Law approving the convention on cybercrime and its additional protocol on xenophobia and racism

The law approving the Convention on cybercrime signed in Budapest on 23 November 2001 and its additional protocol on xenophobia and racism signed in Strasbourg on 28 January 2003 was voted into law by the Luxembourg parliament on 4 June 2014 (the "Law"). The Law will be enacted and published in the Mémorial (the official gazette) within the following weeks, after which it will become effective.

In addition to approving the Budapest Convention and its protocol, the Law adapts national substantive and procedural criminal law to the specific needs of combating cybercrime.

The Law introduces certain new criminal offences into the Penal Code, including in particular:

  • the misuse of identity, regardless of whether it occurs in the real world or on online communications networks, as long as the offence is committed either in public or with the intent to harm a third party in one way or another;
  • "phishing", meaning the manoeuvre of fraudulently obtaining information (such as passwords) by appearing as a trustworthy person in an electronic communication, in order to commit other criminal offences;
  • illegal interception of computer data, supplementing the legal instrument of computer-related crimes, which includes the illegal access to computer data, the illegal hacking of computer data and the illegal deletion of computer data.

The Law also amends the Criminal Procedure Code in order to meet the requirements of the Convention relating to the prompt preservation of stored computer data and traffic data. For that purpose, new procedural provisions are introduced in the Criminal Procedure Code extending, in particular, the powers of:

  • the State prosecutor, who may require the investigating judge to carry out the tracking of call information of electronic communications and to locate the origin or destination of the communication without any preliminary hearing;
  • the investigating officer, who may, with the authorization of the public prosecutor or the investigating judge, preserve stored computer data for a period of 90 days where there are grounds to believe that such data is particularly vulnerable to loss or modification.