7. ATTACKS AGAINST INFORMATION SYSTEMS
(a) (23491) 8586/02 COM(02) 173 | Draft Council Framework Decision on attacks against information systems.
(b) (23930) 13533/02 | Draft Council Framework Decision on attacks against information systems
Legal base: | Articles 29, 30(1)(a), 31 and 34(2)(b) EU
Document originated: | (b) 29 October 2002
Deposited in Parliament: | (b) 1 November 2002
Department: | Home Office
Basis of consideration: | (b) EM of 21 November 2002
Previous Committee Report: | (a) HC 152-xxxvi (2001-02), paragraph 5 (10 July 2002), HC 152-xl (2001-02), paragraph 7 (30 October 2002)
To be discussed in Council: | No date fixed
Committee's assessment: | Legally and politically important
Committee's decision: | (a) Cleared
(b) Not cleared; revised text awaited
Background
7.1 We considered an earlier version of this proposal
for a Framework Decision on the criminal law relating to attacks
on computer and electronic communications systems (document (a))
on 10 July and 30 October 2002. We raised a number of technical
issues of definition and asked the Minister for an account of
how our concerns on such issues as the inclusion as an aggravating
circumstance of unforeseen and indirect economic loss, the meaning
of the term 'without right' and the lack of definition of 'serious
cases', were being dealt with in any revised version.
The revised proposal
7.2 The revised proposal (document (b)) reflects the
outcome of deliberations by the Council working party on substantive
criminal law at its meeting on 3 and 4 October. The revised version
of Article 2 makes a number of minor changes to the definitions.
It continues to contain a reference to conduct which is 'without
right', so that conduct which is 'recognised as lawful under domestic
law is excluded'.[36]
7.3 Article 3(1) defines the offence of illegal access
to information systems. It is still a necessary part of the offence
under Article 3(1) that security measures should have been infringed.
Article 3(2) provides for an offence of intentional access, without
right, to the whole or any part of an information system where
such access is gained for the purpose of causing economic damage
to a natural or legal person or 'for the purpose of economic benefit
for the person committing the offence or for a third party'.
7.4 The provisions of Article 4a and 4b of the earlier
version (document (a)) on interference with information systems
have been amended so that the offences of system interference
and data interference are now defined in separate Articles (Articles
4 and 4 bis, respectively). Article 4 refers to intentional serious
hindering or interruption of an information system, mentioning
a number of illustrative examples of the means by which this might
be done such as by damaging, deleting or suppressing computer
data. Article 4 bis provides for an offence of intentional
deletion, deterioration, alteration, suppression or rendering
inaccessible of computer data when this is done without right,
but there is no longer any requirement that this be done with
the intention of causing damage to a natural or legal person.
7.5 As in the previous text, Article 5 deals with the
offences of instigation, aiding and abetting, and attempts. Articles
6 and 7 deal with penalties and aggravating circumstances, respectively.
Article 6(1) no longer refers to 'serious cases'. Article 7 on
'aggravating circumstances' has been slightly amended to replace
the reference to a term of imprisonment of 'no less than four
years' with a reference to a term of at least one to three years.[37]
7.6 No material change has been made to the provisions
of Articles 9, 10 and 11 dealing with the liability of legal persons
and with jurisdiction. Article 12, which provided for the establishment
by Member States of operational contact points for the exchange
of information, has been deleted from the latest version.
The Government's view
7.7 In his Explanatory Memorandum of 21 November 2002
the Parliamentary Under-Secretary of State at the Home Office
(Mr Bob Ainsworth) explains that the proposal is already covered
by existing UK legislation, primarily the Computer Misuse Act
1990, and that the Government supports the central principle of
ensuring approximation of the criminal law of all Member States
on this subject.
7.8 In his detailed comments on the revised text, the
Minister indicates that he considers the definition of 'without
right' in Article 2(f) to be unclear as it currently stands and
that he will be seeking a clearer definition in subsequent texts.
On Article 3(1) the Minister considers that the requirement that
security measures should have been infringed is unnecessary and
informs us that he will be seeking removal of this requirement
so as to 'improve the scope of the offence from that which was
agreed in the equivalent provision in the Cybercrime Convention'[38].
The Minister adds that, if Article 3(1) can be so amended, there
is no need for the provisions of Article 3(2).
7.9 The Minister explains that he supports the changes
made by Article 4 and Article 4 bis, and points out that
the offence of illegal data interference has been amended so as
to remove the requirement that it be committed with the intention
of causing damage to a natural or legal person, and that he supports
this change.
7.10 On Articles 6 and 7 the Minister explains that the
UK is reserving its position in this area until agreement has
been reached on the precise definition of offences. However, the
Minister considers that the removal of the reference to 'serious
cases' in Article 6(1) makes the text clearer. The Minister comments
that consideration of the severity of the offence will remain
a matter for the discretion of the sentencing judicial authority.
The Minister also adds that he is seeking to remove the current
provision in Article 7(2) (which requires Member States to provide
for increased penalties where the offender has been convicted
of such an offence in another Member State) primarily because
'there is no reliable mechanism in place between Member States
to exchange details of such convictions'.
7.11 In relation to the deletion of Article 12, the Minister
comments that a network of contact points to enable a 24-hour,
seven-days-a-week exchange of information about such offences
was originally put in place between the G8 countries in 1997,
and that the Cybercrime Convention also contained such a provision.[39]
The Minister further comments that it may be some time before
all EU Member States implement that Convention, and that having
a commitment in the Framework Decision to establish such a contact
point would be a useful addition. The Minister states that he
will be seeking the re-insertion of Article 12 during negotiations.
Conclusion
7.12 We thank the Minister for his detailed and helpful
explanations of the negotiations on this proposal, and we note
that there have been a number of improvements, notably the removal
of references to (undefined) 'serious cases'. We also note that
the Minister will be seeking further improvements, and that he
shares our concern over the imprecision of the term 'without right'.
7.13 As with the earlier version, it is evident that
more work will be needed on the current version of this proposal
before it is ready for adoption. We clear the earlier version
(document (a)) on the grounds that it has been superseded, but
shall hold the current version (document (b)) under scrutiny pending
deposit of a revised version.
36 However, there is still no means provided for determining which system
of domestic law is relevant.
37 Under the European Arrest Warrant (OJ No. L 190, 18.7.2002, p.1) Member
States may only impose a requirement of dual criminality in respect
of extradition requests for 'computer-related crime' if the offence
carries a penalty of less than three years' imprisonment.
38 The Council of Europe Convention on Cybercrime, adopted at Budapest
23 November 2001 (ETS No. 185). Article 2 of that Convention permits,
but does not require, Parties to provide for infringement of security
measures as an ingredient of the offence.
39 In Article 35.