Implementing the Provision of the European Council Convention on Cybercrime în the Romanian Legislation

• Author: Gheorghe-Iulian Ionia
• Position: Romanian-American University Bucharest

1. Introduction

Although it only sets certain standards and allows them to be adjusted according to the needs of each state, the CoE's Convention on Cybercrime (CETS no: 185)¹ still remains the most important international instrument used in fighting cybercrime. For this reason, there is not a global consensus with respect to the implementation of the convention provisions.

Romania has been among the first countries to sign² the convention and, through Title III of Romanian Law no. 161/2003³, it regulated (in Article 34) „the prevention of and fight against cybercrime through specific measures, in order to prevent, discover and sanction the crimes committed by means of computer systems, ensuring the observance of human rights and personal data protection" by adopting (to a considerable extent) the convention provisions. Romanian Law no. 8/1996⁴ and the new Romanian Criminal Code (Romanian Criminal Code 2009)⁵ also adopted (more or less faithfully) such incrimination recommendations (Ionită, 2009).

2. Comparative analysis of the manner to define the terms used

We have to specify that the parties do not have to adopt in their internal legislation the same definitions as presented in the CoE's Cybercrime Convention, having the authority to decide on how to implement these concepts. Nevertheless, the concepts formulated in the internal legislations have to be consistent with the principles set through this article 1 of the CoE's Cybercrime Convention.

The Romanian lawgiver went beyond the convention provisions, presenting the meaning of certain terms such as „automatic data processing", „software", „user data", „security measures", „acts illegally".

Unfortunately, the convention also uses other terms whose meaning is not specified and which already generate problems both to experts and to law enforcing authorities: „security measures", „access", „unauthorized", „illegal", „unjustified", etc.

In order to eliminate such problems, it is necessary, as the Romanian lawgiver did, to identify and explain the meaning of the terms used, since each national legislation system has its own traditions and certain terms may be interpreted and applied differently.

3. Comparative analysis of the manner to incriminate crimes against data confidentiality, integrity and availability

3.1. Illegal access

We can note that Article 2, thesis I of the CoE's Cybercrime Convention presents the recommendation to incriminate the illegal access, and the second thesis of the same article indicates the possibility that national lawgivers condition the incrimination for the „infringing security measures", „the intent of obtaining computer data or other dishonest intent", or „in relation to a computer system that is connected to another computer system".

The internal legislation exceeded the convention recommendations, incriminating as aggravated variants the situations where the act is committed „with the intent of obtaining computer data" or „by infringing the security measures".

It is desirable that such means to commit the act („by infringing the security measures", „with the intent of obtaining computer data or other dishonest intent", „in relation to a computer system connected to another computer system") represent aggravating situations, and not requirement of the material/subjective element.

The final paragraph of Article 360 in the future Romanian Criminal Code no longer uses the term „security measures" (whose meaning is not specified in the title „The meaning of terms and expressions in the criminal legislation" either). But it takes over (to a considerable extent) meaning it has in Article 35 paragraph (1) letter h) of Romanian Law no. 161/2003. The limits of the punishment stipulated (in Article 360) for this method to commit the crime (imprisonment for 2 to 7 years) are under those stipulated in the special law (Article 42) for the same manner to commit the crime (imprisonment for 3 to 12 years).

3.2. Illegal interception

By analyzing the texts we can observe that Article 3, thesis I of the CoE's Cybercrime Convention stipulates the recommendation to incriminate illegal interception, and the second thesis of the same article indicates that national lawgivers may condition the incrimination on committing „with dishonest intent" or „in relation to a computer system that is connected to another computer system".

This time, the Romanian lawgiver did not incriminate as aggravated variants the situations where the act is committed „with dishonest intent" or „in relation to a computer system that is connected to another computer system".

As in the case of the previous article, it is recommendable that such means to commit the crime („with dishonest intent" or „in relation to a computer system that is connected to another computer system") represent aggravating...