- I. General information
- II. Legally protected property
- III. Basic constituent elements
- IV. Optional additional constituent element
- V. Comparison with Swiss law
- Bibliography
- Materials
I. General information
1 Over the past twenty years, society as a whole has made the transition to a digital world. A large proportion of commerce is conducted online, financial transactions are carried out via e-banking, and authorities, companies and private individuals store large quantities of information on personal computers, servers or even clouds. Despite the scale of change already achieved, this evolution seems far from over. Indeed, it is highly likely that society will continue to become even more digitalized in the decades to come.
2 Digital documents are gradually replacing paper documents. In line with this trend, more and more documents are in electronic format.
3 In view of the growing importance of computer data in the digital world, it was justified to protect them against malicious acts. While art. 2 and 3 CCC protect data confidentiality, art. 4 CCC aims to ensure data integrity and availability.
II. Legally protected property
4 The purpose of art. 4 CCC is to provide computer data and programs with protection similar to that afforded to tangible property against intentional damage. The legal interests protected by this provision are, on the one hand, the integrity of data and computer programs and, on the other, the proper functioning or use of data and computer programs.
III. Basic constituent elements
A. Computer data
5 According to art. 1 lit. b CCC, "the term 'computer data' means any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program designed to cause a computer system to perform a function". The notion of computer data is therefore very broad, encompassing in particular all letters, symbols or programming codes that can be entered, processed and stored by a computer system.
6 For further details on this concept, please refer to art. 1 CCC above.
B. Punishable conduct
7 For a computer system to function properly, the data it processes must be available and intact. In order to guarantee these two aspects, art. 4 CCC lists five punishable acts. The criminalization of the suppression and deletion of data is intended to protect data availability. The criminalization of damage, deterioration and alteration is designed to protect data integrity. This list of behaviors is exhaustive. It does, however, cover all possible harmful behaviors.
1. Deleting and erasing data
8 In computer terms, data is expressed in binary language as a succession of "0s" and "1s". This is the form in which data is processed and stored. When the user records data, the computer system saves the series of "0s" and "1s" corresponding to this data to an empty space on the recording medium (e.g. hard disk, DVD, USB stick, etc.). In order to be able to find this data when the user needs it again, the computer system has a kind of map which tells it where the data is located on the medium.
9 Data deletion involves destroying the means of locating the data. The data still exists, but the user can no longer determine its location on the medium and therefore can no longer access it. The computer system considers the space on the media to be free, and therefore saves the new data on top of the deleted data. The only way to recover deleted data is to use a data recovery program as quickly as possible. This program reads the entire media and reconstructs a map of the recording medium to locate the data. This enables data to be recovered before others are recorded over it.
10 Unlike deletion, data erasure is the definitive destruction of data. The data no longer exists on the storage medium. In principle, it can no longer be recovered.
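The difference between deletion and erasure described in paragraphs 8 to 10, as an added Python sketch that is not part of the original commentary. The toy medium, its names (`Medium`, `carve`, `demo`), the block size and the sample documents are all constructed for illustration, and a header/footer scan stands in for the recovery program.

```python
BLOCK = 16  # bytes per block on the toy medium (constructed value)

class Medium:
    def __init__(self, blocks=8):
        self.raw = bytearray(blocks * BLOCK)  # the stored "0s" and "1s"
        self.table = {}  # the "map": name -> (first block, length in bytes)

    def _find_free(self, needed):
        used = set()
        for start, length in self.table.values():
            used.update(range(start, start + -(-length // BLOCK)))
        run = 0
        for b in range(len(self.raw) // BLOCK):
            run = run + 1 if b not in used else 0
            if run == needed:
                return b - needed + 1
        raise OSError("medium full")

    def write(self, name, data):
        start = self._find_free(-(-len(data) // BLOCK))
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        self.table[name] = (start, len(data))

    def delete(self, name):
        # Deletion: only the map entry goes; the bytes stay on the medium.
        del self.table[name]

    def erase(self, name):
        # Erasure: the bytes themselves are overwritten with zeros.
        start, length = self.table.pop(name)
        self.raw[start * BLOCK:start * BLOCK + length] = bytes(length)

def carve(medium, header, footer):
    """Stand-in for a recovery program: scan the whole medium, ignore the map."""
    found, pos = [], 0
    while (begin := medium.raw.find(header, pos)) != -1:
        end = medium.raw.find(footer, begin + len(header))
        if end == -1:
            break
        found.append(bytes(medium.raw[begin:end + len(footer)]))
        pos = end + len(footer)
    return found

def demo():
    m = Medium()
    m.write("a.txt", b"<doc>contract v1</doc>")  # constructed sample data
    m.write("b.txt", b"<doc>ledger</doc>")
    m.delete("a.txt")
    after_delete = carve(m, b"<doc>", b"</doc>")     # a.txt still recoverable
    m.write("c.txt", b"<doc>new file!</doc>")        # reuses a.txt's "free" space
    after_overwrite = carve(m, b"<doc>", b"</doc>")  # a.txt is now gone
    m.erase("b.txt")
    after_erase = carve(m, b"<doc>", b"</doc>")      # b.txt left no trace
    return after_delete, after_overwrite, after_erase
```

Calling `demo()` returns the documents a scan can still find after each step: both files right after the deletion, only the new file and `b.txt` once the freed space has been reused, and only the new file after the erasure.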
2. Damage, deterioration and alteration of data
11 Data integrity is just as essential to the smooth operation of information systems as data availability. Its importance is so great that it is even the subject of an ISO standard. Data integrity refers to the reliability, accuracy and completeness of data. In other words, data whose integrity is guaranteed is data that has not been modified since it was first recorded. The notion of data integrity concerns both data content and data form.
12 In the real world, the notion of guaranteed data integrity can be compared to sending a parcel through the post, where it is certified that it really comes from the sender indicated on the parcel, that it was sent on the date and in the place indicated on the postmark, that the parcel has not been opened, that its contents are indeed those sent by the sender, and that nothing has been removed or added to the parcel after it has been sent.
13 In this context, data "damage" and "deterioration" are overlapping concepts. They describe a negative alteration of the form or content of data or programs. Damaged or deteriorated data is therefore no longer reliable, accurate or complete. It is no longer possible to be sure that they originate from the sender from whom they appear to originate, that they are in fact the data that was sent by the sender, and that no data has been deleted, added to or altered.
14 "Alteration" refers to the modification of existing data. This modification may concern both the form and content of the data. This is a very broad term, encompassing all actions carried out on data by which one or more elements are added, replaced or deleted.
3. Commission mode
15 The various types of behavior we have just examined can be committed directly by the perpetrator. However, it is also possible to use a bot to carry out these acts. This has the advantage that the perpetrator only has to give instructions once to the program, which then automatically repeats the requested actions as many times as necessary. It is to be feared that the development of artificial intelligence will make this task even simpler and more efficient in the future. WormGPT is undoubtedly the forerunner of a new form of infringement, as it enables content generated by artificial intelligence to be implemented in other IT systems, whereas the latter has until now been confined to an IT sandbox.
16 That said, even without using a bot, artificial intelligence already offers countless possibilities for modifying data. For example, it can easily be asked to rewrite a text by replacing one idea with another, or to modify an image by substituting one element with another. In future, therefore, it will become increasingly difficult to distinguish between genuine and modified data.
17 In the vast majority of cases, data breaches are achieved through punishable conduct. However, data breaches can also occur as a result of inadequate protection of the IT system. In our opinion, in such cases, there may be commission by omission on the part of the IT system administrator, since, by virtue of his function, he has a legal duty to act, and is therefore in a position of guarantor vis-à-vis the data owner.
C. Unlawfulness
18 To be punishable, the author must have acted without right. It is the rightful owner of the data who determines who is authorized to modify it. Anyone who has not been authorized to modify the data is therefore liable to prosecution. On the other hand, persons who have been expressly authorized by the rightful owner to modify the data, or who are authorized to do so by law or contract, are not liable to prosecution.
19 Nowadays, it is common for data to be modified by conclusive act. This is the case, for example, whenever messages are exchanged via instant messengers such as WhatsApp, Telegram or Threema. All these applications encrypt data before it is sent, and decrypt it when it is received. This is data modification. It is, however, lawful, firstly because it is accepted by users by means of a conclusive act and, secondly, because it ensures data confidentiality.
20 Another case of data modification by conclusive act is application updates. During an update, a new version of the program is installed in place of the old one. Existing data is erased, and new data is written and recorded on the storage medium. This process is lawful, provided that the user has the choice of whether or not to install the update. In our opinion, the application publisher who forces the user to install a new version of the application, failing which it becomes unusable, or the data unreadable, makes himself punishable.
21 With regard to acts authorized by law, certain national legislations contain exceptions to the data integrity guarantee. In particular, they allow prosecuting authorities or intelligence services to install govware in computer systems in order to monitor the activity of those using them, for example to discover the perpetrator of a crime or to obtain information useful for the protection of the state. The installation of such spyware is not illegal, as long as it is carried out within the strict framework laid down by law. However, surveillance may only be carried out in serious cases, and must be subject to subsequent judicial review.
22 The modification of data is also not unlawful where it has been contractually authorized. This applies in particular to the computer system administrator, who is responsible for maintenance. He is not punishable if he updates the programs installed in the computer system. On the other hand, he is punishable if he takes advantage of his status to delete or modify a user's data without his authorization.
23 Similarly, a computer specialist commissioned to carry out penetration tests on a computer system is not punishable if he modifies data to create a breach in the defences put in place to protect access to the computer system. On the other hand, a hacker who acts in the same way without authorization is punishable.
D. Intention
24 A breach of data integrity must be intentional. Intention must cover all the objective elements of the offence. The perpetrator must therefore be aware that he or she is unduly damaging data, and have the will to do so. Any intent on the part of the perpetrator is sufficient.
IV. Optional additional constituent element
25 Art. 4 § 2 CCC authorizes States parties to make a reservation and to prosecute only conduct that has caused serious harm.
26 The text does not define the notion of "serious harm". As for the explanatory report, it simply states that each State is free to interpret this notion as it wishes. However, the Parties have opted for the notion of "harm" rather than "damage". It is therefore clear that harm is not limited solely to the economic aspect. Harm can therefore also correspond to the work time required to recover or recreate the data, as well as to the consequences of the disappearance or impossibility of using the data.
27 The parties also specified that the damage must be serious. This adjective, in conjunction with the notion of prejudice, means that it must be of a certain magnitude. It is therefore conceivable that the damage must represent a substantial sum of money, a significant number of working hours or have serious consequences.
28 Azerbaijan, Lithuania, the Slovak Republic, Chile and the United States of America have made use of the possibility offered by art. 4 § 2 CCC. Azerbaijan, Lithuania, the Slovak Republic and the United States of America have clarified that in their domestic law, the notion of serious injury must be interpreted as having caused serious damage. The Slovak Penal Code has since been amended. Section 247 has been replaced by section 247b. In its simple form, the occurrence of serious harm is no longer required (§ 247b para. 1). On the other hand, the occurrence of serious harm has become a qualified form of the offence (§ 247b para. 2 lit. a). Chile, for its part, spoke of serious damage. It can thus be seen that, even if the letter of the Convention allows for a very broad interpretation, all the States that have availed themselves of the possibility offered by art. 4 § 2 CCC have limited the notion of harm to the economic aspect alone.
29 In this respect, it is interesting to note the original way in which Swiss law has dealt with the question of serious prejudice. Instead of limiting criminal prosecution to conduct that has caused serious harm, art. 144bis ch. 1 para. 2 of the Swiss Penal Code provides for a qualified form of prosecution when the harm caused by the perpetrator is considerable.
V. Comparison with Swiss law
30 In Swiss law, data interference (art. 4 CCC) has its counterpart in art. 144bis ch. 1 PC. The legal interests protected by these two standards are not strictly identical, however, since art. 4 CCC protects the integrity and proper functioning or use of stored data or computer programs, whereas art. 144bis ch. 1 PC protects the right to intact data. They are, however, very similar and overlap in their purpose.
31 As far as the conduct punishable under art. 4 CCC is concerned, it is all covered by art. 144bis ch. 1 PC. The concepts of "damage", "deterioration" and "alteration" in art. 4 CCC are covered by the term "modifies", which includes all forms of transformation. The concept of "erasure" referred to in the Convention, i.e. the definitive destruction of data, is identical in Swiss law. Finally, the "deletion" of data referred to in art. 4 CCC is covered by the term "puts out of use", which encompasses all forms of behaviour by which the rightful owner is prevented from making proper use of his or her data.
32 Lastly, art. 144bis ch. 1 of the Swiss Penal Code establishes an offence that can only be prosecuted on the basis of a complaint. However, when an offence is only prosecuted on the basis of a complaint, a criminal authority cannot take action itself. Since there is a conflict of opinion as to whether a complaint lodged in the requesting state is sufficient to implement international cooperation, it would be prudent to prosecute data deterioration ex officio in all cases, or else to lodge a declaration limiting prosecution to cases where the damage caused is considerable.
The technical IT concepts contained in this contribution were drafted with the help of Mr. Yannick Jacquey, ICT Manager with a federal diploma. Our warmest thanks to him.
Bibliography
Corboz Bernard, Les infractions en droit suisse, vol. I, 3rd ed., Bern 2010
Schmid Niklaus, Computer- sowie Check- und Kreditkartenkriminalität, Zurich 1994
Schwarzenegger Christian, Die internationale Harmonisierung des Computer- und Internetstrafrechts durch die Convention on Cybercrime, in: Strafrecht, Strafprozessrecht und Menschenrechte, Festschrift Trechsel, Zurich 2002
Trechsel Stefan / Crameri Dean, in: Trechsel Stefan / Pieth Mark (eds.), Schweizerisches Strafgesetzbuch, Praxiskommentar, 4th ed., Zurich 2021
Weissenberg Philippe, in: Niggli Marcel Alexander / Wiprächtiger Hans (eds.), Basler Kommentar, Strafrecht II, 4th ed., Basel 2018
Materials
Council of Europe, Explanatory Report to the Convention on Cybercrime, Budapest 23.11.2001, available at https://rm.coe.int/16800cce5b, accessed 21.1.2024 (cited as: Explanatory Report to the Convention on Cybercrime)