Cybercrime Law
The Cybercrime Law, approved by Law No. 109/2009, of 15/12, amended by Law No. 79/2021, of 24/11, transposed into the internal legal order Framework Decision No. 2005/222/JAI of the Council of the European Union, relating to attacks against information systems, and adapted domestic law to the Convention on Cybercrime of the Council of Europe, signed on 23/11/2001, in Budapest, with entry into force in the international order on 01/07/2004 and on 01/07/2010 in Portugal [Approved by Resolution of the Assembly of the Republic No. 88/2009, of 15/09 and ratified by Decree of the President of the Republic No. 91/2009, of 15/09. At the time of ratification, Portugal made the following reservation to Article 24, No. 5: Portugal will not grant extradition of persons: a) Who are to be tried by a court of exception or serve a sentence decreed by such a court; b) When it is proven that they are subject to a process that does not offer legal guarantees of a criminal procedure that respects the conditions internationally recognized as indispensable for the safeguarding of human rights, or that they serve the sentence in inhuman conditions; c) When claimed for an offense that corresponds to a penalty or security measure with a perpetual character. Portugal only admits extradition for a crime punishable with a custodial sentence of more than one year. Portugal will not grant extradition of Portuguese citizens. There is no extradition in Portugal for crimes that correspond to the death penalty according to the law of the requesting State. Portugal only authorizes transit in national territory of a person who is in the conditions in which his extradition can be granted. The Additional Protocol to the Convention on Cybercrime Relating to the Criminalization of Racist and Xenophobic Acts Committed through Computer Systems, adopted in Strasbourg on 28/01/2003 (approved by Resolution of the Assembly of the Republic No. 91/2009, DR I, No. 179, of 15/09), is the instrument that develops it. Through Notice No. 97/2013, of 29/1, the Portuguese Republic made public that it deposited its instrument of ratification to the Convention].
The law in question, at the same time, repealed the previous legislation on the matter, namely, Law No. 109/1991, of August 17, called the Computer Crime Law.
As set out in Constitutional Court Ruling No. 687/2021, Process No. 830/2021, in Plenary, available at https://www.tribunalconstitucional.pt:
“Law No. 109/2009 was innovative, in that it instituted, for the first time, specific legal rules regarding the collection of evidence in electronic format. Until then, the investigation of crimes related to computing was done using the relevant norms, interpreted with the necessary adaptations, from the Code of Criminal Procedure.
With the approval of this law, the legislator sought to gather in a single diploma all the norms pertaining to computer crime: norms of substantive law, norms of procedural law and norms relating to judicial cooperation in criminal matters.
Thus, from a structural point of view, the Cybercrime Law contains introductory provisions and legal definitions, as well as a chapter dedicated to material penal norms, where various penal types specifically related to computer crime are enshrined; in addition, Law No. 109/2009 establishes, in an autonomous chapter, and as already mentioned, a set of norms of adjective nature (designated as “procedural provisions”), consecrating a series of new means of obtaining evidence. Finally, a chapter on international cooperation contains norms that complement the provisions of the Law of Judicial Cooperation in Criminal Matters.
Under the terms of Article 11 of the Cybercrime Law – the first normative provision contained in Chapter III – the procedural provisions therein are presented as being tendentially private in application to the crimes enshrined therein. However, as results from the provisions of the various subparagraphs of paragraph 1 of Article 11 of such a diploma, notably in its subparagraph c), and as it follows from Article 14, paragraph 2, subparagraph c), of the Budapest Convention on Cybercrime, those provisions are, in reality, applicable to any and all crimes, provided that the collection of evidence in electronic format is necessary. Thus, “the rules of probative law provided for in the diploma are not merely procedural norms on cybercrimes or even only related to crimes committed in computer systems, but correspond to a considerably more comprehensive regime on electronic evidence in criminal procedure applicable to any crime” (…). For this reason, an argument in the terms of which the criminal procedural norms contained in the Cybercrime Law would have the nature of exceptional norms, oriented towards the investigation of crimes of special offensiveness cannot proceed. Or, at least, the truthfulness of such an argument cannot be unequivocal, there being room for different interpretations, which allow the extension of the application of the regime provided for in Article 17 to other crimes, provided that the collection of evidence in electronic format is indispensable.
Indeed, the national legislator chose, when approving the Cybercrime Law, to consecrate norms of probative law of general spectrum in an extravagant diploma, instead of revising and adapting the CPP to the new times. (…).
Therefore, taking into account the processes of digitization and dematerialization that dominate contemporary society, the effective scope of application of the adjective norms of Law No. 109/2009 reveals itself to be substantially broader than it might appear at first analysis (…). In fact, evidence in electronic format will tend to be an omnipresent material reality in community life, even more so than was the case when the initial version of the questioned norms was approved; note, among many other factors of digital life increase, the increase in interactions between the State and citizens using the Internet, as well as the growth of teleworking, particularly in the pandemic scenario – and these examples constitute just two of the most recent manifestations of the extension to new domains of life in society of the aforementioned digitization and dematerialization.” – Sic.
Cybercrime, or computer crime, is a broad concept: it is the fact typified in the law as a crime that is committed through the use of a computer system [understood as any device or set of interconnected or associated devices, in which one or more of them develops, in execution of a program, the automated processing of computer data, as well as the network that supports communication between them and the set of computer data stored, processed, retrieved or transmitted by that or those devices, with a view to their operation, use, protection and maintenance]. It is the fact typified in the law as a crime in which the computer system is the object or instrument of the crime, or whose commission is significantly linked to the use of a computer system.
In turn, it is important to bear in mind that Law No. 79/2021, of 24/11, amends, among other acts, the Cybercrime Law, approved by Law No. 109/2009, of September 15, as already mentioned above, and creates new types of crime related to the counterfeiting of devices that allow access to systems and means of payment (including virtual currency).
In concrete terms, the following new types of crime are created, applicable to individuals and legal entities:
a) Counterfeiting of cards or other payment devices, punishable by a prison sentence of 3 to 12 years;
b) Use of counterfeit cards or other payment devices, punishable by a prison sentence of 1 to 12 years;
c) Acquisition of counterfeit cards or other payment devices, punishable by a prison sentence of 1 to 5 years;
d) Preparatory acts of counterfeiting, punishable by a prison sentence of 1 to 5 years;
e) Acquisition of cards or other payment devices obtained through computer crime, punishable by a prison sentence of 1 to 5 years.
The penalties provided for the mentioned crimes can be aggravated under the terms of Article 3 F of the aforementioned legal diploma.
The new crimes will have an impact on the assessment of suitability for the exercise of certain professions and functions (judicial administrator, lawyer, solicitor, enforcement agent, notary, trusted service providers, business recovery mediator, members of the bodies of IPSS, the board of the Pension Fund for Lawyers and Solicitors and the associative bodies of mutual associations).
The law also makes changes to the crimes of computer and communications fraud, abuse of guarantee card or credit card (“abuse of guarantee card or card, device or payment data”) and money laundering, provided for in the Penal Code.
In the context of cybercrime, it is also important to bear in mind the Penal Code, Law No. 58/2019, of August 8 (Personal Data Protection Law), Law No. 15/2001, of June 5 (General Regime of Tax Infractions), DL No. 252/94, of October 20 (regarding the Legal Protection of Computer Programs) and DL No. 63/85, of March 14 (Code of Copyright and Related Rights), DL No. 7/2004, of 07/01 (E-Commerce in the Internal Market and Processing of Personal Data), Law No. 32/2008, of 17/07 (Conservation of Data Generated or Processed in the Context of Offering Electronic Communications Services), DL No. 123/2009, of 21/05 (Construction, Access and Installation of Networks), DL No. 34/2023, of 23/05 (Cyber Academy and Innovation Hub – CAIH), DL No. 39/2015, of 16/02 (Statutes of the National Communications Authority), DL No. 12/2021, of 09/02 (Electronic Identification and Trust Services for Electronic Transactions), Law No. 16/2022, of 16/08 (Law of Electronic Communications), Law No. 41/2004, of 18/08 (Protection of Personal Data and Privacy in Telecommunications), DL No. 122/2000, of 04/07 (Legal Protection of Databases), Law No. 46/2018, of 13/08 (Legal Regime of Cybersecurity), DL No. 65/2021, of 30/07 (Regulates the Legal Regime of Cybersecurity), Regulation (EU) No. 679/2016, of April 27 (General Regulation on Data Protection (GDPR) of the European Union (EU)), Law No. 18/2024, of 05/02 (Regulates access to metadata related to electronic communications for criminal investigation purposes, amending Law No. 32/2008, of July 17, which transposes into the internal legal order Directive 2006/24/EC, of the European Parliament and of the Council, of March 15, on the conservation of data generated or processed in the context of the offer of publicly available electronic communications services or public communications networks, conforming it with the Constitutional Court Rulings Nos. 268/2022 and 800/2023, and the Law of the Organization of the Judicial System).
© LC - M. Amélia Cruz - All rights reserved