Select Committee on European Scrutiny Thirty-Sixth Report





Draft Council Framework Decision on attacks against information systems.

Legal base: Articles 29, 30(1)(a), 31 and 34(2)(b) EU; consultation; unanimity

Document originated: 19 April 2002

Deposited in Parliament: 24 May 2002

Home Office

Basis of consideration: EM of 13 June 2002

Previous Committee Report:

To be discussed in Council: No date fixed

Committee's assessment: Legally and politically important

Committee's decision: Not cleared; further information requested



    1. One of the matters contained in the Action Plan agreed by the European Council in Feira in 2000 is further action to enhance network security and the establishment of a co-ordinated and coherent approach to cybercrime by the end of 2002. The Stockholm European Council of 23 and 24 March 2001 has since called on the Council and the Commission to develop a comprehensive strategy on the security of electronic networks, including practical implementing action.
    2. A number of instruments dealing at least in part with the security of information systems have already been adopted under the EC Treaty. These include Directives on data protection[17], electronic signatures[18] and the legal protection of services based on, or consisting of, conditional access[19]. The field covered by the present proposal has been the subject of consideration within the Council of Europe and has led to the adoption in November 2001 of a convention on cybercrime[20].
    The draft Framework Decision

    4. The object of the proposal is to approximate the criminal law of Member States in relation to attacks against computer and electronic communications networks and the data which is stored or communicated by such networks. The proposal is to apply generally and is not limited to organised crime or terrorism.
    5. Article 2 sets out a series of definitions relating to such concepts as 'electronic communications network', 'computer data', 'Information System' and 'authorised person'. An 'authorised person' is defined as a person 'who has the right, by contract or by law, or the lawful permission, to use, manage, control, test, conduct legitimate scientific research or otherwise operate an information system and who is acting in accordance with that right or permission'. The proposal refers, in a number of instances, to conduct which is 'without right'. This is defined as conduct by authorised persons or 'other conduct recognised as lawful under domestic law'[21].
    6. Articles 3 and 4 set out the substantive offences of illegal access to and illegal interference with Information Systems respectively. Illegal access is constituted by intentional access, 'without right', to the whole or any part of a system in three cases. These are, first, access to an information system which is subject to 'specific protection measures'[22]. The second case is where intentional access is gained 'with the intent to cause damage to a natural or legal person', and the third case arises where intentional access is gained 'with the intent to result in an economic benefit'.
    7. Illegal interference is defined as intentional conduct, 'without right', which consists of 'serious hindering or interruption' of the functioning of an information system 'by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data' (Article 4(a)). By virtue of Article 4(b) illegal interference also consists of the 'deletion, deterioration, alteration, suppression or rendering inaccessible of computer data' where this is done with the intention of causing damage to a natural or legal person[23].
    8. Article 5 requires Member States to provide for offences of instigating, aiding and abetting, as well as for attempts to commit, offences under Articles 3 and 4.
    9. Article 6 requires Member States to provide for a sentence of at least one year's imprisonment 'in serious cases' of the offences under Articles 3, 4 and 5.[24] Article 6(1) provides that the term 'serious cases' is to be understood as excluding cases where the conduct resulted in no damage or economic benefit.
    10. Article 7 requires Member States to provide for a period of imprisonment of not less than four years where the offence is committed within the framework of a criminal organisation as defined in Joint Action 98/733/JHA of 21 December 1998[25], or where the offence caused or resulted in substantial direct or indirect economic loss, physical harm or substantial damage to part of the 'critical infrastructure of the Member State'[26], or where the offence 'resulted in substantial proceeds'.
    11. Article 8 requires Member States to ensure that the penalties referred to in Articles 6 and 7 can be reduced where 'in the opinion of the competent judicial authority, the offender caused only minor damage'. Article 9 contains a standard provision on the liability of legal persons, and provision for sanctions on such persons is made in Article 10.
    12. Article 11 addresses the question of jurisdiction. Member States are required by Article 11(1)(a) to provide for jurisdiction where an offence is committed in whole or in part within their territory. Article 11(1)(b) provides for optional rules of jurisdiction to be adopted where an offence is committed by a national of a Member State and the act affects individuals or groups of that State, or where the offence is committed for the benefit of a legal person which has its head office in the territory of that Member State. The territorial jurisdiction rules are required, by Article 11(2), also to cover the case where the offender commits the offence when physically present within the national territory (whether or not the information system is located there) and where the information system is located within the national territory, whether or not the offender is also physically present there[27].
    13. Article 12 requires Member States to establish operational points of contact for the exchange of information 'in accordance with data protection rules'.[28] Articles 13 and 14 provide for implementation and entry into force.
    The Government's view

    15. In his short Explanatory Memorandum, the Parliamentary Under-Secretary of State at the Home Office (Mr Bob Ainsworth) explains that the proposal 'already has [a] direct equivalent in UK legislation, though it does not go as far as UK legislation'. On the policy implications of the proposal, the Minister comments as follows:
    16. "The Government welcomes this proposal in principle. Approximation of law in this area is something we have been working towards in Europe and in the G8. Any impact on domestic legislation would be minor. The twenty four hour a day point of contact is already in place.

      "However, the proposal is still at an early stage and there are a number of areas in which the Government would wish to see clarification. These include the detail of the definitions set out in Article 2, the benefit of narrowing the scope of Article 3(i) to systems subject to specific protection and the benefit in narrowing the scope of Article 4(a) to specific methods of hindering or disrupting."

    17. On the question of consultation, the Government indicates that it has asked the Internet Crime Forum (a joint industry and law enforcement forum) to consider the detail of the proposed Framework Decision and that it will consider the views of any other body that makes representations.
    Conclusion

    19. We note that the Government intends to raise issues of definition and the question of narrowing the scope of the offences created by Article 3(i) and Article 4(a), and we shall look forward to an account from the Minister as to how these concerns have been met.
    20. We also have a number of detailed concerns, notably as to the meaning of 'under domestic law' in Article 2(g), the apparent overlap between the offences in Article 4 (a) and (b) and the lack of definition of what is meant by 'serious cases' for the purposes of the penalties under Article 6.
    21. In relation to the provisions on aggravating circumstances in Article 7, we ask for the Minister's views on whether it is right to include a reference to 'indirect economic loss', particularly where such loss could not be reasonably foreseen by the accused person.
    22. Finally, we note that the Council of Europe has adopted a comprehensive Convention in this field, which is likely to have a much greater geographical scope than the Framework Decision, and we ask the Minister if the present proposal is really necessary, or in which respects it marks any improvement over the Council of Europe Convention.
    23. We shall hold the document under scrutiny pending the Minister's reply.


17  Directive 95/46/EC, OJ No. L 281, 23.11.1995, p. 31.

18  Directive 1999/93/EC, OJ No. L 13, 19.01.2000.

19  Directive 98/84/EC, OJ No. L 320, 28.11.1998, p. 54.

20  Adopted in Budapest 23.11.2001 European Treaty Series No 185. The Convention deals with illegal access, interference and interception as well as computer-related crime and crimes related to child pornography and intellectual property infringements.

21  It is not clear from this whether conduct which is lawful under the law of some country other than the one in which proceedings are brought is also protected. The wide jurisdiction rules under Article 10(1) will cover cases where the offence is committed extra-territorially. Presumably, although this is far from clear, 'recognised as lawful under domestic law' will include the case where a system is damaged in country A by conduct which is lawful under the law of country B. It is also not clear if the term 'domestic law' is confined to the law of Member States.

22  These are not defined. The Commission's Explanatory Memorandum refers to the fact that a large number of users leave themselves exposed to attack by not having 'adequate (or even any) technical protection'.

23  There appears to be a considerable overlap between Article 4(a) and (b) since the deletion etc. of computer data is an ingredient of both offences. 'Serious hindering or interruption' of the functioning of an information system (Article 4(a)) is also likely to involve the intentional causing of damage to a natural or legal person (Article 4(b)).

24  The one year minimum therefore brings the offence within the scope of the European Arrest Warrant.

25  OJ No. L 351, 29.12.1998, p. 1.

26  The term is not defined.

27  This corresponds to the provision made in s.5 Computer Misuse Act 1990 on the existence of significant links with the domestic jurisdiction.

28  It is not clear which rules are in issue. Presumably the Framework Decision is not intended to displace national rules on data protection.

© Parliamentary copyright 2002
Prepared 25 July 2002