International Journal on Criminology Volume 7, Number 1, Winter 2019/2020 | Page 24
For a More Effective Fight against Cybercrime
tection of personal data. Service providers and persons whose data are requested
will enjoy several safeguards, including scope for the service provider to request
a review if, for example, the order constitutes a clear violation of the Charter of
Fundamental Rights of the European Union.
Service providers will be obliged to appoint a legal representative in the EU.
So that all service providers that offer their services in the EU are subject to the
same obligations, even if their headquarters are located in a third country, the new
rules require them to appoint a legal representative in the EU to receive, comply
with, and execute decisions and orders issued by the member states’ competent
authorities for the purposes of gathering evidence in criminal matters.
Institutional Actors’ Competence
Judicial police officers are becoming specialized, as are customs agents, and judges
will gradually have to follow this path too. The creation in September 2014 of Section
F1 of the Paris prosecutor’s office, which specializes in cybercrime, and the
recent concurrent domestic jurisdiction 13 of the Paris courts in relation to computer
hacking (attacks on automated data-processing systems) facilitate coordination
in the handling of cybercrime. 14 It therefore appears that concurrent competence
over attacks on automated data-processing systems can be understood
based on several objective criteria, some of which are cumulative: the plurality of
perpetrators or victims; the technicality of the means employed or the operating
methods adopted (the “Mirai” case; “black box” attacks targeting ATMs; cybercriminal
forums on a darknet, and so on); the national or transnational dimension
of the facts or infrastructure (requests for international mutual legal assistance in
criminal matters made to China and Russia are frequent in this area; coordination
required in connection with Europol, Eurojust, and Interpol); the nature of
the victims of the cyberattack (automated data-processing systems implemented
by a state, but also by operators of vital importance, or computer systems linked
to high-profile individuals). The competent investigation service is frequently the
French General Directorate for Internal Security (DGSI), sometimes with the benefit
of technical expertise from the National Cybersecurity Agency (ANSSI).
However, staff levels are still insufficient, and training for judges and
prosecutors in charge of these “cyberproceedings” should be mandatory.
Moreover, it should not be forgotten that, in 2020, the European Public
Prosecutor's Office 15 will be a reality, paving the way for enhanced cooperation,
under which twenty states (soon to be twenty-one, with the Netherlands joining
the agreement this summer) have committed to concede some of their sovereignty
13 Law of June 3, 2016.
14 For example, on the handling of ransomware (DACG report of May 10, 2017, no. 2017/0058/
MI2C).
15 “Parquet européen: c'est parti!,” special report, AJ pénal (2018): 275.
19