12. ATTACKS AGAINST INFORMATION SYSTEMS
(a) (24131) 15311/02 | Draft Council Framework Decision on attacks against information systems.
(b) (24233) 5715/03 | Draft Council Framework Decision on attacks against information systems.
Legal base: | Articles 29, 30(1)(a), 31 and 34(2)(b) EU; consultation; unanimity
Document originated: | (b) 28 January 2003
Deposited in Parliament: | (b) 31 January 2003
Department: | Home Office
Basis of consideration: | (a) Minister's letter of 4 February 2003; (b) EM of 6 February 2003
Previous Committee Report: | (a) HC 63-ix (2002-03), paragraph 5 (22 January 2003); and see (23930) 13533/02: HC 63-iv (2002-03), paragraph 7 (11 December 2002)
To be discussed in Council: | 27-28 February 2003
Committee's assessment: | Legally and politically important
Committee's decision: | (Both) Cleared
Background
12.1 We considered earlier versions of this proposal
for a Framework Decision on the criminal law relating to attacks
on computer and electronic communications systems on 10 July,
30 October and 11 December 2002. We considered document (a), then
the current version, on 22 January. We noted the Minister's statement
that the proposal was already covered by existing UK legislation,
primarily the Computer Misuse Act 1990, and that the Government
supported the central principle of ensuring approximation of the
criminal law of all Member States on this subject.
12.2 We noted that a number of questions of definition
were being addressed, notably the reference to access or interference
being 'without right' as an ingredient of the proposed offences.
We considered the new definition of 'without right' to be an improvement,
and we noted that it was designed to cover both access or interference
which was unlawful and access or interference which took place
without the owner's consent. We noted the Minister's intention
to seek a re-wording of the text and asked him to bear in mind
that the rules of jurisdiction in this proposal could lead to
cases where two systems of law (i.e. the law of the place of the
defendant and the law of the place where access was attempted)
might be relevant in determining whether conduct amounts to 'unlawful
access'.
12.3 We welcomed the changes made to Article 7(1)(b)
and (c) which addressed a concern we expressed that economic loss
should not be taken into account as an aggravating circumstance
in the absence of any intention by the defendant to cause such
loss, or foresight by him that such loss would be caused.
12.4 We asked the Minister to keep us informed of the
outcome of further negotiations on these questions of definition.
We noted that the current version of the proposal no longer provided
for a 24 hour contact network between the Member States. Since
the Minister had considered this to be important, we asked him
if he intended to seek to restore this provision.
The Minister's letter
12.5 The Parliamentary Under-Secretary of State at the
Home Office (Mr Bob Ainsworth) replied to us on 4 February 2003.
On the meaning of the term 'without right' he explains that the
UK has secured a change to the definition, which will now (in
document (b)) be "access or interference not authorised by
the owner, other right holder of the system or part of it, or
not permitted under the domestic legislation".
12.6 The Minister agrees that we were right to highlight
the fact that the rules of jurisdiction in the proposal could
lead to a case where two systems of law might be relevant in determining
whether conduct amounts to illegal access. The Minister points
out that Article 11 provides for the case where the offender is
physically present on a Member State's territory and also where the
offence is committed against a system on its territory, whether or not
the offender is physically present in the territory when committing
the offence. The Minister adds that in cases where an offence
could be prosecuted in two jurisdictions it will be for the relevant
Member States to decide where to prosecute, using the guidelines
set out in Article 11(4) of the proposal.
12.7 On the question of providing for a 24 hour contact
network between the Member States, the Minister explains that
the UK has been seeking to re-insert these provisions. The Minister
makes this further comment:
"The UK considers that whilst Article 35 of the Cybercrime
Convention[15] details a similar provision, there is no knowing
when Member States will
ratify the Convention and to date there are still Member States
who do not have such a valuable operational contact point in force.
In addition the re-insertion of the text would also be useful
in ensuring that applicant Member countries also establish such
provisions. For these reasons I consider that there is still value
in supporting the reinsertion of the original Article 12 text."
The revised draft Framework Decision
12.8 A revised draft Framework Decision (document (b))
has been produced following further consideration of the proposal
by the Article 36 Committee[16] at its meeting on 23 and 24
January 2003.
12.9 The Presidency has proposed a new definition of
'information system' in Article 2 (a) which would correspond more
closely to the definition in the Council of Europe Cybercrime
Convention and would incorporate the definition of 'computer system'
in Article 2(c) of document (a). An 'information system' is accordingly
defined as 'any device or group of inter-connected or related
devices, one or more of which, pursuant to a program, performs
automatic processing of computer data, as well as computer data
stored, processed, retrieved or transmitted by them for the purposes
of their operation, use, protection and maintenance. It shall
also include any device in an electronic communications network'.
12.10 The definition of 'electronic communications network'
in Article 2(b) has remained unchanged. It continues to refer
to equipment and other resources for the transmission of signals
whether by wire, radio, optical or electro-magnetic means, including
satellite networks, and those used for radio and television broadcasting,
as well as cable television networks.
12.11 The definition, in Article 2(f), of conduct which
is 'without right' has been amended so that it now refers to 'access
or interference not authorised by the owner, other right holder
of the system or part of it, or not permitted under the domestic
legislation'.
12.12 Whereas the previous version of Article 3 provided
for illegal access to be criminalised whether or not security
measures are infringed, the present version of Article 3(2) permits
Member States to declare that they will not criminalise access
unless it is achieved by infringing security measures.
12.13 Article 4 has been amended to make clear that the
list of acts constituting illegal system or data interference
is exclusive and no longer illustrative, as it was in the
previous version. Article 11(4) has been amended to include a
number of guidelines to deal with cases where the rules of jurisdiction
provided for in Article 11(1) and (2) lead to more than one Member
State being competent to prosecute. Article 12 (which dealt with
the 24 hour contact network) has now been re-instated.
The Government's view
12.14 In his Explanatory Memorandum of 6 February, the
Parliamentary Under-Secretary of State at the Home Office (Mr
Bob Ainsworth) comments on the amendments made in the latest version
of the proposal.
12.15 On the definitions in Article 2, the Minister comments
that the UK has not been in favour of including systems within
the definition of 'electronic communications network' in Article
2(b), since this would give rise to the danger of the Framework
Decision having too wide a scope, and covering a wide range of
transmission systems already dealt with by other domestic legislation
and offences outside the scope of the Computer Misuse Act 1990.
The Minister considers that the inclusion of systems would lead
to a potentially confusing overlap between the domestic law relating
to computer and other transmission systems. The Minister also
considers that the definition of 'information systems' in Article
2(a) is already sufficiently wide and that transmission systems
and other resources used for transmitting signals should be excluded
from the scope of the Framework Decision. The Minister indicates
that he will accordingly seek the deletion of the reference to
'any device in an electronic communications network' in Article
2(a) and the deletion of Article 2(b).
12.16 Also on Article 2, the Minister explains that the
UK has secured a further change to the definition of 'without
right' in Article 2(f), so that this now refers to access or interference
'not permitted under domestic legislation'.
12.17 In relation to Article 3(2) the Minister notes
that Article 2 of the Cybercrime Convention allows parties not
to criminalise unlawful access to information systems unless this
is done by infringing security measures. The Minister notes that
the offence under section 1 Computer Misuse Act 1990 does not
require a security measure to have been infringed, but recognises
that the provision in the Cybercrime Convention was thought to
be necessary by many Member States and that it is appropriate
to include a similar provision in the Framework Decision.
12.18 The Minister supports the new text of Article 4,
which now provides for an exhaustive, rather than illustrative,
list of acts constituting illegal system or data interference.
The Minister indicates that following consultation the UK is satisfied
that all the means whereby the offence could be committed are
now covered by the present text.
12.19 The Minister also indicates his support for the
revisions to Article 11 and the reinstatement of Article 12.
Conclusion
12.20 We thank the Minister for his reply and for
his informative Explanatory Memorandum on the latest version of
this proposal.
12.21 We agree that the text is now significantly
improved. In particular, we consider that the reference in Article
2(f) to access or interference which is 'not permitted under the
domestic legislation' does make it tolerably clear that the relevant
law is that of the place where the system is based and not that
of the place of the defendant, so that the ambiguity we identified
in the earlier version has now been addressed.
12.22 We believe the Minister is right to press for
the exclusion of transmission systems from the scope of the Framework
Decision and for deletion of the provisions of Article 2(b) defining
an 'electronic communications network'.
12.23 We have no further points to put to the Minister
and are content to clear the documents.
15 The Council of Europe Convention on Cybercrime, adopted at Budapest
23 November 2001 (ETS No.185).
16 The committee of senior officials of Member States provided for under
Article 36 EU to contribute to the Council's work under Article
29 EU.