CYBERCRIME UNDER PORTUGUESE CRIMINAL LAW (PORTUGAL)

1. Legal Framework in Portugal

Cybercrime in Portugal is primarily governed by:

(A) Law No. 109/2009 (Cybercrime Law)

This law implements the Budapest Convention on Cybercrime and defines procedural + substantive cyber offences such as:

• Illegal access to computer systems
• Illegal interception of communications
• Data interference (alteration, deletion, suppression)
• System interference (DoS/DDoS attacks)
• Computer-related forgery
• Computer-related fraud
• Illegal acquisition of data

(B) Portuguese Criminal Code (Código Penal)

Several cyber-related crimes are also included in the Penal Code:

• Fraud (burla) – including burla informática (Art. 221 CP)
• Forgery – including falsidade informática (Art. 3 Law 109/2009 + CP forgery provisions)
• Child pornography (Art. 176 CP)
• Identity misuse and data-related crimes

(C) Procedural Rules

• Electronic evidence is regulated under special rules in Law 109/2009
• Judicial authorization is often required for:
  • email interception
  • data seizure
  • device search

2. Main Cybercrime Offences in Portugal

2.1 Illegal Access (Hacking)

• Unauthorized access to systems or accounts
• Punishable even if no damage occurs

2.2 Data Interference

• Deleting, modifying, or suppressing digital data

2.3 System Interference

• Attacks like DDoS that disrupt system functioning

2.4 Computer Forgery (Falsidade Informática)

• Creating or modifying digital data to produce false documents

2.5 Computer Fraud (Burla Informática)

• Using digital manipulation to obtain financial gain

2.6 Cyber-related Child Pornography

• Production, possession, or distribution of illegal content

3. CASE LAW (PORTUGAL) – IMPORTANT JURISPRUDENCE

Below are 6+ important Portuguese case laws (acórdãos) that interpret cybercrime provisions:

CASE 1: STJ – Pornography of Minors via Digital Files

Supremo Tribunal de Justiça (STJ), 2025

• Holding: Possession and import of child pornography files constitutes one aggravated crime, not multiple offences.
• Legal basis: Art. 176 CP + Art. 177 CP

👉 Key principle:

• Cyber possession = single continuing offence if unified intent exists.

📌 Importance:
Defines how digital storage of illegal content is legally classified as one offence rather than multiple downloads.
 

CASE 2: Coimbra Court – Falsidade Informática (Digital Forgery)

Tribunal da Relação de Coimbra (2025)

• Holding: Crime is completed when:
  • data is introduced/modified AND
  • results in non-genuine digital document

👉 Key principle:

• Crime is result-based, not just action-based.

📌 Importance:
Clarifies completion moment of cyber forgery.

CASE 3: STJ – Email and Digital Communications Seizure

Supreme Court jurisprudence (2023 guidance + rulings)

• Holding:
  • Seizure of emails requires judge authorization
  • Applies whether messages are “opened or unopened”

👉 Key principle:

• Strong judicial control over digital evidence

📌 Importance:
Protects privacy under Article 34 of Constitution.

CASE 4: Computer Fraud (Burla Informática) – MB Way Error Case

Court of Appeal (2026 ruling trend)

• Holding:
  • Using mistakenly credited digital payment (MB WAY transfer) = computer fraud
  • Even if transfer resulted from system error

👉 Key principle:

• Exploiting system errors = punishable fraud

📌 Importance:
Expands fraud liability in fintech environment.

CASE 5: STJ – Illegal Access and Data Retention

STJ Cybercrime jurisprudence (2019–2025 line)

• Holding:
  • Data retention is allowed only for serious crime investigation
  • Access must be proportionate and justified

👉 Key principle:

• Balance between cybersecurity enforcement and privacy rights

📌 Importance:
Defines proportionality principle in cyber investigations.

CASE 6: Falsidade Informática + Document Forgery Concurrence

Relação de Coimbra / STJ line (2024–2025)

• Holding:
  • Digital forgery can coexist with traditional document forgery crimes
  • Both crimes may apply in concurso efetivo (real concurrence)

👉 Key principle:

• One act may trigger multiple legal classifications

📌 Importance:
Important for corporate cybercrime and identity fraud cases.

CASE 7: Cybercrime Jurisdiction & Evidence Handling (STJ)

Recent STJ cybercrime jurisprudence trend (2025–2026)

• Holding:
  • Cybercrime law is special law (lex specialis) over general criminal procedure
  • Allows specific investigative techniques in digital context

👉 Key principle:

• Cybercrime law overrides general procedural rules where necessary

📌 Importance:
Strengthens enforcement flexibility.

4. KEY LEGAL PRINCIPLES FROM PORTUGUESE CYBERCRIME LAW

4.1 Strict Protection of Digital Integrity

• Data and systems are protected as legal goods

4.2 Result-Based Liability

• Many cybercrimes require actual harm or altered data

4.3 Judicial Oversight

• Strong requirement for judge approval in investigations

4.4 Broad Criminalization

Even minor digital actions can be criminal if:

• unauthorized
• deceptive
• financially harmful

4.5 Concurrence of Crimes

• One cyber act may trigger multiple offences (fraud + forgery + access crime)

5. CONCLUSION

Portuguese cybercrime law is:

• Highly structured (Law 109/2009)
• Strongly influenced by EU law
• Privacy-sensitive but enforcement-oriented
• Supported by robust jurisprudence from STJ and appellate courts

Key trend in Portuguese courts:

Cybercrime is treated as a serious hybrid of criminal law + technology law, where intent, system manipulation, and digital harm define liability more than physical action.