- I. General
- II. Access to publicly available data stored in another contracting state ("open source") (lit. a)
- III. Access to other data stored in another contracting state (lit. b)
- IV. Preservation of evidence beyond Art. 32 CCC according to the access principle.
- V. Consequences of the Violation of Foreign Sovereignty Law
- VI. Need for Reform
- Bibliography
- Materials
I. General
A. Introduction, genesis, purpose, and critique.
1 Given the ever-increasing shift of communications to Internet services (such as email, social media, and Internet telephony) and the technological evolution away from local storage to "cloud computing," the investigative focus of law enforcement has also changed. Their work is becoming increasingly complex as a result of this shift of evidence to the digital world. This complexity is due, on the one hand, to the fact that data is volatile in nature, can easily be moved across borders (which can also be done automatically, for example, to improve the utilization of computer systems), and is accessible to encryption. On the other hand, leading providers of Internet services that can hardly be dispensed with (such as Google, Facebook or Meta, WhatsApp, X or Microsoft) usually operate from abroad (especially the USA) and offer their services from there to natural and legal persons in Switzerland, while their user data is stored abroad. As a result, investigating authorities regularly have to turn their attention beyond national borders, even in domestic cases. In EU member states, a cross-border request to obtain electronic data is already made in over 50 percent of all criminal investigations. This poses some challenges for law enforcement authorities, not least of an international law nature, since extraterritorial evidence gathering constitutes prima vista an interference with the sovereignty of the other state (see below, n. 10 ff.).
2 In this cross-border context, authorities must be provided with effective powers of intervention that enable them to secure the evidence necessary for domestic criminal proceedings. Meanwhile, mutual legal assistance as a traditional mechanism of international cooperation is considered inefficient and sluggish, especially when it comes to volatile data or data that can be moved, deleted, or manipulated without particular effort. Investigators usually do not know in which country the data is stored or, depending on the Internet service provider, in which country the data is stored at all, which means that at the time of access they can often neither judge whether they are crossing the "digital state border", nor can they see in which country mutual assistance is to be sought at all - and even if the investigators have identified a country, they need a minimum of information (e.g. a user account or an IP address) to justify a request for mutual assistance in a promising way, which can also prove difficult at times.
3 The need for cross-border preservation of evidence was already recognized in the 1990s, and on September 11, 1995 - at a time when today's technical possibilities were only foreseeable in some popular literature - the Council of Europe adopted Recommendation No. R (95) 13 on the problems of criminal procedure law in connection with information technologies. Its para. 17 reads as follows: "The power to extend a search to other computer systems should also be applicable when the system is located in a foreign jurisdiction, provided that immediate action is required. In order to avoid possible violations of state sovereignty or international law, an unambiguous legal basis for such extended search and seizure should be established. Therefore, there is an urgent need for negotiating international agreements as to how, when and to what extent such search and seizure should be permitted." In implementation of this recommendation, negotiations then began on a convention on cybercrime. The acceleration of international cooperation and the possible granting of cross-border powers in violation of the principle of sovereignty were among the key issues.
4 Article 32 of the Cybercrime Convention ("CCC"), which was ultimately adopted, permits access to data stored in other contracting states in two constellations, without the need for a request for mutual legal assistance addressed to the authorities of the other state: first, if publicly accessible data are involved (lit. a), and second, if the authorized person has given his consent to the access (lit. b). In other words, Art. 32 CCC allows in these cases a direct seizure of data stored abroad without first obtaining the consent of the state concerned and without having to go through the (rocky) legal assistance route before or after collection. The administrative ballast is completely eliminated, since the other state does not have to be informed about the collection of evidence. If the requirements of Art. 32 CCC are not met, namely if the authorized person does not cooperate, or if a collection is technically not possible or cannot be enforced for other reasons, then, in application of Art. 31 CCC, the ordinary legal assistance route must be taken as a subsidiary measure, if necessary combined with a request for immediate preservation of evidence within the meaning of Art. 29 CCC, if a loss of evidence threatens to occur.
5 In the consultation and legislative process for the implementation of the CCC in Switzerland, Art. 32 CCC did not give rise to any comments, despite the terms used therein that are subject to interpretation and the associated encroachment on sovereignty.
6 The thrust of Art. 32 CCC has not remained uncriticized elsewhere, on the one hand because of the accompanying abolition of the protection of fundamental rights guaranteed by territorial sovereignty, without the domestic authorities even becoming aware of such encroachments on fundamental rights. Art. 32 CCC allows uncontrolled foreign sovereign acts on the territory of the state, which interferes with the constitutional rights of the affected persons and third parties, and is disproportionate and sensitive, especially with regard to states with a clouded human rights situation. However, the facilitation of the collection of evidence in criminal proceedings associated with Art. 32 CCC is indispensable in the prosecution of crimes with a digital component: Our lives - and thus those of suspects - have become digital and increasingly do not take place in the digital space attributable to Swiss territory. It is true that most electronic devices today still have their own, often generous, local memory which, if the device can be seized in Switzerland, can be seized, searched (Art. 246 CrimPC) and confiscated (Art. 263 CrimPC) on the basis of the general rules of criminal procedure. The trend, however, is moving away from local storage to cloud-based or dislocal solutions, the storage location of which will be somewhere in the world, or at least only a fraction in Switzerland (with the exception of special industries such as banking and consulting). Communication nowadays also regularly takes place via social media and comparable Internet services, with the content sometimes not even being stored locally on the user's own device. By allowing the domestic law enforcement authorities of a contracting state, in particular, to request foreign Internet service providers to hand over data directly, avoiding the mutual legal assistance route (cf. below, n. 48, 55), Art. 32 CCC ensures, at least in part, that the substantive establishment of truth in the case of crimes with a digital component does not become entirely illusory.
7 On the other hand, law enforcement circles in particular consider Art. 32 CCC to be too restrictive: as the "lowest common denominator," Art. 32 CCC represents an ultimately unrevolutionary compromise. Discussions on the admissibility of cross-border evidence gathering beyond Art. 32 CCC failed, however, due to the lack of consensus within the Council of Europe. Even in the discussions that have continued since then, there has largely been no consensus, although the majority of states consider the transfer of evidence beyond national borders to be one of the central challenges of territorial state criminal prosecution. Even with the II. Nevertheless, it is to be permitted to request service providers abroad directly and without detour via mutual legal assistance to hand over registration information on domain names as well as inventory data (Art. 6 and 7 ZP II-CCC). Switzerland has not yet signed or ratified ZP II-CCC, which, according to sources in the Federal Office of Justice, is not expected to happen in the near future - on the one hand, because the new regulation would again affect the principle of sovereignty, and on the other hand, because discussions on this topic are being held at the level of the United Nations, which would have to wait. In fact, discussions on a United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes ("UN Treaty on Cybercrime") are at an advanced stage. However, the current draft, which is supported by the majority, does not provide for the cross-border collection of evidence, which is why it does not seem appropriate to wait until ZP II-CCC has been signed and ratified.
8 One step further than Art. 32 CCC is the recently adopted Regulation (EU) 2023/1543 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings of 12.7.2023 ("e-Evidence Regulation"), according to which judicial authorities of a Member State may request electronic evidence directly from a service provider in another Member State (Art. 1 para. 1 e-Evidence Regulation) and the service providers are legally obliged to hand over the data within 10 days or the set time limit (Art. 10 e-Evidence Regulation). Art. 32 CCC, on the other hand, relies on the voluntary nature of foreign service providers - if they do not comply with the request or do not comply completely, the mutual assistance route must be taken, even in the case of arbitrary, opaque or unfounded refusal to cooperate. Art. 18 para. 1 lit. b CCC at least provides that the Internet service provider that offers its services "in the territory of the contracting party" must hand over inventory data in connection with these services upon request. However, the Federal Supreme Court does not permit an order to disclose data to a foreign provider on the basis of Art. 18 para. 1 CCC, or at most considers such an order to be lawful if it is addressed to its Swiss branch, provided that the latter either possesses or controls the data.
9 The criticism of the limitations of Art. 32 CCC, which was voiced primarily in law enforcement circles, has become somewhat quieter in Switzerland. This is because the fact that the international community has so far failed to find a consensual solution has not prevented the Federal Supreme Court (probably for reasons of practicability, albeit in disregard of the principle of sovereignty) from also permitting transnational collection of evidence from data without the consent of the authorized persons, with implicit recourse to the so-called access principle (see below, n. 63 ff.).
B. International Law Foundation: Principles of Territoriality and Sovereignty (Art. 31 CCC) and their Breach (Art. 32 CCC)
10 The principle of territoriality represents a barrier to state action that is removed from sovereignty under international law. It not only serves to limit the applicability of domestic criminal law to foreign situations - although there are exceptions to this - but also limits state action to its own territory. The performance of official acts on foreign territory is not completely prohibited. However, unless such conduct is expressly permitted by international (mutual legal assistance) agreements, bilateral treaties or at least ad hoc authorizations, it constitutes an inadmissible encroachment on state sovereignty and may be punished accordingly under foreign law. Unauthorized official acts on foreign territory are also sanctioned under Swiss law (Art. 299 SCC; see also Art. 271 SCC). Evidence gathered in violation of the principle of territoriality may also not be used in domestic criminal proceedings (see below, n. 69 ff.).
11 In particular, "arbitrary acts of coercion and intervention on foreign territory" violate state sovereignty and are therefore contrary to international law. Thus, unless the legal assistance of the foreign state is used for this purpose, arrests of persons abroad by Swiss officials are inadmissible, as is the conduct of interrogations, the taking of visual examinations or the direct execution of judgments. The same applies, according to the Federal Supreme Court, to the sending of summonses to accused persons domiciled abroad, which may not be accompanied by threats of coercion, i.e. they are to be designed as mere invitations. It thus seems clear that the prosecution authorities may not physically collect evidence abroad or carry out procedural acts there without going through the legal assistance channel or without such acts being explicitly permitted in an agreement. Unauthorized house searches or the seizure and search of electronic devices or documents on foreign territory are thus undoubtedly prohibited.
12 Evidence-gathering situations in which the criminal authorities are not physically present on foreign territory but carry out investigative actions in Switzerland that affect the foreign territorial sovereignty are no different. This includes, for example, the observation of persons on the German side of the Rhine by Swiss police officers from Schaffhausen, as well as the video interrogation of a defendant abroad by a Swiss court. Such conduct also violates international law, since its effects are equivalent to an act of sovereignty directly on foreign territory.
13 Access to computer systems abroad from a location in Switzerland and thus the seizure of data stored abroad also qualify as such extraterritorial acts of sovereignty. The community of states also claims sovereignty with regard to data processing systems stationed on its own territory and the data stored there. National search powers cannot legitimize such encroachments on foreign sovereign rights. This has once been recognized in principle by the Federal Supreme Court (cf. however below, n. 63 ff.) and is also reflected in particular in the (intensive) discussions on the content or further development of the CCC.
14 As soon as the sovereignty of a foreign state is to be encroached upon in such a sense, the state must consequently consent, either by providing mutual legal assistance upon individual request or by granting international partners the authority to act accordingly by treaty or on an ad hoc basis. Examples of the partial surrender of Swiss sovereignty can be found in agreements with neighboring countries on police "hot pursuit" or, to a limited extent, in the context of the Cybercrime Convention. This is because the creation of Art. 32 CCC dispensed with the need for a request for mutual legal assistance in two constellations: On the one hand, access to publicly accessible stored computer data is permissible, regardless of where the data is geographically located (lit. a). On the other hand - and very broadly compared to other mutual legal assistance accords - according to Art. 32 lit. b CCC, a Party may "access or receive stored computer data located in the territory of another Party by means of a computer system in its territory if it obtains the lawful and voluntary consent of the person lawfully authorized to disclose the data to it by means of that computer system." This legitimizes not only a direct request to foreign providers to hand over information, but also the authorities' own access through existing user accounts (see below, n. 55). In other words, the CCC sets out in binding terms for the contracting states under which circumstances authorities can directly access data located abroad (i.e. under the conditions of Art. 32 CCC) and when they are obliged to make a formal request for mutual assistance (in all other cases; Art. 31 CCC). This shows that access to foreign data, regardless of the fact that members of law enforcement agencies are not physically present on foreign territory during such evidence-gathering measures, is considered an intrusion on sovereignty in principle. Indeed, in the course of drafting the CCC, it just emerged "that no consensus could be reached for more far-reaching rules under which conditions unilateral access by one State to data located in another State Party may occur without authorization by that State Party."
C. Materials and Interpretation
15 The terms used by Art. 32 CCC and the constellations covered by them were only partially explained in more detail in the Explanatory Report to the CCC - mutatis mutandis the Council of Europe's "message" on the CCC - which risks being interpreted differently by the authorities of the Contracting States. However, this seems to have been a deliberate decision. After all, a working group on transborder access to data ("T-CY Transborder Group") of the Committee of the Parties ("Cybercrime Convention Committee", "T-CY") issued a Guidance Note on December 3, 2014 on transborder access to data under Art. 32 CCC, which can be used as an interpretative aid. However, the prerequisites of Art. 32 CCC - such as the question of who is entitled to grant consent under Art. 32 lit. b CCC - are ultimately to be determined according to domestic law (cf. below, n. 41 f.); in this respect, a domestic definition and thus possible differing views between the contracting states are unavoidable.
16 According to the Federal Council, the provision should be interpreted narrowly "in order to counteract the danger of abuse by circumventing mutual assistance or in violation of the privacy of third parties." However, if one takes into account the effect intended by Art. 32 CCC - the acceleration of proceedings or the simplified collection of evidence - this leaves room for interpretations that are practical and fit for purpose.
D. Legal Nature
17 Art. 32 CCC is a "self-executing" norm of international law that is directly applicable upon ratification. The contracting parties thereby grant the other contracting states the right to directly access data in their territory bypassing the mutual legal assistance channel. In other words, the provision standardizes a "waiver of the domestic procedure in the requested state." The prosecuting authorities of the Contracting States may directly rely on Art. 32 CCC, both in domestic criminal proceedings in order to legitimize corresponding evidence gathering abroad (while still having to comply with domestic procedural rules, see below, n. 56) - Art. 32 CCC does not constitute an original coercive measure in this respect - and, in relation to the Contracting State concerned, they may rely on the absence of unlawful interference with foreign sovereignty. In relation to the IMAC, the provisions of the CCC take precedence over those of the IMAC in any case (Art. 1 para. 1 IMAC).
E. Scope of Application
18 Art. 32 CCC permits the seizure of computer data stored in another contracting state.
19 According to Art. 1 lit. b CCC, computer data are all representations "of facts, information or concepts in a form suitable for processing in a computer system, including a program capable of initiating the execution of a function by a computer system." Article 32 of the CCC thus covers access to inventory, traffic or peripheral data as well as content data that is either stored or in the transmission stage at the time of access. Due to its legal qualification as electronic data, crypto assets, for example, can also be seized in application of Art. 32 lit. b CCC, provided that the authorized persons grant their authorization.
20 Art. 32 CCC explicitly focuses on the location of the specifically envisaged data (Art. 32 lit. b CCC: "[...] stored computer data located in the territory of another Party"; cf. also Art. 31 CCC: "[...] stored by means of a computer system located in the territory of the requested Party"). In the case of data stored in several locations, the location of the data set that is to be specifically seized is decisive. Consequently, access in application of this provision is only permissible if the CCC is applicable at the place where the data is stored. Since none of the 68 contracting states has made a reservation to Art. 32 CCC, the examination can be limited to whether the state at the storage location to be affected is a party to the Cybercrime Convention, i.e. whether it has signed and ratified it.
21 Art. 32 CCC is not applicable to purely domestic circumstances: If the data are stored locally on a terminal or server located in Switzerland and secured here, Swiss national law is applicable in this regard (in particular Art. 246, Art. 263 and Art. 265 CrimPC, for marginal data see Art. 273 CrimPC). This is also the case if foreign data records are in the cache of the device seized here at the time of access. However, if the device is used as a "key" or "gateway" to gain access to services that have stored their data abroad (e.g. cloud, webmail, etc.) without these being stored locally on the device, this is a transnational data seizure in this respect and Art. 32 CCC must be observed (cf. however below, n. 63 ff.). Swiss national law is also applicable if foreign providers have Swiss subsidiaries or partners that store the data in Switzerland. In this case, access can take place at the latter. However, data centers are not usually included in this category, since the data stored with them is often encrypted and can hardly be read out without the cooperation of or forced collection from the persons authorized to receive the data. The foreign persons must then be requested to hand over the data or keys either in application of Art. 32 lit. b CCC or subsidiarily by way of mutual legal assistance. Art. 32 lit. b CCC is also applicable if domestic subsidiaries or partners of foreign providers are ordered by the public prosecutor to hand over data they have stored abroad. Correctly, a domestic person may not be ordered under threat of coercion to obtain evidence available to the prosecuting authorities abroad, even if this should involve data with respect to which he or she is entitled to access. The Federal Supreme Court held that an order to disclose data pursuant to Art. 265 CrimPC to a Swiss branch of an Internet service provider was admissible if it had access to the data in question and was authorized to do so ("pouvoir de disposition, en fait et en droit, sur ces données"). This is not inconsistent with what has just been said, since the disclosure order does not yet constitute a coercive measure and can be understood and assessed in this context as a request under Art. 32 CCC for voluntary disclosure.
22 With regard to third countries that have not signed up to the Convention, it must be assumed that state sovereignty prohibits any online access to (non-public, cf. below, n. 35) data and therefore the only option is to use the mutual legal assistance route.
23 It is obvious to base this on the storage location, because the states can also invoke the principle of sovereignty with regard to the IT infrastructure located on their territory. However, it is problematic that at the time of access, it is not uncommon for neither the law enforcement agency nor the data controller or even the data custodian to know where the data is stored at any given moment. For example, Internet service providers sometimes store their customers' data not in their country of domicile, but elsewhere. The storage location may also change over time due to technical restructuring or relocation to other (cheaper) locations. In any case, the storage location often cannot be determined conclusively at the time the data is accessed. This raises the question of how to deal with the standard case in which the law enforcement authority cannot determine at the time of the intended seizure whether the data is stored in a CCC contracting state, a third country or even in its own country. The materials to Art. 32 CCC do not address this conclusively; the T-CY Guidance Note only, but nonetheless, provides that in situations where the location of storage is unknown or uncertain, States Parties should evaluate for themselves the legitimacy of access in light of domestic law, relevant international law principles, or considerations of international relations ("[...] Parties may need to evaluate for themselves the legitimacy of a search or other type of access in light of domestic law, relevant international law principles, or considerations of international relations"). In the case of unknown location, the following suggests itself: If for the applicability of Art. 32 CCC the certain knowledge would be required that the storage location is in a Contracting State, Art. 32 lit. b CCC would lose its meaning and the seizure of cloud data would be reduced to absurdity. "The mere possibility of a location in a third country can also not trigger a mutual legal assistance obligation, especially since it is not even clear which country should be addressed for this." Detailed clarifications of the storage location are often impossible before access or take too much time - admittedly: if there is no urgency and the storage location can be determined technically without special effort, efforts should be made. In view of the CCC's idea of acceleration, however, it would not be advisable to generally wait until certain knowledge is available, especially if there is a risk of loss of evidence. If it turns out in retrospect that the storage location was actually in a third country, a subsequent authorization for data access will have to be obtained through mutual legal assistance (see below, n. 71).
24 In relation to the large social media providers, the situation is somewhat more complicated. They have their headquarters in the USA, but their European headquarters are often in Ireland and, according to their own information (which is not necessarily correct in view of the U.S. Cloud Act), they only have access to the data of European and Swiss customers from Ireland (which the providers justify with the European General Data Protection Regulation of 27 April 2016 ["GDPR"]), although the data is regularly stored in other countries (e.g. Sweden). However, Ireland has not ratified the CCC to date. Accordingly, the question arises whether requests under Art. 32 lit. b CCC for European data for the attention of the Irish branch are permissible at all and whether the collected data are usable. Alternatively, should Sweden be addressed as a possible storage location, even though the data may be accessed there, but it is likely to be encrypted and thus unusable? Or should the American parent company be affected, which should obtain the data from its European subsidiary? In practice, the explosiveness of this question is mitigated by the fact that requests for information can be made via "law enforcement portals" provided by Internet service providers - it is up to them to decide from which group company the providers then make the requested data available to the authorities or how they have organized themselves internally, and this does not need to be examined further, especially since the law enforcement authorities have no way of verifying where the disclosed data has actually been stored and exactly which group company has had access to it anyway.
25 In view of all these difficulties, the storage location makes little sense as a decisive criterion. De lege ferenda, therefore, the criterion of the place of storage should be dispensed with for Art. 32 CCC and instead be linked to the registered office or place of residence of the person who has lawful access to the data. Alternatively (in line with the EU e-Evidence Regulation and Art. 18 para. 1 lit. b CCC), it may be sufficient that the respective company offers its services in the relevant state.
F. Practical Relevance
26 Art. 32 CCC has emerged as an indispensable means of prosecuting crime with a digital component. Swiss law enforcement authorities regularly rely on Art. 32 CCC, be it through the collection of open source information ("OSINF") in application of Art. 32 lit. a CCC, be it through access to data upon voluntary disclosure of login data by the Swiss data subject pursuant to Art. 32 lit. b CCC or in particular by direct requests ("information requests") to foreign Internet service providers for the disclosure of inventory, marginal or content data (whereby in practice usually only inventory and marginal data are supplied and for content data the legal assistance route must be taken, if necessary in combination with a "preservation request" under Art. 29 CCC). The numbers of direct requests for information are remarkable: in the first half of 2022, Google alone received over 422,000 direct requests, including 1,357 from Swiss law enforcement agencies, 90% of which were approved. However, providers are not accountable for denying a request; they can set the conditions for surrender on their own, keep changing them, and moreover, the conditions vary considerably depending on the provider. This is acceptable under the current regime, since Art. 32 CCC is based on voluntariness.
II. Access to publicly available data stored in another contracting state ("open source") (lit. a)
A. Publicly accessible data
27 The collection and analysis of "open source information" is referred to in the intelligence sector as "OSINT" ("Open Source Intelligence"). The use of publicly available data has also emerged in law enforcement as a useful and non-invasive investigative method. This is supported by the tech industry, which has developed tools that eliminate the need to manually gather data and instead automate it: For example, by providing software that can pull all publicly available information from Facebook and display it in relationship trees and on the timeline, or technical tools to track the flow of money from cryptocurrencies (whose blockchain is publicly accessible). The use of artificial intelligence is also no longer a pipe dream.
28 Data are public if they are freely accessible via a data processing system and are not withdrawn from general access by special security precautions. It is sufficient if they are made accessible to an undefined circle of users, even if a login is required, "but this is in principle granted to every user if an appropriate login form has been completed." A system may also be merely partially public. By contrast, data that "can only be accessed by means of an interface of a terminal device located in the - not publicly accessible - search object" are not "open source."
29 Examples of publicly accessible data are - in the sense of a non-exhaustive list - freely accessible mass media (print media [even if protected by a paywall], broadcasting), all information that can be found on the Internet (clearnet as well as darknet), web-based applications (such as Google Earth), information on the publicly viewable blockchain (e.g. Bitcoin), data that can be publicly accessed on the website at the domain address of a company or an administration, freely accessible webcams, a mailing list that is open to all interested parties, data that is freely available on a sharing platform, the retrieval of technical data from a web server, the determination of domain information via "WhoIs" databases, debtor, land register, commercial register and residents' control information freely accessible abroad or against payment or available records from criminal, administrative and civil proceedings, observing public chats, open Internet forums and social networks set to public (the use of public data, photos and relationships on Facebook, information from X, Instagram, LinkedIn, etc.). Even a post in a closed group (online forum, Facebook or similar) can be qualified as public in the case of groups with a high number of members or with de facto unrestricted access, unless the group of persons is specifically delimited and the persons are personally connected to each other. Accordingly, "closed user groups in which case-by-case verification of users' identities is performed by administrators of the site and an investigator would only gain access, for example, by feigning a legend, can no longer be qualified as public."
30 Depending on the circumstances, not only content data (personal or other data), but also inventory data (e.g., registration information from "WhoIs" databases) or (rarely) even marginal data may be public and consequently collected in application of Art. 32 lit. a CCC.
31 For the qualification as publicly accessible data, it is irrelevant whether the data were published without authorization or with the consent of the data subject. If the publication was made unlawfully (e.g., by violating legal confidentiality obligations), the data can be used in domestic criminal proceedings if they could have been lawfully obtained by the law enforcement authorities and a balancing of interests speaks in favor of their use. Consequently, it must be clarified for the first criterion whether the data could hypothetically also have been seized if they had not been public - i.e. whether they could have been obtained within the meaning of Art. 32 lit. b CCC or via mutual legal assistance.
B. Legal Nature: Qualification as Interference with Fundamental Rights?
32 It is questionable to what extent the collection and analysis of publicly accessible data should be qualified as an interference with fundamental rights and, as a consequence, as a coercive measure within the meaning of Art. 196 CrimPC. The answer to this question is central, firstly in order to determine the extent to which public data located in a third country can also be accessed, and secondly because if the answer is yes, there must be a sufficiently concrete legal basis (Art. 197 para. 1 lit. a CrimPC). The latter, however, has already been implemented by Art. 95 CrimPC (acquisition of personal data).
33 According to Art. 196 CrimPC, coercive measures are defined as procedural acts by the criminal authorities that serve, among other things, to secure evidence insofar as they interfere with the fundamental rights of the persons concerned. Art. 196 CrimPC thus (in contradiction to the wording ["coercive" measure]) does not necessarily presuppose coercion, but rather relies decisively on whether the measure is to be considered an encroachment on the fundamental rights of the persons concerned. In the foreground, in addition to the right to personal freedom and the guarantee of property, is the protection of privacy under Article 13 FC and Article 8 ECHR, or more specifically the right to informational self-determination enshrined therein. Interventions in this constitutional right include telephone surveillance, the collection of telecommunications data, the collection and analysis of DNA and fingerprints, observation (including systematic surveillance by private detectives), video recordings by the police, the use of an IMSI catcher and password-protected online searches or seizure of chat messages.
34 With regard to automated traffic surveillance, the Federal Supreme Court once held that the protection of privacy is not limited to private premises, but also extends to the private-public sphere; Article 13 FC also covers matters of life with personal content that occur in the public sphere. According to the German Federal Constitutional Court, access to "communication content and information available on the Internet that is directed at everyone or at least at a group of persons that is not further delimited" cannot yet be correctly characterized as an encroachment on the right to informational self-determination. Content that is reserved for a specific group of users on blogs, forums or in social media and is thus directed at an environment characterized by personal relationships or special trust can be attributed to the private sphere within the meaning of Article 13 para. 1 FC and its access can be considered an encroachment on fundamental rights. Data that can be accessed by any Internet user without any preconditions or that can be viewed by all users registered on a platform (irrespective of a close relationship to the person disclosing the information) can no longer be classified as "private", regardless of the content. There is correctly no longer any interest worth protecting in information that is already publicly known (with the exception of the "right to be forgotten" under data protection law).
35 If access to generally accessible data is not a coercive measure, this also means that Art. 32 lit. a CCC is not constitutive but purely declaratory in nature: If access to public sources does not violate state sovereignty due to the lack of an actual exercise of coercion, no intergovernmental agreement is required. Accordingly, publicly available data from third countries that have not ratified the CCC can also be accessed without any problems. The latter is sometimes also justified by the fact that transnational access to "open source data" is customary international law; such acts of investigation are considered uncontested.
36 Even if this view were not followed so absolutely, in any case the tapping of voluntarily disclosed data - such as communication content in social media - could not be characterized as an encroachment on fundamental rights. This is because by consciously deciding to share personal information, the individuals concerned are relinquishing their informational self-determination with respect to that specific data, or in other words, by releasing it into the public domain, they have precisely exercised their informational self-determination. The same applies to the public data trail left by their own inputs, such as transactions made with Bitcoin that are traceable on the public blockchain. Next, data that cannot be directly attributed to a specific person is not worthy of protection under any fundamental rights title. This includes, for example, the use of "Google Earth" or technical data disclosed by a web server. Consequently, the tapping and analysis of personal information that has not been disclosed voluntarily is the most that can be considered a coercive measure; in this case, it could legitimately be argued that the individuals concerned have no control over what information is available about them on the Internet. However, even then it would have to be taken into account that OSINT is a comparatively less invasive and thus proportionate intervention, since it is limited to information that can be accessed by anyone without special access restrictions.
C. Prerequisites for permissible data access under Swiss criminal procedure law
37 The tapping of "open source" data is permissible for any criminal offense (felony, misdemeanor or infraction) to the extent that the collection of evidence available in electronic form is useful for its prosecution (cf. Art. 25 para. 1 and Art. 14 para. 2 lit. c CCC). To the extent permitted by cantonal police law, public information may also be accessed in the context of preventive police activity.
38 Due to the lack of interference with fundamental rights, "open source" investigations are not to be classified as coercive measures within the meaning of Art. 196 et seq. CrimPC (cf. above, n. 32 et seq.). As a result, neither the formal and substantive provisions on searches (Art. 246 et seq. CrimPC) nor on seizures (Art. 263 CrimPC) are applicable. "OSINF" or "OSINT" is rather deemed to be a permissible collection of evidence based on Art. 95 CrimPC within the meaning of Art. 139 para. 1 CrimPC.
39 Logging on by members of law enforcement authorities under a false identity in social media or in a chat in order to gain access to the content published there is not to be classified as an undercover search (Art. 298a CrimPC) or undercover investigation (Art. 285a CrimPC), as no direct contact with the target person is established here. The situation would be different if the investigator were to actively send the target a friend request or the like in order to also take note of the target's (private) contributions, or if he were to gain access to a chat or forum that is not generally accessible by creating a legend.
40 The evidentiary value of publicly available data must be examined in detail within the framework of the free assessment of evidence (Art. 10 para. 2 CrimPC). Various considerations play a role here, first and foremost the origin of the evidence, its authenticity and reliability, the relationship of its author to the parties to the proceedings, and above all whether the source is anonymous or known, especially since doubts are great in the case of unknown origin and data are relatively easy to manipulate. It is also important that the data are forensically secured in accordance with the current state of the art, since metadata can be used to draw conclusions about the probative value; simply taking screenshots will hardly suffice for this purpose.
III. Access to other data stored in another contracting state (lit. b)
A. Lawful and voluntary consent of the person lawfully authorized to disclose the data
1. Authorization to disclose
41 Art. 32 CCC only regulates the permissibility of data access under international law; "the domestic rules against which the transfer of data is to be measured, i.e., according to which it is to be decided whether consent to the transfer has been lawfully given by a person authorized to do so, are not affected by the Convention." The Council of Europe has refrained from further defining the concept of transfer authorization in the CCC. The Explanatory Report states that who can give consent "may vary depending on the circumstances, the nature of the person and the applicable law concerned."
42 The question of who is "lawfully authorized to disclose the data [...]" is determined by the domestic law of the requesting state, i.e., the one in which the investigation takes place. This also appears to make sense because it is often not possible, or not possible without great effort, to precisely locate the data prior to access. Moreover, it would be impracticable and incompatible with the CCC's idea of acceleration to require Swiss authorities to check the authorization situation for each contracting state separately before they would be allowed to secure data.
43 What is necessary is the authorization to pass on data. Necessary, but also sufficient, is the consent of a person who is lawfully authorized to disclose it to law enforcement authorities. The authorization may be of a legal or mandatory nature.
44 Contrary to the Dispatch, it is not an additional requirement that consent must be given by "a person within the country"; Art. 32 lit. b CCC knows no such restrictive criterion, which, moreover, would run counter to the spirit and purpose of the Convention.
45 The Explanatory Report and the Dispatch cite as eligible for consent, by way of example, persons who have their e-mails stored with a service provider in another state or otherwise have their data stored abroad. In the literature, the customer renting the storage space is referred to as the authorized person in the case of data stored on cloud servers, the bank in the case of data on financial transactions, the employer in the case of the business e-mail account, and the persons declared internally responsible for this in the case of legal entities, or the board of directors (AG) or the management (GmbH) in the absence of such internal regulations; administrators or other persons authorized to access data are likely to lack this authorization on a regular basis.
46 One aspect not conclusively discussed in the Explanatory Report concerns the question of whether consent must always be given by the data subjects (data controllers) or whether the authorization of other entities that process the personal data (first and foremost the Internet service provider as data controller) is sufficient. An extension to Internet service providers is viewed critically, because they would merely exercise data custody and would therefore not be in a position to be able to give legally valid consent.
47 The question of the right to pass on data must be considered in the broader context that, under the current legal situation, there is no property-like right to data in Switzerland: The property right under Article 641 CC extends only to the "thing," which the doctrine understands to mean "a corporeal object, distinct from others, which is amenable to actual and legal control." Since data are immaterial goods, no ownership within the meaning of Art. 641 CC can be established in them (but certainly not in data processing systems or data carriers). Copyright law also extends only to intellectual creations with an individual character in data form and is applicable only in exceptional cases. Nevertheless, a right of access to data is recognized in data protection law, at least with regard to personal data, with respect to which a right of access is standardized in Art. 25 of the Federal Data Protection Act of 25.9.2020 ("FADP", SR 235.1). Art. 28 FADP also grants data subjects the right to data surrender and transfer of personal data (data portability) if certain conditions are met, provided that they have disclosed such data to the data controllers. Furthermore, personal data "may only be obtained for a specific purpose that is apparent to the data subject; it may only be processed in a manner that is compatible with that purpose" (Art. 6 para. 3 FADP). In this context, the surrender of personal data to law enforcement authorities constitutes a form of data processing (cf. Art. 5 lit. d FADP). This means: The authorized person can consent to the disclosure by the data processor.
48 Switzerland, in line with other contracting states, therefore allows the consent of Internet service providers to suffice as a consequence of their relationship under private law with the data subject if the service providers have stipulated a right of onward transmission to foreign law enforcement authorities in their general terms of use or data usage guidelines. The majority of Internet service providers stipulate in their user agreements that data can be disclosed not only in the presence of a valid court order, but also upon simple request by law enforcement authorities, or that the providers cooperate with law enforcement authorities. Disclosure in these cases is in compliance with the law.
2. Consent
49 The fact that a foreign provider company concerned would in principle be entitled to declare its consent to direct data disclosure in the sense described is not yet sufficient (according to the clear wording of Art. 32 lit. b CCC) for cross-border access: Rather, it must be further examined whether the requesting law enforcement agency has obtained a legally effective "lawful and voluntary consent."
50 As seen, the person capable of giving consent is the legal entity or natural person capable of judgment who may dispose of the data on the basis of legal or obligatory authorization and grant third parties access to it (cf. also above, n. 43 ff.). If there are several persons authorized to disclose data, the consent of one person is sufficient. If, for example, the account holder has given her authorization, no additional consent is required from the foreign provider company. Conversely, it is sufficient if the foreign provider, based on a corresponding authorization by the customer in the General Terms and Conditions of Use, releases the data (for consent by Internet service providers, see above, n. 46 ff.).
51 In accordance with general principles of criminal procedure, consent can either be expressly declared (for which there is no formal requirement) or implied. The latter is the case, in particular, if the person requested by the criminal prosecution authorities - for example, a service provider or the owner of the account in question - surrenders the data upon request.
52 At the same time, this means that corresponding "information requests" may be made abroad without this qualifying as an inadmissible act in a foreign state. In practice, direct requests to foreign providers have become an international standard, which can either be entered via law enforcement portals operated by the providers themselves or, in the case of other (smaller) providers, can also be delivered through the police (via Interpol). Various international treaties also permit direct service of official documents abroad, at least in principle, most notably Art. 52 para. 1 of the Schengen Convention of 19 June 1990 ("CISA"). However, the latter provides that each state may or must make a declaration as to which documents may be sent to persons in its territory. Consequently, it must be checked separately for each contracting state whether direct service is permitted and, if so, to what extent. Insofar as it is pointed out to the addressees that any cooperation is voluntary and that no direct negative consequences are attached to a refusal to cooperate, it is, however, not apparent to what extent this can be seen as a violation of foreign territorial sovereignty and thus a case of application of Art. 52 para. 1 of the Schengen Convention - it is a matter of mere invitations without any threat of coercion and without any negative consequences attached to a possible refusal to cooperate. It would therefore make little sense if the exception in Art. 32 lit. b CCC were intended to increase the efficiency of the cumbersome formal mutual assistance procedure, but at the same time this were to be torpedoed by the requirement to clarify the willingness of the persons concerned to cooperate voluntarily via this same formal mutual assistance procedure. In this respect, Art. 32 lit. b CCC takes precedence over Art. 52 CISA.
53 Consent must be voluntary; the data subject must not be deceived or coerced into handing over data. There is often an indirect pressure situation, because in the event of refusal, the public prosecutor's office may demand the seizure and transfer of the data in question by way of mutual legal assistance. However, this is not sufficient to impair the formation of the person's will. The same applies, for example, in the case of a detention situation, where the accused person could subjectively feel compelled by the circumstances to cooperate and provide the data stored abroad in order to be released from detention as quickly as possible. However, even a pressure situation of this general nature does not prevent the person from giving consent in accordance with the law. What is prohibited, however, is the concrete threat of possible further disadvantages. Accordingly, a person domiciled in Switzerland cannot be forced to produce data stored abroad to which he has access. However, he or she can be requested to do so by means of a production order (Art. 265 CrimPC).
54 Finally, consent can be revoked at any time, although revocation is only ex nunc. Revocation after the data have been secured is therefore irrelevant.
B. Consequence of legally valid consent
55 If the person authorized to dispose voluntarily discloses his login data to foreign derived Internet services or consents to the online search, it is open to the law enforcement authorities in application of Art. 32 lit. b CCC to directly access and secure the information by using the login data. Also, any private individual is free to make copies of his or her own data stored with a foreign provider (such as e-mails or chat messages) available to the law enforcement authorities. It is also permissible for the law enforcement authority to directly request an Internet service provider domiciled abroad to hand over data (see above, n. 48, 51 f.).
C. Prerequisites for permissible data access under Swiss criminal procedure law
56 Access to non-public data in Switzerland is not possible without preconditions. If it is content data, the data must be seized (for example, by a production order [Art. 265 CrimPC] or on the occasion of a house search [Art. 244 CrimPC]), searched (Art. 246 CrimPC), and subsequently seized if relevant to the evidence (Art. 263 CrimPC). For traffic data, a retroactive marginal data collection (Art. 273 CrimPC) must be ordered and approved by the compulsory measures court (Art. 274 CrimPC). Now, Art. 32 lit. b CCC does not constitute an independent evidence preservation or evidence collection measure that would override the domestic requirements. The provision only regulates that if a legally valid consent exists, a mutual assistance procedure can be waived. Data access, even if transnational, therefore constitutes a domestic coercive measure that must satisfy the domestic legal requirements. The seizure of data abroad must therefore - in addition to the consent described above - fulfill the same conditions as if the data had been stored in Switzerland. An "information request" to an Internet service provider must therefore be qualified as an order for disclosure within the meaning of Art. 265 CrimPC.
57 First of all, it follows that in principle the opening of a criminal investigation within the meaning of Art. 309 para. 1 CrimPC and thus sufficient suspicion of a crime are a prerequisite, whereby criminal proceedings that have not yet been formally opened are automatically deemed to have been opened with the data interception (Art. 309 para. 1 lit. b CrimPC). In independent police investigation proceedings, Art. 32 lit. b CCC may not be relied upon. Intelligence services may not invoke it either.
58 The CCC serves to collect evidence of a criminal act that is available in electronic form (cf. Art. 25 para. 1 and Art. 14 para. 2 lit. c CCC). In principle, reasonable suspicion can thus extend to any criminal act, provided there is at least criminological suspicion that it was committed with a technical aid. The severity of the offense is irrelevant: transnational data access is in principle open to felonies, misdemeanors and infractions (in minor cases, however, the proportionality of data access may be open to discussion).
59 For content data to be seized, it must be suspected that it contains information that is subject to seizure (Art. 246 CrimPC). According to Art. 263 para. 1 lit. a CrimPC, objects belonging to an accused person or a third party may be seized specifically if they are needed as evidence. For the seizure and search of records, a potential relevance as evidence is sufficient, which is given if the data "may be of importance for the clarification of the alleged criminal offence" or does not appear "obviously unsuitable". Case law does not place high demands on this. Finally, the seizure and search must be proportionate (Art. 197 para. 1 lit. c and d CrimPC) and thus suitable, necessary and appropriate. Proportionality may be questionable, especially in the prosecution of misdemeanors. From a formal point of view, the seizure and search by the public prosecutor must as a rule be ordered in a written warrant (Art. 241 para. 1 CrimPC). For the collection of inventory data, on the other hand, the only requirement is that there is a suspicion that an offense has been committed via the Internet (Art. 22 para. 1 of the Federal Act on the Interception of Postal and Telecommunications Traffic of 18 March 2016 ["BÜPF"; SR 780.1]).
60 If the IP history/log data or other marginal data are collected abroad, the question arises as to whether the public prosecutor's office may make these records available on its own authority or whether, in application of Art. 273 para. 2 CrimPC, permission must be obtained from the compulsory measures court. The Federal Supreme Court once held that Art. 273 CrimPC only permits retroactive marginal data collection of telecommunications traffic "against telecommunications service providers or Internet access providers domiciled in Switzerland and subject to Swiss law." It thus ruled out its applicability to international situations, with the consequence that no authorization by the compulsory measures court should be required for the collection; in other words, Art. 32 lit. b CCC allows "a facilitated international exchange of marginal data." In another decision, however, the Federal Supreme Court rejected an application for approval by the public prosecutor's office on the grounds that the requirements of Art. 32 lit. b CCC had not been met in this case, adding that direct cross-border access would have had to be approved by the compulsory measures court under Art. 273 CrimPC. Even more, it explicitly stated in a further ruling that permission from the compulsory measures court must also be obtained for IP histories queried from foreign providers, and because this had not been done in the specific case, the findings derived from the queries were absolutely unusable. The fact that the Federal Supreme Court dealt with Art. 273 CrimPC here may seem understandable at first glance if one considers the legal nature of Art. 32 lit. b CCC, which only declares transnational access permissible under international law, but does not affect domestic regulations, especially with regard to the competence to collect data. 
However, it must be taken into account that the provisions on retroactive marginal data collection are not activated solely by the type of data to be collected (traffic or marginal data), but the data must be obtained from a telecommunications provider or be protected by telecommunications secrecy (Art. 321ter SCC and Art. 43 of the Telecommunications Act of 30.4.1997 ["TCA"; SR 784.10]). However, telecommunications secrecy applies (insofar as it is of interest here) only to providers who offer Internet access or telecommunications transmission. Internet service providers or providers of derived communications services that do not offer Internet access but only services provided via the Internet ("over-the-top services") are not considered telecommunications providers. For this reason, the seizure of marginal data from such companies is not subject to an approval requirement, whether domestically or abroad. Rather, a production order issued to the Internet service provider is sufficient for this purpose (Art. 265 CrimPC). Consequently, if IP histories and other marginal data are collected from non-telecommunications providers abroad on the basis of Art. 32 lit. b CCC, no approval must be obtained from the compulsory measures court.
61 Finally, the question arises as to the extent to which the other requirements for mutual assistance, namely grounds for refusal and the need for double criminality, also apply to Art. 32 lit. b CCC. Art. 25 para. 4 CCC provides, under the 3rd title ("General Principles of Mutual Legal Assistance"), that unless the CCC expressly provides otherwise, "mutual legal assistance shall be subject to the conditions provided for in the law of the requested Party or in the applicable mutual legal assistance treaties, including the grounds on which the requested Party may refuse to cooperate." However, Art. 32 lit. b CCC allows direct access prior to mutual assistance; a "request" to the other contracting state, as it is based on Art. 25 para. 4 CCC, is not required here. Consequently, the voluntarily granted access does not require double criminality, nor are further conditions to be met that would otherwise apply in mutual legal assistance proceedings. This softening is justified, on the one hand, by the voluntary nature of the consenting persons and, on the other hand, in view of the legal nature of Art. 32 lit. b CCC, which extends the territorial arm of the law enforcement authorities, while it continues to be a domestic evidence preservation measure. If the attempt to seize the records on the basis of Art. 32 lit. b CCC fails, then the ordinary mutual assistance route must be taken, for which the corresponding limitations apply again.
62 The person concerned cannot defend himself against the direct seizure as such or the provider inquiry; nevertheless, the legal remedy of sealing (Art. 248 CrimPC) is open to him against the search, insofar as he can credibly demonstrate a prohibition of seizure (Art. 264 CrimPC). The effect of sealing is that the prosecution authorities may not search the records for the time being until the compulsory measures court has ruled on the admissibility of the data collection and search.
IV. Preservation of evidence beyond Art. 32 CCC according to the access principle
63 In tension with the principle of territoriality, which is based on the place where the evidence is stored and thus, in the case of data, on the physical place of storage, the Federal Supreme Court allows access even in the absence of consent, regardless of where the data is stored at the time of access; the decisive factor is that the data can be accessed from Switzerland: "Anyone who uses a derived Internet service offered by a foreign company via Internet access in Switzerland is not acting abroad. Even the mere fact that the electronic data of the relevant derived internet service are managed on servers (or cloud storage media) abroad does not make an online search conducted from Switzerland in compliance with the law appear to be an inadmissible investigative act on foreign territory (within the meaning of the practice set out) [...]."
64 The subject of the assessment was the access to the Facebook account of a person accused of qualified narcotics trafficking, whose access data had been made available by the prosecution authorities. The public prosecutor's office then had the Facebook account searched using the identified login data and seized chat messages of evidentiary relevance. The storage location of this data was not in Switzerland at the time - and still is not. In the cited ruling, the Federal Supreme Court held that accounts of defendants or third parties on foreign Internet services may be accessed directly if the general requirements of a search under the Swiss CrimPC are met and the investigators act "from computers, servers and IT infrastructures located in Switzerland", i.e. remain physically in Switzerland.
65 Practice has gratefully accepted this case law. It is applicable not only to Facebook, but to a wide range of domestic and foreign services such as host providers, communication services, cloud services, data outsourcing providers, chat forums, document exchange platforms, shopping portals, and email service providers. Crypto assets held in a hot wallet can also be seized (i.e., usually transferred to a law enforcement wallet) in application of this case law. Federal court case law is also gaining momentum. The general trend for electronic devices is to move away from local storage towards cloud storage. Cell phones in particular are now often used for various services only as "keys", with the data in question no longer stored on the physical device. If a cell phone or tablet is seized during a house search or police stop and it turns out that the data is not stored on the device but in the cloud, or if apps from communication services or web e-mail providers are found on the device, all of this data can be seized based on federal court case law. This procedure is facilitated in practice by the fact that users, for reasons of convenience, often save their login data for Internet services in a password manager or in an Internet browser, or use the same password for different services. During house searches at companies, too, it is increasingly found that they no longer host or store their data themselves at their headquarters or place of management, but have outsourced data processing and storage to external service providers. The cited Federal Court decision also helps in such situations, as it allows the data to be secured in these cases as well.
66 Implicitly, the Federal Supreme Court invoked the so-called "access principle" in the cited decision. According to this principle, in the case of computer data, what matters is not the location of the data carrier on which the information is stored, but rather who has access to the data relevant to the proceedings, and from where. Control over the data lies with the person who has the access authorization and not with the person who is in physical possession of the data carrier. Some authors cite this as a reason why the search and seizure of data stored abroad by Swiss authorities in Switzerland should not be seen as a violation of sovereignty. In other words, the admissibility of online access should depend solely on the legality of the domestic investigative act.
67 However, if foreign sources that are not publicly accessible are accessed, in particular those that are password-protected or protected by other barriers, this has a strong impact on the foreign ("digital") territory. For this reason, access by investigative authorities to data abroad is sometimes seen as an encroachment on the sovereignty of the state in question; on this view, such evidence can only be obtained via international mutual legal assistance, or directly if this is explicitly provided for in international agreements. In fact, the access principle does not change the effects of state online access on foreign sovereignty, where the actual success of the measure occurs. It is true that the lack of physical action by officials on foreign territory should not yet exceed the limits drawn by Art. 299 SCC. However, in terms of the intensity of the intervention, such measures in no way take a back seat to equivalent physical investigative activities (the search of the storage medium abroad by Swiss officials), which would clearly be inadmissible. In addition, the online retrieval triggers data processing operations abroad; the access leaves traces in the target state. In the worst case, depending on national legislation, the investigating officer may be liable to prosecution there for unauthorized intrusion into a data processing system, unauthorized data acquisition or disregard for foreign sovereign rights. Moreover, digital evidence gathering from Switzerland is carried out without the knowledge of the foreign state, which - in view of the intelligence scandals of the recent past - makes it even more dangerous from the latter's point of view. Remarkably, according to a UN study, the national law of various states nevertheless permits a kind of direct access to data stored abroad, while the proportion of states that permit such direct access by foreign law enforcement agencies is noticeably smaller, according to the same study.
Consequently, sensitivity to international law seems to be greater when one's own sovereignty is affected than when one is dependent on obtaining evidence abroad. In any case, the Cybercrime Convention already allows direct access to foreign data in a limited way in Art. 32 CCC; obtaining evidence beyond this - at least in the relationship between the convention states - is to be seen e contrario as an encroachment on state sovereignty. It is not for nothing that the Council of Europe has expressly provided for the subsidiary Art. 31 CCC entitled "Mutual assistance in accessing stored data". A proposal put forward by EU member states in the context of the negotiations, according to which transnational online searches should be permissible in urgent cases, was therefore not included - for lack of consensus, it was decided not to regulate such situations. Efforts that have been resumed since then have also been largely fruitless; the 2nd Additional Protocol to the CCC is not a great success in this respect either. Direct transnational access to data without the consent of an authorized person is thus still not covered by an international consensus, violates the sovereignty of the state concerned, and is thus contrary to international law as long as the current bilateral or multilateral agreements have not been developed further.
68 This result is unsatisfactory. First, it is unsatisfactory especially where there is a risk that the data may be lost without immediate action. It is therefore conceivable to allow the temporary transnational preservation of data in exceptional circumstances where there is a risk of collusion or loss of evidence, if even a "preservation request" within the meaning of Art. 29 CCC would come too late. In this case, the preserved data would have to be kept separately and could not be searched until the Contracting State concerned has been asked for subsequent permission. Second, the foregoing critique is premised on the understanding that law enforcement authorities have positive knowledge at the time of access that the data are not stored in their own country. However, it is often not clear from the outset where the data is stored, whether locally on the device or in the cloud after all. In these cases, too, it must be permissible to preserve evidence, if necessary with a subsequent request for legal assistance in the event that the data is subsequently found to be stored abroad (cf. above, n. 23).
V. Consequences of the Violation of Foreign Sovereignty Law
69 If the powers of the CCC are exceeded, if mutual assistance in criminal matters is circumvented by direct access to foreign data carriers, and if the principle of territoriality or sovereignty is thus violated, the question of the unusability of evidence obtained in this way arises. In principle, the circumvention of the mutual legal assistance channel can be objected to in domestic criminal proceedings.
70 Cantonal courts have so far advocated a relative prohibition on the use of evidence within the meaning of Art. 141 para. 2 CrimPC, whereby the evidence in question may be used insofar as it is necessary to clarify a serious criminal offense. It is questionable, however, whether the principle of territoriality under international law and the requirement to use the legal assistance channel are in fact merely validity provisions or whether, in view of their importance, an absolute prohibition on use must be assumed (e.g. in the form of a violation of public policy). The Federal Supreme Court has decided in this direction when it considered a secret surveillance measure (GPS tracker and listening devices in a vehicle that was also used for trips abroad) to be absolutely unusable with regard to the trips abroad. However, it seems possible and sensible to adopt the view held in Germany, according to which the question of usability depends on whether the investigator was aware at the time of the data collection that the access would not be in accordance with international law. If the investigator was not aware of this, it must be possible to have a subsequent formal mutual legal assistance procedure (in the sense of an approval procedure) carried out for the evidence (which was objectively obtained in an unlawful manner) in order to avert the unusability of the evidence.
71 The latter is particularly applicable to those cases in which it is not clear from the outset where the data are stored: If a domestic storage location cannot be ruled out, access to preserve evidence must be permitted; positive knowledge of the storage location is not a prerequisite. "The mere possibility of a location abroad cannot trigger an obligation to provide mutual legal assistance, especially since in these cases it cannot be determined which country will actually be affected." If it subsequently turns out (e.g., also in response to corresponding complaints by the defense) that the tapped data were not stored domestically and also not in a contracting state, subsequent authorization will have to be obtained in the state in question by way of mutual legal assistance.
VI. Need for Reform
72 The Council of Europe recognized early on the need to soften territorial principles due to technological developments and, with Art. 32 CCC, enacted a provision that is progressive compared to traditional mutual legal assistance conventions. More far-reaching ideas were as visionary as they were (as yet) incapable of gaining majority support, owing to the strongly anchored idea of sovereignty. However, if the community of states wants effective criminal prosecution that can also perform its tasks in the 21st century, it seems necessary and sensible to completely give up sovereignty with regard to networked data. Today, it is no longer just a question of cross-border crime, which has always been difficult for national law enforcement agencies to grasp; as a result of the shift of evidence across national borders, it will soon no longer be possible to investigate purely domestic cases, let alone at a reasonable cost-benefit ratio.
73 Admittedly, it seems more promising to set more modest goals for the time being: First, Switzerland should sign and ratify the 2nd Additional Protocol to the CCC as soon as possible, even if it is no great breakthrough. Second, much would already be achieved if, in the context of Art. 32 lit. b CCC, one kept pace with legal reality and no longer linked only to the storage location, but rather (also) to the domicile of the person entitled to access or to the fact that a company offers its services in the state in question (cf. above, n. 25). Third, Switzerland should seek to associate itself with the EU's e-Evidence system (although this will be politically difficult to implement). Fourth, the recurring discussions on unilateral access to data abroad should be resumed and brought to a conclusion. At the very least, a domestic access location should be considered sufficient in the future so that data access no longer has to be classified as violating the sovereignty of the state at the storage location. In particular, protective measures and guarantees (e.g. an obligation to inform the state concerned about the access, the need for subsequent authorization, requirements regarding the rule of law and the protection of fundamental rights, etc.) could be included to increase the acceptance of such a solution.
Bibliography
Abo Youssef Omar, Smartphone-User zwischen unbegrenzten Möglichkeiten und Überwachung, ZStrR 130 (2012), pp. 92 ff.
Aepli Michael, Die strafprozessuale Sicherstellung von elektronisch gespeicherten Daten, Unter besonderer Berücksichtigung der Beweismittelbeschlagnahme am Beispiel des Kantons Zürich, Zürich 2004.
Bangerter Simon, Hausdurchsuchungen und Beschlagnahmen im Wettbewerbsrecht unter vergleichender Berücksichtigung der StPO, Zürich 2014.
Bär Wolfgang, Transnationaler Zugriff auf Computerdaten, ZIS 2 (2011), pp. 53 ff., available at https://www.zis-online.com/dat/artikel/2011_2_525.pdf, accessed on 17.10.2023.
Biaggini Elena, Strafrechtlicher Schutz des E-Mail-Verkehrs post mortem?, sui generis 2021, pp. 321 ff., available at https://doi.org/10.21257/sg.196, accessed on 17.10.2023.
Bonnici Jeanne Pia Mifsud et al., The European Legal Framework on Electronic Evidence: Complex and in Need of Reform, in: Biasiotti Maria Angela/Bonnici Jeanne Pia Mifsud/Cannataci Joe/Turchi Fabrizio (eds.), Handling and Exchanging Electronic Evidence Across Europe, 2018, pp. 189 ff., available at https://link.springer.com/chapter/10.1007/978-3-319-74872-6_11, accessed on 17.10.2023.
Bottinelli Nicolas, L’obtention par l’autorité pénale des données informatiques situées à l’étranger, AJP 2016, pp. 1327 ff.
Brodowski Dominik, Der «Grundsatz der Verfügbarkeit» von Daten zwischen Staat und Unternehmen, ZIS 8-9/2012, pp. 474 ff., available at https://zis-online.com/dat/artikel/2012_8-9_703.pdf, accessed on 17.10.2023.
Brodowski Dominik/Eisenmenger Florian, Zugriff auf Cloud-Speicher und Internetdienste durch Ermittlungsbehörden, Sachliche und zeitliche Reichweite der «kleinen Online-Durchsuchung» nach § 110 Abs. 3 StPO, ZD 2014, pp. 119 ff.
Burgermeister Daniel, Beweiserhebung in der Cloud, Luzern 2015, available at https://www.unilu.ch/fileadmin/fakultaeten/rf/institute/staak/MAS_Forensics/dok/Masterarbeiten_MAS_5/Burgermeister_Daniel.pdf, accessed on 17.10.2023.
Capus Nadja, Strafrecht und Souveränität: Das Erfordernis der beidseitigen Strafbarkeit in der internationalen Rechtshilfe in Strafsachen, Basel 2010.
Cartner Anna/Schweingruber Sandra, Strafbehörden dürfen googeln, AJP 2021, pp. 990 ff.
De Busser Els, Open Source Data and Criminal Investigations: Anything You Publish Can and Will Be Used Against You, Groningen Journal of International Law 2/2 (2014): Privacy in International Law, pp. 90 ff., available at https://www.researchgate.net/publication/328962642_Open_Source_Data_and_Criminal_Investigations_Anything_You_Publish_Can_and_Will_Be_Used_Against_You, accessed on 17.10.2023.
Dombrowski Nadine, Extraterritoriale Strafrechtsanwendung im Internet, Potsdam 2011/2012.
Donatsch Andreas/Lieber Viktor/Summers Sarah/Wohlers Wolfgang (eds.), Schulthess Kommentar zur Schweizerischen Strafprozessordnung, 3rd ed., Zürich 2020 (cited as SK-author, Art. … StPO N. …).
Eckert Martin, Digitale Daten als Wirtschaftsgut: digitale Daten als Sache, SJZ 112 (2016), pp. 245 ff.
Forster Marc, Marksteine der Bundesgerichtspraxis zur strafprozessualen Überwachung des digitalen Fernmeldeverkehrs, in: Gschwend Lukas/Hettich Peter/Müller-Chen Markus/Schindler Benjamin/Wildhaber Isabelle (eds.), Recht im digitalen Zeitalter, Festgabe Schweizerischer Juristentag 2015 in St. Gallen, Zürich/St. Gallen 2015, pp. 613 ff.
Fröhlich-Bleuler Gianni, Eigentum an Daten?, Jusletter 6.3.2017.
Geiser Thomas/Wolf Stephan (eds.), Basler Kommentar zum Zivilgesetzbuch II, Art. 457-977 ZGB, Art. 1-61 SchlT ZGB, 7th ed., Basel 2023 (cited as BSK-author, Art. ... ZGB N. …).
Gercke Björn, Straftaten und Strafverfolgung im Internet, GA 2012, pp. 474 ff.
Glassey Ludwiczak Maria, Mesures de surveillance suisses et résultats obtenus à l’étranger, Remarques à propos de l’ATF 146 IV 36, forumpoenale 5 (2020), pp. 410 ff.
Gless Sabine, Beweisverbote in Fällen mit Auslandsbezug, JR 2008, pp. 317 ff.
Graf Damian K. (ed.), Annotierter Kommentar zum Schweizerischen Strafgesetzbuch, Bern 2020 (cited as AK-author, Art. … StGB N. …).
Graf Damian K., Praxishandbuch zur Siegelung, StPO inklusive revidierter Bestimmungen – VStrR – IRSG – MStP, Bern 2022 (cited as Praxishandbuch).
Graf Damian K., Strafverfolgung 2.0: Direkter Zugriff auf im Ausland gespeicherte Daten?, Jusletter IT 21.9.2017 (cited as Strafverfolgung 2.0).
Graf Jürgen-Peter (ed.), BeckOK StPO mit RiStBV und MiStra, 47th edition, München, as of 1.1.2023 (cited as BeckOK-author, § … StPO N. …).
Grassle Christian/Hiéramente Mayeul, Praxisprobleme bei der IT-Durchsuchung, CB 2019, pp. 191 ff.
Grave Carsten/Barth Christoph, Von «Dawn Raids» zu «eRaids», Zu den Befugnissen der Europäischen Kommission bei der Durchsuchung elektronischer Daten, EuZW 2013, pp. 360 ff.
Hansjakob Thomas, Die Erhebung von Daten des Internetverkehrs – Bemerkungen zu BGer 6B_656/2015 vom 16.12.2016, forumpoenale 4 (2017), pp. 252 ff.
Heimgartner Stefan, Die internationale Dimension von Internetstraffällen, in: Schwarzenegger Christian/Arter Oliver/Jörg Florian (eds.), Internet-Recht und Strafrecht, Bern 2005, pp. 117 ff. (cited as Internationale Dimension).
Heimgartner Stefan, Strafprozessuale Beschlagnahme, Wesen, Arten und Wirkungen, Zürich 2011 (cited as Strafprozessuale Beschlagnahme).
Hess-Odoni Urs, Die Herrschaftsrechte an Daten, Jusletter 17.5.2004.
Hiatt Keith, Open Source Evidence on Trial, 125 Yale Law Journal Forum (2016), pp. 323 ff., available at https://www.yalelawjournal.org/pdf/Hiatt_PDF_zxz3ufoz.pdf, accessed on 17.10.2023.
Hürlimann Daniel/Zech Herbert, Rechte an Daten, sui-generis 2016, pp. 89 ff., available at https://doi.org/10.21257/sg.27, accessed on 17.10.2023.
Karagiannis Christos/Vergidis Kostas, Digital Evidence and Cloud Forensics: Contemporary Legal Challenges and the Power of Disposal, Information 12 (2021), 181, pp. 1 ff., available at https://www.mdpi.com/2078-2489/12/5/181, accessed on 17.10.2023.
Knauer Christoph/Kudlich Hans/Schneider Hartmut (eds.), Münchener Kommentar zur Strafprozessordnung, Vol. 1: §§ 1-150 StPO, 2nd ed., München 2022 (cited as MK-author, § … StPO N. …).
Kohler Patrick, Rechte an Sachdaten, sic! 2020, pp. 412 ff.
Largiadèr Albert, Vorladungen ins Ausland nur Einladungen?, forumpoenale 5 (2014), pp. 293 f.
Marberth-Kubicki Annette, in: Auer-Reinsdorff Astrid/Conrad Isabell (eds.), Handbuch IT- und Datenschutzrecht, 2nd ed., München 2016.
Moreillon Laurent/Parein-Reymond Aude, Petit commentaire du Code de procédure pénale, 2nd ed., Basel 2016.
Niggli Marcel Alexander/Wiprächtiger Hans (eds.), Basler Kommentar zum Strafrecht II, 4th ed., Basel 2019 (cited as BSK-author, Art. … StGB N. …).
Niggli Marcel Alexander/Heer Marianne/Wiprächtiger Hans (eds.), Basler Kommentar zur Strafprozessordnung/Jugendstrafprozessordnung, 3rd ed., Basel 2023 (cited as BSK-author, Art. … StPO N. …).
Obenhaus Nils, Cloud Computing als neue Herausforderung für Strafverfolgungsbehörden und Rechtsanwaltschaft, NJW 2010, pp. 651 ff.
Osula Anna-Maria, Remote search and seizure in domestic criminal procedure: Estonian case study, International Journal of Law and Information Technology 24 (2016), pp. 343 ff.
Pfeffer Kristin, Die Regulierung des (grenzüberschreitenden) Zugangs zu elektronischen Beweismitteln, available at https://eucrim.eu/articles/die-regulierung-des-grenzuberschreitenden-zugangs-zu-elektronischen-beweismitteln/, accessed on 17.10.2023.
Riedi Claudio, Auslandsbeweise und ihre Verwertung im schweizerischen Strafverfahren, Zürich 2018.
Roth Simon, Die grenzüberschreitende Edition von IP-Adressen und Bestandesdaten im Strafprozess, Direkter Zugriff oder Rechtshilfe?, Jusletter 17.8.2015.
Ryser Dominic, «Computer Forensics», Eine neue Herausforderung für das Strafprozessrecht, in: Schwarzenegger Christian/Arter Oliver/Jörg Florian (eds.), Internet-Recht und Strafrecht, Bern 2005, pp. 553 ff.
Sampson Fraser, Intelligence evidence: Using open source intelligence (OSINT) in criminal proceedings, The Police Journal 90(1) 2017, pp. 55 ff.
Schmid Alain/Schmidt Kirsten Johanna/Zech Herbert (eds.), Rechte an Daten – zum Stand der Diskussion, sic! 11/2018, pp. 627 ff.
Schmid Niklaus, Strafprozessuale Fragen im Zusammenhang mit Computerdelikten und neuen Informationstechnologien im allgemeinen, ZStrR 111 (1993), pp. 81 ff.
Schomburg Wolfgang/Lagodny Otto (eds.), Internationale Rechtshilfe in Strafsachen, Beck’scher Kurz-Kommentar, 6th ed., München 2020 (cited as Schomburg/Lagodny-author).
Schweingruber Sandra, Cybercrime-Strafverfolgung im Konflikt mit dem Territorialitätsprinzip, Jusletter 10.11.2014.
Seger Alexander, «Grenzüberschreitender» Zugriff auf Daten im Rahmen der Budapest Konvention über Computerkriminalität, Praxisbericht zum Stand der Arbeiten des Europarats, Zeitschrift für öffentliches Recht 73 (2018), pp. 71 ff.
Seitz Nicolai, Transborder Search: A New Perspective in Law Enforcement?, Yale Journal of Law & Technology 2004-2005, pp. 24 ff., available at https://yjolt.org/transborder-search-new-perspective-law-enforcement, accessed on 17.10.2023.
Singelnstein Tobias, Möglichkeiten und Grenzen neuerer strafprozessualer Ermittlungsmassnahmen – Telekommunikation, Web 2.0, Datenbeschlagnahme, polizeiliche Datenverarbeitung & Co., NStZ 2012, pp. 593 ff.
Svantesson Dan, Preliminary Report: Law Enforcement Cross-Border Access to Data, 12.11.2016, available at https://ssrn.com/abstract=2874238, accessed on 17.10.2023.
Unseld Lea, Internationale Rechtshilfe im Steuerrecht, Akzessorische Rechtshilfe, Auslieferung und Vollstreckungshilfe bei Fiskaldelikten, Zürich 2011.
Velasco Cristos, Cybercrime jurisdiction: past, present, future, ERA Forum (2015) 16, pp. 331 ff., available at https://rm.coe.int/16806b8a7a, accessed on 17.10.2023.
Wabnitz Heinz-Bernd/Janovsky Thomas (eds.), Handbuch des Wirtschafts- und Steuerstrafrechts, 4th ed., München 2014 (cited as Wabnitz/Janovsky-author).
Walden Ian, Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent, Queen Mary School of Law Legal Studies Research Paper No. 7 (2011), available at https://papers.ssrn.com/abstract=1781067, accessed on 17.10.2023.
Walder Stephan, Grenzüberschreitende Datenerhebung: Ist und Soll, Kriminalistik 8-9/2019, pp. 540 ff.
Weber Amalie M., The Council of Europe’s Convention on Cybercrime, Berkeley Technology Law Journal 18 (2003), pp. 425 ff., available at https://lawcat.berkeley.edu/record/1118718, accessed on 17.10.2023.
Wicker Magda, Durchsuchung in der Cloud, Nutzung von Cloud-Speichern und der strafprozessuale Zugriff deutscher Ermittlungsbehörden, MMR 2013, pp. 765 ff.
Zerbes Ingeborg/El-Ghazi Mohamad, Zugriff auf Computer: Von der gegenständlichen zur virtuellen Durchsuchung, NStZ 2015, pp. 425 ff.
Materials
Botschaft des Bundesrates an die Bundesversammlung zu einem Bundesgesetz über internationale Rechtshilfe in Strafsachen und einem Bundesbeschluss über Vorbehalte zum Europäischen Auslieferungsübereinkommen of 8.3.1976, BBl 1976 II 444 ff., available at https://www.fedlex.admin.ch/eli/fga/1976/2_444_430_443/de, accessed on 17.10.2023.
Botschaft über die Genehmigung und die Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität of 18.6.2010, BBl 2010 4697 ff., available at https://www.fedlex.admin.ch/eli/fga/2010/813/de, accessed on 17.10.2023.
Botschaft zum Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs (BÜPF) of 27.2.2013, BBl 2013 2683 ff., available at https://www.fedlex.admin.ch/eli/fga/2013/512/de, accessed on 17.10.2023.
Botschaft zur Vereinheitlichung des Strafprozessrechts of 21.12.2005, BBl 2006 1085 ff., available at https://www.fedlex.admin.ch/eli/fga/2006/124/de, accessed on 17.10.2023.
Bundesamt für Justiz, Zusammenfassung der Ergebnisse des Vernehmlassungsverfahrens zum erläuternden Bericht und zum Vorentwurf über die Änderung des Schweizerischen Strafgesetzbuches und des Rechtshilfegesetzes, Genehmigung und Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität, Bern, 10.4.2010, available at https://www.bj.admin.ch/bj/de/home/sicherheit/gesetzgebung/archiv/cybercrime-europarat.html, accessed on 17.10.2023.
Europäische Union, Common Position of 27 May 1999 adopted by the Council on the basis of Article 34 of the Treaty on European Union, on negotiations relating to the Draft Convention on Cyber Crime held in the Council of Europe, Official Journal of the European Communities, L 142/1 of 5.6.1999, available at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1999:142:0001:0002:EN:PDF, accessed on 17.10.2023.
Europarat, Cybercrime Convention Committee (T-CY), The Budapest Convention on Cybercrime: benefits and impact in practice, Strassburg, 13.7.2020, available at https://rm.coe.int/t-cy-2020-16-bc-benefits-rep-provisional/16809ef6ac, accessed on 17.10.2023 (cited as T-CY, Benefits).
Europarat, Cybercrime Convention Committee (T-CY), T-CY Guidance Note # 3, Transborder access to data (Article 32), Strassburg, 3.12.2014, available at https://www.ccdcoe.org/uploads/2019/09/CoE-141203-Guidance-Note-on-Transbprder-access-to-data.pdf, accessed on 17.10.2023 (cited as T-CY Guidance Note # 3).
Europarat, Cybercrime Convention Committee (T-CY), Ad-hoc Sub-group on Jurisdiction and Transborder Access to Data, Transborder Access and jurisdiction: What are the options?, Strassburg, 6.12.2012, available at https://rm.coe.int/16802e79e8, accessed on 17.10.2023 (cited as T-CY, Transborder Access).
Europarat, Cybercrime Convention Committee (T-CY), T-CY Cloud Evidence Group, Criminal justice access to electronic evidence in the cloud: Recommendations for consideration by the T-CY, Final report, Strassburg, 16.9.2016, available at https://rm.coe.int/16806a495e, accessed on 17.10.2023 (cited as T-CY, Cloud).
Europarat, Cybercrime Convention Committee (T-CY), T-CY assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, Strassburg, 3.12.2014, available at https://rm.coe.int/16802e726c, accessed on 17.10.2023 (cited as T-CY, Assessment Report).
Europarat, Draft Explanatory Memorandum Regarding on Draft Recommendation No. R (95) Concerning Problems of Criminal Procedural Law Connected with Information Technology of 31.7.1995 (cited as Explanatory Memorandum).
Europarat, Economic Crime Division, Project on Cybercrime, Cloud Computing and cybercrime investigations: Territoriality vs. the power of disposal?, Discussion Paper, Strassburg, 31.8.2010, available at https://rm.coe.int/16802fa3df, accessed on 17.10.2023 (cited as Economic Crime Division).
Europarat, Explanatory Report to the Convention on Cybercrime, Budapest, 23.11.2001, available at https://rm.coe.int/16800cce5b, accessed on 17.10.2023 (cited as Explanatory Report).
United Nations, Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes, Consolidated negotiating document on the general provisions and the provisions on criminalization and on procedural measures and law enforcement of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes of 21.1.2023, available at https://www.unodc.org/documents/Cybercrime/AdHocCommittee/4th_Session/Documents/CND_21.01.2023_-_Copy.pdf, accessed on 17.10.2023 (cited as United Nations, Consolidated Negotiating Document).
United Nations, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, Note by the Secretary-General of 24.6.2013, UN Doc A/68/98, available at https://documents-dds-ny.un.org/doc/UNDOC/GEN/N13/371/66/PDF/N1337166.pdf, accessed on 17.10.2023 (cited as Developments).
United Nations Office on Drugs and Crime (UNODC), Comprehensive Study on Cybercrime, Draft February 2013, available at https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf, accessed on 17.10.2023 (cited as UNODC).