Measure Implementation

Is this measure possible in your Member State under International Judicial Cooperation?

The Italian system does not define “electronic evidence” in general. Nor is the concept legally defined in the CoE Convention on Cybercrime, which defines only “computer data”, although that definition is useful for understanding what “digital evidence” is. The definition of “digital evidence” is drawn from practice and doctrine. According to the CoE electronic evidence guide, which represents a valid point of reference on this matter: “digital evidence is an information generated, stored or transmitted using electronic devices, that may be relied upon in a trial”.

The discipline for the collection of electronic evidence is outlined, in general, in the Criminal Procedure Code (CPC), whilst a special regime is foreseen for telecommunication providers in a separate law text (Legislative Decree no. 196/2003). As a general rule, there are no thresholds for the collection of stored electronic evidence depending on the seriousness of the crime investigated. All the legal tools provided for by the CPC and Legislative Decree no. 196/2003 are suitable for all offences. Thresholds are envisaged in the CPC only for the real-time gathering of digital evidence (interceptions).

According to the CPC, digital evidence may be collected ex officio by the Judicial Police in case of urgency, where the intervention of the Public Prosecutor may jeopardize the collection of the digital evidence, or when the sensitiveness of the data sought is low (subscriber data) and an order of the Prosecutor or of the Judge is not required. As regards the powers of the Judicial Police in case of urgency, Articles 352 and 354 CPC respectively provide as follows.

Article 352 CPC. In case of flagrante delicto or in case of escape, if judicial police officials have reasonable grounds to believe that data, information, software or traces anyhow related to the offence which may be deleted or lost are hidden in IT or electronic systems, they shall search them, even if they are protected by security measures. In these cases, judicial police officials shall adopt technical measures aimed at guaranteeing the preservation of original data and preventing their alteration.

Article 354 CPC is dedicated to urgent verification on the spot by the Judicial Police. It foresees that “If there is a danger that the objects, traces and the scene… may be altered, lost or anyhow modified and if the Public Prosecutor is not able to intervene promptly or has still to undertake the management of the investigations, criminal police officials shall carry out the necessary ascertainments and checks on the conditions of the scene and objects thereof. In relation to data, information, software and IT or electronic systems, criminal police officials shall also adopt the technical measures or establish the obligations necessary to ensure their preservation and prevent them from being altered or accessed and, if possible, take care that they are copied on appropriate media, following a procedure that ensures that the copies are identical to the original and that they cannot be modified”.

In both cases, when the Judicial Police search and seize electronic evidence, those acts should be validated by the Prosecutor within a strict time limit.

As regards the powers assigned to the Public Prosecutor during the investigation phase, he/she may carry out, or delegate the Judicial Police to carry out, inspections (Article 244 CPC), searches (Article 247 CPC) and seizures (Articles 253 and 254-bis CPC), or may issue a production order to professionals (such as lawyers, medical doctors, etc.) and public officials (Article 256 CPC).

Inspection (Article 244 CPC). The judicial authority may order that an inspection be performed by means of descriptive and photographic tools and any other technical operation, also by means of computer or electronic tools, by adopting technical measures capable of guaranteeing the preservation of the original data and preventing their alteration.

Search (Article 247 par. 1-bis CPC). If there are reasonable grounds to believe that data, information, software or any other traces relating to an offence are stored in a computer or electronic system, even if protected by security measures, a search shall be ordered adopting technical measures capable of guaranteeing the preservation of the original data and preventing their alteration. Before initiating the search, the judicial authority or the delegated judicial police may invite the person present at the place to hand over the items sought. In this case the search may not be carried out (Article 248 CPC).

Seizure (Article 253 CPC). It relates to every object which comes into consideration as corpus delicti, as well as other material items related to the offence that are necessary to ascertain the facts of the case. This provision also covers the seizure (whether or not following a search) of data stored in a computer system, electronic device or storage medium. Article 254-bis CPC outlines a specific methodology to be followed when the seizure concerns computer data stored by IT providers or telecommunications providers. The general rule is to take a faithful and unalterable copy of the data and put it on a device.

Production order (Article 256 CPC). It concerns only the order directed to persons exercising a certain profession, public officials and persons entrusted with a public service, who must, upon the order of the Judicial Authority (the Public Prosecutor during the investigation phase), hand over data, information or software, also by copying them on a suitable medium, unless they declare in writing that they are covered by either State, public service or professional secrecy.

Legal Framework

International legal framework applicable for this measure in your Member State

Subscriber data

The definition is envisaged in the Budapest Convention: “Any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established: a) the type of communication service used, the technical provisions taken thereto and the period of service; b) the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement; c) any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement”.

Traffic data

As envisaged in the Budapest Convention, the definition of traffic data refers to any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service. Traffic data is the information that includes records identifying with whom a user communicated, what websites a user visited, and similar information about a user’s online activity, including all IP addresses used to log into the account, session times, dates and durations.

Content data

The definition is in the Budapest Convention or, more precisely, in the Explanatory Report to it. Paragraph 209 of the Explanatory Report to the Convention on Cybercrime states that content data “refer to the content of the communication; i.e. the meaning or purport of the communication, or the message or information being conveyed by the communication (other than traffic data)”. Hence, content data usually relate to the information sent in an e-mail, via a social media account or communication service, as well as data stored in a cloud or in remote computing services from the sender to the recipient.

Competent Authority

* receive the request/decision for judicial cooperation

EIO: Office of the Public Prosecutor attached to the Court of first instance of the City where the corresponding Court of Appeal is established

MLA: Office of the Public Prosecutor attached to the Court of first instance

Accepted languages

Accepted languages for the request/decision

Execution deadline

Deadlines for the execution of the request/decision (where applicable)

A mandatory data retention period is established for traffic data regarding Internet service providers and telecommunication service providers. The legal regime may differ depending on the seriousness of the crime investigated. In this regard, the standard regime is governed by Article 132 of Legislative Decree no. 196/2003 (Personal Data Protection Code), according to which the retention period is as follows: telephone traffic data: 24 months; unsuccessful/missed calls traffic data: 30 days; electronic communications traffic data: 12 months. When the crime investigated is one of those included in a list provided for by the law (e.g., homicide, mafia-type crimes, terrorism), all the time periods above are extended to 72 months.

Concise legal practical information

Special requirements

Last reviewed on 23 March 2023 by EJN Secretariat
