Bruno Calabrich (Public Prosecutor (Brazil) | PhD candidate at the University of Brasília (UnB).)

▪           

Cybercrime is a growing issue in today’s digital age, with criminals taking advantage of the interconnectedness and dependency on technology for personal and organizational activities. Cybercrime is not a new problem and has been addressed by the Council of Europe with the Budapest Convention on Cybercrime in 2001, which entered into force in 2004 after ratification by five Council member countries. This international treaty was conceived to serve as a framework for nations to coordinate and cooperate in the investigation, prosecution, and prevention of cybercrime. As highlighted in its preamble, the Convention recognizes the crucial importance of establishing common criminal law and criminal procedural law in order to facilitate “detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation”.^[1] Chang and Grabosky point out that “the Budapest Convention is the first and only international convention to encourage harmonization of cyber laws and regulations, and to build cooperation among nations in controlling cybercrime”.^[2] In its core fundamentals, Member States commit to work together to provide quick and effective responses to cyber-attacks, exchange information on emerging threat trends and assist each other in investigating cross-border criminal activities.

Brazil, as a leading South American country in terms of technological advances and digital economy, has also recognised the importance of addressing these issues. Indeed, after a long period in which little importance was given to the topic (particularly when compared to the European tradition), Brazilian legislation has shown significant advances in several matters related to digital law, cybercrime and personal data protection in recent years. Its main normative milestones are Federal Statute No. 12.737/2012,^[3] which “establishes the criminal typification of cybercrimes” – also known as the “Carolina Dieckman Act” –, Federal Statute No. 12.965/2014^[4] – the Brazilian Internet Civil Rights Framework –, and Federal Statute No. 13.709/2018^[5] – the Brazilian General Data Protection Act (“Lei Geral de Proteção de Dados Pessoais”, or LGPD). In Brazilian Courts, there have also been important decisions, such as the ruling by the Federal Supreme Court (STF) on ADC (“Ação Direta de Constitucionalidade”, a declaratory lawsuit of constitutionality of federal laws or normative acts) no. 51,^[6] in February 2023, which confirmed the validity of court orders issued in the interest of criminal investigations for technology companies running internet applications in Brazil, even when the requested data is stored on servers located abroad. Prior to that, in May 2020, the STF, in the judgment of ADI (“Ação Direta de Inconstitucionalidade”, a direct lawsuit of unconstitutionality of federal or state laws or normative acts), no. 6387 MC-Ref/DF, recognized for the first time the protection of personal data as an autonomous fundamental right, not explicitly stated, but inferred from an integrated reading of several provisions of the Brazilian Constitution.^[7] This decision prepared the grounds for the enactment of Constitutional Amendment no. 115/22, in February 2022, which expressly included the protection of personal data in the wording of the Constitution among the fundamental rights and guarantees.^[8]