Bruno Calabrich (Public Prosecutor (Brazil) | PhD candidate at the University of Brasília (UnB).)
Cybercrime is a growing issue in today’s digital age, with criminals taking advantage of the interconnectedness and dependency on technology for personal and organizational activities. Cybercrime is not a new problem and has been addressed by the Council of Europe with the Budapest Convention on Cybercrime in 2001, which entered into force in 2004 after ratification by five Council member countries. This international treaty was conceived to serve as a framework for nations to coordinate and cooperate in the investigation, prosecution, and prevention of cybercrime. As highlighted in its preamble, the Convention recognizes the crucial importance of establishing common criminal law and criminal procedural law in order to facilitate “detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation”.[1] Chang and Grabosky point out that “the Budapest Convention is the first and only international convention to encourage harmonization of cyber laws and regulations, and to build cooperation among nations in controlling cybercrime”.[2] In its core fundamentals, Member States commit to work together to provide quick and effective responses to cyber-attacks, exchange information on emerging threat trends and assist each other in investigating cross-border criminal activities.
Brazil, as a leading South American country in terms of technological advances and digital economy, has also recognised the importance of addressing these issues. Indeed, after a long period in which little importance was given to the topic (particularly when compared to the European tradition), Brazilian legislation has shown significant advances in several matters related to digital law, cybercrime and personal data protection in recent years. Its main normative milestones are Federal Statute No. 12.737/2012,[3] which “establishes the criminal typification of cybercrimes” – also known as the “Carolina Dieckman Act” –, Federal Statute No. 12.965/2014[4] – the Brazilian Internet Civil Rights Framework –, and Federal Statute No. 13.709/2018[5] – the Brazilian General Data Protection Act (“Lei Geral de Proteção de Dados Pessoais”, or LGPD). In Brazilian Courts, there have also been important decisions, such as the ruling by the Federal Supreme Court (STF) on ADC (“Ação Direta de Constitucionalidade”, a declaratory lawsuit of constitutionality of federal laws or normative acts) no. 51,[6] in February 2023, which confirmed the validity of court orders issued in the interest of criminal investigations for technology companies running internet applications in Brazil, even when the requested data is stored on servers located abroad. Prior to that, in May 2020, the STF, in the judgment of ADI (“Ação Direta de Inconstitucionalidade”, a direct lawsuit of unconstitutionality of federal or state laws or normative acts), no. 6387 MC-Ref/DF, recognized for the first time the protection of personal data as an autonomous fundamental right, not explicitly stated, but inferred from an integrated reading of several provisions of the Brazilian Constitution.[7] This decision prepared the grounds for the enactment of Constitutional Amendment no. 115/22, in February 2022, which expressly included the protection of personal data in the wording of the Constitution among the fundamental rights and guarantees.[8]
Public debate on the protection of personal data and cybercrime was the backdrop upon which, in 2021, the Brazilian Senate decided to ratify the Budapest Convention. [9] On 12 April 2023, the Brazilian President signed the corresponding legislative decree,[10] by which Brazil finally adopted, to full effectiveness – that is, for internal and external affairs – the Council of Europe Convention on Cybercrime. This was also the result of years of pleading, by academics[11] and authorities, such as the Brazilian Federal Public Prosecutor’s Office. [12] It is worth mentioning that the former Attorney General was one of the first police authorities to emphasize the importance of ratifying the international treaty, in a letter sent to the Ministry of Foreign Affairs in 2006.
The Convention is neither perfect nor immune to criticism, but it is mostly defended in Brazil as a necessary instrument to fight cybercrime and for international cooperation. The final part of the vote of Justice Gilmar Mendes in the judgment of ADC 51, of which he was rapporteur, is illustrative of this, when he expressly praised the accession to the Budapest Convention “as an important initiative of the Brazilian State”.[13]
By signing the Budapest Convention, Brazil joins over 60 countries – as of today, precisely 68 countries are parties to the Convention and 20 others have signed or been invited to accede.[14] With its participation now ensured by the adoption of the Budapest Convention, Brazil can further bridge regulatory loopholes related to cybersecurity governance domestically, while complying with international commitments towards coordinated efforts against transnational crimes.
The Budapest Convention is over 20 years old now and there have undeniably been immense changes in society and technology in the years since then. The Convention, for example, precedes the large-scale use of social media, with all its associated problems and challenges, for which there are no specific provisions. These circumstances are currently inspiring the United Nations’ attempt to propose its own convention on cybercrime,[15] which has been under discussion since 2019.[16]
Although Brazil’s ratification of the Budapest Convention occurred much later than most developed countries, this landmark decision is expected to contribute to advances in legislation and in the practices of prevention and prosecution bodies. Moreover, with the new legal framework adopted, it is expected that citizens and private sector companies will also join forces and commit to collectively fight cybercrime.
[1] Council of Europe, The Budapest Convention (ETS No. 185) and its Protocols. Available at:https://www.coe.int/en/web/cybercrime/the-budapest-convention.
[2] Lennon YC Chang and Peter Grabosky, “The governance of cyberspace”, in Regulatory theory: foundations and applications, ed. Peter Drahos (Canberra: The Australian National University Press, 2017), 533. Available at: https://library.oapen.org/bitstream/handle/20.500.12657/31596/1/626829.pdf.
[3] Brazil, Law No. 12.737, 30 November 2012. Available at: https://www.planalto.gov.br/ccivil_03/_ato2011-2014/2012/lei/l12737.htm.
[4] Brazil, Law No. 12.965, 23 April 2014. Available at: http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm.
[5] Brazil, Law No. 13.709, 14 August 2018. Available at: https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm.
[6] STF, “Autoridades nacionais podem requisitar dados diretamente a provedores no exterior, decide STF”, February 23, 2023. Available at: https://portal.stf.jus.br/noticias/verNoticiaDetalhe.asp?idConteudo=502922&ori=1.
[7] STF, “Ação Direta de Inconstitucionalidade 6387 MC-REF/DF”, 7 May 2020. Available at: https://redir.stf.jus.br/paginadorpub/paginador.jsp?docTP=TP&docID=754357629.
[8] Brazil, Constitutional Amendment no. 115, of 10 February 2022. Available at: http://www.planalto.gov.br/ccivil_03/constituicao/emendas/emc/emc115.htm.
[9] Brazil, “The Federal Senate approves the Budapest Convention on Cybercrime”, Press Release no. 178, December 17, 2021. Available at: https://www.gov.br/mre/en/contact-us/press-area/press-releases/the-federal-senate-approves-the-budapest-convention-on-cybercrime.
[10] Brazil, Decree No. 11.491, of 12 April 2023, which enacts the Convention on Cybercrime, signed by the Federative Republic of Brazil, in Budapest, on November 23, 2001. Available at: http://www.planalto.gov.br/ccivil_03/_ato2023-2026/2023/decreto/D11491.htm.
[11] Bruno Calabrich and Alexandre Veronese, “Crimes na internet e o Brasil no cenário de cooperação jurídica internacional”, Jota, April 24, 2021. Available at: https://www.jota.info/opiniao-e-analise/colunas/judiciario-e-sociedade/crimes-na-internet-e-o-brasil-no-cenario-de-cooperacao-juridica-internacional-24042021.
[12] Brazil; Federal Public Prosecutor’s Office, “Brasil aprova adesão à Convenção de Budapeste, que facilita cooperação internacional para combate ao cibercrime”, December 23, 2021. Available at: https://www.mpf.mp.br/pgr/noticias-pgr/brasil-aprova-adesao-a-convencao-de-budapeste-que-facilita-cooperacao-internacional-para-combate-ao-cibercrime
[13] Besides the accession to the Budapest Convention, which should be praised as an important initiative of the Brazilian State, it is also worth mentioning, as an example, the Clarifying Lawful Overseas Use of Data Act, called CLOUD Act, in the United States, as well as the proposals for negotiations of the e-Evidence Regulation, also in the European Union. See Brazil, “Ação Declaratória de Constitucionalidade 51 Distrito Federal – ADC 51/DF”. Available at: https://www.conjur.com.br/dl/adc-51-voto-ministro-gilmar-versao-lida.pdf.
[14] Council of Europe, “Parties/Observers to the Budapest Convention and Observer Organisations to the T-CY”. Available at: https://www.coe.int/en/web/cybercrime/parties-observers.
[15] United Nations, “Ad Hoc Committee to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes”. Available at: https://www.unodc.org/unodc/en/cybercrime/ad_hoc_committee/home.
[16] United Nations, “Resolution adopted by the General Assembly on 27 December 2019 – Countering the use of information and communications technologies for criminal purposes”, A/RES/74/247. Available at: https://digitallibrary.un.org/record/3847855?ln=en.
Picture credits: by Mati Mango on Pexels.com.