
Legal protection of students’ personal data

 

Prepared by the researcher: El bakouhi safae – University Sidi Mohamed Ben Abdellah, Fès, Morocco

Democratic Arabic Center

Journal index of exploratory studies: Thirteenth Issue – April 2024

A Periodical International Journal published by the “Democratic Arab Center” Germany – Berlin

Nationales ISSN-Zentrum für Deutschland
ISSN 2701-9233

To download the PDF version of the research papers, please visit the following link:

https://democraticac.de/wp-content/uploads/2024/04/%D9%85%D8%AC%D9%84%D8%A9-%D9%85%D8%A4%D8%B4%D8%B1-%D9%84%D9%84%D8%AF%D8%B1%D8%A7%D8%B3%D8%A7%D8%AA-%D8%A7%D9%84%D8%A7%D8%B3%D8%AA%D8%B7%D9%84%D8%A7%D8%B9%D9%8A%D8%A9-%D8%A7%D9%84%D8%B9%D8%AF%D8%AF-%D8%A7%D9%84%D8%AB%D8%A7%D9%84%D8%AB-%D8%B9%D8%B4%D8%B1-%D9%86%D9%8A%D8%B3%D8%A7%D9%86-%E2%80%93-%D8%A7%D8%A8%D8%B1%D9%8A%D9%84-2024.pdf

Abstract

The legal protection of students’ personal data is a crucial priority. Educational institutions must obtain informed consent from students before collecting, processing or sharing their data. Robust security measures are needed to prevent unauthorized access, and data collection must be restricted to what is strictly essential, encouraging data minimization. Transparency of privacy policies is essential to establish trust, and students are guaranteed rights of access and rectification. Data retention periods must be limited, followed by secure deletion. Regular evaluations are necessary to adjust policies in line with technological developments and legal changes, ensuring solid legal protection of students’ personal data.

Introduction

“Cybercrime is the third greatest threat to the major powers, after chemical, bacteriological and nuclear weapons”. (ROSE Colin.2015)

There is no legal or regulatory definition of cybercrime. However, certain closely related concepts, such as computer crime, computer offences and computer misuse, have been defined, raising the question of whether crime and cybercrime should be assimilated or distinguished. According to the French Ministry of the Interior, cybercrime covers “all criminal offences likely to be committed on telecommunications networks in general, and more particularly on networks sharing the TCP-IP protocol, commonly known as the Internet”. (CERE Jean-Paul, RASCAGNERS Joan Miquel and VERGES Etienne.2015).

According to the UN, cybercrime is “any illegal behavior involving electronic operations that target the security of computer systems and the data they process”. And in a broader definition given by the European Commission, cybercrime is “any offence involving the use of computer technologies”.

Cybercrime covers defamatory offences that can be divided into two categories: offences linked to traditional forms of crime that have evolved with new information and communication technologies (NICT), and offences linked to information and automated data processing systems (STAD), which have emerged with the development of computer networks and the Internet.

Morocco, like other countries in the world that have chosen to open up to the world of technology, is also threatened by the phenomenon of cybercrime, which has led Morocco to put in place a strategy to combat this scourge through the enactment of laws sanctioning this offence.

Among the measures adopted by Morocco is the ratification by the Moroccan Parliament of the Convention on Cyber Attacks, adopted in November 2001 in Budapest. This is the first international treaty on computer and Internet crime. The legal framework for cybercrime encompasses a number of legal texts, including Law 24-96 on postal services and communications, Law 07-03 supplementing the Penal Code with regard to offences relating to STAD, considered to be the first Moroccan text dealing with computer-related offences, Law 03-03 on the fight against terrorism, Law 53-05 on the electronic exchange of legal data, Decree no. 2-13-881 of 28 Rabii I 1436 (20 January 2015) amending and supplementing decree no. 2-08-518 of 25 Jumada I 1430 (21 May 2009) implementing articles 13, 14, 15, 21 and 23 of law no. 53-05 on the electronic exchange of legal data, the Malabo Convention, Law 31-08 on consumer protection measures, Law 88-13 on the press and publishing, and Law 103.13 on combating violence against women.

In France, cybercrime has been taken into legal account since the Data Protection Act (loi relative à l’informatique, aux fichiers et aux libertés of January 6, 1978).

The Godfrain law of February 5, 1988 on computer fraud introduced articles 323-1 et seq. into the French Penal Code, notably concerning the deletion or modification of data (art 323-1 al 1), or attempted offences on a STAD (323-7). Subsequent texts include the law of November 15, 2001 on daily security; the Act of March 18, 2003 on internal security; the Act of March 9, 2004 adapting the justice system to developments in crime; and the Act of June 21, 2004 on confidence in the digital economy, which amended articles 323-1 et seq. of the Criminal Code. This law also amended article 94 of the Code of Criminal Procedure, concerning the inclusion of computer data in the list of items liable to be seized during searches carried out in flagrante delicto or during an investigation (these searches are also governed by arts. 56 and 97 of the Code of Criminal Procedure). Further texts are the Law of July 9, 2004 on electronic communications and audiovisual communication services; the Law of January 23, 2006 on the fight against terrorism and containing various provisions relating to security and border controls; and the Law of March 5, 2007 on the prevention of delinquency.

The first major wave of cybercrime came with the proliferation of e-mail in the late 80s. It enabled a series of scams and/or malware to be delivered to users’ inboxes. The next wave in the history of cybercrime occurred in the 90s with the advance of web browsers, most of which were vulnerable to viruses. Cybercrime really began to take off in the early 2000s with the rise of social networking (the exploitation of personal data to facilitate access to bank cards). The latest wave involves the creation of a global criminal industry worth almost half a billion dollars a year. These criminals operate in gangs, use well-established methods and target everyone and everything thanks to their web presence.

There’s no need to systematically compare crimes committed on the Internet, which is a virtual space, with those committed in the real world.

The legal problem posed consists in identifying digital criminal evidence in the field of cybercrime, which is why we need to identify the constituent elements in the first chapter (I) and at international level in the second chapter (II).

Chapter 1: The constituent elements of digital evidence in cybercrime

  • Methods of gathering criminal evidence

Two stages are generally observed in the establishment of digital evidence by investigators. The first relates to the information-gathering process, while the second emphasizes the judge’s role of appreciation.

The search or collection process involves first collecting digital information and then storing and preserving it.

Collecting digital information as part of a digital criminal investigation involves either a flagrante delicto or preliminary investigation, or the execution of a technical rogatory commission. In either case, under the responsibility of their hierarchical judicial authority, investigators are required to carry out a variety of actions, ranging from computer searches, virus implantation, the affixing of a bug, the implementation of a communication injunction to infiltration. This also presupposes a certain knowledge of the type of cybercrime they are working on.

In the context of a computer search, data may be collected in the presence of the owner of the premises, or on police premises, in accordance with article 56 of the French Criminal Procedure Code (CPP). Internationally, the Budapest Convention adds that data may be collected in real time. There may be situations where investigators do not have the access code to a device, or where the person concerned refuses to provide it. Refusal to communicate this code is an offence under the Criminal Code. However, investigators are obliged to do their utmost, as far as the search warrant allows, to gain access to the code and the device being searched. In the case where this code was found in the absence of the accused at the search site, and that this code enabled access to data stored on foreign territory, the question arose as to whether possession of this code without specific authorization from the liberty and custody judge vitiated the procedure (Cass crim.2014). In this case, as part of a preliminary investigation, police investigators carried out a computer search as provided for in article 57-1 of the French Criminal Procedure Code (CPP). The search was carried out in the absence of the homeowner, and uncovered a code used to access a foreign server (USA), which contained data relevant to the investigation. Noting this procedural flaw, the defense parties raised an objection to the nullity of the procedure before the Court of Appeal, which rejected the request on the basis of article 32 of the Budapest Convention, which authorizes investigators to access foreign servers during a computer search.

Once the investigators or experts have been able to access, collect and exploit the various elements useful to the investigation under secure conditions, it is mandatory to ensure their integrity with a view to their production in court. Otherwise, the slightest anomaly detected by the defense will result in the rejection of this evidence, and indeed all subsequent proceedings.

  • Legal assessment of the protection of students’ personal data

With regard to the objective assessment, and based on the elements provided to him and the contradictory debates, the judge will make an objective and subjective assessment of the digital traces.

The judge’s initial expectations regarding the creation of digital evidence are relatively dependent on the expert’s mission. In other words, the expert’s work must make it possible to grasp and understand the digital data contained in a storage memory, so as to enable the judge to understand the reality of the offence. For example, in the case of fraudulent intrusion into a computer system by means of a malicious program, such as Wabbit, the Trojan horse or Worms, the judge’s assessment will depend on the expert’s ability to see how these viruses work in practice. This expectation is just as valid when the suspects have used procedures designed to blur the traces of their crime, or when there is a discrepancy between dates. The judge is only waiting for the expert’s work to make the cybercriminals’ modus operandi perceptible, because digital evidence by its very nature is “any information contained in an object that man is unable to examine with the use of his direct senses”.

Then, throughout the proceedings, the judge bases his objective assessment of the evidence on concrete criteria, sifting through the work of investigators and experts. In particular, he must verify the integrity and traceability of the evidence. To put it plainly, the judge must ensure that the procedures for collecting and preserving digital data allow him to be convinced of their true origin. He must ensure that the expert has not omitted anything in his work, and that the parties can trust his work. To this end, he has the power to order or authorize a counter-expertise to ensure that there are no technical contradictions. However, the jurisprudence of the French Supreme Court (Cour de cassation) takes a relative view of this criterion of integrity.

As for subjective assessment, the judge’s “inner conviction” must reveal the effect that the various elements presented by the parties have had on him, on his conscience, i.e. the judge’s reasoning must reveal his apprehension of the defendant’s innocence or guilt based on the elements presented by the parties. In the words of the Code of Criminal Procedure, the judge or jurors sitting on a jury must “question themselves in silence and meditation, and seek, in the sincerity of their conscience, what impression the evidence against the accused and the means of his defense have made on their reason”. And the Criminal Division of the French Supreme Court (Cour de cassation) is particularly careful to ensure that this intimate conviction is well detailed: “All decisions must be reasoned; insufficient or contradictory reasons are tantamount to their absence”.

Prior to a law passed on January 13, 2011, French judges were not obliged to give reasons for their decisions, or to explain which pieces of evidence had convinced them of a person’s innocence or guilt. This lack of reasoning was frowned upon in both domestic and international law. At the same time, the Criminal Chamber ruled out the unconventionality of this French practice (cass crim.1996), a position endorsed by the Constitutional Council in a response to a priority constitutionality question. The Léger Committee’s report drew on ECHR case law and enshrined the obligation to give reasons for all judgments. This case law condemned Belgium for the non-conformity of its legislation with the Convention, due to the lack of effective application of the right to a fair trial in that country. In fact, under the Belgian system, no reasons were given for judgments, as the Belgian authorities considered that giving reasons for a judicial decision was in total contradiction with the principle of personal conviction. Following this conviction, as part of a 2009 law on the reform of the cour d’assise, Belgium replaced the notion of “intimate conviction” with another formula almost identical to it: “evidence beyond all reasonable doubt” (Federal Public Service Justice.2009).

Chapter 2: The legal framework for digital evidence in cybercrime

The complexity of cybercrime is now universally acknowledged. Indeed, it would be very surprising if any state could claim, with equal force, that it is undoubtedly protected from this phenomenon. The latest news of various computer attacks on the US infrastructure shows that even the world’s leading force is far from protected against cyber attacks. Today, states are combining all possibilities, nationally and internationally, to combat this phenomenon. There is a race against time in the process of legislating cybercrime standards. These standards, most of which deal with digital evidence, also allow, in addition to existing players, the creation of other types of players with greater efficiency in collecting digital evidence.

  • Internal legal provisions

Moroccan legislation has taken initiatives to adopt laws against cybercrime, even though there is a significant and undeveloped legal vacuum.

Indeed, national legal responses to the phenomenon of cybercrime differ from country to country.

This is largely due to the emergence of two currents with two different conceptions of the phenomenon. The first considers that there is no need to distinguish between information stored on traditional media and that which is automated.

Consequently, cybercrime does not justify new legislative measures (M.CHAWKI.2019). The second trend considers cybercrime to be a specific phenomenon.

New measures are needed. Moroccan legal responses are in line with this second perspective (A.ELAZZOUZI,2019). The Moroccan legislator has therefore adopted 3 laws concerning this phenomenon:

Law n°07-03 supplementing the Penal Code with regard to offences relating to automated data processing systems (STAD)

It was the first law to deal with the phenomenon of cybercrime, and was inspired by, and reproduced from, similar laws in other countries, notably the French GODFRAIN law of January 5, 1988. It deals with and penalizes intrusions and attacks on automated data processing systems.

Concerning intrusions

There is a distinction between fraudulent access and fraudulent maintenance in a STAD, according to law n°07-03, which sanctions all unauthorized intrusions. As a result, two types of unauthorized access can be envisaged:

  • Access in space, which consists in breaking into a computer system, i.e. fraudulent access. Fraudulent access to the STAD can be:

From outside the system: for example, a hacker who penetrates a computer connected to the Internet is subject to the law.

Or:

From inside the system: an employee who, from his or her workstation, enters an area of the company network to which he or she has no right of access may be prosecuted.

The offence of fraudulent access is punishable under article 607-3 of the French penal code, which states that “fraudulent access to all or part of an automated data processing system is punishable by one to three months’ imprisonment and a fine of 2,000 to 10,000 dirhams, or one of these two penalties only”.

  • Temporal access, i.e. exceeding an access authorization given for a specific period of time, i.e. fraudulent maintenance.

The latter is also considered a punishable offence under Article 607-3 of the Moroccan Penal Code, which states: “The same penalty shall apply to any person who remains in all or part of an automated data processing system to which he has gained access by mistake and when he does not have the right to do so”.

Moroccan law provides for a doubling of the penalty if fraudulent maintenance or access leads to system alteration.

Article 607-3, paragraph 3 of the French Penal Code stipulates that “the penalty is doubled when the result is either the deletion or modification of data contained in the STAD, or an alteration in the operation of this system”.

In addition, any fraudulent act leading to the alteration of a system containing information relating to the security or economy of the State is punishable under article 607-4, which states: “Without prejudice to more severe penal provisions, anyone who commits the acts provided for in the preceding article against all or part of an automated data processing system supposed to contain information relating to the internal or external security of the State, or secrets concerning the national economy, shall be punished by six months’ to two years’ imprisonment and a fine of 10,000 to 100,000 dirhams.

Without prejudice to more severe penal provisions, the penalty is increased from two years’ to five years’ imprisonment and a fine of 100,000 to dirhams when the acts punishable under the first paragraph of this article result in either the modification or deletion of data contained in the automated data processing system, or an alteration in the operation of this system, or when the said acts are committed by a civil servant or employee in the course of or in connection with the performance of his duties, or if he facilitates the performance of such acts by another person”.

In French criminal law, evidence is governed by article 427 and following of the French Code of Criminal Procedure. This article states that, “except in cases where the law provides otherwise, offences may be established by any means of proof, and the judge shall decide on the basis of his innermost conviction”. However, other provisions of this code make the question of criminal evidence even more complex. This is notably the case with article 57-1 of the March 18, 2003 law on internal security, which deals with the search of computer systems. This article specifies that, in the context of a search carried out as part of a flagrante delicto investigation, investigators may use a computer system installed on the premises where the search is taking place to access data useful to the investigation in progress and stored in the said system or in another system, provided that the data in question is accessible from the initial system. In the event that the data is concealed in a system located abroad, and when the OPJ is informed of this, access to the data is made in compliance with France’s international commitments. The provisions of this article are normally implemented as part of a flagrante delicto investigation, in accordance with article 53 paragraph 1 of the French Criminal Procedure Code (CPP), but may also be applied as part of a preliminary investigation, where the consent of the accused is required, as stipulated in article 76 of the same Code. In addition, the provisions relating to computer or telematic requisitions in article 60-2 of the Code of Criminal Procedure, enacted by law no. 2003-239 of March 18, 2003, empower the various investigators, with the authorization of the public prosecutor, to request information from public bodies or legal entities under private law, with the exception of churches or religious, philosophical, political or trade-union groups, as well as audiovisual press organizations, to make available to them information useful in ascertaining the truth contained in the nominative data system(s), with the exception of information protected by secrecy as provided for by law (Martine Exposito.2014). This provision is only applicable in the context of a preliminary investigation, but can also be applied in the context of a preliminary investigation or an investigation in flagrante delicto, and only on the basis of a rogatory commission in the case of an investigation in flagrante delicto, provided that the conditions set out in article 53 of the French Criminal Procedure Code are met.

Law no. 09-08 on the protection of individuals with regard to the processing of personal data.

This law was promulgated on May 21, 2009, and was inspired by the French Data Protection Act of January 6, 1978, which deals with the protection of individuals with regard to the processing of personal data. And for the first time in the Moroccan legal system, this law introduces legal provisions harmonized with European law (A.ELAZZOUZI.2019).

Firstly, the law lays down general provisions concerning the definition and scope of the law, data quality and the prior consent of the person concerned. Secondly, it sets out the rights of the person concerned.

The third chapter sets out the obligations of data controllers. The final chapters set out the role of the National Commission for the Supervision and Protection of Personal Data, the transfer of data to a foreign country, the national register for the protection of personal data, limits on the creation or use of central registers and files, penalties and transitional provisions.

  • Legal provisions derived from conventions and treaties

Firstly, at regional level, the Union’s desire to establish an area of security, freedom and justice has led to the creation of police and judicial cooperation in criminal matters. Based on the fundamental principle of mutual recognition of decisions and judgments between member states, this cooperation ensures ease of movement between states. It has enabled the Union to establish minimum rules for the admissibility of evidence between Member States in the fight against organized crime and computer crime. Article 87(2)(a) of the Treaty on the Functioning of the European Union states that “the European Parliament and the Council, acting under an ordinary legislative procedure, may establish measures on the collection, storage, processing, analysis and exchange of relevant information”. This desire has been concretized and reinforced by the introduction of several texts, including for example the European Investigation Directive of 03 April 2014, which aims to require a State to transfer electronic evidence to a requesting State in the context of a European warrant. This directive follows on from two European framework decisions, one dating from 2003 on the freezing of property and evidence, and the other from 2008 on the European evidence warrant aimed at collecting documents and data in the context of criminal proceedings. Several provisions of this directive deal with the issue of digital evidence. Article 13, for example, provides further details on the procedures for transferring data between States. In Article 12, the Union has chosen to resolve the problem of the time it takes to process transfer requests. Initially, the Union was able to reduce this timeframe to 120 days, marking a commendable step forward compared with the 10 months traditionally taken for mutual assistance procedures under the Legal Assistance Treaty (MLAT) (Daskal, Jennifer.2016). All member states participate in this directive except Denmark and Ireland, which operate under the mutual assistance in criminal matters regime. In addition, in 2013, the Union issued a directive to replace Framework Decision 2005/222/JHA, in order to bring States’ criminal law closer together in the fight against attacks on IT systems. For example, this directive provides a number of definitions of computer data, a computer system, unlawful interference with the integrity of a data item, etc. Paragraph 24 of the preamble to the directive also specifies the need for member states to “provide Europol and its European Cybercrime Centre with information on the modus operandi of offenders, so that these agencies can draw up threat assessments and strategic analyses of cybercrime”.

Conclusion

As we’ve seen in this article, the Internet has become a world where people spend most of their time with each other, and the Internet users of this world are increasingly connected to this virtual world, due to several aspects and circumstances, especially the openness and democratization of this world, freedom, and social networks like Facebook.

According to the latest statistics, 3.5 billion people use social media, an increase of 288 million (9%) on last year. According to the same statistics, 17 million people in Morocco use the Facebook social network. So, as the virtual world rapidly evolves, as we have seen in our research, so does cybercrime. It is becoming increasingly difficult to combat this phenomenon.

At the end of this research, we were also able to note the existence of gaps that run counter to the ambitions of the fight against cybercrime, whether at the conventional international level, in the case of the 2001 Convention on Cybercrime, or at the regional national level, in the case of Morocco. The Moroccan legal system or framework is neither sufficient nor well adapted to combat this phenomenon effectively, compared with other countries such as its counterpart France.

Bibliography

CERE Jean-Paul, RASCAGNERS Joan Miquel and VERGES Etienne, 2015, Droit pénal et nouvelles technologies, 5-7, rue de l’école-polytechnique, 75005 Paris, Edition l’Harmattan.
M.CHAWKI, “Fighting cybercrime”.
ROSE Colin, researcher in the field of internet piracy.
BULLETIN OFFICIEL N° 5714 – 7 rabii I 1430 (5-3-2009).
ECHR, January 13, 2009, Taxquet v. Belgium, application no. 926/05.