Last September, the European Commission put forward a proposal for a directive on attacks against information systems and repealing Council Framework Decision 2005/222/JHA. According to the Commission, the framework decision “only approximates” member states’ legislation on “a limited number of offences” such as illegal access to information systems, illegal system interference, illegal data interference, and instigation, aiding and abetting and attempting to do so. Consequently, the Commission has proposed the present draft directive to “further approximate the substantive criminal law of Member States and the rules on procedure.” The Computer Misuse Act 1990 was amended in 2008 in order for the UK to meet the framework decision’s requirements. However, the UK would have to amend this Act again.

Under the Protocol on the Position of the UK in respect of the Area of Freedom, Security and Justice, the UK can opt out of amendments to legislation into which it has already opted. According to the European Scrutiny Committee, “It is evident that the draft Directive will, unless amended in the course of negotiations, require some change to existing criminal law in the UK.” Nevertheless, the Government has decided to opt into the draft Directive, and will be bound by it. Obviously, the UK Government’s decision to opt into the draft directive entails further financial costs, which are associated with the need to amend legislation and the requirement to collate statistics. Once the UK decides to opt in, it will be subject to the enforcement powers of the ECJ and the European Commission. Therefore, it can be taken before the ECJ for failure to implement this draft directive correctly or in due time.

The Justice and Home Affairs Council has recently reached a general approach on the draft directive. The draft proposal is based on Article 83(1) TFEU, which allows Brussels to adopt measures concerning the definition of criminal offences and sanctions. The proposal is subject to the ordinary legislative procedure and QMV is required at the Council. The Council’s general approach now constitutes the basis for the negotiations with the European Parliament.

Member States are required to take measures “to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which are not minor.” Under the draft Directive, member states are therefore required to criminalise “cases which are not minor.” However, these provisions are unclear and imprecise. The wording for establishing criminal liability lacks precision. The current Framework Decision already provides that criminal liability applies “at least for cases which are not minor”. However, as the ESC noted, such wording is not “unusual in Framework Decisions adopted before the Lisbon Treaty entered into force, at a time when the jurisdiction of the Court of Justice for EU criminal law matters was limited,” but it is no longer appropriate as “the Court will have full jurisdiction to sanction Member States for inadequate transposition or implementation of new EU criminal law measures.” The Parliamentary Under-Secretary of State for Crime Prevention, James Brokenshire, told the ESC that the Government was seeking to tackle this issue during negotiations or by national implementing legislation. The Government has, therefore, raised this issue during negotiations. The text has not been removed but it is now provided, in a recital, that member states decide what constitutes a minor case in accordance with national law and practice.

The Commission’s draft proposal introduced “illegal interception” of non-public transmissions of computer data to, from or within an information system, as a criminal offence. Moreover, it also penalizes the production, sale, procurement for use, import, distribution of any device or tool for committing the offences foreseen in the draft Directive. Presently, under the Computer Misuse Act 1990, the production, possession and distribution of tools for the purpose of committing the above-mentioned offences is not a criminal offence. Hence, the UK would have to change its domestic legislation in order to provide for this requirement. James Brokenshire said to the ESC “that the Government believes that no new offences will need to be created, and that it has negotiated with other Member States to ensure that existing UK penalties for offences will be sufficient to meet the requirements of the Directive.” According to the Minister, “the criminalisation of an attempt to commit an offence has been limited to illegal system interference and illegal data interference.”

The EU Member States are required to introduce measures so that the offences listed in the directive (illegal access to information systems, illegal system interference, illegal data interference, illegal interception, tools used for committing offences) “are punishable by criminal penalties of a maximum term of imprisonment of at least two years.” The Commission has proposed to raise the thresholds, as presently “the offences are punishable by criminal penalties of a maximum of at least between one and three years of imprisonment.” The Commission has also introduced, in the draft directive, “aggravating circumstances.” Consequently, Member States would be required to introduce measures ensuring that the above-mentioned offences “are punishable by criminal penalties of a maximum term of imprisonment of at least five years” when committed under the following aggravating circumstances: within the framework of a criminal organization, where the offence has been committed “through the use of a tool designed to launch attacks affecting a significant number of information systems, or attacks causing considerable damage” and when committed by “concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner.” The maximum sentence foreseen in the UK for the offences listed in the draft directive is less than five years; consequently, the UK would have to amend its legislation to increase the level of sentence. The Council has changed the thresholds proposed by the Commission, and, under the Council’s present text, the maximum term of imprisonment varies between three and five years, depending on the gravity of the offence.

Under the 2005 Framework Decision, a member state would establish its jurisdiction with regard to offences committed within its territory, by its nationals or for the benefit of a legal person that has its head office in its territory. The Commission’s proposal introduced two new offences, illegal interception and the illegal use of tools to commit cyber crimes, and would have extended the factors to establish jurisdiction to include the place of habitual residence of the offender, which would have implications for the UK’s current rules on jurisdiction. Under the Computer Misuse Act 1990 there is jurisdiction to prosecute all the Act’s offences if there is “at least one significant link with the domestic jurisdiction.” Hence, in order to comply with the new provision on jurisdiction, the Computer Misuse Act 1990 would have to be amended. James Brokenshire explained to the ESC that under the present Council’s text “the proposed extension of extra-territorial jurisdiction to habitual residents is something which Member States may choose (but are no longer required) to do.” Nevertheless, the Government is still concerned about “the issue of extending extra-territorial jurisdiction by nationality, and will continue to explain to other Member States why the UK believes this is unnecessary.”

Under the current Framework Decision, Member States are required to make use of a network of operational points of contact available 24 hours a day and seven days a week for exchanging information related to the different offences. Under the draft directive, Member States would be obliged to reply to urgent requests for information within eight hours. Moreover, Member States would be obliged to collate statistical data on offences listed in the draft directive, on an annual basis, including the number of offences and the follow-up given to these reports, the number of reported cases investigated, the number of persons prosecuted, and the number of persons convicted. Such data shall be transmitted to the Commission. The European Scrutiny Committee noted, “The UK already collates information on prosecutions and convictions under the Computer Misuse Act 1990, but does not collect broader statistical information on computer crime.”

The government was able to negotiate “an adequate solution to the definition of minor cases” as well as ensure “that the proposed extension of extra-territorial jurisdiction to habitual residents is something which Member States may choose (but are no longer required) to do.” But it remains to be seen what will come out of the negotiations with the European Parliament.