International review of criminal policy - Nos. 43 and 44/Transborder search of computer data banks

C. Transborder search of computer data banks

261. One very specific transborder situation in relation to computer-related offences deserves particular attention. Within the international economic environment, in particular within multinational corporate structures, data are often stored centrally in one country (e.g. where headquarters are located), with on-line access available to company partners (e.g. subsidiary corporations) operating in the territory of other countries.

262. Criminal investigations in such situations are presented with the problem of how to retrieve the data, as potential evidence, that are stored abroad, when investigating by means of on-line access to that data. The question arises whether the investigating authorities may penetrate the database by direct access, without the intervention, knowledge or agreement of the State in which the data are located. Urgent situations compelling the preservation of evidence may require that data be made readily available or, at least, that they be seized and blocked, thereby securing their evidential value. A suspect with sufficient speed and expertise in the access to and the functioning of the system could otherwise interfere with the data and make them unavailable by, for example, erasing them or transmitting them to another data bank.

263. Traditional means for cooperation between States in criminal cases do exist, in the form of conventional mutual assistance agreements, particularly the procedure of the letters rogatory. This procedure, however, by which a State is requested to undertake an investigation on its own territory on behalf of the investigating State, is highly time-consuming. The investigation of crime in the computer environment requires quicker, more efficient action. Another problem arises when a person, natural or legal, is compelled by the investigating State to produce data located in another State, whether or not they are available by on-line access, even though under the law of the State of storage that person is obliged to secrecy.

264. There is no unanimity today on the solution to these problems. However, the view that the deliberate investigation of on-line data constitutes a violation of the sovereignty of the other State is probably correct, whether it is done by the investigating authorities from the premises of the suspect or from their own terminals. In fact, such access might even be considered in the other State as a form of computer crime, such as unauthorized access.

265. The only explicit rule in international public law relevant to this situation seems to be the non-intervention principle, which historically has been applied only when foreign agents have operated physically on a State's territory. Nevertheless, the direct penetration of data banks appears very similar to acts of physical intervention by official foreign agents. The analogy is strengthened if the acts of penetration also constitute an offence in the other State. However, some people will probably resist the analogy and accept the legality of this penetration.

266. There is a definite need to address these questions, which are indeed not hypothetical ones, and to find solutions that balance the requirement of quick action with the appropriate respect for the sovereign rights of the other State in matters of police or investigatory action within its territory. States could, therefore, strive to conclude agreements that make direct penetration acceptable only as an exception. Any exception should, in addition, be subject to a number of stringent conditions, such as the following:

1. The freezing of data, by which any further operation on the data is rendered impossible, would be permissible only for preserving the data for evidentiary purposes;
2. The use of this evidence in the investigating State would be subject to the explicit consent of the State where the evidence was stored;
3. The right to penetrate data banks directly would be limited to serious offences only;
4. Sufficient indication must exist that the usual method of mutual assistance would, for lack of rapidity, compromise the search for evidence;
5. Upon commencement of the investigation, a duty would be imposed to immediately inform the authorities of the State being investigated.

267. The problem of on-line transborder searches of computerized data has not been adequately addressed so far. By virtue of not being cooperative acts, such actions do not fall within the traditional category of mutual assistance in criminal matters. However, the appropriate solution is not to view States as having a complete unilateral freedom to act, provided there is no violation of the non-intervention principle by physical interference. This potential area of conflict between States could be solved by a solution based on the principles mentioned above.