Draft Directive on attacks against information systems will require the UK to amend existing criminal law

Last September, the European Commission put forward a proposal for a directive on attacks against information systems and repealing Council Framework Decision 2005/222/JHA. The Computer Misuse Act 1990 has been amended in 2008 in order to the UK to meet the framework decision’s requirements. However, the UK would have to amend this Act again. According to the Commission the framework decision “only approximates” member states legislation on “a limited number of offences” such as illegal access to information systems, illegal system interference, illegal data interference, and instigation, aiding and abetting and attempting to do so. Consequently, the Commission has proposed the present draft directive to “further approximate the substantive criminal law of Member States and the rules on procedure.”


The Justice and Home Affairs Council discussed the proposal on 25 February, but no agreement has been reached yet.

The draft proposal is based on Article 83(1) TFEU that allows Brussels to adopt measures concerning the definition of criminal offences and sanctions. The proposal is subject to the ordinary legislative procedure and QMV is required at the Council. Under the Protocol on the Position of the UK in respect of the Area of Freedom, Security and Justice, the UK can opt out of amendments to legislation from which it has already opted in. If the UK decides not to op into a proposed amending measure in this area, the existing measure would no longer apply to the UK. The Parliamentary Under-Secretary of State for Crime Prevention, James Brokenshire, explained to the European Scrutiny Committee that "the draft Directive incorporates many of the provisions contained in the 2005 Framework Decision,” therefore "significant new legislation is unlikely to be necessary for the purposes of implementation" as most of the offences foreseen are already offences in the UK law, particularly in the Computer Misuse Act 1990. However, the Government noted "The proposed sentences for offences committed as part of an organised crime group do conflict with the current sentences in UK law.” According to the European Scrutiny Committee “It is evident that the draft Directive will, unless amended in the course of negotiations, require some change to existing criminal law in the UK.” Nevertheless, the Government has decided to opt into the draft Directive, and will be bound by it.

Member States are required to take measures “to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which are not minor.” Under the draft Directive, member states are therefore required to criminalise “cases which are not minor.” However, these provisions are unclear and imprecise. The wording for establishing criminal liability lacks precision. The current Framework Decision already provides that criminal liability applies "at least for cases which are not minor". However, as the ESC noted such wording is not “unusual in Framework Decisions adopted before the Lisbon Treaty entered into force, at a time when the jurisdiction of the Court of Justice for EU criminal law matters was limited,” but it is no longer appropriate as “the Court will have full jurisdiction to sanction Member States for inadequate transposition or implementation of new EU criminal law measures.” The Minister has told to the ESC that the Government is seeking to tackle this issue during negotiations or by national implementing legislation. However, it would be better if the wording were changed during negotiations.

The draft directive introduces “illegal interception” of non-public transmissions of computer data to, from or within a information system, as a criminal offence. Moreover, it also penalizes the production, sale, procurement for use, import, distribution of any device or tool for committing the offences foreseen in the draft Directive. Presently, under the Computer Misuse Act 1990, the production, possession and distribution of tools for the purpose of committing the abovementioned offences in not a criminal offence. Hence, the UK would have to change its domestic legislation in order to provide for this requirement.

The EU Member States are required to introduce measures so that the offences listed in the directive (Illegal access to information systems, Illegal system interference, Illegal data interference, Illegal interception, Tools used for committing offences) “are punishable by criminal penalties of a maximum term of imprisonment of at least two years.” The Commission has proposed to raise the thresholds, as presently “the offences are punishable by criminal penalties of a maximum of at least between one and three years of imprisonment.

The Commission has also introduced, in the draft directive, “aggravating circumstances.” Consequently, Member States would be required to introduce measures ensuring that the abovementioned offences “are punishable by criminal penalties of a maximum term of imprisonment of at least five years” when committed under the following aggravating circumstances: within the framework of a criminal organization, where the offence has been committed “through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage” and when committed by “concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner.” The maximum sentence foreseen in the UK for the offences listed in the draft directive is less than five years, consequently the UK would have to amend its legislation increasing the level of sentence.

Under the 2005 Framework Decision, a member state would establish its jurisdiction with regards to offences committed within its territory, by its nationals or for the benefit of a legal person that has its head office in its territory. The present draft directive introduces two new offences: illegal interception and the illegal use of tools to commit cyber crimes and would extend the factors to establish jurisdiction to include the place of habitual residence of the offender.

This would have implications for the UK current rules on jurisdiction. Under the Computer Misuse Act 1990 there is jurisdiction to prosecute all the Act’s offences if there is "at least one significant link with the domestic jurisdiction.” Hence, in order to comply with the new provision on jurisdiction, the Computer Misuse Act 1990 would have to be amended. James Brokenshire said to the ESC that the Government has no intentions of reducing this link hence it would seek to amend the draft directive during negotiations.

Under the current Framework Decision Member States are required to make use of a network of operational points of contact available 24 hours a day and seven days a week for exchanging information related to the different offences. Under the draft directive, Member States would be obliged to reply to urgent requests for information within eight hours.

Moreover, Member States would be obliged to collate statistical data on offences listed in the draft directive, on annual basis, including the number of offences and the follow-up given to these reports, the number of reported cases investigated, the number of persons prosecuted, and the number of persons convicted. Such data shall be transmitted to the Commission. The European Scrutiny Committed noted “The UK already collates information on prosecutions and convictions under the Computer Misuse Act 1990, but does not collect broader statistical information on computer crime.”

Obviously, the UK Government decision to opt into the draft directive entails further financial costs, which are associated with the need to amend legislation and the requirement to collate statistics. Once the UK decides to opt in it will be subject to the ECJ and the European Commission enforcement powers. Therefore, it can be taken before the ECJ for failure to implement correctly or in due time this draft directive. The government is seeking to amend the draft proposal during the negotiations, however there is no guarantee that this can be achieved, as it is subject to QMV and to the ordinary legislative procedure.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>