Octopus Cybercrime Community

Current legal framework in the area of cyber security and cyber crime is fully in line with the Budapest Convention, as well as with other EU and international requirements.

The Criminal Code of Lithuania provides an exhaustive substantive law framework, addressing all offences provided by the Budapest Convention.

Criminal liability for cyber-related offences as defined in the Budapest Convention, is set out in the Criminal Code of the Republic of Lithuania. Relevant offences have already been criminalised in the initial edition of the Code that was adopted on May 1, 2003. However, to fully comply with the provisions of the Budapest Convention, the Code was supplemented on January 29, 2004.

Relevant provisions of the Code criminalize offences against the confidentiality, integrity and availability of computer data and systems, computer-related offences, content-related offences, offences related to infringements of copyright and related rights.

All cyber offences set out in the Code are crimes of intent, meaning that the Code does not impose criminal liability for cybercrime-related acts committed through recklessness. However, the Code does set out liability for attempt and for aiding or abetting.

Also, to fully comply with the requirements of the Budapest Convention, the Criminal Code provides for a corporate liability. Legal person is liable for criminal offences committed by a natural person in a managerial position, provided that the offence was committed for the benefit or in the interests of the legal person.

For more information on the criminalized offences, please see Country legal profile.

Procedural measures as defined in Section 2 of the Budapest Convention are set out in the Law on Criminal Intelligence and the Code of Criminal Procedure of the Republic of Lithuania. Some relevant provisions, including the ones required for expedited preservation of electronic data, are also set out in other laws: Law on Electronic Communications, Law on Cyber Security, Police Law.

For more information on available procedural measures, please see Country legal profile.

While fighting cybercrime, Lithuanian competent authorities act in accordance with the Constitution of the Republic of Lithuania and related legal acts.

Section II of the Constitution of the Republic of Lithuania (‘the Constitution‘) establishes the provisions on immunity of the individual‘s private life; immunity of personal correspondence, telephone conversations, telegraph messages and other communications; collecting of information on the individual‘s private life only by a reasoned court decision and only according to the law; protection of the individual, by the law and the courts, against arbitrary or unlawful interference with his private and family life and against encroachment upon his honour and dignity.

Article 44 ‘Protection of the Rights of the Individual in Criminal Proceedings’ of the Code of Criminal Procedure of the Republic of Lithuania establishes that every person has the right to respect of his and his family‘s private life, to immunity of his living place, and to secrecy of his personal correspondence, telephone conversations, telegraph messages and other communications. Such rights of the individual may be restricted during criminal proceedings in the cases and according to the procedures set out in Code of Criminal Procedure of the Republic of Lithuania (‘CCP’). Article 11 of CCP establishes that procedural coercive measures may be applied only in those cases where the purposes of the proceedings would not be achieved without them. Application of any procedural force must be discontinued immediately as soon as it becomes unnecessary. Using violence, threatening and taking any actions that degrade human dignity and are detrimental to health is prohibited in the application of the procedural coercive measures and performance of the statutory investigation actions. Use of physical force is allowed only to the extent to which it is required in order to remove obstacles to the performance of procedural actions.

In the process of investigation of cybercrime, any criminal intelligence and pre-trial investigation actions are taken only after assessing the need for them, and human rights and freedoms are restricted only to the extent permitted by the law and to the extent necessary for the purposes of investigation of the criminal act.

Article 5 of the Law on Criminal Intelligence of the Republic of Lithuania establishes that the human rights and freedoms shall not be violated in the criminal intelligence process. Individual restrictions of these rights and freedoms may only be applied according to the procedure established by the law, in order to protect the rights and freedoms or property of another individual, or public security, or security of the State. In case of violation of human rights and freedoms, a criminal intelligence entity must restore the infringed rights and indemnify for the damage according to the procedure prescribed by the law.

SDPI is responsible for the implementation of the cyber security policy in the personal data protection area. According to Article 11 of the Law on Cyber Security, in the process of implementation of the cyber security policy, SPDI, acting within the scope of its competence, 1) carries out checks of legal persons according to the procedure established by legal acts where a risk that cyber incidents can affect personal data protection exists; 2) provides to the public and stakeholders information on risks and threats of cyber security related to the personal data protection; 3) establishes procedures for the provision of information on cyber incidents related to violations of personal data security for the public administration entities managing the public information resources, the managers of critical information infrastructure, public communications networks and/or public electronic communications service providers, and electronic information hosting service providers, and on the incident response measures implemented; 4) collects, analyses and evaluated information on cyber incidents related to violations of personal data security and on the incident response measures implemented; 5) checks the lawfulness of personal data processing and makes decisions on violations of personal data processing in cyber space; and 6) performs other functions in the cyber security area, established in the legal acts of the Republic of Lithuania.

According to Article 62 of the Law on Electronic Communications of the Republic of Lithuania, undertakings providing public electronic communications services must take appropriate organisational and technical measures to ensure security of their services, if necessary in conjunction with providers of public communications networks in order to ensure security of public communications networks.

A public communications network and/or public electronic communications service provider must immediately notify any violation of personal data security to SDPI. In case if the violation of personal data security can potentially have a negative impact on the security of personal data or privacy of a subscriber or a registered electronic communications service user or another person, the public communications network and/or public electronic communications service provider must also inform such subscriber or registered electronic communications service user or another person, except for cases where the service provider proves to the Inspectorate that it has implemented appropriate technical measures applicable to the personal data affected by the security violation. Such measures must ensure that unauthorised persons would not have access to personal data.

SDPI exercises supervision, according to the procedures prescribed by the laws and other legal acts, over the implementation of the appropriate organisational and technical measures by public communications network and/or public electronic communications service providers; whether such providers duly discharge their duty to report violations of personal data security.

Furthermore, SDPI provides information to the public, starting from school pupils, in order to increase public awareness of the protection of personal data and privacy, online security, potential threats in cyber space, and protection measures (by organising conferences and the European Data Protection Day events for target audiences, preparing methodological guidance and press releases on data protection and privacy protection issues).

It should be noted that the personal data processing in the mass media is supervised by the Inspector of Journalist Ethics in accordance with Article 8 of the Law on Legal Protection of Personal Data of the Republic of Lithuania.

List of relevant national legislation:

• Constitution of the Republic of Lithuania
• Criminal Code
• Code of Criminal Procedure
• Law on Criminal Intelligence
• Police Law
• Law on Electronic Communications
• Law on e-Money and e-Money entities
• Law on e-Signature
• Law on Information of Public
• Law on Protection of Minors from Negative Effect of Public Information
• Law on Information Society Services

For MLA requests:

According to Art 66 of the Code on Criminal Procedure, Lithuanian courts and prosecutor's offices  send and receive mutual legal assistance requests via the Ministry of Justice of the Republic of Lithuania or the Prosecutor General's Office. Also, MLA requests may be sent / received via the Lithuanian member at Eurojust.

For data preservation and consultations:

In line with Art 35 of the Budapest Convention, Lithuania has a 24/7 Point of Contact. Its functions are implemented by the Lithuanian Criminal Police Bureau.

As a legal basis for international cooperation in cyber criminal cases, Lithuania applies the following legal framework:

• Convention on Mutual Legal Assistance in Criminal Matters between EU Member States and its Additional Protocol of 2001
• Bilateral and multilateral agreements on mutual legal assistance in criminal matters. Valid agreements with: Armenia, Azerbaijan, China, Russia, Belarus, Ukraine, Moldova, Uzbekistan, Kazakhstan, USA.

On a national level, mutual legal assistance is regulated by the Code of Criminal Procedure. Section IV of the Code sets out procedures and requirements for international cooperation between Lithuanian and foreign competent authorities, including courts and prosecutors.