Professional Documents
Culture Documents
I6214416 - Assignment - European Criminal Law
I6214416 - Assignment - European Criminal Law
ID-number: i6214416
Name of student: Vuong Thao LY
European Criminal Law
Name of assignment: Assignment
Number of words: 1500
ASSIGNMENT
UK law implementation of Directive 2013/40/EU
on attack against information systems
INTRODUCTION
It is inevitable that criminal law is of paramount importance in any socio-cultural
context and offences related to attack against the information systems must be
paid more attention. Directive 2013/40/EU on attack against the information
systems establishes minimum rules concerning the definition of criminal
offences and sanctions in the area of attacks against information systems, as well
as aims to facilitate the prevention of such offences and to improve cooperation
between judicial and other competent authorities1. In this essay, the author would
like to analyze comprehensively how this Directive is transposed into United
Kingdom provisions under Computer Misuse Act 1990, which entered into force
in February 1st 1991 with some amendments in May 3rd 2015.
CONTENT
(a)he causes a computer to perform any function with intent to secure access to
any program or data held in any computer, or to enable any such access to be
secured;
(c)he knows at the time when he causes the computer to perform the function that
that is the case.3
Furthermore, the Directive also sets out the minimum rules with regards to the
illegal interference to computers and data under Article 4 and 5 such as seriously
hindering or interrupting the functioning of an information system by inputting
computer data, by transmitting, damaging, deleting, deteriorating, altering or
suppressing such data, or by rendering such data inaccessible. In compliance
with the Directive, the UK legislators implemented the Union law by interpreting
the illegal acts as laid down by the EU Directive. For more specific, Section 3 of
the Computer Misuse Act stipulates the unauthorised acts with intent to impair,
or with recklessness as to impairing, operation of computer, etc. such as to impair
the operation of any computer; to prevent or hinder access to any program or data
held in any computer; or to impair the operation of any such program or the
reliability of any such data and so on. The UK legislators also lay down rules
concerning unauthorised acts causing, or creating risk of, serious damage under
Article 3ZA of the Directive, which is pursuant to the Article 4 and 5 of the
Directive.
On top of that, under Article 7, 8 of the Directive stipulating incitement, aiding
and abetting and attempt, the UK law also implement this provision relating to
3
Section 1, Computer Misuse Act 1990
the acts of making, supplying or obtaining articles for use in offence
under section 1, 3 or 3ZA as laid down under section 3A, as followed:
(1)A person is guilty of an offence if he makes, adapts, supplies or offers to
supply any article intending it to be used to commit, or to assist in the
commission of, an offence under section 1, 3 or 3ZA.
(b)with a view to its being supplied for use to commit, or to assist in the
commission of, an offence under section 1, 3 or 3ZA.
(4)In this section “ article ” includes any program or data held in electronic
form.4
Second, as to the question of whether the United Kingdom has implemented the
EU Directive on time, it should be emphasized in relation to the transposition
period is that the United Kingdom has the obligation to bring into force the laws,
regulations and administrative provisions necessary to comply with this Directive
by 4 September 2015, as stipulated under Article 16 of the Directive. The clauses
stating the illegal access and acts of interference with computers and data under
Computer Misuse Acts 1990 entered into force in May 3rd 2015; hence, the UK
legislators has implemented the EU Directive on attack against the information
systems on time.
Third, with reference to whether all provisions of the European instrument are
implemented into UK law as well as if there are any incompatibilities, the illegal
interference to the information systems may be sentenced to imprisonment for a
term not exceeding 12 months or to a fine not exceeding the statutory maximum
or to both; or on conviction on indictment, to imprisonment for a term not
exceeding ten years or to a fine or to both. Therefore, the maximum term of
imprisonment is ten years when it comes to the conviction on indictment, which
4
Section 3A, Computer Misuse Act 1990
is compatible with EU provision stating that illegal system interference and
illegal data interference are punishable by a maximum term of imprisonment of
at least three years. Moreover, concerning the acts of incitement, aiding and
abetting and attempt, as stipulated under Article 7 of EU Directive on attack
against information systems, the minimum maximum term of imprisonment is
two years for the conviction on indictment; and the offence committed according
to Article 3A on making, supplying or obtaining articles for use in offence under
section 1, 3 or 3ZA, is sentenced with the maximum term of imprisonment of at
least two years as well. Regarding the acts causing serious damage as laid down
under point 4, Article 9 of EU Directive on attack against information systems,
the minimum maximum term of imprisonment is 5 years and the stipulation of
the UK law is that the maximum term of sentence is 14 years or an imprisonment
for life or a fine or both.
Forth, when it comes to case law on the interpretation of the national provisions,
it is obvious that in the case of R v Bow Street Magistrates' Court and Allison
(AP) Ex Parte Government of the United States of America (Allison) 5 the House
of Lords considered whether an employee, who was authorised to access certain
client accounts, could commit an offence securing 'unauthorised access' as
stipulated under Section 1 of Computer Misuse Act 1990. It was held that the
employee clearly came within the provisions of Section 1, as she intentionally
caused a computer to give her access to data she knew she was not authorised to
access (which she then passed on to others who were able to forge credit cards).
The House of Lords made it clear that an employee would only be guilty of an
offence if the employer clearly defined the limits of the employee's authority to
access a program or data. Besides, in DPP v Lennon (2006) 170 JP 532, Section
3 should be considered in cases involving distributed denial of service attacks
(DDoS), as the term "act" includes a series of acts, there is no need for any
modification to have occurred and the impairment can be temporary.
CONCLUSION
5
https://publications.parliament.uk/pa/ld199899/ldjudgmt/jd990805/bow.htm
From the aforementioned points, it is undoubtedly reasonable that the UK
implementation is in compliance with the EU Directive on attack against the
information systems.
BIBLIOGRAPHY
1. Directive 2013/40/EU on on attacks against information systems and
replacing Council Framework Decision 2005/222/JHA
2. Computer Misuse Act 1990
3. André Klip, European Criminal Law. An Integrative Approach, 3rd
edition, Intersentia, Cambridge 2016.
4. Case R v Bow Street Magistrates' Court and Allison (AP) Ex Parte
Government of the United States of America (Allison)
5. Case DPP v Lennon (2006)