Sovereign Cloud's "twin" in Luxembourg: entry into force of the bilateral agreement, extension of Monaco's jurisdiction over technological crime

Entry into force

Sovereign Order no. 9.965 of 30 June 2023 (JDM no. 8650 of 7 July 2023) rendered enforceable from 30 June 2023 the Agreement between the Principality of Monaco and the Grand Duchy of Luxembourg concerning the hosting of data and information systems, signed in Luxembourg on 15 July 2021.

Parliamentary ratification and amendment of the Code of Criminal Procedure

Law No. 1.545 of 20 April 2023 approving the ratification of the Agreement between the Grand Duchy of Luxembourg and the Principality of Monaco concerning the hosting of data and information systems and Law No. 1. 546 of 20 April 2023 amending Articles 7 and 8 of the Code of Criminal Procedure, published in JDM No. 8640 of 28 April 2023, are respectively derived from Bills No. 1076 (2023-1, 18 January 2023) and No. 1075 (2023-2, 25 January 2023) received by the Parliament (Conseil National) on 23 February 2023 and voted on in the Public Session of 13 April 2023.

Purpose

Laws No. 1.545 and No. 1.546 are intended to protect the "twin" (backup data centre) of Monaco's sovereign cloud hosted in the Grand Duchy of Luxembourg, which is the basis for the Principality's digital services (smart city, e-administration, e-health, e-education, etc.) and which enables the storage of both State data and that of private Monegasque players.

This backup guarantee corresponds to what is commonly referred to in the business world as a "Business Continuity Plan", "Business Resumption Plan" or "IT Backup Plan", in the event of intrusion, damage, destruction or loss resulting from natural disasters or illicit acts (cyber attacks).

Security standards recommend a geographical distance of 150 km between the main and backup storage locations. Given the small size of Monaco, the backup data centre could only be hosted abroad. The choice fell on Luxembourg "which very early on was a pioneer in the field of digital security". (Explanatory memorandum to Bill 1076).

* * *

SUMMARY

• By the vote of Law No. 1.545, the Parliament approved the ratification of the Agreement between the Grand Duchy of Luxembourg and the Principality of Monaco concerning the hosting of data and information systems (held by Monaco in Luxembourg) signed on 15 July 2021.

The Bilateral Agreement confers on the premises to be used by Monaco, as well as on its data and information systems, equipment and licences which will be hosted in Luxembourg, a legal status guaranteeing their protection. It determines the conditions ensuring the inviolability and immunity of the Principality's property.

The Agreement has already been approved by Luxembourg by the Law of 28 November 2022, published in the Journal Officiel of the Grand Duchy of Luxembourg on 8 December 2022 and entered into force on 12 December 2022.

The bilateral agreement will enter into force 30 days after receipt of Monaco's notification (through diplomatic channels) of the completion of the required constitutional and legislative procedures.

• Following the ratification of the Bilateral Agreement, Law No. 1.546 amends Articles 7 (new 4°) and 8 (new 4°) of the Code of Criminal Procedure relating to "the exercise of public action in respect of crimes or offences committed outside the Principality", in order to expressly confer jurisdiction on the Monegasque courts to prosecute, judge and punish acts of technological crime committed to the detriment of the rescue centre located abroad.

The offences that could be criminally apprehended by the proposed scheme are those introduced in Articles 389-1 to 389-10 of the Criminal Code by Law No 1.435 of 8 November 2016 on the fight against technological crime.

* * *

NOTES:

Article 14, paragraph 2, number 2°) of the Constitution of 17 December 1962, as amended by Law No. 1.249 of 2 April 2002, requires a ratification law for "international treaties and agreements whose ratification entails the amendment of existing legislative provisions;" as is the case here with the amendment of Articles 7 and 8 of the Criminal Procedure Code.

Law No. 1.435 of 8 November 2016 on technological crime transcribed substantive and procedural criminal law provisions of the Council of Europe Convention (ETS No. 185) on Cybercrime (the so-called Budapest Convention), so that the Principality could ratify it. The Convention was made enforceable in Monaco by Sovereign Order No. 6.492 of 28 July 2017. It has been in force for Monaco since 1 July 2017.

* * *

IN DETAIL

— Key points of the Agreement between the Grand Duchy of Luxembourg and the Principality of Monaco concerning the hosting of data and information systems:

The Agreement is based on the main principles of international public law governing diplomatic relations between States.

• Management of secure premises, data and information systems, equipment and licences belonging to Monaco

The State of Luxembourg, through its majority shareholding in the private company Luxconnect (created on the initiative of the Luxembourg government in 2006 and whose main objectives are the improvement of the national dark fibre network and the construction and operation of state-of-the-art data centres), is the owner on its territory of secure premises in a data centre for the hosting of data and information systems, the management of which is currently placed under the control of the State of Luxembourg.

In the event of a transfer or change of manager of the premises, the Principality must be informed by Luxembourg six months in advance (except in the event of an urgent or duly justified emergency).

The transport on Luxembourg territory of Monaco's equipment, material and licences intended to be installed in the premises made available to it is assimilated to the transport of a suitcase, a parcel or diplomatic mail within the meaning of article 27 of the Vienna Convention of 18 April 1961 on diplomatic relations, which guarantees their inviolability.

In the event of force majeure leading to a total or partial interruption of the means of communication relating to the premises, Luxembourg is obliged to give them the same priority treatment as that accorded to its government services.

• Inviolability of premises and immunity from execution attached to the property of Monaco

In the context of the exercise of the competences and powers of the Principality of Monaco as a sovereign State, the Bilateral Agreement confers on the data and information systems, equipment and licences to operate the backup data centre of the Sovereign Cloud of Monaco in Luxembourg, which are property of the Principality of Monaco, a protective legal status conferring inviolability and immunity from execution.

In concrete terms :

→ Inviolability means that the premises made available to Monaco by Luxembourg may not be subject to any search, requisition, seizure or enforcement measure. Only official representatives of the Principality, its authorised agents and representatives of the Monegasque judicial authority may access the premises.
Without the prior consent of the Principality, no Luxembourg or foreign person may enter these premises, whether they perform administrative, judicial, military or police functions.

This is the counterpart of the regime applicable to an embassy and to the ambassador's residence which is part of the premises of the diplomatic mission, the inviolability of which is guaranteed by Article 22 of the Vienna Convention on Diplomatic Relations of 18 April 1961 (made enforceable in Monaco by Order No 332 of 1 December 2005 and entered into force for Monaco on 3 November 2005). The provisions of the Vienna Convention on the protection of the premises of diplomatic missions did not provide a protective legal framework for the "Twin" of the Sovereign Cloud of Monaco, hence the need to conclude the bilateral agreement.

→ Immunity from execution protects the State of Monaco against measures and procedures which would tend to divest it of its assets (in this case the data and information systems, equipment and licences to operate the backup data centre in Luxembourg).

Immunity from execution allows the State to oppose measures of compulsory execution as well as precautionary measures which render the seized property unavailable.

The Agreement transcribes a customary rule of public international law governing relations between States.

• Settlement of disputes concerning the interpretation or application of the Agreement

→ First phase of consultation within the Joint Committee to find a mutually acceptable solution.

→ If unsuccessful, either Party may request the settlement of the dispute by an ad hoc Arbitral Tribunal.

The Tribunal would be composed of three arbitrators: two arbitrators appointed by each Party; one arbitrator who will preside over the Tribunal and who is not of the nationality of either Party, appointed by the first two arbitrators. If within 3 months of the notification of the request for arbitration these appointments have not been made, either Party may, in the absence of any other agreement, request the International Court of Justice (ICJ) to make the appointments.

The Tribunal adopts its own rules of procedure. Its decision is final and binding on the parties.

As long as the Tribunal has not ruled, the Joint Commission is not deprived of jurisdiction, which means that if it succeeds in finding a solution, the Tribunal may accordingly withdraw.

Any amendment to the bilateral agreement must be the subject of an agreement negotiated, signed and ratified under the same conditions as the first agreement.

— Jurisdiction of Monegasque courts for offences against data and information systems (presented below) committed against the data centre located outside Monegasque territory:

The proposed amendments to the Code of Criminal Procedure are intended to expressly affirm the jurisdiction of Monegasque courts to prosecute and judge acts of technological crime (such as cyber-attacks) committed against the "twin" of Monaco's sovereign cloud:

• Any foreigner who, outside the territory of the Principality, is guilty of one of the offences to the detriment of the data and information systems of a data centre located abroad could be prosecuted and judged in the Principality (new 4° of Article 7 of the Code of Criminal Procedure);

• Any Monegasque or foreign perpetrator, co-perpetrator or accomplice who, outside the territory of the Principality, commits one of the offences to the detriment of the data and information systems of the data centre situated abroad, and who is found and arrested in the Principality, may be prosecuted and judged in the Principality (new 4° of Article 8 of the Code of Criminal Procedure).

— The acts of "technological crime" to the detriment of the data centre located in Luxembourg which could be apprehended by the Monegasque courts:

• Articles 389-1 to 389-7 of the Criminal Code (CP) incriminate offences that may be committed against an information system (IS), i.e. the device that ensures the automated processing of computer data, and the computer data used for the operation, use, protection or maintenance of this device:

- fraudulent access to or maintenance of an IS, with an aggravating circumstance when the computer data has been damaged; erased, deteriorated, modified, altered or deleted, or when the functioning of the system has been hindered or altered (Article 389-1 CP);

- hindering or fraudulent alteration of the functioning of an IS (Article 389-2 CP);

- fraudulent introduction, damage, deletion, deterioration, modification, alteration, deletion, extraction, possession, reproduction, transmission, or inaccessibility of computer data, or fraudulent modification or deletion of the mode of processing or transmission of computer data (Article 389-3 CP);

- fraudulent use of computer data that has been deliberately damaged, deleted, deteriorated, modified or altered (Article 389-4 CP);

- fraudulent interception by technical means of computer data, in non-public transmissions, to, from or within an IS, including electromagnetic emissions from an IS carrying such computer data (Article 389-5 CP);

- production, importation, possession, offering, transfer, dissemination, fraudulent obtaining with a view to using or making available: a) equipment, a device, including a computer programme, or any data principally designed or adapted to enable the commission of one or more of the offences provided for in Articles 389-1 to 389-5 of the Criminal Code; b) a password, access code or similar computer data enabling access to all or part of an IS to commit one or more of the offences provided for in Articles 389-1 to 389-5 of the Criminal Code (Article 389-6 CP);

- fraudulently introducing, altering, deleting or suppressing computer data, resulting in inauthentic data, with the intention that they be taken into account or used for legal purposes as if they were authentic (Article 389-7 CP);

• Other offences relate to :

- the introduction, alteration, deletion or suppression of computer data or any other form of interference with the functioning of an IS with the intention of obtaining an economic benefit, which causes a financial loss to another person (Article 389-8 CP);

- the participation in an organised gang or a conspiracy established with a view to preparing, committing or facilitating the commission or concealment of one or more of the offences provided for in Articles 389-1 to 389-5 of the Criminal Code (Article 389-9 CP);

- the attempted commission of one of the offences provided for in Articles 389-1 to 389-5 of the Criminal Code (Article 389-10 CP).

• Natural and legal persons may be held liable (Article 389-11 CP).