Belgium - Octopus Cybercrime Community

Back Belgium

Status regarding Budapest Convention

Status : Party Declarations and reservations : declarations regarding articles 2, 7 (interpretations of these articles), 24, 27 and 35 (designation of responsible authorities). Reservations regarding articles 22.1.c. and 22.1.d. See legal profile

Cybercrime policies/strategies

Belgium introduced for the first time in 2000 a specific law on cybercrime. In 2012, the government established a cyber-strategy to meet the growing threat of cybercrime in the country. This strategy aimed to target a secure and reliable cyberspace that respects the values and rights of a modern society; to ensure optimal protection against cyber- threat of public systems and critical infrastructures; develop national cybersecurity capabilities for independent security policy and a suitable response to security incidents. This strategy, which promotes a centralized and integrated approach with the cooperation of all stakeholders, lays the foundation for a legal framework. Following this strategy, a Centre for Cybersecurity Belgium (or CCB) was established (the Royal decree of 10 October 2014 formalizing its creation was published in the Belgian Official Gazette of 21 November 2014). This Centre oversees online security in the country and educate users. It is in charge of the service management of the Computer Emergency Response Team (CERT) responsible for detecting, observing and analysing online security issues (previously under the responsibility of the Ministry in charge of Information and Communication technology). In January 2015, another organization, the Cybersecurity Coalition was created, with over 80 actors from the academic world, public and private sector for the fight against cybercrime. Its mission is to bolster Belgium’s cyber security resilience by building a strong cyber security ecosystem at national level, by bringing together the skills and expertise of the academic world, the private sector and public authorities on a trust-based platform aimed at fostering information exchange and implementing joint actions. The coalition focuses on four strategic domains: experience sharing, operational collaboration within a trusted community, policies recommendations and awareness raising campaigns.

Cybercrime legislation

State of cybercrime legislation

Prior to the Law of 28 November 2000 on computer crime, Belgium did not have any specific legislation for the criminalization of computer offenses. The general provisions of the Criminal Code were used to prosecute those kind of offenses.

Both substantive and procedural criminal law framework of Belgium, as amended several times since adoption of the Law of 28 November 2000 on Computer Crime, with most recently amendments to the Criminal Procedure Code in 2016, are fully in line with the Convention requirements.

Substantive law

The law of 28 November 2000 on computer crime includes a series of provisions designed to fight against computer crime. The Penal Code introduces four new offenses for this purpose: forgery in the computer field (Article 210bis Penal Code), computer fraud (Article504ter PC), piracy/hacking (Article 550bis PC) and illegal data and system interference (article 550 ter.). Articles 550bis and 550ter of the Penal Code also covers the use of cyberspace for terrorist purposes.

These are in addition to previously identified general offenses that may be committed using computer systems or networks including child pornography (art. 383bis Penal Code), racism (Law of 30 July 1981), holocaust denial (Law of 23 March 1995), scamming (art. 496 Penal Code), and certain violations of intellectual property rights.

Procedural law

The law of 28 November 2000 on computer crime modifies the Code of Criminal Procedure to allow the judiciary to better operate in the organization of the instruction by introducing the seizure of electronic data and networks search. Since 2000, there have been several amendments to the provisions that were introduced by the 2000 Law, and also new provisions have been introduced. Most recently, the law of 25 December 2016 has introduced specific articles on expedited preservation and partial disclosure of traffic data. The network search has also been modified to include remote and secret searches in electronic networks, and a provision on online undercover methods was introduced.

The Law of 29 May 2016 on the retention of data in the electronic communications sector compels providers of electronic communication services to retain, during a specified period, subscriber, traffic and location data. This law is actually under review by the Constitutional Court.

Safeguards

Guarantees to fundamental civil rights are provided for by the Belgian Constitution. All Belgians are equal before the law. No citizen shall be deprived of his liberty without the order of a judge. Regarding the retention of electronic communications data, access to these data is strictly limited and depends on the seriousness of the offense (proportionality). Providers must guarantee that data are retained in a safe and secure manner, that, to be able to reply to the requests of judicial authorities; only members of its Coordination Cell are able to access the data, and that the use of these data can be held in a log that is accessible by the Belgian Institute for Postal services and Telecommunication Services (BIPT) and the Data Protection Authority.

Related laws and regulations

Law of 28 November 2000 on computer crime
Law of 15 May 2006 modifying the articles 259bis, 314bis, 504quater, 550bis and 550ter of the Criminal Code.
Law of 29 May 2016 on the retention of data in the electronic communications sector.
Law of 25 December 2016 containing several modifications of the Criminal Code and the Criminal Procedure Code with the aim to improve the special investigation methods and several other methods concerning the Internet and electronic communications.
Law of 13 April 1995 containing provisions to combat trafficking in human beings and child pornography
The Code of Economic Law of 23 February 2013
Law of 7 May 1999 on gambling games.
Law of 30 July 1981 on the punishment of racism and xenophobia.
Law of 23 March 1995 on the punishment on the denying, minimizing, justifying or approving of the genocide committed by the German National Socialist regime during the Second World War.

Specialised institutions

Centre for Cybersecurity Belgium (CCB)
Cybersecurity Coalition
Federal Computer Crime Unit (FCCU): police specialized in the analysis of computer and telecommunication systems.
Federal Cyber Emergency Team CERT .be is the first Belgian contact point when it comes to dealing with threats and vulnerabilities of cybersecurity affecting Belgian interests. Professionals in information technology and communication (ICT) can go to CERT.be for free and confidentially for cyber-incident reports (pirated data and network infrastructures, phishing, cyber-attacks, etc.) . CERT.be also gives advice to citizens and businesses on how to use the internet safely.
Safeonweb: Safeonweb wants to quickly and accurately inform Belgian citizens and advise on cyber security high-end digital threats and online security.
Office for Criminal policy within the Ministry of Justice.
BOSA/Digital Administration: as a federal public service, BOSA defines and implements the federal e-government strategy. It uses innovative information and communication technology (ICT) to help the various federal public services to improve their service portfolios and tailor them to meet the needs of the general public, businesses and civil servants.
The Belgian Institute for Postal Services and Telecommunications (BIPT) oversees both the postal sector and the telecommunications sector, now called electronic communications. The BIPT perform tasks of economic regulation, technical organization and compliance with regulatory frameworks. The BIPT is involved in the safety of public networks and publicly accessible electronic communications services.
The State Security department. The State Security department is the civilian and security intelligence service of Belgium. Its functions include the protection of fundamental rights and state interests. The State Security department assists belgian businesses in their protection against cyber-attacks.
Febelfin: Febelfin, the Belgian financial sector federation, assist its 268 members in the fight against cybercrime through information sharing and cooperation with all stakeholders involved. Febelfin has a dedicated website, www.safeinternetbanking.be, and launched several campaigns regarding the security of internet banking with “shocking” videos
The Data Protection Authority: the Data Protection Authority (DPA) is an independent body ensuring the protection of privacy when personal data are processed. The DPA is the successor of the Commission for the protection of privacy as of 25/05/2018 and was established by the Belgian Federal House of Representatives with the Act of 3 December 2017 establishing the Data Protection Authority.

International cooperation

Competent authorities and channels

Belgium, as a member of the European Union and the Council of Europe, signed most of the treaties and conventions on international judicial cooperation. The Belgian police cooperates with other European and international judicial and police forces within Europol, Eurojust and Interpol. Moreover, Cert.be cooperates with other CERT teams globally through the Forum of Incident Response and Security Teams (FIRST) network.

Competent authorities and channels:

The Office for International Collaboration of the Ministry of Justice
The Federal Prosecution Office
Federal Computer Crime Unit (FCCU)
The Federal Cyber Emergency Team CERT.be

Jurisprudence/case law

Order of the Court of First Instance of Bruges (21 April 2004). The use of spoofing techniques to misuse a specified email address that we can no longer dispose after a contract is deemed illegitimate and constitutes a breach of contract.
Judgment of the Criminal Court of Hasselt – 15th Chamber (21 January 2004). In assessing the qualification of hacking into a computer system for which it has no access authorization, no good intentions of the attacker nor the system protection should be considered.
Judgment of the Court of First Instance of Furnes (13 August 2004). The abusive registration of domain names should not be seen as freedom of expression.
Judgment of the Criminal Court of Eupen – 4th Chamber (15 December 2003). The use of software to access or remain in a computer system knowing that it is not allowed can be considered as a hacking attempt.
Decision of the Court of Appeal of Antwerp (7th October 2003). The accused in this case operated since February 2000 the illegalwebs.com website. The applicants could obtain, in exchange of payment, a password that enabled them to add hyperlinks on this website. All hyperlinks linked to pages with child pornography content. In its decision, the Court merely states that the comparison with an Internet access provider was not valid, precisely because the accused intended to a specific unlawful topic, i.e. child pornography images.
Judgment of the Criminal Court of Liege – 12th Chamber (18 November 2002). False data used on the Internet, either to create an Internet account or to write messages on a discussion forum, are considered as written documents as soon as they can be transposed on written materials.
Decision of the Criminal Court of Ghent – 19th Chamber (11 December 2000). The user name, the password and the pin codes are telecommunications data in the meaning of art. 109ter D, 3° of the law of 21 March 1991 relating the reform of certain economic public companies. To benefit from this law, it is only required that, in terms of accessibility of data, these data are not intended for the general public. It is not important to know whether these data are easily accessible from a technical point of view. Neither the intentional knowledge of telecommunications data related to another person, nor the disclosure of these data require a special intention.
Yahoo case: Court of Cassation 1 December 2015: the Court confirmed the conviction of Yahoo for having refused to collaborate with Belgian judicial authorities concerning a request for subscriber data. Yahoo was considered to offer its services on Belgian territory and is therefore obliged to collaborate in judicial requests.
Skype case: Court of Cassation 19 February 2019: the Court confirmed the conviction of Skype for having refused to collaborate with Belgian judicial authorities concerning a request for communication interception. Again, Skype was considered to offer its services on Belgian territory and is therefore obliged to collaborate in judicial requests. In this case, Skype argued that it was technically impossible to grant the police access to the communication. This argument was not accepted. When offering communication services in the Belgian territory, service providers need to be capable of collaborating with the judicial authorities.