On June 20, 2022, Law No. 21.459 was published in the Official Gazette, which establishes rules on computer crimes, repeals Law No. 19.223 and modifies other legal bodies in order to adapt them to the Budapest Convention.
For the purposes of this law, the following concepts are defined:
a) Computer data: Any representation of facts, information or concepts expressed in any form that lends itself to computer processing, including programs designed for a computer system to perform a function.
b) Computer system: Any isolated device or set of interconnected or interrelated devices the function of which, or that of any of its elements, is the automated processing of data in the execution of a program.
c) Service Providers: Any public or private entity that offers users of its services the possibility of communicating through a computer system and any other entity that processes or stores computer data for such communication service or for the users thereof.
This law repeals Law No. 19.223 of 1993, which criminalized computer-related offenses, and establishes new computer-related offenses. These new offenses are as follows:
1. Unlawful access: Whoever unduly intercepts, interrupts or interferes, by technical means, the non-public transmission of information in a computer system or between two or more of them, shall be punished with the penalty of minor imprisonment in its medium degree. Whoever, without due authorization, captures, by technical means, data contained in computer systems through electromagnetic emissions coming from them, shall be punished with the penalty of minor imprisonment in its medium to maximum degrees.
2. Unlawful interception: Whoever unduly intercepts, interrupts or interferes, by technical means, the non-public transmission of information in a computer system or between two or more of them, shall be punished with the penalty of minor imprisonment in its medium degree. Whoever, without due authorization, captures, by technical means, data contained in computer systems through electromagnetic emissions coming from them, shall be punished with the penalty of minor imprisonment in its medium to maximum degrees.
3. Attack to the integrity of computer data: Whoever unduly alters, damages or suppresses computer data, shall be punished with minor imprisonment in its medium degree, provided that this causes serious damage to the owner of such data.
4. Computer forgery: Whoever unduly introduces, alters, damages or suppresses computer data with the intention of being taken as authentic or used to generate authentic documents, shall be punished with minor imprisonment in its medium to maximum degrees. When the conduct described in the preceding paragraph is committed by a public employee, abusing his official position, he shall be punished with the penalty of minor imprisonment in its maximum degree to major imprisonment in its minimum degree.
5. Receipt of computer data: Whoever, knowing its origin or being unable but to know it, commercializes, transfers or stores with the same object or other illicit purpose, in any way, computer data coming from the conducts described in the previous crimes, shall suffer the penalty assigned to the respective crimes, reduced by one degree.
6. Computer fraud: Whoever, causing damage to another, with the purpose of obtaining an economic benefit for himself or for a third party, manipulates a computer system, through the introduction, alteration, damage or suppression of computer data or through any interference in the operation of a computer system shall be punished based on the value of the damage.
7. Abuse of devices: Whoever for the perpetration of certain crimes described in the law, delivers or obtains for its use, imports, disseminates or makes available in any other way one or more devices, computer programs, passwords, security or access codes or other similar data, created or adapted mainly for the perpetration of such crimes, shall be punished with the penalty of minimum imprisonment and a fine of five to ten monthly tax units.
A novelty of the law is that it regulates authorization and academic research, which will be lawful when access to a computer system for vulnerability research or to improve computer security involves the express authorization of the owner of the system. Therefore, any identification of vulnerability will necessarily require the express authorization of the owner of the computer system in order for such conduct not to constitute a crime.
The law establishes specific rules regarding the investigation and prosecution of these new crimes, as well as aggravating and mitigating factors for the criminal liability of those who commit them.
This law also implies the modification of different legal bodies, such as the Code of Criminal Procedure, Law No. 19,913, which creates the Financial Analysis Unit and modifies several provisions regarding money laundering and asset laundering, and Law No. 18,168, General Telecommunications Law.
Also, it is important to note that these offenses are incorporated into Law No. 20.393, which establishes the criminal liability of legal entities, so they must be evaluated in terms of compliance in order to prevent their commission.
Regarding the entry into force of the law, the amendments to the Code of Criminal Procedure will become effective six months after the publication in the Official Gazette of a regulation issued by the Ministry of Transportation and Telecommunications and signed by the Minister of the Interior and Public Safety. On the other hand, the amendments to Law No. 20,393 and No. 19,913 shall become effective six months after the publication of this law in the Official Gazette.
If you require additional information on this matter, please contact Jorge Tisné (email@example.com).