime, making it a more active participant in the criminal process.

However, analysis of legislation and law enforcement practice shows that in Russia, victims both legally and in fact are in a disadvantaged position, the level of legal protection of the victim is significantly lower than the suspect and the accused.

The constitutional principle of legal proceedings on the basis of adversarial and equal rights of the parties implies parity of the rights of the victim and the accused (suspect) as parties to the criminal dispute.

G.I. Zagorsky. M .: Prospect, 2016. 1216 p. “Convention for the Protection of Human Rights and Fundamental Freedoms” (concluded in the city of Rome on November 4, 1950, as amended on May 13, 2004). Smirnova I.S. Asymmetry of the rights of the victim and the accused (suspect) // Bulletin of the Omsk Law Academy. 2016. N 2. P. 59 – 62.

India

The IT (Amendment) Act specifies that no compensation awarded, penalty imposed, or confiscation made under theAct shall prevent the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force. It allows for the compounding of contraventions or offences insome circumstances, and also specifies that offences with up to three years of imprisonment are available. Beyond this, rights that are specific to cybercrime are not specified in either the IT (Amendment) Act or the Indian Evidence Act.

China

Rights of the victim and accused should comply with other pre- existing Chinese laws and regulations including all the rights and responsibilities of citizens outlined in Chapter II of the Constitution.

South Africa

The ECT Act does not specify them.

Cybercrimes Bill:

Part VI: Orders To Protect Complainants From The Harmful Effect Of Malicious Communications.

Procedures

15. Is there a specific procedure to identify, analyse, relate, categorize, assess and establish causes associated with forensic data regarding cybercrimes?

Brazil

The cybercrime law does not define any of these procedures.

Russia

The objects of the study of forensic computer technical expertise are computing equipment, software products, and information objects. In this regard, within the framework of this forensic examination, hardware-computer, software-computer, information-computer research can be conducted.

The purpose of software and computer research is to study the functional purpose, characteristics, structural features, and the current state of the computer system software presented for the study.

Information-computer research is key in the production of forensic computer-technical expertise, as it allows you to complete the holistic construction of the evidence base by final resolution of most issues related to computerinformation.

The main objectives of this study are the search, detection, analysis and evaluation of information prepared by the user or created by programs for organizing information processes in a computer system.

In the production of information and computer research in the framework of computer-technical expertise can distinguish the following tasks:

  • establishing the properties and type of information presented in a computer system when it is used directly;
  • determination of the actual state of information;
  • establishing the initial state of information on the data carrier;
  • determination of time, chronological sequence of impact on information;
  • determination of conditions for changing the properties of the studied information.

00043/14/56151-BB “On Methodological Recommendations” (together with the “Methodological Recommendations on the Order of Appointment and Proceeding of Legal Expertise in Pre-Investigation and Investigation of Crimes Subject to the Federal Bailiff Service” approved by the FBS of Russia 15.09.2014 N 0004/22). Order of the FSS of Russia of 23.06.2011 N 277 (ed. 04.12.2017) “On the organisation of the production of forensic examinations in expert divisions of the federal security service” (together with the “Instructions on the organisation of the production of forensic examinations in expert divisions of the federal security service”).

India

The Indian Evidence Act was amended by the IT(Amendment) Act to include electronic records explicitly in the definition of ‘documentary evidence’, as well as to include terms such as ‘digital signature’, ‘electronic form’ and ‘secure electronic record’, as defined by the IT (Amendment) Act, in the evidentiary mechanisms that the Indian Evidence Act provides for. This includes a lengthy section on the admissibility of electronic evidence (section 65B of the Indian EvidenceAct).

China

Section V (Articles 13-18) of the Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014) and Rules of Obtainment of Electronic Data as Evidence by Public Security Authorities in Handling Criminal Cases (2019) outline the detailed procedure to obtain forensic date regarding cybercrime.

South Africa

The Cybercrimes Bill does not provide specific procedures for this however, it provides in section 55 that the cabinet minister responsible for policing must (a) establish and maintain sufficient human and operational capacity to detect, prevent and investigate cybercrimes; (b) ensure that members of the South African Police Service receive basic training in aspects relating to the detection, prevention and investigation of Cybercrimes.

16. In case of transnational crimes, how is cooperation between the national law enforcement agency and the foreign agents regulated?

Brazil

Brazil (e.g. the Federal Police) is cooperating with foreign agents
based on cooperation agreements including MLATs. In 2016,
the Federal Police inaugurated the cooperation centre CCPI to
enhance its international joint investigations.

Russia

The parties within the framework of this Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information shall cooperate in the following forms:

  • a) the exchange of information, including: on upcoming or committed crimes in the field of computer information and individuals and legal entities involved in them; on the forms and methods of prevention, detection, suppression, detection and investigation of crimes in this area; methods of committing crimes in the field of computer information; on national legislation and international treaties governing the prevention, detection, suppression, disclosure and investigation of crimes in the field of computer information;
  • b) the execution of requests for operational investigations, as well as legal proceedings in accordance with international treaties on legal assistance;
  • c) planning and conducting coordinated activities and operations for the prevention, detection, suppression, disclosure and investigation of crimes in the field of computer information;
  • d) assisting in the training and professional development of personnel, including through the training of specialists, the organisation of conferences, seminars and training courses;
  • e) creation of information systems ensuring the fulfilment of tasks for the prevention, detection, suppression, disclosure and investigation of crimes in the sphere of computerinformation;
  • f) conducting joint scientific research on issues of mutual interest in combating computer-related crime;
  • g) the exchange of regulatory legal acts, scientific and technical literature on the fight against crimes in the field of computer information;
  • h) in other mutually acceptable forms.

In accordance with a number of agreements on legal assistance in criminal matters, in cases that are not delayed, requests may be sent directly by the competent authorities of the requesting state to the competent authorities of the Russian Federation, including through Interpol. In this case, a copy of the order is simultaneously transmitted to the relevant central competent authority.

Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information (Concluded in Minsk 01.06.2001). UNODC Cybercrime Repository.

India

The IT (Amendment) Act does not address this question. Most commonly, requests to foreign agents for the content of stored electronic communication are made through the MLAT process. As specified in the Allocation of Business Rules of the Government of India, the Ministry of Home Affairs is the nodal Ministry and the Central authority for seeking and providing mutual legal assistance in criminal law matters. Section 105 of the Criminal Procedure Code speaks of reciprocal arrangements to be made by the Central Government with foreign governments with regard to the service of summons/warrants/judicial processes. Accordingly, the Ministry of Home Affairs (MHA) has entered into Mutual Legal Assistance Treaties/Agreements on criminal Matters with 39 countries, which provide for the serving of documents. Requests can also be made through the letters rogatory process, which involves the courts in both countries. Such requests can be based on MLATs, MoUs or reciprocity and they, too, need approval from the MHA. Investigating agencies can take the help of the International Police Cooperation Cell(IPCC) of the Central Bureau of Investigation (CBI), an Indian intelligence agency, in preparing such requests.The IPCCis also the nodal pointin India for cooperation with and through INTERPOL. Finally, the Indian Computer Emergency Response Team (CERT-IN) also has signed Memorandums of Understanding with agencies in a number of countries to further cooperation on cybersecurity.

China

Although China is not a party or observer of the Budapest Convention (or Convention on Cybercrime), it is a signee of the World Intellectual Property Organization Copyright Treaty (WIPO Copyright Treaty) in 1985 and the U.N. Convention Against Transnational Organized Crime in 2000. In addition, China actively explores regional (e.g. through Shanghai Cooperation Organization) and international (e.g. through UN anti-crime framework) avenues to seek cooperation against transnational crimes including cybercrime. Through the Shanghai Cooperation Organization, China actively pursues avenues to conduct cybersecurity exercises.

South Africa

The ECT Act does not provide for that but it refers to the general provisions for jurisdiction of the courts (Section 90).

Cybercrimes Bill: Chapter 6 provides for Mutual assistance.

17. Are there any exceptions to the use of mutual legal assistance procedure to investigate the crime?

Brazil

The law does not address this question.

Russia

The law does not address this question. According to the European Convention on Mutual Legal Assistance in Criminal Matters, assistance may be refused:

  • a) if the request concerns an offence which the requested Party considers a political offence, an offence connected with a political offence or a financial offence;
  • b) if the requested Party considers that the execution of the request may prejudice sovereignty, security, public order or other essential interests of its country.

The execution of a request under the Agreement on Cooperation of the States Parties of the Commonwealth of Independent States in the Fight against Computer Crime Offenses can be denied in full or in part if the requested Party believes that its execution is contrary to its national law.

The requesting Party shall be notified in writing of the complete or partial refusal to execute the request, indicating the reasons for refusal.

European Convention on Mutual Legal Assistance in Criminal Matters (ETS N 30) Concluded in the city of Strasbourg 04/20/1959, as amended on 08.11.2001). Agreement on cooperation of the States members of the Commonwealth of Independent States in the fight against crimes in the field of computer information (concluded in Minsk 01.06.2001).

India

There are. For example, the India-US MLAT excludes political offences as well as offences under military law, subject to some exceptions, while the India-Malaysia MLAT excludes, among other things, requests where there is substantial ground to believe that these were made for the purpose of investigating, prosecuting, punishing or otherwise causing prejudice to a person on account of the person’s race, religion, sex, ethnic origin, nationality or political opinions.

China

According to Article 14 of International Criminal Judicial Assistance Law of the People’s Republic of China (2018), mutual legal assistance can be refused in the following circumstances:

  1. According to the laws of the People’s Republic of China, the requested act is not a crime;
  2. At the time of receipt of the request, the inquiry, investigation, prosecution, and trial of the crime in the request are under way within the territory of the People’s Republic of China, an effective judgment has been made, the criminal procedure has been terminated, or the limitation of the offence has expired;
  3. The crime against which the request is made is a political offence;
  4. The crime against which the request is made is purely a military offence;
  5. The purpose of the request is to examine, investigate, prosecute, sue, or execute a sentence based on race, ethnicity, religion, nationality, gender, political opinion or identity, or the parties may be unfairly treated for the above reasons;
  6. There is no substantive link between the requested matter and the case of assistance;
  7. Other circumstances under which the request can be refused.

South Africa

The ECT Act does not provide for Mutual Legal Assistance.

Chapter 5 of the Cybercrimes Bill provides for Mutual Assistance National Executive may enter into agreements

57. (1) The National Executive may enter into any agreement with any foreign State regarding: (a) the provision of mutual assistance and cooperation relating to the investigation and prosecution of… [the offences provided for in the Cybercrimes Bill]

18. Does the national law require the use of measures to prevent cybercrimes? If so, what are they?

Brazil

The law does not address this question.

Russia

The organizer of information dissemination in the Internet is obliged to store in the territory of the Russian Federation:

  1. information on the facts of reception, transmission, delivery and (or) processing of voice information, written text, images, sounds, video or other electronic messages of Internet users, and information about these users within one year from the end of the implementation of such action;
  2. text messages of Internet users, voice information, images, sounds, video, other electronic messages of Internet users up to six months from the moment they have finished receiving, transmitting, delivering and (or) processing.

The organizer of the dissemination of information on the Internet is obliged to provide relevant information to authorised state bodies carrying out operational investigative activities or ensuring the security of the Russian Federation in cases established by federal laws.

The organizer of the dissemination of information on the Internet is obliged to ensure the implementation of the requirements for equipment and software and hardware used by the specified organizer in the field of communication established by the federal executive body in the field of communications in coordination with the authorised state bodies carrying out operational and investigative activities information systems operated by him, for these bodies to conduct in cases established by the federal bubbled laws and measures in order to implement the tasks assigned to them, and to take measures to prevent the disclosure of organisational and tactical methods of carrying out these activities.

In order to counteract the use in the Russian Federation of software and hardware access to information resources, information and telecommunication networks, access to which is restricted, the federal executive body that performs the functions of control and supervision in the field of media, mass communications, information technology and communication:

  1. carries out the creation and operation of a federal state information system containing a list of information resources, information and telecommunication networks, access to which is restricted in the territory of the Russian Federation;
  2. in accordance with the procedure established by the Government of the Russian Federation, interacts with federal executive bodies carrying out operational investigative activities or ensuring the security of the Russian Federation in order to obtain information about software and hardware access to information resources, information and telecommunication networks, access to which limited;
  3. on the basis of a request from the federal executive body carrying out operational investigative activities or ensuring the security of the Russian Federation, determines the hosting provider or other person who provides the placement on the Internet of software and hardware access to information resources, information and telecommunication networks, access to which is limited.
  4. sends a notification to the hosting provider in electronic form in Russian and English about the need to provide data to identify the owner of the corresponding software andhardware;
  5. fixes the date and time of sending the notification in the federal state information system of information resources, information and telecommunication networks, access to which is restricted.

Federal Law of 27.07.2006 N149-ФЗ(as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

India

Specific measures are specified in the rules attendant to several provisions of the IT (Amendment) Act, such as those made under section 16, regarding secure procedures and practices for electronic records and signatures, and under section 43A, regarding compensation for failure to protect data. Further, under section 70B, CERT-IN can provide guidance that needs to be adhered to. Under section 89, the Controller is granted the power to make regulations on matters such as standards.

China

Apart from specifying punishments for various parties implicated in cybercrime through the Criminal Law and other related laws to deter cybercrime (see Question #3 above), China’s national law (e.g. Cybersecurity Law) also requires network owners, operators, and ISPs to bolster cybersecurity measures and report crimes. In addition, Article 24 of the Cybersecurity Law (2017) effectively implements the “Real Name Registration” policy requiring users to provide real identity information to network operators upon signing agreements for products and services online.

South Africa

The ECT Act does not describe any.

The Cybercrimes Bill does not detail measures specifically aimed at preventing cybercrime, rather, it incorporates that must be taken to prevent cybercrimes.

Obligations and sanctions

19. What obligations do law enforcement agencies have to protect the data of the suspect, the accused and the victim?

Brazil

The cybercrime law does not address this question. Further processes are defined in the data protection law.

Russia

In exceptional cases related to the proceedings in another criminal, civil or administrative case, information about the protected person may be submitted to the preliminary investigation authorities, the prosecutor’s office or the court based on the written request of the prosecutor or the court (judge) with the permission of the authority that made the decision protection.

The procedure for implementing security measures in the form of ensuring the confidentiality of information about a protected person is established by the Government of the Russian Federation.

Federal law of 20.08.2004 N 119-FZ (as amended on 07.02.2017) “On state protection of victims, witnesses and other participants in criminal proceedings”.

India

The Information Technology (Procedure and Safeguard for Monitoring and Collection Traffic Data or Information) Rules,2009, made under section 69B of the IT (Amendment) Act, prohibit the disclosure or use of traffic data or information by the agency authorised to monitor or collect traffic data for any purpose other than the forecasting of imminent cyber threats or general trends of port-wise traffic on the Internet, or general analysis of cyber incidents, or for investigation or in judicial proceedings before a competent court in India. Section 69B provides the Central Government with the power to authorise the monitoring and collection of traffic data through any computer resource for cyber security. Beyond this, neither the IT (Amendment) Act nor the Indian Evidence Act address this question explicitly in the context of cybercrime. In the draft Personal Data Protection Bill, 2018, processing for the prevention, detection, investigation and prosecution of contraventions of law or for the purpose of legal proceedings are included in the exemptions, severely restricting law enforcement agencies’ obligations to protect personal data.

China

Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement on Citizens’ Personal Information (2017) provides legal protection for citizens’ personal information investigated in criminal cases.

More specifically, according to Rules of Obtainment of Electronic Data as Evidence by Public Security Authorities in Handling Criminal Cases (2019) issued by the Ministry of Public Security, law enforcement agencies protect “state secrets, police work secrets, trade secrets, individual privacy, and confidentiality” (Article 4) while collecting and processing forensic electronic data. Procedurally, for instance, two or more inspectors are supposed to gather electronic evidence supervised by technical experts (Article 6), ask data owners or witnesses to provide signature when appropriate (Article 9), and soon.

South Africa

There is no such obligation in the ECT Act.

Chapter 5, cybercrime bill.

20. What are the duties and obligations of the National Prosecuting Authorities in cases of cybercrime?

Brazil

The law does not address this question.

Russia

The prosecution authorities carry out prosecutorial supervision at the stage of initiating criminal proceedings for crimes in the sphere of computer information, as well as for investigating crimes in the sphere of computer information.

The prosecutor must carefully check the legality of the initiation of criminal cases and evaluate the submitted materials. Studying the submitted materials, the prosecutor must make sure that the facts stated in statements, materials of the departmental and other verification of the violation of the integrity (confidentiality) of information in the computer system, network are objectively confirmed; about the presence of a causal link between the illegal actions and the consequences provided for by the disposition of Art. 272 and 274 of the Criminal Code of the Russian Federation, in the form of copying, destruction, modification, blocking of information (to initiate a criminal case under Article 273 of the Criminal Code of the Russian Federation, the onset of such consequences is not necessary); about the preliminary amount of damage caused by criminal acts.

The supervising prosecutor needs to verify the completeness of the materials, the legitimacy of their receipt and subsequent submission to the investigating authority.

Given the complexity of investigating computer-related crimes, the low qualifications of investigators, the need to use special knowledge in investigations, prosecutorial oversight of investigating these crimes should be carried out throughout the entire period of investigation.

Given the characteristics of the category of crimes under consideration, the prosecutor should carefully examine the evidence gathered during the preliminary investigation, which should be fully established by all the circumstances provided for in Art. 73 Code of Criminal Procedure. At the same time, as noted earlier, the composition of the crimes provided for by Chapter 28 of the Criminal Code of the Russian Federation, in addition to the main features of a crime, determines the causal link between the act and theconsequences.

Studying a criminal case during the investigation, the prosecutor must establish whether these expert opinions fully answer the questions put by the investigator, whether all the necessary questions are put to the expert and whether the information contained in the expert’s opinion is enough to confirm the circumstances of the crime. Undoubtedly, the supervising prosecutor should have special knowledge of the types of forensic examinations conducted in criminal cases of this category, and give appropriate recommendations to the head of the investigative body.

If the prosecutor reveals a violation that has already been committed during the preliminary investigation, he must use the powers granted to him by the Criminal Procedure Code of the Russian Federation and make a request to eliminate the violations committed during the preliminary investigation.

In accordance with Art. 221 of the Criminal Procedural Code of the Russian Federation, the prosecutor or his deputy must consider the received criminal case within a period not exceeding ten days and take one of the following decisions:

  • on the approval of the indictment and the direction of the criminal case to the court;
  • on the return of the criminal case to the investigator for additional investigation, changing the scope of the prosecution or qualifying the actions of the accused or re-drafting the indictment and eliminating the identified deficiencies with their written instructions;
  • on the direction of the criminal case to a higher prosecutor for the approval of the indictment, if it is subject to the jurisdiction of the higher court.

The prosecutor in accordance with paragraph. 2 h. 1 Article 221 of the Code of Criminal Procedure has the right to return the criminal case to the investigator for additional investigation, changing the scope of the prosecution or qualifying the actions of the accused or reconsidering the indictment and eliminating the identified deficiencies with their written instructions.

Currently, the court does not have such a right, but it can return the criminal case to the prosecutor, if there are grounds provided for by Art. 237 Code of Criminal Procedure, which, as a rule, testifies to inadequate prosecutor’s supervision over the course of the preliminary investigation.

The hosting provider is obliged to provide data that allows identifying the owner of the news aggregator or audio-visual service.

The hosting provider is obliged to notify the site owner serviced by him on the Internet about the need to remove a web page containing information whose distribution in the Russian Federation is prohibited.

If information is found in information and telecommunication networks, including the Internet, expressing in an indecent form that offends human dignity and public morality, obvious disrespect for society, the state, official state symbols of the Russian Federation, the Constitution of the Russian Federation or to the authorities exercising state power in the Russian Federation, the hosting provider is obliged to inform the information resource owner that they serve ask him to immediately remove such information.

In case of failure or inaction of the owner of an information resource, the hosting provider is obliged to limit access to the relevant information resource immediately after the expiration of the day from the date of receipt of the notification about it. The hosting provider is obliged to limit access to the information resource that disseminates information that violates copyright and related rights no later than the expiration of three working days from the date of receipt of the relevant notice.

Within one working day from the date of receipt from Roskomnadzor of a notice of cancellation of measures to restrict access to an information resource, the hosting provider is obliged to inform the owner of the information resource and notify about the possibility of lifting the access restriction.

In the case of detection in information and telecommunication networks, including the Internet, the information disseminated in violation of the law, i.e. containing calls for mass riots, extremist activities, participation in mass (public) events held in violation of the established procedure, inaccurate socially important information distributed under the guise of reliable messages, which createsa threat of harm to life and / or citizens’ health, property, the threat of mass violation of public order and (or) public safety or the threat of interfering with the functioning or termination of the functioning of life transport or social infrastructure, credit organisations, energy facilities, industry or communications, information materials of a foreign or international non-governmental organisation whose activity is considered undesirable in the territory of the Russian Federation, the hosting provider is obliged to inform the hosting provider about the information owner of the information resource served by them and notify him of the need to immediately remove unlawfully distributed information.

The hosting provider is obliged to notify the owner of the information resource serviced by him about the need to immediately take measures to eliminate violations of the legislation of the Russian Federation in the field of personal data, or take measures to restrict access to information processed in violation of the legislation of the Russian Federation in the field of personal data.

At the request of Roskomnadzor, the hosting provider is obliged to provide data allowing identification of the owner of software and hardware access to information resources, information and telecommunication networks, access to which is restricted.

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

India

Section 80 of the Act outlines the power of police officers and other officers to enter, search, etc. Procedural guidelines under section 69B of the Act are provided in the Information Technology (Procedure and Safeguard for Monitoring and Collection Traffic Data or Information) Rules, 2009. Further details on the duties and obligations of the prosecuting authorities specifically in cases of cybercrime are not provided in either the IT (Amendment) Act or the Indian Evidence Act.

China

Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014) outlines the duties of the Supreme People’s Procuratorate, China’s national prosecuting authorities in terms of jurisdiction (Article 2), data collection and prosecution (Article 5) and its relationships with the court and the police.

South Africa

There are none. Presumably, the general rules pertaining to the National Prosecution Authority would apply. The prosecutor must carefully check the legality of the initiation of criminal cases and evaluate the submitted materials.

Cybercrimes Bill:

Section 52 (5) The National Director of Public Prosecutions must make available members of the National Prosecuting Authority: (a) who have particular knowledge and skills in respect of any aspect dealt with in this Act; and (b) to whom a security clearance has been issued by the State Security Agency in terms of section 2A of the National Strategic Intelligence Act, 1994, to the satisfaction of the National Director of Public Prosecutions, to provide legal assistance to the designated Point of Contact as maybe

National Director of Public Prosecutions must keep statistics of prosecutions

56. (1) The National Director of Public Prosecutions must keep statistics of the number of prosecutions instituted in terms of Part I or Part II of Chapter 2, the outcome of such prosecution and any other information relating to such prosecutions, which is determined by the Cabinet member responsible for the administration of justice. (2) The statistics or information contemplated in subsection (1) must be included in the report of the National Director of Public Prosecutions referred to in section 22(4)(g) of the National Prosecuting Authority Act, 1998.

21. Does the law impose any obligations on service providers in connection with cybercrime?

Brazil

The law does not address this question.

Russia

The hosting provider is obliged to provide data that allows identifying the owner of the news aggregator or audio-visual service.

The hosting provider is obliged to notify the site owner serviced by him on the Internet about the need to remove a web page containing information whose distribution in the Russian Federation is prohibited.

If information is found in information and telecommunication networks, including the Internet, expressing in an indecent form that offends human dignity and public morality, obvious disrespect for society, the state, official state symbols of the Russian Federation, the Constitution of the Russian Federation or to the authorities exercising state power in the Russian Federation, the hosting provider is obliged to inform the information resource owner that they serve ask him to immediately remove such information.

In case of failure or inaction of the owner of an information resource, the hosting provider is obliged to limit access to the relevant information resource immediately after the expiration of the day from the date of receipt of the notification about it.

The hosting provider is obliged to limit access to the information resource that disseminates information that violates copyright and related rights no later than the expiration of three working days from the date of receipt of the relevant notice.

Within one working day from the date of receipt from Roskomnadzor of a notice of cancellation of measures to restrict access to an information resource, the hosting provider is obliged to inform the owner of the information resource and notify about the possibility of lifting the access restriction.

In the case of detection in information and telecommunication networks, including the Internet, the information disseminated in violation of the law, i.e. containing calls for mass riots, extremist activities, participation in mass (public) events held in violation of the established procedure, inaccurate socially important information distributed under the guise of reliable messages, which creates a threat of harm to life and/or citizens’ health, property, the threat of mass violation of public order and (or) public safety or the threat of interfering with the functioning or termination of the functioning of life transport or social infrastructure, credit organisations, energy facilities, industry or communications, information materials of a foreign or international non-governmental organisation whose activity is considered undesirablein the territoryoftheRussianFederation, the hosting provider is obliged to inform the hosting provider about the information owner of the information resource served by them and notify him of the need to immediately remove unlawfully distributed information.

The hosting provider is obliged to notify the owner of the information resource serviced by him about the need to immediately take measures to eliminate violations of the legislation of the Russian Federation in the field of personal data, ortake measures to restrict access to information processed in violation of the legislation of the Russian Federation in the field of personal data.

At the request of Roskomnadzor, the hosting provider is obliged to provide data allowing identification of the owner of software and hardware access to information resources, information and telecommunication networks, access to which is restricted.

Federal Law of 27.07.2006 N 149-ФЗ (as amended on 18.03.2019) “On Information, Information Technologies and on Information Protection”.

India

Section 79 of the IT (Amendment) Act and the attendant rules provide intermediaries with exemption from liability, provided that they, among other things, observe due diligence while discharging their duties under the Act. This includes warning users, in their rules and regulations, privacy policy and user agreement, about content that violates the law; taking prompt action when informed about the presence of violative content on their platform; and providing any assistance required to government agencies when required by a lawful order to do so.

Intermediaries are also required to take allreasonable measures to secure their computer resources and the information they contain, as outlined in Section 43A of the IT (Amendment) Act and the attendant rules; to report and share information on cybersecurity incidents with CERT-IN; and to ensure that technical or infrastructural modifications do not facilitate circumvention of the law. Proposed changes to the Intermediary Guidelines Rules 2011, under discussion at the time of writing, would add further obligations. Cyber cafés are subject to an additional set of rules, with their own set of requirements. Intermediaries are also required to provide any assistance necessary to assist the government in exercising its powers to intercept, monitor, or decrypt any information through any computer resources (Section 69 of the IT (Amendment) Act and the attendant rules); to block for public access information through any computer resource (Section 69A of the IT (Amendment) Act and the attendant rules); or to monitor and collect meta data through any computer resource for cyber security (section 69B of the IT (Amendment) Act and the attendant rules).

In addition, Section 67C of the IT (Amendment) Act requires intermediaries to preserve and retain information forthe duration and in the manner prescribed by the Central Government.

China

Network operators are obliged under the Cybersecurity Law (2017) to keep logs for no less than six months. Operators are also expected to report cybercrime threats, attacks and breaches to relevant authorities, initiate contingency plans, and take remedial measures (Article 25).

South Africa

ECTA: It does not.

Cybercrimes Bill:

Chapter 9 – S54 Electronic communication service providers or financial institutions that become aware that their systems are involved in the commission of any offences in the Cybercrimes Bill are obligated to report offences no later than within 72 hours. They must also preserve evidence as far as possible.

22. To which extent can a legal person be held liable for actions in connection with cybercrimes?

Brazil

The law does not address this question.

Russia

The provisions of the current law exclude the possibility of criminal liability of legal entities. For damage caused as a result of the activities of legal entities, only the administrative responsibility of this legal entity and the administrative or criminal liability of a specific individual who acted in the interests and on behalf of this legal entity is possible.

Commentary to the Criminal Code of the Russian Federation: in 4 volumes (itemised) /A.V. Brilliantov, A.V. Galakhova, V.A. Davydov et al.; ed. by V.M. Lebedev. M.: Yurayt, 2017. T. 1: General part. 316 p.

India

Section 85 of the IT (Amendment) Act holds that where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly. Liability of companies is also addressed in select other provisions in the Act. For example, Section 43A provides for compensation where a body corporate fails to protect data. Section 70B specifies that body corporates who do not comply with directions issued by CERT-IN are punishable with imprisonment and fine.

China

Depending on the cybercrime, the relevant offence may incur a penalty of life imprisonment and/or a maximum fine of 500,000 RMB (Articles 285, 286 and 287 of the Criminal Law). Under the Cybersecurity Law (2017), engaging in activities that jeopardize cybersecurity, or providing programs or tools specifically used to engage in activities that jeopardize cybersecurity, is punishable by a fine of up to 500,000 RMB.

South Africa

The ECT Act applies to “a person” which is defined to include a public body. Presumably, the ordinary meaning of a person is understood to apply, which is both a natural and a juristic person. Person means a natural or juristic person, section 1. Penalties (section 14, 22) apply to persons.

Actors

23. What bodies implement the cybercrime legislation?

Brazil

Brazil has established a number of cybercrime police agencies as defined in law 12735/2012

Russia

Bodies of the Federal Security Service, being authorised bodies, interact with the organizers of information dissemination during operational investigative activities carried out as part of operational investigative activities related to the use of software and hardware (including in the interests of other authorised bodies).

The Ministry of Digital Development, Communications and Mass Communications of the Russian Federation is a federal executive body that is authorised, in coordination with the authorised state bodies carrying out operational investigative activities or ensuring the security of the Russian Federation, to establish requirements for equipment and software and hardware used by the dissemination organizer. Information in the information and telecommunication network “Internet” in the information it uses Discount systems.

In accordance with the Note of the Ministry of Foreign Affairs of Russia of 03.08.2015 N 6839 / 1dsng and the Note of the CIS Executive Committee of 10.08.2015 N 3-1 / 919, the Investigative Committee of the Russian Federation is the competent authority under the Cooperation Agreement of the Member States of the Commonwealth of Independent States in Combating computer crimes.

“Agreement on cooperation of the states – participants of the Commonwealth of Independent States in the fight against crimes in the field of computer information” (concluded in Minsk on 01.06.2001). Decree of the Government of the Russian Federation of July 31, 2014 N 743 (ed. November 20, 2017) “On approval of the Rules for interaction of information dissemination organizers in the Internet information and telecommunications network with authorised state bodies carrying out operational investigative activities or ensuring the security of the Russian Federation”. Decree of the Government of the Russian Federation of July 31, 2014 N 741 (ed.September 25, 2018) “On the definition of a federal executive body authorised to establish requirements for equipment and software and hardware used by the information dissemination organizer in the Internet information and telecommunications network information systems operated init.”

India

The IT (Amendment) Act designates CERT-IN as the national agency for incident response. CERT-IN, the Controller of the Certifying Authorities for electronic signature certificates, and a number of government bodies and agencies can all issue directions. The Controller and adjudicating officers to be appointed by the government can investigate contraventions of the Act or specific sections of it. Appeals to orders made by the Controller or an adjudicating officer can be made to the Cyber Appellate Tribunal. Further appeals need to be made to the High Court. Although India has a growing number of cybercrime police cells, any police officer not below the rank of Inspector can investigate offences under the Act. Further, the Central Government has appointed a number of government bodies as
Examiners of Electronic Evidence, to provide expert opinion on
electronic evidence before any court or other authority.

China

Presumably a wide range of governmental actors are involved in implementation including Ministry of Public Security, the Supreme Court, the Supreme People’s Procuratorate, State Security, and Cyber Administration of China (the country’s top authority of cybersecurity). More specifically, Regulations on Internet Security Supervision and Inspection by Public Security Organs (2018) issued by the Ministry ofPublicSecurity gives police forces considerable latitude to inspect network operators, internet service providers and organizational users to prevent cybercrime.

South Africa

Section 80 – 84

The Cyber Inspector provided for in chapter XII of the ECT Act.

Cybercrimes Bill:

Section 26 (1)

The Cabinet member responsible for policing, in consultation with the National Commissioner, the National Head of the Directorate, the National Director of Public Prosecutions and the Cabinet member responsible for the administration of Justice.

24. Is there a special public prosecutor office for cybercrime? If so, how is it organised?

Brazil

The law does not address this question.

Russia

There is no special prosecutorial supervision authority on cybercrime, but given the complexity of investigating computer information crimes and the low qualification of investigators, the need to use special knowledge in investigating, the supervising prosecutor should have special knowledge about the types of forensic examinations conducted in criminal cases of this category make recommendations to the head of the investigative body.

Guidelines for the implementation of prosecutorial supervision over the execution of laws in the investigation of crimes in the field of computer information (approved by the Prosecutor General’s Office of Russia).

India

The IT (Amendment) Act does not address this question.

China

Article 6 of People’s Police Law of the People’s Republic of China (1995) assigns the police to protect the security of computer information systems. Between 2015 and 2017, the Ministry of Public Security has quickly established 1116 “cybersecurity police units” including “level one” units within major Chinese Internet companies such as Baidu, Tencent and Sina tasked mainly to police online content and prevent cybercrime.

South Africa

ECTA: There is none.

Cybercrimes Bill: There is no special public prosecutor office. The Cabinet member responsible for policing is required to work closely the National Director of Public Prosecutions for all matters relating to public prosecutions of cybercrime.

25. Does the cybercrime legislation create any specific body?

Brazil

Law 12735/2012 has established cybercrime police agencies.

Russia

To identify crimes in the field of so-called high technologies (which include crimes in the field of computer information), as well as to identify persons and criminal groups engaged in criminal activities in this area, the “K” Department of the Ministry of Internal Affairs of Russia was created.

The “K” Department of the Ministry of Internal Affairs of Russia, within its competence, carries out the detection, prevention, suppression and disclosure of

  1. crimes in the field of computer information:
    1. unlawful access to legally protected computer information;
    2. the creation, use and distribution of malicious computer programs;
    3. violation of the rules of operation of the means of storing, processing or transmitting computer information or information and telecommunication networks;
    4. fraud in the field of computer information.
  2. crimes committed with the use of information and telecommunication networks (including the Internet) against minors’ health and public morality:
    1. production and distribution of materials or items with pornographic images of minors;
    2. the use of a minor in the manufacture of pornographic materials or objects.
    3. crimes related to the illicit trafficking of special technical equipment intended for secretly obtaining information.
    4. crimes related to the illegal use of objects of copyright or related rights.

Official website of the Ministry of Internal Affairs of Russia. “Guidelines for the implementation of prosecutorial supervision over the execution of laws in the investigation of crimes in the field of computer information” (approved by the Prosecutor General’s Office of Russia).

India

The IT (Amendment) Act establishes CERT-IN, the Controller of Certifying Authorities for electronic signatures and the Cyber Appellate Tribunal.

China

No.

South Africa

ECTA: No.

Cybercrimes Bill: Chapter 10, Section 53: Cyber response committee