
The Council of Europe Budapest Convention on Cybercrime

Publication date: January 06, 2026

At the turn of the 21st century, technology was gaining significant importance. Information technology was the fastest-growing influence on the lives of ordinary people, as more and more services became digitized, automated, and transferred to cyberspace. These included, for example, correspondence and electronic communication, such as email, developed from the mid-1960s to the 1980s. Banking and financial services were also introduced electronically in the 1970s and 1980s, as were the sharing of works of art and the storage of various data in digital form. These services are linked to key areas of our lives, such as economics, privacy, and security. These same areas also attract criminals of various kinds, many of them, though not all, members of organized crime groups or terrorist and sabotage groups. Their activities are referred to, primarily colloquially, as cybercrime. This term is difficult to define, however, because its meaning evolves with technological advancements. Criminal law, meanwhile, must meet the requirement of legal certainty, linked to the principle that there is no crime without law. For this reason, various attempts are being made to develop such a definition.

The concept of cybercrime

The UN proposed the following division into two concepts: cybercrime in the narrow sense (computer crime) encompasses all illegal activities directed against the security of computer systems and the electronically processed data within them, performed using electronic operations; cybercrime in the broad sense (computer-related crime) encompasses all illegal activities committed using or directed against computer systems or networks, including, among others, the illegal possession, sharing, or dissemination of information via a computer or network.

To address these challenges, a number of non-binding soft law acts were initially adopted. In the European context, reference can be made to:

  • Recommendation No. R(85)10 concerning the practical application of the European Convention on Mutual Assistance in Criminal Matters in relation to letters rogatory concerning the interception of telephone conversations;
  • Recommendation No. R(88)2 on infringements in the field of copyright and related rights;
  • Recommendation No. R(87)15 on the use of personal data in the police sector;
  • in particular, Recommendation No. R(89)9 on computer crime, which provides guidelines for national legislation on the definition of certain computer crimes and which greatly facilitated the joint prosecution of the same crimes by authorities in different countries;
  • Recommendation No. R(95)13 on problems of criminal procedural law related to information technology;
  • Resolution No. 1 adopted by the European Ministers of Justice at the conference in Prague on 10-11 June 1997, which recommended that the Committee of Ministers support the work carried out by the European Committee on Crime Problems (CDPC) on cybercrime, in order to approximate criminal law provisions and enable the use of effective means of prosecuting such crimes;
  • the Action Plan adopted by the Heads of State and Government of the Council of Europe at the Strasbourg Summit on 10-11 October 1997, in order to find a common response to the development of new technologies, based on the standards and values of the Council of Europe.

Besides the Council of Europe, the Organisation for Economic Co-operation and Development (OECD) was also active in the field of cybersecurity, having developed the “OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security”. In the intercontinental space, we can also mention the High-Level Group of Experts on Organized Crime, known as the “Lyon Group” and operating within the G8 Group, which brings together the 8 largest economies in the world.

As a result of the adoption of subsequent soft law acts, the concept of creating a binding act that would comprehensively organize all the issues raised in subsequent non-binding acts emerged.

Work on the draft text began in 1997. In addition to the Council of Europe member states, countries such as the United States, Canada, Japan, and South Africa were also involved in its development, along with representatives of various European institutions and independent experts. The “Committee of Experts on Cybercrime” developed the draft for almost four years, culminating in the adoption of the text by the Council of Europe Committee of Ministers on 8 November 2001. The Council of Europe Convention on Cybercrime (Journal of Laws of 2015, item 728) (ETS 185) is the first international treaty explicitly focusing on cybercrime. Almost simultaneously with the Convention, the 2001 Agreement on Cooperation in Combating Crimes Related to Digitally Processed Information of the Commonwealth of Independent States was established, followed shortly thereafter by the 2014 African Union Convention on Cybersecurity and Personal Data Protection. However, these instruments have a much smaller scope, so we will not address them here. In addition, only a European treaty specifies not only the method of prosecution but also its basis.

Budapest Convention

The Council of Europe Cybercrime Convention was adopted and opened for signature on November 23, 2001, in Budapest, and entered into force on July 1, 2004. In addition to the Council of Europe member states, with the exception of Ireland, which has not ratified it, many non-European states have acceded. There are currently 84 signatory states. Among them, in addition to the aforementioned participants in the adoption process (with the exception of South Africa, which has observer status despite signing the convention), are Cameroon, Kiribati, and Panama.

The treaty’s objectives are threefold: 1) harmonizing national laws on cybercrime; 2) supporting investigations into these crimes; and 3) strengthening international cooperation in the fight against cybercrime so that a range of cybercrimes, such as denial-of-service (DoS) attacks and the publication of computer viruses, can be prosecuted in multiple countries covered by the treaty. The cross-border nature of the Internet, and the potential for perpetrators operating in a country without appropriate regulations to violate the laws of other countries, necessitate criminalizing computer abuse in the laws of as many countries as possible. The treaty also serves as a limited Mutual Legal Assistance Treaty when the countries involved in the proposal do not have an existing treaty. The drafters of the Cybercrime Convention emphasized in the preamble that it complements and does not prejudice existing international agreements on cybercrime, both bilateral and multilateral, concluded between CoE member states. The Convention, as is typical of most instruments of international law of this type, establishes a minimum standard for the criminalization of prohibited acts specified in its provisions. Therefore, it does not prevent States Parties from adopting more restrictive solutions regarding both criminal liability and its grounds, which the Cybercrime Convention limits to intent, both direct and consequential. The provisions of the Convention are not enforceable in themselves, as they lack sufficient precision and completeness to derive specific rights and obligations for individuals. One factor determining the attractiveness of the Cybercrime Convention is its open-ended nature and the optional clauses it provides. These provisions allow for the adoption of the Cybercrime Convention with the exclusion of certain provisions, allowing acceding states to transpose it into their legal systems, reconciling its provisions with their legal traditions, cultures, and other existing regulations. It should be noted that many states, while not signing the Cybercrime Convention, actually drew on its provisions to create their own national regulations. These include Egypt and Pakistan, for example.

The Convention on Cybercrime consists of a preamble and four chapters:

  • Chapter I – “Terminology”;
  • Chapter II – “Measures to be taken at national level”;
  • Chapter III – “International Cooperation”;
  • Chapter IV – “Final Provisions”.

Chapter I consists of only one article, which contains definitions of key terms. Among other things, it defines “information system” (“computer system” in the original language). Paraphrasing the definition, an information system is any computer or other similar device, or a network thereof, that operates automatically thanks to installed software, i.e., performs automatic data processing. “IT data,” in turn, is any representation of facts, information, or concepts in a form suitable for processing in a computer system, including the appropriate program enabling such processing. “Service provider” is any private or public entity that enables customers to communicate via an information system or stores or processes data on behalf of a service provider or recipient of information communication services. “Traffic data” means any IT data relating to communication via an information system, generated by the information system. More simply, it is information regarding the time, sender, type of message, and the transmission path. This does not include the content of the message itself. A well-known colloquial term for this data is a “digital footprint.”

Offences covered by the provisions of the Convention

Chapter II of the Convention on Cybercrime consists of three parts: substantive criminal law (Articles 2-13), procedural law (Articles 14-21), and jurisdiction (Article 22). The substantive criminal law section contains definitions of nine types of cybercrimes, divided into four groups and arranged in four titles. The crimes in the convention are formulated to incorporate the suggestions of delegates from all countries that participated in the development of this international agreement, as well as to refer to the legal regulations and practices in force in those countries related to their use. Title 1 is headed “Crimes against the confidentiality, integrity, and availability of computer data and systems.” Data is often colloquially associated with information. According to the Polish dictionary, information means “notification of something, communication of something; message, instruction.” Information is a message intended to reduce uncertainty and increase the likelihood of making the right decision. It is this influence that has led information to acquire undeniably great economic value in the modern era of the information society. Data has come to be treated as a commodity, the possession of which enables financial or comparable benefits. Hence, it has come to require special protection and has been recognized as a legal asset. However, the law distinguishes between these two concepts. The aforementioned OECD guidelines define “data” as “the representation of facts, concepts, or instructions in a formalized manner that enables communication, interpretation, or processing by both humans and machines; ‘information’ (…) is the meaning we assign to data through conventions relating to that data.” Mere possession of data does not constitute access to information, although it does pose a direct threat to such access.

The first offense is hacking, which is unlawful access to all or part of an information system. This allows for the commission of further offenses against various legal interests. The article leaves states a margin of discretion, allowing them to limit criminal liability only to cases in which security measures have been breached, thus protecting against the criminalization of accidental access. The purpose and method of action are not among the elements determining criminal liability, even if the perpetrator acted solely with the intention of testing their own capabilities. The Convention does not oblige the parties to extend criminal liability to the stage of attempted criminal activity. Furthermore, it should not be forgotten that modern hackers possess techniques that allow them to gain access to information systems without first having to breach security measures.

Article 3 of the Cybercrime Convention establishes the crime of “intentionally intercepting, by means of technical devices, non-public transmissions of computer data to, from, or within a computer system, including electromagnetic emissions from a computer system transmitting such computer data.” This covers both intercepting data directly from computer transmissions and analyzing electromagnetic waves, and it extends to eavesdropping on data transmissions, both content and traffic. The first method of unauthorized information acquisition is often referred to as traditional computer espionage. Hackers, using special software, not only gain access to content not intended for them but are also able to collect data carriers and monitor network traffic. The use of spyware also enables sound recording and screenshots. As for the second method, computer technology is dominated by devices that emit high-frequency electromagnetic waves, whose state and intensity are directly related to changes in the functioning of the devices being used. Due to the high cost of the equipment used, however, this type of eavesdropping is much less frequently used by individual perpetrators, although the equipment may end up in the hands of members of organized crime groups or business spies. The purpose of this provision is to protect the privacy of users of computer systems communicating using electronic data transmission systems. As with illegal access, the condition for criminalization is the intentionality and unlawfulness of the act. The Convention refers to listening, monitoring, or supervising the content of communications for the purpose of intercepting information, either directly (through access to and use of a computer system) or indirectly (through the use of electronic eavesdropping or listening devices, or recording). The term “non-public transmission” refers to the nature of the transmission process, not the type of data being transmitted. Therefore, Article 3 of the Convention can also be applied to data transmissions over public networks, provided the parties intended to maintain the confidentiality of the transmission. The conduct of a person conducting surveillance cannot be considered a criminal offense when that person acts under authorizations granted by the participants in the intercepted data transmission or under applicable legal provisions, as, for example, in the case of state officials carrying out activities aimed at investigating crimes or ensuring security. As with hacking, State Parties have a free hand in limiting the scope of criminalization by requiring links between the surveilled computer system and one or more other systems. This would criminalize data interception only within the network, excluding situations involving the surveillance of individual systems. Member States may also introduce a condition of criminal liability based on the perpetrator’s “dishonest intent.”

In the Polish Penal Code, the offense under the Convention is defined by Article 267, paragraphs 1, 2, or 4. This offense is committed by anyone who, without authorization, gains access to information not intended for them, or to a system intended for its collection and processing, by opening a sealed letter, connecting to a telecommunications network, or by breaching or bypassing electronic, magnetic, computer, or other special security measures. Merely gaining access is, in principle, not a crime. If information obtained in a manner that meets the criteria for the offense described in this article is disclosed to another person, the perpetrator may be anyone who comes into possession of it (paragraph 4). Therefore, it is material in nature. Paragraph 2 criminalizes gaining access to, narrowly defined, all or part of an IT system. There is no mention of breaching security, so offenses such as bluesnarfing, piggybacking, or wardriving may be covered. Article 267, paragraph 3, covers wiretapping. Not only the mere use of a listening device, visual device, or other device or software, but also their installation is punishable. As with the preceding paragraph, breaching security is not required. The offense can only be committed “for the purpose of obtaining information,” which indicates a directionality, i.e., the requirement for direct intent. The provision essentially contains two subtypes: the first is the formal offense of using a device. It is worth noting the broad catalog of these devices, which significantly broadens the scope of criminalization. The second type, the act of installation, is material.

Article 4 of the Cybercrime Convention obliges States Parties to criminalize “the intentional, unlawful destruction, erasure, damage, alteration, or deletion of computer data.” A State Party may condition criminal liability on the perpetrator’s act causing “serious harm,” as simply turning on a computer system can lead to unauthorized modification of data. Criminalization of this conduct is intended to ensure the security of computer data and protect it from the effects of unlawful infringements. Intentional conduct is a condition for committing the offense under Article 4 of the Convention. Therefore, activities involving servicing, replacing software, or testing computer system security, undertaken by authorized persons, as well as activities aimed at anonymizing participants in electronic correspondence and maintaining the confidentiality of its content, will not be criminalized.

In the Penal Code, this offense is covered by Article 268 and Article 268a. The first article is intended to protect the integrity, completeness, and accuracy of important information, not necessarily contained in computer systems, and to ensure access to it by authorized persons. This refers to information that has special value in an objective sense, due to the legitimate interest of the information owner, persons authorized to view its content, and, in the case of personal data, also the entity to which the information pertains. The causative actions may include acts that compromise data integrity, primarily involving logical actions, such as deletion and removal, or those intended to hinder or even thwart an authorized person from accessing the information, such as changing a password or concealing a storage medium. The qualified type applies to the IT storage medium. The higher penalty is motivated by the fact that IT data often constitutes the basis for the operation of entire systems, so their absence or damage can pose a serious problem. Another qualified type is distinguished due to the significant financial damage caused by the act. The offenses are material in nature. The second provision is a direct implementation of the convention, as evidenced, for example, by the use of the term “IT data,” which is defined exclusively in this international agreement. It covers behaviors analogous to those in Article 268 of the Penal Code, provided they harm computer data. In addition to the behaviors repeated from the previous article, such as destroying, damaging, deleting, altering, or hindering access, Article 268a criminalizes significant disruption, meaning actions that hinder or prevent the proper operation of the system and the collection, processing, and transmission of data. The offense is material in nature.

Article 5 of the Cybercrime Convention establishes the crime of “intentionally and unlawfully seriously disrupting the functioning of a computer system by entering, transmitting, destroying, erasing, damaging, altering, or deleting computer data.” States Parties are free to define what constitutes “serious disruption.” Based on the Explanatory Report to the Convention, it can be concluded that this article refers to the crime of computer sabotage and is intended to criminalize the deliberate obstruction of the legitimate use of computer systems, regardless of the type and nature of the information associated with them. The legitimate interests of operators and users of computer systems are protected. The updated standard requires the occurrence of an intentional and serious disruption of the system’s operation, resulting from the action of an unauthorized person. Disruption occurs through actions that interfere with the proper functioning of a computer system, i.e., entering, transmitting, destroying, deleting, damaging, or altering computer data. The crime of spamming falls within the scope of this article only if it results in deliberate disruption of the functioning of the system.

In the Polish legal system, it corresponds to two further provisions: Article 269 and Article 269a of the Penal Code. The aim of the first crime is to paralyze a computer system, more specifically, one that is key for national defense, communication security, and the functioning of IT systems administration. This may occur through damage or destruction of material objects, programs, or data sets, as well as disruption or prevention of their processing, collection or transmission. The crime is of a material nature and, due to the nature of the data, Article 269 of the Penal Code is a qualified type of the crime under Article 268 § 2, 268a and 269a of the Penal Code. Furthermore, if the result is a threat to the life or health of a significant number of people or to property of a significant size, we can speak of a real confluence with Article 165 § 1, defining the crime of causing a public threat, and of a cumulative confluence with Article 174 of the Penal Code. Article 269a punishes actions against specific IT systems and networks other than those of strategic significance. More specifically, it refers to significant actions, carried out through: transmission, destruction, damage, deletion, hindering access to, or altering IT data, disrupting the operation of a computer system or IT network.

According to Article 6 of the Convention, each Party shall adopt such legislative and other measures as may be necessary to establish as a criminal offence under its domestic law, when committed intentionally and unlawfully:

a. the production, sale, procurement with intent to use, import, distribution or otherwise making available:

  i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2-5,
  ii. a computer password, access code or similar data by means of which all or part of a computer system is accessible with the intention of using it for the purpose of committing any of the offences established in accordance with Articles 2-5,

b. possession of an item referred to in subparagraphs a.i or a.ii above with the intent that it be used in the commission of any of the offences established in accordance with Articles 2 to 5. A Party may require in its law that criminal liability be based on possession of more than one such item.

Although the above list is very broad, undertaking most of the activities it covers requires specific knowledge or skills. However, as we know, the Internet is such a vast source of information that anyone interested can easily find instructions on the production of devices or computer programs, or acquire knowledge about the vulnerabilities and weaknesses present in the security of specific systems. The provisions of the Convention allow Parties to introduce into their national law a requirement to possess more than one of the items listed in points a.i or a.ii for the criminalization of an act. Furthermore, the conduct listed in the cited provision cannot be criminalized unless it is committed with the intent to commit the offenses specified in Articles 2-5 of the Convention; conduct such as authorized testing or protection of a computer system is therefore not covered. The same provision also prohibits the production, sale, and distribution of devices and other means that can be used to commit any of the previously discussed offenses. The Convention limits the scope of criminalization to cases in which devices are objectively designed or intended to commit an offense. Acts involving dual-use items are not punishable. The Parties may exclude from criminalization all acts other than the production, sale, acquisition with the intention of using, importing, distributing or otherwise making available: a computer password, access code or similar data through which all or part of an information system is accessible.

Article 269b of the Penal Code expands the scope of criminalization of attacks on the security of electronically processed information to the preparation stage and, implementing Article 6 of the Convention, provides for criminal liability for anyone who “produces, acquires, sells, or makes available to other persons devices or computer programs adapted for committing the offense specified in Article 165 § 1 point 4, Article 267 § 2, Article 286a § 1 or 2 in connection with § 1, Article 269 § 2, or Article 269a, as well as computer passwords, access codes, or other data enabling access to information stored in a computer system or telecommunications network.” The causative act is the production of hacking tools by the perpetrator independently or by adapting devices and programs intended for other purposes. Also criminalized are acquisition, i.e., gaining access to ready-made tools, sale, i.e., transferring ownership to another person, and making available, i.e., merely enabling third parties to use the tools.

The next section is titled “Crimes Committed Using Computers.” These are attacks on long-established legal assets, but carried out using modern technologies. This editorial unit penalizes two crimes: computer forgery and computer fraud. These are classic crimes in their own right, but due to changes related to the use of new technologies, they have begun to require separate regulatory provisions.

Computer forgery, according to Article 7 of the Convention, is defined as the act of “unlawfully inserting, altering, deleting, or removing computer data, resulting in the creation of inauthentic data that the perpetrator intends to be recognized or used for legal purposes as authentic, regardless of whether it is directly readable and understandable.” In other words, it involves manipulating the content of a multimedia document. This can be done by the document owner, for example, to conceal irregularities, or by a third party, for example, to gain access to the victim’s accounts. This can be done using a computer, software, and peripheral devices as tools for falsifying physical documents. The development of forgery techniques has meant that virtually no document is impossible to forge. This crime can also be committed by making changes to computer memory or any data storage media where electronic documents are created and stored, i.e., the content stored on computer hard drives, such as business and tax books, records, and other records. The danger here is the possibility of introducing changes to the system that are so imperceptible that only an expert can detect them. The Convention allows for the punishability of an act to be contingent upon the intent to commit fraud or other dishonest act. A characteristic feature of the offense under the Convention is the creation of “inauthentic data,” which the perpetrator intends to use to influence the outcome of the proceedings. Therefore, to attribute guilt, it is necessary to prove not only that the perpetrator falsified data or computer programs, but also that the intention was to induce a false belief in a specific person regarding the law, legal relationship, or circumstances relevant to the given case. Art. 270 § 1 of the Penal Code penalizes the act of forging, altering, or using as authentic a document that has been forged or altered. 
The causative act is the forging or altering of a document with the intent to use it as authentic, as well as the use as authentic of a document that has been forged or altered by the perpetrator or someone else. The use must be for a purpose legally attributed to the authentic document. A perpetrator who first forges or alters a document and then uses it as authentic is liable for only one act, unless the conduct occurred within a longer time period. A document is defined in Article 115 § 14 of the Penal Code as any object or other recorded medium of information to which a specific right is attached, or which, due to its content, constitutes evidence of a right, legal relationship, or circumstance of legal significance. The offense is formal in nature, and its elements do not require that the presentation of the forged document to another person lead them to believe in its authenticity. However, it is necessary to act with the purpose, i.e., with direct intent, of using the forgery as a genuine document.

The second offence under this chapter, i.e. computer fraud, is the act of “intentionally, unlawfully causing loss of property to another person by:

a. entering, making changes, deleting or removing computer data,

b. any interference with the functioning of the computer system,

with the intent to defraud or with the dishonest intent to obtain an economic advantage for oneself or another person.”

In practice, the crime of computer fraud takes one of three forms of manipulation: first, data manipulation; second, manipulation of computer programs; and third, manipulation of the results of processed data. The simplest and most common form is data manipulation, which involves entering incorrect data into a system in order to obtain unauthorized financial benefits. The second form is very difficult to detect. In this form, the perpetrator controls an existing program to perform additional operations, allowing for abuse. These operations are generally performed without the program user’s consent, but can also be undertaken by them, for example, for the purpose of double-entry bookkeeping. In the third form, the perpetrator controls the results of data processing, ultimately obtaining financial benefits. An act that is performed via computer networks but does not include any illegal technical activities in its description of the factual situation should be classified as ordinary fraud. For example, a dishonest employee providing his or her own account number to make a transfer to the company that employs him or her does not constitute computer fraud, even if the transfer itself is made online via an online banking service. As usual, the criminal act must be characterized by illegality, but in this provision, the element of influencing a person, characteristic of classic fraud, has been replaced by the perpetrator’s influence on the course of automatic processing, collection, or transmission of computer data, or interference with the operation of a computer system.

Article 287 of the Penal Code provides for the criminalization of computer fraud, defined differently than in the Convention. It is committed at the moment of taking causative actions affecting data processing devices and technical processes. The causative actions here include: influencing the process of automatic processing, collection, or transmission of computer data, and changing, deleting, or introducing a new record of computer data without the owner’s authorization. The first of these causative actions is an attack on the computer system, the second on computer data. Since the perpetrator acts “in order to obtain financial benefit or cause harm to another person,” the crime is a directed type, meaning committed solely with direct intent.

The next title is called “Offences due to the nature of the information contained” or: “Offences due to the content”

The unit contains a single article defining a set of acts related to the undoubtedly significant problem of child pornography. Criminalization of previously known forms of child pornography in national legal systems is widespread. However, the exponential growth of internet use in developed societies has necessitated the creation of new regulations, particularly those with a reach comparable to that of the internet itself, i.e., international ones. Under the convention, the following should be prohibited:

– producing for the purposes of its distribution via an IT system;

– offering or making available via an IT system;

– distribution or transmission via an IT system;

– obtaining child pornography via an IT system for oneself or another person;

– possession of child pornography within an IT system or on IT data storage media.

For the purposes of the Convention, “child pornography” includes pornographic material that clearly depicts:

– a minor engaged in explicit sexual activity;

– a person who appears to be a minor engaged in sexually explicit activity;

– a realistic image depicting a minor engaged in sexually explicit activity.

Pornography is the depiction of human sexual activity, neglecting all context. The most important context is the connection between sexual activity and love. The separation of sex from love and the focus solely on the technique of various forms of sexual activity characterize pornography. Although the “concept” of pornographic material is left to the Parties’ internal definition, the Convention precisely enumerates cases of child abuse, which limits the regulatory freedom of States. By requiring explicit depiction, the authors of the Convention excluded audio files from its scope. The phrase “sexually explicit activity” should be understood as, at a minimum, real or simulated: sexual intercourse between minors, and between minors and adults, of the same or opposite sex, bestiality, masturbation, indecent exposure, and masochistic or sadistic abuse in a sexual context. The age of sexual maturity, also adopted in Article 9, paragraph 3 of the Convention, is 18 years, although a Party may impose a lower age requirement, which, however, cannot be less than 16 years. The acquisition and possession of child pornography are punishable. The creators of the convention believed that possession of child pornography stimulates demand for this type of material. They considered imposing criminal liability on each participant, from production to possession, to be an effective way to curb the production of child pornography. Offenses concerning child pornography are found in Article 202, paragraphs 3-5 of the Penal Code. The perpetrator’s conduct under Article 202, paragraph 3, constitutes the production, recording, or importing of pornographic content involving minors for the purpose of dissemination, as well as their possession, storage, and presentation. This is a directed offense. The case of lack of a purpose for dissemination is regulated by the next paragraph. Paragraph 4b, however, extends the prohibition to content depicting a manufactured or processed image of a minor.
A manufactured image includes all pornographic content depicting an unrealistic image of a child, e.g., a drawn image. A processed image, on the other hand, should be understood as both adults disguised or dressed as a minor, as well as unrealistic images of adults whose image has been similarly processed. Paragraph 4c, however, makes it illegal to view such content for the purpose of sexual gratification. This constitutes a specific offense. The offense covers media containing pornographic content, i.e., specific products intended to induce sexual gratification or arousal in the recipient. All of these are formal offenses.

The next prohibited acts are infringements of intellectual property rights. If these are not the most common crimes committed online, they are certainly among the most common, particularly when it comes to copyright infringement. Copying and distributing protected works online without the copyright holder’s consent is an extremely common, easy, and large-scale phenomenon, which has necessitated the creation of regulations supporting international cooperation in this area. The Convention requires the criminalization of:

– copyright infringements as defined in the law of a Party in accordance with its obligations under the Paris Act of 24 July 1971 amending the Berne Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, excluding moral rights as provided for by those Conventions, when committed intentionally, on a commercial scale and by means of a computer system, and

– infringements of related rights as defined in the law of a given Party, in accordance with its obligations under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organizations concluded in Rome (the Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, excluding moral rights provided for by these conventions, when committed intentionally, on a commercial scale and by means of an information system.

Parties may, provided this does not violate their international obligations, stipulate that criminal liability is not imposed for such infringements as long as other effective remedies, such as civil or administrative remedies, are available.

Criminal liability for the offenses discussed under Polish law is regulated in Articles 115-123 of the Copyright and Related Rights Act. The Act places particular emphasis on protecting the right to authorship, the integrity of the work, and artistic performance. However, due to difficulties in determining whether a given intellectual product is actually a work, problems arise in determining the exact scope of liability, thus creating a certain legal uncertainty. This raises the potential possibility of applying the exclusion or limitation of guilt under Article 30 of the Penal Code, according to which “a person who commits a prohibited act while being justifiably unaware of its unlawfulness shall not commit an offense; if the perpetrator’s error is unjustified, the court may apply extraordinary mitigation of punishment.” Handing over stolen goods in works, artistic performances, phonograms, and videograms is also punishable. Also punishable is the production, possession, storage, and use of “a device or its components intended for the unauthorized removal or circumvention of effective technical protection measures against the playback, recording, or reproduction of works.” This is only prohibited, meaning the perpetrator can be exempt from liability by demonstrating the intended use of the item for lawful purposes, which is difficult to verify. The aggravated type, applicable to each of these offenses, arises where the perpetrator treats the offense as a regular source of income or directs such activity. The final type of prohibited act is hindering or preventing control over the use of the work.

Title 5 of the Convention obliges signatories to criminalize aiding and abetting, which is by definition intentional, for all offenses contained in its provisions. The limitation to intentional acts was intended, among other things, to protect Internet service providers who are unable to thoroughly monitor all information transmitted over their networks. Attempts, however, should be criminalized only in certain cases, according to the Convention. This provision does not apply to: hacking; the production, sale, obtaining and possession of devices used to commit crimes; offering or making child pornography available via a computer system; obtaining and possessing child pornography via a computer system for oneself or another person; and offenses related to the infringement of copyright and related rights. Polish law does not differentiate between offenses, introducing a general principle of liability for aiding and abetting and for attempt in Articles 13 and 18 of the Penal Code.

Article 12 provides a basis for legal persons to be held liable for offences defined in the convention, committed for the benefit of that legal person by any natural person acting alone or as part of an authority, and having the authority to represent the legal person; the authority to make decisions on behalf of the legal person; or the authority to exercise internal control within the legal person. The above-mentioned persons are also liable for the lack of supervision that enabled the cybercrime to be committed. Depending on the traditions of a given country, liability may be criminal, civil, or administrative. However, it is always independent of the liability of the direct perpetrator. In Poland, there is the Act of 28 October 2002 on the Liability of Collective Entities for Criminally Prohibited Acts.

Penalties prescribed by national law implementing the convention’s provisions must be effective, proportionate, and deterrent. These may include imprisonment and, for legal entities, financial penalties.

Procedural law

The treaty obliges the parties to establish appropriate procedures for prosecution, which apply to:

– the offences established in accordance with Articles 2 to 11 of this Convention;

– all other crimes committed using an IT system; and

– the collection of evidence in electronic form relating to crimes.

These procedures must be proportionate and comply with the requirements of the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and respect the interests of third parties wherever possible. In particular, they should include: judicial or other independent review, justification for their use, and limitations on the scope and duration of such powers and procedures.

Within these limits, states should empower their authorities to ensure that network administrators secure specific data, including traffic data, that is sensitive to change or destruction. In Poland, the equivalent is Article 218a of the Code of Criminal Procedure, which states in paragraph 1: “Offices, institutions, and entities conducting telecommunications activities or providing services electronically, as well as digital service providers, are obligated to immediately secure, upon the request of a court or prosecutor, for a specified period, not exceeding 90 days, computer data stored in devices containing such data, on a carrier or in an IT system.” A court or prosecutor is authorized to make such a request in the form of an order. The order is delivered to the data subject and is appealable, which meets the convention’s requirement to protect individual rights. Offices, institutions, and entities conducting telecommunications activities are obligated. Requests for the security of computer data by individuals, even if they are relevant to a criminal trial, are excluded. Security must be limited solely to data necessary for the investigation and cannot exceed 90 days. Article 218, which allows investigators to correspond, also partially relates to the topic.

Further rights should include the ability to obtain data from their owner and also to obtain subscriber data from the internet service provider.

The authorities should also be given the power to search, or to access using similar methods, an IT system or part thereof and the IT data stored therein, and the medium used for storing IT data on its territory, as well as systems linked to that system in such a way that the data stored in the external system are freely available in the system originally searched.

Under the convention, investigators should also be able to secure or copy data from the system being inspected.

These provisions are reflected in Poland in Article 236a of the Code of Criminal Procedure, which extends the application of provisions regarding searches and seizures to include IT media (devices or the entire system), which are not evidence in themselves, but contain IT data that may constitute, but are not, an item. The obligated entities are: the disposer, i.e., the person authorized to dispose of the system, and the user, i.e., the person using the system.

The final right is the right to collect or record traffic data in real time using existing technical means within its territory, or to intercept the content of telecommunications communications—in other words, to conduct wiretapping. Alternatively, it should also be possible to compel a service provider to collect or record data using existing technical means within its territory, or to cooperate and assist the competent authorities in collecting or recording the same data.

States Parties have the right to limit the list of offences to which the above provisions apply, as well as in relation to a system with a closed group of users and cut off from other computer systems.

These provisions are found in Polish law in Chapter 26 of the Code of Criminal Procedure, which concerns telephone conversations and applies accordingly to other technical means. In accordance with the convention, it lists approximately 20 serious crimes justifying the use of wiretapping: murder, human trafficking, various forms of anti-state activity, weapons accumulation and counterfeiting, as well as war crimes. The act must be necessary to achieve the statutory objective, essential to resolving the subject matter of the proceedings, and adequate, meaning proportionate and subject to judicial review. The legal qualification adopted in the decision initiating preparatory proceedings is decisive for assessing the admissibility of ordering surveillance and recording content. A wiretap may only be ordered by a court at the prosecutor’s request (by order within five days of the request – a preclusive period according to Hofmański; there is a different view), except in urgent cases where obtaining a court order to order wiretapping would prevent or significantly impede the acquisition of evidence of criminal activity. The scope of the initial court authorization may be expanded.

A given state’s jurisdiction applies where the offense is committed within its territory; or on board a vessel flying the flag of that Party; or on board an aircraft registered under the laws of that Party; or by one of its nationals, if the offense is punishable under the law of the place where it was committed or if the offense was committed outside the territorial jurisdiction of any state. Jurisdiction also exists when extradition is impossible. Exceptions to these rules must be strictly defined. Article 5 and Chapter XIII of the Penal Code essentially repeat the provisions of the Convention. Article 112 of Chapter XIII extends them even further, allowing for the punishment of a foreigner for an offense detrimental to the interests of the Republic of Poland, a Polish citizen, a Polish legal person, or a Polish organizational unit without legal personality, or in the case of an act of terrorism.

The Parties shall cooperate, in accordance with the provisions of this Chapter and with relevant international instruments, to the widest extent possible, for the purpose of investigating and prosecuting offences relating to computer systems and data or for the purpose of collecting evidence in electronic form relating to offences.

Extradition is possible between two parties to the convention, provided that the offences are punishable under the law of both parties by imprisonment of at least one year or more, unless another treaty in force between the same parties, in particular the European Convention on Extradition (ETS No. 24), establishes a different minimum penalty. The convention itself can be equivalent to an extradition treaty if the national law of the requested party to which the extradition is subject requires such an agreement and no treaty is in force between the requesting and requested states. However, this is merely a possibility, not an obligation. In Poland, the primary extradition treaty is the European Convention on Extradition of 1957. It applies to cases between the Republic of Poland and non-EU European states or Israel. In relations with EU Member States, the Council Framework Decision of 13 June 2002 on the European Arrest Warrant and the surrender procedures between Member States applies. The Polish Code of Criminal Procedure, in Chapters 64 and 65, which regulate extradition, does not contain an absolute requirement for a minimum sentence. Because the Convention was ratified with consent granted by statute, it can apply directly. The provision of Article 24, paragraph 1, letter b, establishing the aforementioned requirement is sufficiently clear, precise, and unconditional to be applicable independently. Article 604, paragraph 1, item 5, prohibits the extradition of a person to a foreign state if it would be contrary to law, so based on an appropriate interpretation, it can be assumed that the minimum sentence requirement applies. Regarding the grounds for refusal in general, Polish law divides them into relative and absolute grounds in the aforementioned article. Absolute grounds are listed in the following closed catalogue:

– taken into account at the time of extradition, the perpetrator’s Polish citizenship and the exercise of the right to asylum in Poland. In accordance with European law, at least in some cases, citizens of Member States permanently residing in another Member State should also be treated as citizens, as well as foreigners who do not enjoy the right of asylum in Poland, if the extradition would involve a violation of human and civil rights and freedoms. If a request for the extradition of a citizen of a Member State is submitted by a third country with which the Member State of residence has concluded an extradition agreement, that Member State should notify the Member State of which the person is a national and, if appropriate, at the request of the latter Member State, surrender the citizen to it in accordance with the provisions of the Framework Decision, provided that the latter Member State has jurisdiction under its national law to prosecute the person for acts committed outside its territory. This obstacle is overridden by international obligations, although the Budapest Convention allows for the refusal of extradition on grounds of nationality, while at the same time obliging the State to punish its citizen for an offence committed abroad.

– double criminality of an act – an obstacle occurs when the Polish legislator does not prohibit a given conduct under penalty as a crime or as a fiscal crime, as well as when failure to meet this requirement is a consequence of committing the act under conditions of contraindication or excusable error, and, moreover, of committing the act by a person protected by material immunity.

– statute of limitations – statute of limitations for the punishability of an act or statute of limitations for the execution of a legally binding sentence under Polish law

– the ne bis in idem principle, which means that a person cannot be extradited to a foreign country that is not a member of the EU if a final judgment has been issued in Poland or in any other EU Member State regarding the same act committed by the same person. This is based on the identity of the event that constitutes the basis for the person’s liability, not the identity of the legal classification. This does not apply to judgments in Member States, as they are mutually recognized. However, the legal inadmissibility of extradition does not arise from the fact that the case is pending.

– the already mentioned inconsistency of the issue with Polish law, i.e. the entirety of generally applicable law: the constitution, ratified international agreements, acts, etc.

– fear of the death penalty being imposed or carried out, and the fear that the freedom and rights of the extradited person may be violated in the country requesting extradition

– committing a non-violent crime for political reasons

The Republic of Poland has the right to refuse extradition when (open catalogue):

– the person to whom the application relates has a permanent place of residence in the Republic of Poland – This basis for refusing extradition applies to foreigners or stateless persons who have a permanent place of residence in Poland, defined according to the Civil Code: “The place of residence of a natural person is the locality where that person stays with the intention of staying permanently.”

– the offence was committed on the territory of the Republic of Poland or on a Polish vessel or aircraft – because the adjudication of the perpetrator’s liability for the offence committed falls within the jurisdiction of Polish criminal courts

– criminal proceedings are pending for the same act by the same person – as in the case of a final judgment

– the crime is subject to private prosecution;

– under the law of the state that submitted the request for extradition, the offence is punishable by imprisonment for up to one year or a less severe penalty, or such a penalty has been imposed;

– the crime for which extradition is requested is a military or fiscal crime, or a political crime but without the use of violence

– the country that submitted the request for extradition does not ensure reciprocity in extradition matters

International cooperation

The Parties are to provide each other with the greatest possible mutual assistance for the purpose of conducting proceedings relating to cybercrimes, or for the purpose of collecting electronic evidence relating to criminal offences. As a general rule, mutual legal assistance is subject to the conditions set out in the domestic law of the requested Party or in applicable mutual legal assistance treaties, including the grounds for refusal. In addition to domestic law, possible grounds for refusal include: a threat to its sovereignty, security, public order, or other fundamental interests, as well as investigative and operational activities, and the fact that the crime of which the person who is the subject of the extradition request is suspected is a political or politically related offense. Under legal assistance, the parties may also share information without a request, but subject to confidentiality or limitations on the use of such information. Assistance is provided through central authorities designated by national governments. In Poland, this is the Ministry of Justice. In urgent cases, requests may be sent directly to the authority of the requested party, bypassing the intermediation of a national authority. In Poland, these matters are primarily regulated by Chapter 62 of the Code of Criminal Procedure and the Act of 16 September 2011 on the exchange of information with law enforcement authorities of European Union Member States, third countries, European Union agencies, and international organizations, which essentially replicate the provisions of the Convention.

A Party may request the other Party, along with a justification, to order or obtain the immediate preservation of data stored in a computer system located in the territory of the other Party for which the requesting Party intends to submit a request for mutual assistance. This may include a requirement of dual criminality.

If, while securing traffic data, the requested country discovers that the data intermediary operates in another country, it is obliged to immediately inform the requesting country, enabling it to track the “path” of the attack.

The next article regulates classic assistance in the search and seizure of data (e.g., a server) at the request of another State Party. The requested Party is obligated to comply with the request in accordance with all applicable international law that may prevent its execution, for example, by providing for procedures other than those in the Convention.

Article 32 allows law enforcement authorities of one country to directly access data stored in another country in two cases: when the data is publicly available, or when the voluntary and lawful consent of the person entitled to disclose the data (e.g. the account user) has been obtained.

States also undertake to assist each other in collecting traffic data and intercepting data transmissions in real time, to the extent permitted by their national law.


Each Party shall designate a point of contact, available 24 hours a day, 7 days a week, to provide immediate assistance for the purpose of conducting investigations or proceedings relating to offences involving computer systems and data, or for the purpose of collecting electronic evidence relating to offences. This assistance shall include facilitating or, where permitted by domestic law or practice, directly implementing the following measures:

– providing technical advice;

– data security or disclosure;

– collecting evidence, providing information about the law and locating suspects.

First Additional Protocol

Already at the beginning of the Convention’s operation, its parties realized that it unfortunately omitted a significant portion of prohibited acts committed online—racist and xenophobic acts. Negotiations began in 2001 on an additional protocol to the Convention. It was opened for signature in January 2003. To date, 37 countries have ratified it, and another 10 have only signed it. The United States is a significant country that has refused to sign due to its tradition of freedom of expression. The additional protocol expands the scope of the Convention to include crimes of spreading racism and xenophobia committed online. It strengthens cooperation among Council of Europe member states in this regard.

According to the definition in the Protocol, racist and xenophobic material means any written material, any image or any other expression of ideas or theories that advocates, promotes or incites hatred, discrimination or violence against any person or group of persons based on race, color, national or ethnic origin, as well as religion if it is used as a pretext for any of the conduct referred to in the act.

The Protocol provides for the following offences:

– publicly making racist and xenophobic materials available on computer systems, unless the materials advocate, promote or incite discrimination that is not associated with violence or hatred, provided that other effective measures exist, or national legal traditions on freedom of speech prevent criminalization

– making punishable threats of a racial or xenophobic nature transmitted via computer systems,

– public insults of individuals on racist or xenophobic grounds, carried out using computer systems. It is possible to stipulate the condition of exposure to hatred, insult, ridicule, or even a clean criminal record.

– publicly sharing, via computer systems, materials that deny or belittle people’s rights on a racist or xenophobic basis, or that glorify or justify crimes of genocide or other crimes against humanity, as defined by relevant international law and established by the judgments of the Nuremberg Tribunal or another international court. It is possible to stipulate the requirement of intent to incite hatred, discrimination or acts of violence against an individual or group, or even a clean criminal record.

– aiding or abetting in the commission of any of the above prohibited acts

The following, among others, apply to the Protocol: definitions from the Convention, liability of legal persons, rules on penalties, jurisdiction.

Polish law provides for one crime exclusively related to racist and xenophobic acts. It concerns Article 257 of the Penal Code: “Whoever publicly insults a group of people or an individual because of his or her national, ethnic, racial or religious affiliation or because of his or her lack of religious beliefs, or for such reasons violates the bodily inviolability of another person, shall be subject to the penalty of imprisonment for up to 3 years.” The conduct may consist of “publicly insulting a group of people or an individual” or “violating the bodily integrity of another person.” “Insult,” as in Article 216, is a display of contempt that expresses a more profound negative attitude towards the value of a person than disrespect. The perpetrator’s conduct must be public in nature, meaning it should be carried out in such a way as to reach a wide, unspecified circle of people. It may be committed by publicly sharing materials on a computer system. Violation of bodily integrity is interference with a person’s body, for example, by hitting, spitting, or kicking. The perpetrator commits the act because of the national, ethnic, racial, or religious affiliation of the person concerned, or because of their lack of religious beliefs, meaning they act in a targeted manner, i.e., with direct intent. This provision constitutes lex specialis in relation to Articles 216 and 217 of the Penal Code. Article 55 of the Act on the Institute of National Remembrance is also related to the protocol. “Whoever publicly and contrary to the facts denies the crimes referred to in Article 1, point 1, shall be subject to a fine or imprisonment for up to 3 years. The judgment shall be made public.” It penalizes denying crimes identical to those referred to in Article 6 of the Protocol. The doctrine indicates that the perpetrator commits an offense only when they are aware that the facts they deny have been established beyond a doubt.
After the amendment to the Act, the provisions penalizing diminishing the truth disappeared. The remaining offense, i.e., threats, is penalized under the general type of Article 190 of the Penal Code.

Second Additional Protocol

To complement the Convention and the First Protocol, a Second Protocol on Enhanced Cooperation and Disclosure of Electronic Evidence was also adopted and accepted, although Poland has not yet acceded to it. The reasons cited for its development include the increasing use of information and communication technologies, including internet services, the growing threat to democracy and the rule of law, which many states also consider a threat to human rights, the growing number of cybercrime victims, and the importance of pursuing justice for these victims. It also aims to provide internet users and providers with certainty regarding the rights that may apply to them.

Between the Parties, the provisions of the Second Protocol are to be applied to the conduct of special investigations and criminal proceedings in cases of offences related to computer systems and data, and to the collection of electronic evidence relating to offences. Between those Parties to the Second Protocol that are also Parties to the First Protocol, the provisions of the Second Protocol are to be applied to the conduct of special investigations and criminal proceedings in cases of offences established in accordance with the First Protocol.

The Protocol uses the Convention definitions as well as a number of specific definitions. Thus:

– “competent authority” means a judicial, administrative or other law enforcement authority empowered under national law to order, approve or undertake the execution of measures under this Protocol;

– “emergency situation” means a situation in which there is a significant and immediate threat to human life or safety;

– “personal data” means information relating to an identified or identifiable natural person;

– “Transmitting Party” means the Party transmitting data in response to a request or as part of a joint investigation team or the Party in whose territory the data transmission service provider or domain name registration service provider is located.

Under the Protocol, signatories are obligated to grant their authorities a number of powers, as well as to enable certain activities by other parties’ authorities within their territory. The first is the right to issue a request to an entity providing domain name registration services in the territory of another Party for information in that entity’s possession or control, in order to identify or contact the domain name registrant. There is no direct equivalent in the Polish legal system.

Another right is to issue a reasoned order, to be transmitted directly to a service provider in the territory of another Party, to require the disclosure of specific stored subscriber information held by the service provider, in the possession or control of that service provider, where the subscriber information is needed for the purposes of a special investigation or criminal proceeding. A Party may stipulate that requests executed in its territory must originate from a court or prosecutor, or from notification or consultation. This provision may also be wholly or partially waived due to constitutional requirements of the country in question.

National authorities should be empowered to issue an order, transmitted upon reasoned request to another Party, if that Party so provides to the designated authority, to compel a service provider in the territory of the requested Party to provide specified and stored subscriber information and traffic data held or controlled by that service provider that are necessary for the purpose of conducting special investigations or criminal proceedings in that Party. A Party may require additional information in requests addressed to it.

The Parties are obligated to ensure that a 24/7 network point of contact can transmit a reasoned request to, and receive one from, a point of contact in the territory of another Party, requesting immediate assistance in the prompt disclosure by a service provider in the territory of that Party of specific stored computer data held or controlled by that service provider, without the need to request mutual assistance. Application to requests involving only the disclosure of subscriber data may be excluded.

A Party may request mutual assistance in an expedited and appropriately secured electronic format if it determines that an emergency situation exists. A request issued under this Article shall include, in addition to other required elements, a description of the facts indicating the existence of the emergency situation and a description of how the requested assistance addresses that emergency situation.

In the absence of other relevant agreements, the Protocol also provides for the following solutions:

– examination of a witness via videoconference;

– joint investigation teams and joint investigations by agreement. A Party may require the central authority to be a signatory to such an agreement.

Regarding safeguards, the Protocol does not establish any additional safeguards to those provided for by the Convention. Instead, it establishes specific principles for regulating the protection of personal data. Personal data shall not be processed in a manner incompatible with the purposes of the Protocol, i.e., it shall be processed solely for the purpose of investigating and prosecuting cybercrime, if necessary, nor shall it be further processed unless permitted under the Party's domestic legal framework. A Party must ensure that personal data is accurate, complete, and up-to-date to ensure lawful processing, i.e., to avoid unnecessary processing that violates the rights of the data subject. The processing of personal data revealing racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, genetic data, biometric data deemed sensitive due to the risks involved (e.g., facial data), or personal data concerning health or sexual life shall only be carried out with appropriate safeguards to prevent the risk of unjustified harmful impact of the use of such data, in particular against unlawful discrimination.

Each Party shall retain personal data only for as long as is necessary and appropriate for the purposes of the data processing. Decisions that have significant adverse effects on the relevant interests of a data subject may not be based solely on automated processing of personal data, unless permitted by national law and appropriate safeguards, in particular the possibility of human intervention, are in place. Each Party is also obliged to implement appropriate technological, physical, and organizational measures to protect personal data, in particular against loss or accidental or unauthorized access, disclosure, alteration, or destruction, and to inform the other Party of any potential threat to it, unless this would threaten the national or public security of the Party. Cooperation takes place through the previously mentioned central authorities designated to facilitate international cooperation. Similarly, information must be provided to the individual at risk.

Each Party must maintain records or otherwise demonstrate how personal data is accessed, used, and disclosed in a given case. Any other authority to which the data is disclosed or transferred must comply with all rules relating to personal data processing. The transferring party has the right to some control over the processing of transferred data, such as the ability to request information or consultation, as well as to consent to the transfer of data to non-signatory countries or to an international organization.

Parties processing data are obligated to provide, generally or personally, information on: the legal basis and purpose of processing, the retention or review period (if required by domestic law), the recipients or categories of recipients to whom the data are disclosed, the possibilities of access or rectification, and the available legal remedies. A written or electronic copy of the records maintained on the individual must be made available, along with the information listed in the preceding sentence. Parties are obligated to facilitate the rectification of inaccurate data. Both of these rights may be limited for reasons of public interest. Judicial and non-judicial remedies are necessary, as well as the existence of a data processing supervisory authority.

A Party may suspend the transfer of personal data to another Party if it has substantial evidence that the other Party is systematically or substantially violating the terms of this Article or that a substantial breach is imminent. Refusal must be justified and preceded by appropriate consultations. Transfers can be suspended immediately only on a temporary basis.

Due to the lack of ratification, Poland does not have provisions corresponding to the Protocol.
