
Date of submission: 13/03/2020

ID-number: i6214416
Name of student: Vuong Thao LY
European Criminal Law
Name of assignment: Assignment
Number of words: 1500

ASSIGNMENT
UK law implementation of Directive 2013/40/EU
on attack against information systems
INTRODUCTION
It is inevitable that criminal law is of paramount importance in any
socio-cultural context, and offences related to attacks against information
systems must be given more attention. Directive 2013/40/EU on attacks against
information systems establishes minimum rules concerning the definition of
criminal offences and sanctions in the area of attacks against information
systems, and aims to facilitate the prevention of such offences and to improve
cooperation between judicial and other competent authorities.[1] In this essay,
the author would like to analyze comprehensively how this Directive is
transposed into United Kingdom provisions under the Computer Misuse Act 1990,
which entered into force on February 1st 1991, with some amendments on May 3rd
2015.

CONTENT

First, it should be noted that the method used by the UK legislator to
implement Directive 2013/40/EU on attacks against information systems is the
judicial European interpretation of the elements of the national definition of
a crime. An example of this is where a national criminal court interprets an
existing provision of the national criminal code in the light of Union
legislation. In a situation in which the national provision is the product of
the implementation of European obligations, this must already be done in the
form of an interpretation that is in conformity with the Directive.
Additionally, there are also situations in which the significance of a term,
apparent from the description of the offence, is further defined by the
underlying Union law. These can be in very broad terms, such as “unauthorised
access” or “unauthorised acts”. National criminal courts can interpret the
national terminology in a Union-minded manner without further implementation.
The limits of the interpretation in conformity with the Directive lie in the
principle of legality.[2]

[1] Article 1, Directive 2013/40/EU on attacks against information systems and
replacing Council Framework Decision 2005/222/JHA
[2] André Klip, European Criminal Law. An Integrative Approach, 3rd edition,
Intersentia, Cambridge 2016

More specifically, Article 3 “Illegal access to information systems” of the
Directive stipulates that access to the whole or to any part of an information
system is punishable as a criminal offence, and the Computer Misuse Act 1990 of
the United Kingdom lays down the circumstances in which an individual is
charged with an offence due to unauthorised access to computer material, as
follows:
1 Unauthorised access to computer material.
(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access
to any program or data held in any computer, or to enable any such access to be
secured;

(b) the access he intends to secure, or to enable to be secured, is
unauthorised; and

(c) he knows at the time when he causes the computer to perform the function
that that is the case.[3]

Furthermore, the Directive also sets out the minimum rules with regard to
illegal interference with computers and data under Articles 4 and 5, such as
seriously hindering or interrupting the functioning of an information system by
inputting computer data, by transmitting, damaging, deleting, deteriorating,
altering or suppressing such data, or by rendering such data inaccessible. In
compliance with the Directive, the UK legislators implemented the Union law by
interpreting the illegal acts as laid down by the EU Directive. More
specifically, Section 3 of the Computer Misuse Act stipulates the unauthorised
acts with intent to impair, or with recklessness as to impairing, operation of
computer, etc., such as to impair the operation of any computer; to prevent or
hinder access to any program or data held in any computer; or to impair the
operation of any such program or the reliability of any such data, and so on.
The UK legislators also lay down rules concerning unauthorised acts causing, or
creating risk of, serious damage under Article 3ZA of the Directive, which is
pursuant to Articles 4 and 5 of the Directive.

[3] Section 1, Computer Misuse Act 1990

On top of that, with regard to Articles 7 and 8 of the Directive, which
stipulate incitement, aiding and abetting and attempt, UK law also implements
this provision in relation to the acts of making, supplying or obtaining
articles for use in an offence under section 1, 3 or 3ZA, as laid down under
section 3A, as follows:
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to
supply any article intending it to be used to commit, or to assist in the
commission of, an offence under section 1, 3 or 3ZA.

(2) A person is guilty of an offence if he supplies or offers to supply any
article believing that it is likely to be used to commit, or to assist in the
commission of, an offence under section 1, 3 or 3ZA.

(3) A person is guilty of an offence if he obtains any article—

(a) intending to use it to commit, or to assist in the commission of, an
offence under section 1, 3 or 3ZA, or

(b) with a view to its being supplied for use to commit, or to assist in the
commission of, an offence under section 1, 3 or 3ZA.

(4) In this section “article” includes any program or data held in electronic
form.[4]

Second, as to the question of whether the United Kingdom has implemented the
EU Directive on time, it should be emphasized in relation to the transposition
period that the United Kingdom has the obligation to bring into force the laws,
regulations and administrative provisions necessary to comply with this
Directive by 4 September 2015, as stipulated under Article 16 of the Directive.
The clauses stating the illegal access and acts of interference with computers
and data under the Computer Misuse Act 1990 entered into force on May 3rd 2015;
hence, the UK legislators have implemented the EU Directive on attacks against
information systems on time.

[4] Section 3A, Computer Misuse Act 1990

Third, with reference to whether all provisions of the European instrument are
implemented into UK law, as well as whether there are any incompatibilities,
illegal interference with information systems may be sentenced to imprisonment
for a term not exceeding 12 months or to a fine not exceeding the statutory
maximum or to both; or, on conviction on indictment, to imprisonment for a term
not exceeding ten years or to a fine or to both. Therefore, the maximum term of
imprisonment is ten years when it comes to conviction on indictment, which is
compatible with the EU provision stating that illegal system interference and
illegal data interference are punishable by a maximum term of imprisonment of
at least three years. Moreover, concerning the acts of incitement, aiding and
abetting and attempt, as stipulated under Article 7 of the EU Directive on
attacks against information systems, the minimum maximum term of imprisonment
is two years for conviction on indictment; and the offence committed according
to Article 3A on making, supplying or obtaining articles for use in an offence
under section 1, 3 or 3ZA is sentenced with a maximum term of imprisonment of
at least two years as well. Regarding the acts causing serious damage as laid
down under point 4, Article 9 of the EU Directive on attacks against
information systems, the minimum maximum term of imprisonment is 5 years, and
the stipulation of the UK law is that the maximum term of sentence is 14 years
or imprisonment for life or a fine or both.

Fourth, when it comes to case law on the interpretation of the national
provisions, it is obvious that in the case of R v Bow Street Magistrates' Court
and Allison (AP) Ex Parte Government of the United States of America
(Allison),[5] the House of Lords considered whether an employee, who was
authorised to access certain client accounts, could commit an offence of
securing 'unauthorised access' as stipulated under Section 1 of the Computer
Misuse Act 1990. It was held that the employee clearly came within the
provisions of Section 1, as she intentionally caused a computer to give her
access to data she knew she was not authorised to access (which she then passed
on to others who were able to forge credit cards). The House of Lords made it
clear that an employee would only be guilty of an offence if the employer
clearly defined the limits of the employee's authority to access a program or
data. Besides, in DPP v Lennon (2006) 170 JP 532, Section 3 should be
considered in cases involving distributed denial of service (DDoS) attacks, as
the term "act" includes a series of acts, there is no need for any modification
to have occurred, and the impairment can be temporary.

[5] https://publications.parliament.uk/pa/ld199899/ldjudgmt/jd990805/bow.htm

CONCLUSION

From the aforementioned points, it is undoubtedly reasonable to conclude that
the UK implementation is in compliance with the EU Directive on attacks against
information systems.

BIBLIOGRAPHY
1. Directive 2013/40/EU on attacks against information systems and replacing
   Council Framework Decision 2005/222/JHA
2. Computer Misuse Act 1990
3. André Klip, European Criminal Law. An Integrative Approach, 3rd edition,
   Intersentia, Cambridge 2016.
4. Case R v Bow Street Magistrates' Court and Allison (AP) Ex Parte Government
   of the United States of America (Allison)
5. Case DPP v Lennon (2006)
