Select Committee on European Union Forty-Ninth Report


DRAFT EU FRAMEWORK DECISION ON ATTACKS AGAINST INFORMATION SYSTEMS

(COUNCIL DOC. 13533/02)

Letter from the Chairman to Bob Ainsworth MP, Parliamentary Under-Secretary of State, Home Office

  Sub-Committee E (Law and Institutions) considered the proposal at its meeting on 18 December. The Committee welcomes the removal of the "seriousness" element from the provisions on penalties, which, along with the newly inserted penalty levels, alleviates to some extent our concerns regarding the application of the European Arrest Warrant. There remain however a number of unresolved issues.

THE SCOPE OF THE OFFENCES

  The scope of the offences is very broad, especially with regard to illegal system and data interference. A crucial safeguard to avoid the over-extension of the scope of these offences is the requirement for them to be committed intentionally and without right. However, as you note in your Explanatory Memorandum, the definition of "without right" in Article 2(f) is unclear. We assume that you will be pressing for a clear definition, which is essential in view of the potentially broad scope of Articles 4 and 4bis. Has the Government proposed an alternative wording?

  Another cause of concern is the illustrative—but not exhaustive—enumeration of means of illegal system interference in Article 4. This goes beyond the Council of Europe Cybercrime Convention and may cause considerable uncertainty as to the scope of the offence. It may further lead to different standards in the implementation of the measure by Member States, which could in its turn cause problems in the application of the European Arrest Warrant.

  Finally, it is not clear what is meant by "infringing security measures" which is a key element in the offence of illegal access to information systems (Article 3(1)).

PENALTIES

  We note that the penalty levels in Article 6 have been increased. Care must be taken to ensure that these levels (reaching up to three years of minimum maximum custodial sentence) are proportionate to some of the offences, especially in view of the lack of clarity regarding their scope. You have rightly indicated that the delimitation of penalties must follow agreement on the precise definition of the offences. We would welcome any information on developments in the field. It would also be helpful if you could inform the Committee of existing penalty levels in domestic law.

AGGRAVATING CIRCUMSTANCES

  There remain a number of terms in need of clarification, such as "substantial proceeds" (Article 7(1)(e)). There is also some uncertainty regarding the wording in Article 7(1)(a)—what is meant by "apart from the penalty referred to therein"? Does this mean that the four year custodial sentence required by Joint Action 98/733 is not required here?

  We would welcome your comments on these points. The Committee decided to retain document 13533/02 Droipen 76 under scrutiny. Document 8586/02 COM (2002) 173 final has been cleared.

  I am copying this letter to Jimmy Hood MP, Chairman of the Commons European Scrutiny Committee; and to Dorian Gerhold, Clerk to the Commons Committee; Michael Carpenter, Legal Adviser to the Commons Committee; Les Saunders (Cabinet Office); Joanne Harrison, Departmental Scrutiny Co-ordinator.

Letter from Bob Ainsworth MP, Parliamentary Under-Secretary of State, Home Office to the Chairman of the Committee

  Thank you for your letter of 19 December regarding this draft EU instrument.

  Turning to each of the points you raise:

THE SCOPE OF THE OFFENCES

  I agree that there is the potential for the scope of the offences to be very broad. The use of the terms "intentional" and "without right" are an essential part of the formulation of each of the offences in Articles 3, 4 and 4bis. A definition of the term "without right" has proved a difficult task, but I consider that the current formulation is along the right lines. As the Explanatory Memorandum explains, the definition now seeks to establish two concepts, access or interference not covered by domestic law, and such activity not authorised by the owner or other right holder of the system. Whilst the text could be more clearly expressed than "unlawful", saying for example "access or interference not permitted under the domestic legislation", I would consider that this formulation is a suitable means of expressing this concept.

  I have noted your concern that the means of illegal system interference are illustrative rather than exhaustive, and that this could lead to different standards in the implementation of this measure across Member States. Use of the words "in particular" aims to ensure that the list can cope with future means of illegally interfering with a system, and in this respect the offence differs from the equivalent one in the Council of Europe Cybercrime Convention. However, the UK officials are considering with prosecutors and legal advisers the value of the use of the term "in particular" in this offence, and will report to the Committee on the outcome of these discussions at the earliest opportunity.

  Whilst the use of the term "infringing security measures" is not part of the Article 3 offence in this new text (15311/02), it is still an important requirement for the formulation of this offence for some Member States as its inclusion as a permissive provision in the formulation of the illegal access offence in the Council of Europe Convention, and the revised text of Article 6(2) and 7(1), demonstrates. The term "infringing security measures" applied to the illegal access offence would mean that it would be a requirement for a security measure such as a firewall or a password protecting a computer system to be overcome by a hacker before committing the offence. Whilst the infringing of security measures was a permissive component of the offence of illegal access in Article 2 of the Cybercrime Convention, the UK does not favour such a requirement in the formulation of this offence. Current domestic legislation under Section 1 of the Computer Misuse Act 1990 (CMA) encompasses and goes further than the text in the Cybercrime Convention in requiring the criminalisation of all intentional, unauthorised access.

PENALTIES

  The relationship between the definitions in the text and the formulation of the offences will, as you have noted, define the appropriateness of the penalty levels to be used in the text, and I will of course keep you advised of developments here.

  With regards to existing UK legislation, Section 1 of the CMA criminalises the intentional unauthorised access to computer material. This offence is currently punishable by six months' imprisonment, but under proposals contained in the "Justice for All" White Paper would increase to 51 weeks. Section 2 of the CMA concerns where an individual commits a Section 1 offence with intent to commit or facilitate the commission of further offences. Conviction for this offence attracts a maximum term of imprisonment of five years. Section 3 of the CMA concerns the unauthorised modification of computer material and again attracts a maximum term of imprisonment of five years.

AGGRAVATING CIRCUMSTANCES

  The phrase "substantial proceeds" at Article 7(1)(c) of the text of 13533/02 was ambiguous and has been replaced by the clearer wording of "economic benefit" in this new text.

  The Joint Action 98/733 of 21 December 1998 referred to a criminal organisation committing offences punishable by a deprivation of liberty of at least four years. The use of the phrase "apart from the penalty referred to therein" is to clarify that the penalty threshold of at least two to five years in this Article is potentially lower than the threshold for offences committed by a criminal organisation as specified in the Joint Action. Therefore, for the purposes of the offences in this framework decision such offences may be considered as being committed within a criminal framework regardless of the potentially lower than four years penalty level they may attract.

Letter from the Chairman to Bob Ainsworth MP, Parliamentary Under-Secretary of State, Home Office

  Thank you very much for your letter of 15 January and your Explanatory Memorandum of 16 January on the above proposal. They were most helpful for Sub-Committee E (Law and Institutions) in its examination of the proposal on 29 January.

  The Committee notes that there have been some substantial improvements in the new draft, the most notable being the clarification of the definition of "without right". A welcome development is also the requirement for illegal access to have been committed by infringing security measures for the penalty threshold of Article 6(2) to apply. This is a welcome safeguard, as the offence of illegal access in Article 3 is very broad, and the one-year penalty threshold in Article 6 would trigger the application of the European Arrest Warrant.

  There remain, however, a number of points that raise concerns. These involve, as you have pointed out in your Explanatory Memorandum, the potential over-extension of the instrument's scope by its application to "electronic communications networks", and the use of an illustrative—but not exhaustive—enumeration of means of illegal system interference in Article 4. We note that the Government is currently examining the suitability of both provisions and would welcome further information on your consultation and the progress of negotiations in Brussels.

  The Committee decided to retain document 15311/02 Droipen 90 under scrutiny. Document 13533/02 Droipen 76 has been cleared.

Letter from Bob Ainsworth MP, Parliamentary Under-Secretary of State, Home Office to the Chairman

  I am writing in response to your letter of 30 January concerning this draft Framework Decision.

  Your approval of changes secured by the UK to the definition of "without right" is welcome. However, with regards to the change you have referred to in Article 6(2)—slightly amended in the new text of 5715/03 DROIPEN 5—as you will have noted, the requirement to commit the offence of illegal access by infringing of security measures is now a permissive component of the Article 3 offence (in the same way that it was in Article 2 of the Council of Europe Cybercrime Convention). Current domestic legislation under Section 1 of the Computer Misuse Act 1990 (CMA) encompasses and goes further than the text in the Framework Decision in requiring the criminalisation of all intentional, unauthorised access, regardless of whether the offence is committed by infringing a security measure. The Government is not proposing to make a declaration as envisaged in Article 3(2), or to seek a requirement that a security measure is infringed in committing an illegal access offence before applying a one-year penalty threshold, and I consider that this is consistent with current domestic legislation which I could not weaken in this way.

  Turning to the outstanding issues of concern. In Article 2, following consultation the Government takes the view that the scope of the Framework Decision should not relate to "electronic communications network" devices and systems. Application of this provision into legislation would lead to a potentially confusing overlap of domestic provisions to cover offences against the complete range of systems this term envisages. Furthermore the definitions in the text encompassing an information system—excluding any reference to an "electronic communications network"—are considered sufficiently wide to cope with the currently envisaged technological development of computer and wider information systems. As such the Government will seek the exclusion of the term "electronic communications network" from the scope of this instrument.

  In my letter of 16 January I advised the Committee that UK officials were considering with prosecutors and legal advisers the value of the use of the term "in particular" in Article 4. Having done so, the UK is now satisfied that all the means of undertaking this offence are now covered in the text, and that the list of the mechanisms of illegally interfering with a system should be exhaustive. As you will note from the new text of 5715/03 DROIPEN 5, this change has already been made to the text.

  I would like to inform the Committee that we now expect this Framework Decision to be submitted for agreement at the Justice and Home Affairs Council on 27-28 February 2003. I hope that my letter has fully dealt with your outstanding concerns in relation to this Framework Decision.

Letter from the Chairman to Bob Ainsworth MP, Parliamentary Under-Secretary of State, Home Office

  Sub-Committee E (Law and Institutions) considered the above documents, along with your letter of 7 February, at its meeting on 19 February. The Committee notes that the text has been improved by the tightening of the scope of the offences of illegal access and interference. The Committee decided to clear the documents from scrutiny, but would welcome your comments on the following points.

PENALTIES AND AGGRAVATING CIRCUMSTANCES FOR ILLEGAL ACCESS

  You are concerned that Article 3(2) does not refer to a specific offence and argue that all references to Articles 6 and 7 are to Article 3. This may be a valid drafting point. However, the Committee believes that it is important to distinguish between illegal access infringing a security measure, which warrants a heavier penalty and triggers the application of the European Arrest Warrant, and illegal access in general, which may cover only minor offences.

ELECTRONIC COMMUNICATIONS SYSTEMS

  You reiterate that you will seek the exclusion of electronic communications systems from the scope of the proposal. Preambular paragraph 11bis, however (providing that the Framework Decision "does not require Member States to establish the criminal offence per se of unauthorised viewing of television and cable broadcasts") appears to be an important safeguard against the over-extension of the offences. It would be preferable if these words were included in the text of Article 3.

Letter from Bob Ainsworth MP, Parliamentary Under-Secretary of State, Home Office to the Chairman

  I am writing in response to your letter of 20 February concerning this draft Framework Decision.

  I note from your letter that you approve of the tightening of the scope of the offences of illegal access and interference in the Framework Decision, and that you have cleared the deposited documents from Scrutiny. I would like to thank you for your assistance in clearing these texts from scrutiny prior to the February Justice and Home Affairs Council.

  With regards to the two points you have asked for further comments on, firstly you have sought that there be a distinction between an offence of illegal access, and a second offence attracting a heavier penalty where an offence of illegal access is committed by infringing a security measure.

  I accept that in committing an offence of illegal access there may be a range of criminal activities which may differ in their severity. This is one of the reasons why the government was keen to restrict the scope of application of the framework decision to exclude devices in an electronic communications network, as when the range of systems and networks covered by this definition was applied to the illegal access offence it did have the potential to criminalise a number of trivial offences. You will be pleased to note that the government was successful in restricting the scope of application of the instrument to exclude any reference to an electronic communications network.

  Furthermore, as I indicated in my letter of 7 February to you, under current legislation at Section 1 of the Computer Misuse Act 1990 (CMA), there is no requirement that an offence of unauthorised access to a computer system be committed by infringing a security measure, but the offence requires simply the criminalisation of all intentional, unauthorised access. I can only restate my earlier comment that changing legislation to create an offence of unauthorised access committed by infringing a security measure would weaken existing law in this area by creating a two tier test which could make prosecutions more difficult to secure. As such it is not a change which I can agree to.

  Secondly, you have sought that the provision in the recital stating that the Framework Decision "does not require Member States to establish the criminal offence per se of unauthorised viewing of television and cable broadcasts" be moved to the body of the text to relate to the illegal access offence. As you have pointed out this provision was originally placed in the recital as a clarification of the scope of offences which should be criminalised under the illegal access offence, when applied to systems included in the definition of an electronic communications network. However as I have indicated above, the government was successful in removing the definition of an electronic communications network—and any device in an electronic communications network from the definition of an information system—from the text of the Framework Decision. This means that the text now relates to information systems and does not extend to transmission systems and networks used for radio, television and cable TV networks which were included in the definition of an electronic communications network, making the change you have sought unnecessary.

  I hope that my letter has addressed these outstanding issues of concern for the Committee.

Council Doc 5715/03

DROIPEN 5

EXPLANATORY MEMORANDUM ON JUSTICE AND HOME AFFAIRS MATTERS

DRAFT EU FRAMEWORK DECISION ON ATTACKS AGAINST INFORMATION SYSTEMS

SUBMITTED BY THE HOME OFFICE ON 6 FEBRUARY 2003

  This Explanatory Memorandum on work being carried out under Title VI (Police and Judicial Co-operation in Criminal Matters) of the Treaty on European Union is being provided to Parliament in accordance with current arrangements for Parliamentary scrutiny, as amended in November 1998.

SUBJECT MATTER

  This draft Framework Decision requires the approximation of Member States' criminal law (offences, penalties and jurisdiction) on attacks against information systems.

SCRUTINY HISTORY

  An Explanatory Memorandum on the previous version of the text 15311/02 (DROIPEN 90) was deposited for scrutiny on 16 January. It was considered, but not cleared, by the European Scrutiny Committee on 22 January and by Sub-Committee E of the European Union Committee on 29 January. Further information was asked for by the European Scrutiny Committee in their uncorrected report of 22 January, and was responded to. Both Committees cleared an earlier version of the text, 13533/02 (DROIPEN 76), at these meetings.

  An Explanatory Memorandum on 8586/02 was deposited on 13 June 2002. It was considered by the ESC on 10 July when the ESC asked for further information. The Government responded on 15 October. The ESC again considered this document on 30 October and held it under scrutiny pending deposit of a revised text. The EUC asked for further information on this document on 4 July with the Government responding on 15 October. The EUC again considered this document on 29 October but held it under scrutiny pending deposit of a revised text. An Explanatory Memorandum on 13533/02 (DROIPEN 76) was deposited for scrutiny on 20 November; it was considered, but not cleared, by Sub-Committee E of the European Union Committee on 18 December. It was considered, but not cleared, by the European Scrutiny Committee on 11 December. The ESC held it under scrutiny pending deposit of a revised text. At these meetings both Committees cleared an earlier version of the text 8586/02 (COM (2002) 173 final).

MINISTERIAL RESPONSIBILITY

  The Home Secretary has responsibility for policy matters relating to the criminal law (except in Scotland) and takes the lead on judicial co-operation with other EU Member States within the framework of Title VI of the Treaty on European Union. Scottish Executive Ministers also have an interest in view of their different criminal law system.

LEGAL AND PROCEDURAL BASIS

    (i)  Legal basis

  Article 31 and 34(2)(b) of the Treaty on European Union.

    (ii)  European Parliament procedure

  Article 39 of the Treaty on European Union requires the Council to consult the European Parliament before adopting measures covered inter alia by Article 34(2)(b).

    (iii)  Voting Procedure

  Unanimity in the Council.

    (iv)  Impact on United Kingdom Law

  The proposal is already largely covered by existing UK legislation, primarily under the Computer Misuse Act 1990. The scope of clarifying amendments that would be needed will depend on the negotiation of the detail of the Framework Decision, but it is likely that there will be a need for some amendments to this legislation.


GIBRALTAR

  The proposal has a legal base in Title VI of the TEU and will not therefore apply to Gibraltar unless expressly extended. The Government of Gibraltar has been consulted about the instrument and we are awaiting a final decision as to whether they wish to participate in this instrument.

APPLICATION TO THE EUROPEAN ECONOMIC AREA

  The Draft Framework Decision does not apply to the European Economic Area.

CONSULTATION WITH OUTSIDE INTERESTS

  The Government has sought the comments of a range of law enforcement agencies and government departments with responsibilities for hi-tech crime domestic policy, practice and investigation of such offences. It has also asked a range of industry groups, including the Internet Crime Forum (a joint industry and law enforcement forum) legal sub-group, and members of Eurim (an all party, pan-industry discussion group on the information society and e-commerce) to consider the detail of the proposed Framework Decision.

POLICY IMPLICATIONS

  The Government supports the central principle of this initiative of ensuring that there is approximation of the criminal law in all Member States regarding these offences and their penalisation.

ARTICLE 2

  The UK has secured a further change to the definition of "without right" at Article 2(f) from the previously deposited text. This adds greater clarity to the definition by reference to access or interference "not permitted under domestic legislation". This provision is necessary to protect the activities of the police and security services who may be required to access a computer system when not authorised by the owner, but still acting in accordance with their legislative powers.

  The UK has widely discussed the implications of the inclusion of systems within an "electronic communications network" in the instrument, and the danger that this would lead to a too far ranging scope, covering a wide range of transmission systems already dealt with by other domestic legislation and offences outside of the Computer Misuse Act. It was considered that the inclusion of this term would not only lead to a potentially confusing overlap in domestic legislation relating to computer and other transmission systems, but that the formulation of the definition of "information systems" at Article 2(a) is sufficiently wide to encompass future technological developments currently envisaged.

  Following this further consultation, the Government considers that such transmission systems and other resources covered by the definition of "electronic communications network", should be excluded from the scope of the Framework Decision. We will seek a revision to the text excluding "It shall also include any device in an electronic communications network" from Article 2(a), and the deletion of the definition at Article 2(b).

ARTICLE 3

  The offence of illegal access to information systems has been altered at Article 3(2) to allow that a Member State may declare that the offence of illegal access be committed by infringing a security measure. This exception was a component of that offence of illegal access in Article 2 of the Cybercrime Convention. Whilst the UK considers that current legislation, Section 1 of the Computer Misuse Act, goes further than this formulation, it believes that the provision agreed in the Cybercrime Convention is a standard which many Member States consider a necessity, and as such it is appropriate to include such a provision in this Framework Decision.

  Whilst the Government wishes to ensure that there are minimal barriers to judicial co-operation between Member States, we do not consider that the inclusion of a text such as that proposed in Article 3 paragraph 3 is the correct way to achieve this aim, and we shall seek the deletion of this specific provision.

ARTICLE 4

  The text has been altered to remove the words "in particular" from the version of the text previously deposited. This provides for an exhaustive rather than illustrative list of the mechanisms of illegally interfering with a system. Following consultation the UK is now satisfied that all the means of undertaking this offence are now covered, and as such supports this new text.

ARTICLE 6 AND 7

  The UK is supportive of these provisions. However it is considered that the changes to the text in respect of references to Article 3, references to paragraph 1 and 2 are inappropriate. The offence of illegal access as currently defined in the text of article 3(1) may be qualified by provisos in Article 3(2). There is however no offence defined in Article 3 paragraph 2 on its own and all references in Articles 6 and 7 should be just to Article 3.

ARTICLE 11

  Article 11(4) has been revised to specify that a number of factors may be taken into account when considering which jurisdiction will prosecute when a number of Member States could validly prosecute an offender. The UK is satisfied that the specified factors provide useful guidelines for Member States to consider in such circumstances.

ARTICLE 12

  The Government is satisfied that the text relating to operational contact points has been introduced. There are still Member States who do not have such a valuable contact point in force, and given that the Framework Decision has a definite implementation date, and there is no knowing when the Cybercrime Convention will be ratified, it is considered that this is a positive inclusion.

REGULATORY IMPACT ASSESSMENT

  Not applicable.

FINANCIAL IMPLICATIONS

  The proposal will not entail financial implications for the budget of the European Communities or have a significant financial impact on the UK.

TIMETABLE

  Agreement to the instrument is likely to be sought at the Justice and Home Affairs Council on 27-28 February.

Bob Ainsworth

Parliamentary Under-Secretary of State,

Home Office

Note from the Presidency of the Council of the European Union to the Working Party on Substantive Criminal Law

  During its meeting on 23 and 24 January 2003, the Article 36 Committee examined recital 11 bis and Articles 2, 3 and 12 of the above proposal on the basis of 8586/02 DROIPEN 29 ECO 143 and 5281/03 DROIPEN 1 TELECOM 4.

  The proposal was subject to general reservations by the          and          delegations. It was subject to parliamentary reservations by the          and          delegations. The          delegation also introduced a linguistic reservation.

  On the basis of comments made during the meeting, the Presidency has prepared the revised text in the Annex for future discussions. Changes concerning recital 11 bis and 16, and Articles 2, 3 and 12 are underlined as compared to 5281/03 DROIPEN 1 TELECOM 4. Comments and reservations by the delegations are set out in footnotes to the text.

Annex

Proposal for a

COUNCIL FRAMEWORK DECISION

on attacks against information systems

THE COUNCIL OF THE EUROPEAN UNION,

  Having regard to the Treaty on European Union, and in particular Articles 29, 30(1)(a), 31 and 34(2)(b) thereof,

  Having regard to the proposal of the Commission[24],

  Having regard to the opinion of the European Parliament[25],

  Whereas:

  (x)  The objective of this Framework Decision is to improve co-operation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, through approximating rules on criminal law in the Member States in the area of attacks against information systems. [26]

  (1)  There is evidence of attacks against information systems, in particular as a result of the threat from organised crime, and increasing concern at the potential of terrorist attacks against information systems which form part of the critical infrastructure of the Member States. This constitutes a threat to the achievement of a safer Information Society and an Area of Freedom, Security and Justice, and therefore requires a response at the level of the European Union.

  (2)  An effective response to those threats requires a comprehensive approach to network and information security, as underlined in the Europe Action Plan, in the Communication by the Commission "Network and Information Security: Proposal for a European Policy Approach"[27] and in the Council Resolution of 6 December 2001 on a common approach and specific actions in the area of network and information security.

  (3)  The need to further increase awareness of the problems related to information security and provide practical assistance has also been stressed in the European Parliament Resolution of 5 September 2001[28].

  (4)  Significant gaps and differences in Member States' laws in this area hamper the fight against organised crime and terrorism, and act as a barrier to effective police and judicial co-operation in the area of attacks against information systems. The trans-national and borderless character of modern electronic communication networks means that attacks against information systems are often international in nature, thus underlining the urgent need for further action to approximate criminal laws in this area.

  (5)  The Action Plan of the Council and the Commission on how to best implement the provisions of the Treaty of Amsterdam on an area of freedom, security and justice[29], the Tampere European Council on 15-16 October 1999, the Santa Maria da Feira European Council on 19-20 June 2000, the Commission in the Scoreboard[30] and the European Parliament in its Resolution of 19 May 2000[31] indicate or call for legislative action against high technology crime, including common definitions, incriminations and sanctions.

  (6)  It is necessary to complement the work performed by international organisations, in particular the Council of Europe's work on approximating criminal law and the G8's work on transnational co-operation in the area of high tech crime, by providing a common approach in the European Union in this area. This call was further elaborated by the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on "Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime"[32].

  (7)  Criminal law in the area of attacks against information systems should be approximated in order to ensure the greatest possible police and judicial co-operation in the area of criminal offences related to attacks against information systems, and to contribute to the fight against organised crime and terrorism.

  (8)  The Framework Decision on the European Arrest Warrant[33], the Annex to the Europol Convention and the Council Decision setting up Eurojust contain references to computer-related crime which needs to be defined more precisely. For the purposes of such instruments, computer-related crime should be understood as including attacks against information systems as defined in this Framework Decision which provides a much greater level of approximation of the constituent elements of such offences. This Framework Decision also complements the Framework Decision on combating terrorism[34] which covers terrorist actions causing extensive destruction of an infrastructure facility, including an information system, likely to endanger human life or result in major economic loss.

  (9)  All Member States have ratified the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data. The personal data processed in the context of the implementation of this Framework Decision will be protected in accordance with the principles of the said Convention.

  (10)  Common definitions in this area, particularly of information systems and computer data, are important to ensure a consistent approach in Member States in the application of this Framework Decision.

  (11)  There is a need to achieve a common approach to the constituent elements of criminal offences by providing for a common offence of illegal access to an information system, and illegal interference with an information system.

  (11 bis)  This Framework Decision requires Member States to establish the criminal offence of illegal access to information systems. (. . .) However it does not require Member States to establish the criminal offence per se of unauthorised viewing of television and cable broadcasts (. . .)[35].

  (12)  There is a need to avoid over-criminalisation, particularly of trivial or minor conduct, as well as the need to avoid criminalizing right-holders and authorised persons such as legitimate private or business users, managers, controllers and operators of networks and systems, legitimate scientific researchers, and authorised persons testing a system, whether a person within the company or a person appointed externally and given permission to test the security of a system.

  (13)  There is a need for Member States to provide penalties for attacks against information systems which are effective, proportionate and dissuasive, including custodial sentences in serious cases;

  (14)  It is necessary to provide for more severe penalties when certain circumstances accompanying an attack against an information system make it an even greater threat to society. In such cases, sanctions on perpetrators should be sufficient to allow for attacks against information systems to be included within the scope of instruments already adopted for the purpose of combating organised crime such as the 98/733/JHA Joint Action of 21 December 1998 adopted by the Council on the basis of Article K.3 of the Treaty on European Union on making it a criminal offence to participate in a criminal organisation in the Member States of the European Union[36].

  (15)  Measures should be taken to enable legal persons to be held liable for the criminal offences referred to by this act which are committed for their benefit, and to ensure that each Member State has jurisdiction over offences committed against information systems in situations where the offender is physically present on its territory or where the information system is on its territory.

  (16)  Measures should also be foreseen for the purposes of co-operation between Member States with a view to ensuring effective action against attacks against information systems. (. . .) Member States should therefore make use of the existing network of operational contact points for the exchange of information[37].

  (17)  Since the objectives of ensuring that attacks against information systems be sanctioned in all Member States by effective, proportionate and dissuasive criminal penalties and improving and encouraging judicial co-operation by removing potential obstacles, cannot be sufficiently achieved by the Member States individually, as rules have to be common and compatible, and can therefore be better achieved at the level of the Union, the Union may adopt measures, in accordance with the principle of subsidiarity as referred to in Article 2 of the EU Treaty and as set out in Article 5 of the EC Treaty. In accordance with the principle of proportionality, as set out in the latter Article, this Framework Decision does not go beyond what is necessary in order to achieve those objectives.

  (18)  This Framework Decision is without prejudice to the powers of the European Community.

  (19)  This Framework Decision respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and notably Chapters II and VI thereof.





HAS ADOPTED THIS FRAMEWORK DECISION:

Article 1

Article 2

Definitions

  For the purposes of this Framework Decision, the following definitions shall apply:

  (a)  "Information System" means any device or group of inter-connected or related devices, one or more of which, pursuant to a program, performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance. It shall also include any device in an electronic communications network. [38]

  (b)  "Electronic communications network" means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed.

  (c)  (. . .) [39]

  (d)  "Computer data" means any representation of facts, information or concepts in a form suitable for processing in an information system, including a program suitable for causing an information system to perform a function.

  (e)  "Legal person" means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations.

  (f)  "Without right" means access or interference not authorised by the owner, other right holder of the system or part of it, or not permitted under the domestic legislation.

Article 3

Illegal access to Information Systems

  1.  Each Member State shall take the necessary measures to ensure that the intentional access without right to the whole or any part of an information system is punishable as a criminal offence. [40]

  2.  Each Member State may declare that the acts referred to in paragraph 1 are incriminated only where the offence is committed by infringing a security measure (. . .)

  [3.  A Member State may not invoke the condition mentioned in sub-paragraph 2 as grounds for refusing mutual legal assistance, on the basis of the principle of dual criminality.] [41]

  [4.  Declarations referred to in paragraph 2 shall be communicated to the Council at the time of the adoption of the instrument and shall be valid for five years from the implementation deadline for the Framework Decision.] [42]

  [5.  In due time before the expiry of five years after the deadline referred to in Article 13(1) for implementing this Framework Decision, the Council shall review this Article with a view to considering whether it shall be possible to renew a declaration made under paragraph 2.]

Article 4

Illegal system interference

  Each Member State shall take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system (. . .) by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right.

Article 4 bis

Illegal data interference

  Each Member State shall take the necessary measures to ensure that the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system is punishable as a criminal offence when committed without right.

Article 5

Instigation, aiding and abetting and attempt

  1.  Each Member State shall ensure that the instigation of, aiding and abetting an offence referred to in Articles 3, 4 and 4 bis is punishable.

  2.  Each Member State shall ensure that attempt to commit the offences referred to in Articles 3, 4 and 4 bis is punishable. [43]





Article 6

Penalties[44]

  1.  Each Member State shall take the necessary measures to ensure that the conduct referred to in Articles 3 paragraph 1, and 5 is punishable by effective, proportionate and dissuasive criminal penalties.

  2.  Each Member State shall take the necessary measures to ensure that the conduct referred to in Articles 3 paragraph 2 (. . .), 4 and 4 bis is punishable of a maximum of at least between one and three years of imprisonment.

Article 7[45]

Aggravating circumstances

  Each Member State shall take the necessary measures to ensure that the conduct referred to in Articles 3 paragraph (. . .) 4 and 4 bis is punishable by criminal penalties of a maximum of at least between two and five years of imprisonment when committed (. . .) within the framework of a criminal organisation as defined in Joint Action 98/733/JHA of 21 December 1998 on making it a criminal offence to participate in a criminal organisation in the Member States of the European Union, apart from the penalty level referred to therein.

  (. . .)

  (. . .)

Article 8

  (. . .)

Article 9

Liability of legal persons

  1.  Each Member State shall take the necessary measures to ensure that legal persons can be held liable for conducts referred to in Articles 3, 4, 4 bis and 5, committed for their benefit by any person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person, based on:

    (a)  a power of representation of the legal person, or

    (b)  an authority to take decisions on behalf of the legal person, or

    (c)  an authority to exercise control within the legal person.

  2.  Apart from the cases provided for in paragraph 1, Member States shall ensure that a legal person can be held liable where the lack of supervision or control by a person referred to in paragraph 1 has made possible the commission of the offences referred to in Articles 3, 4, 4 bis and 5 for the benefit of that legal person by a person under its authority.

  3.  Liability of a legal person under paragraphs 1 and 2 shall not exclude criminal proceedings against natural persons who are involved as perpetrators, instigators or accessories in the conduct referred to in Articles 3, 4, 4 bis and 5.

Article 10

Sanctions for legal persons

  1.  Each Member State shall take the necessary measures to ensure that a legal person held liable pursuant to Article 9(1) is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and may include other sanctions, such as:

    (a)  exclusion from entitlement to public benefits or aid;

    (b)  temporary or permanent disqualification from the practice of commercial activities;

    (c)  placing under judicial supervision; or

    (d)  a judicial winding-up order.

  2.  Each Member State shall take the necessary measures to ensure that a legal person held liable pursuant to Article 9(2) is punishable by effective, proportionate and dissuasive sanctions or measures.

Article 11

Jurisdiction

  1.  Each Member State shall establish its jurisdiction with regard to the conduct referred to in Articles 3, 4, 4 bis and 5 where the conduct has been committed:

    (a)  in whole or in part within its territory; or

    (b)  by one of its nationals; or

    (c)  for the benefit of a legal person that has its head office in the territory of that Member State.

  2.  When establishing jurisdiction in accordance with paragraph (1)(a), each Member State shall ensure that it includes cases where:

    (a)  the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory; or

    (b)  the offence is against an information system on its territory, whether or not the offender commits the offence when physically present on its territory.

  3.  A Member State which under its laws, does not as yet extradite or surrender its own nationals shall take the necessary measures to establish its jurisdiction over and to prosecute, where appropriate, the conduct referred to in Articles 3 to 5 in cases when it is committed by one of its nationals outside its territory.

  4.  Where an offence falls within the jurisdiction of more than one Member State and when any of the States concerned can validly prosecute on the basis of the same facts, the Member States concerned shall co-operate in order to decide which of them will prosecute the offenders with the aim, if possible, of centralising proceedings in a single Member State. To this end, the Member States may have recourse to any body or mechanism established within the European Union in order to facilitate co-operation between their judicial authorities and the co-ordination of their action. Sequential account may be taken of the following factors:

    —  the Member State shall be that in the territory of which the acts has been committed according to Article 11 paragraph 1(a) and paragraph 2; [46]

    —  the Member State shall be that of which the perpetrator is a national;

    —  the Member State shall be that in which the perpetrator has been found.

  5.  A Member State may decide not to apply, or to apply only in specific cases or circumstances, the jurisdiction rule set out in paragraphs 1(b) and 1(c).

  6.  Member States shall inform the General Secretariat of the Council and the Commission accordingly where they decide to apply paragraph 5, where appropriate with an indication of the specific cases or circumstances in which the decision applies.

Article 12[47]

  1.  For the purpose of exchange of information relating to the offences referred to in Articles 3, 4, 4 bis and 5, and in accordance with data protection rules, Member States shall ensure that they make use of the existing network of operational points of contact available 24 hours a day and seven days a week.

  2.  Each Member State shall inform the General Secretariat of the Council and the Commission of its appointed point of contact for the purpose of exchanging information on offences relating to attacks against information systems. The General Secretariat shall notify that information to the other Member States.

Article 13

Implementation

  1.  Member States shall take the necessary measures to comply with this Framework Decision by [. . .][48].

  2.  By the same date Member States shall transmit to the General Secretariat of the Council and to the Commission the text of any provisions transposing into their national legislation the obligations imposed on them under this Framework Decision. By 31 December 2004 at the latest on the basis of a report drawn up on the basis of information and a written report from the Commission, the Council shall assess whether Member States have taken the necessary measures in order to comply with this Framework Decision.

Article 14

Entry into force

  This Framework Decision shall enter into force on the date of its publication in the Official Journal of the European Communities.

  Done at Brussels,

For the Council

The President





COMMERCIAL EXPLOITATION OF PUBLIC SECTOR DOCUMENTS (11093/02)

Letter from Stephen Timms MP, Minister of State for e-Commerce and Competitiveness, Department of Trade and Industry and Douglas Alexander MP, Minister of State, Cabinet Office, to the Chairman

  Thank you for your letter dated 21 October 2002 which set out your Committee's view on the proposed Directive on the re-use and commercial exploitation of public sector documents. Your Committee expressed concern that the specific national interests set out in the Explanatory Memorandum submitted on 4 September 2002 should be adequately protected during the process of negotiation. Finally, your Committee maintained its Scrutiny Reserve on the document and asked for a regular report on the progress of negotiation.

  Two key points for the UK during negotiations were how the proposal fitted with access regimes, and how the charging mechanisms for public sector documents would be applied. Discussions within the Working Group of the Telecommunications Council have resulted in a working text that reflects many of the UK's core concerns.

ACCESS

  Following negotiations a new Article 1.2a is proposed which reads:

  "This Directive builds on the existing access regimes in the Member States and does not change the rules for access to documents held by public sector bodies. This Directive does not apply in cases in which citizens or companies have to prove a particular interest under the access regime to get access to the documents."

  This is reinforced by an additional exclusion in the same Article, which reads:

  "(ca) documents which are excluded from access by virtue of the access regimes in the Member States, including on the grounds of:

    —  the protection of national security (ie state security), defence, or public security

    —  statistical or commercial confidentiality".

  The government now considers that its concerns over the possibility of inadvertent encroachment on access regimes in Member States have been fully addressed by these changes.

CHARGING

  The part of the proposed Directive dealing with charging principles (Article 6) has also evolved during negotiations. In particular, a sentence has been added which confirms that:

  "Charges should be cost-orientated over the normal accounting period."

  This answers a major concern of the UK government that this requirement should not be interpreted as applying to every individual transaction, but take into account normal trading conditions and practices. In earlier drafts the burden of proof was on the public sector bodies to demonstrate that charges were cost-oriented. However, in the current draft this obligation has been removed. This reflects the view of the Working Group that this was a matter for the Member States working within the content of their individual legal frameworks.

  The definition of cost-oriented in Article 6 and Recital 12 has been expanded to include:

  "Where charges are made, the total income from supply and allowing re-use of these documents shall not exceed the cost of collection, production, reproduction and dissemination, together with a reasonable return of investment."

  Recital 12 goes on to specify that production includes creation and collation.

  The proposed Directive ensures that the private and public sector operate on a level playing field when value-added products are based on public sector documents. As recently amended it states:

  "If documents are re-used by a public sector body as input for its commercial activities which fall outside the scope of its public tasks, the same charges and other conditions shall apply to the supply of the documents for those activities as apply to other users."

  The equality treatment, favouring neither public nor private sector body and allowing both to compete on even terms, is an important provision of the Directive, and the government considers that it strikes the right balance. The source data for value-added material produced by the public sector is within the scope of the Directive, and available on the basis set out, ie the same conditions would apply for the private sector user as for the public sector bodies which produced the material.

  The inclusion of the possibility for public sector bodies to include a reasonable return on investment in the charges for re-use of documents is an important one for the UK, and particularly for organisations such as Ordnance Survey and the Met Office. A Presidency proposal, which has received wide support, is for specific recognition in a Recital that some public sector bodies depend on income from sales of their documents to finance their activities. The precise definition and level of "reasonable return on investment" has been deliberately left in general terms by the Commission, and for the discretion of Member States to interpret. This will vary according to the circumstances. However, the availability of the source material on the same terms and conditions will encourage competition, ensuring that the level does not become excessive. If concerns remain complainants will have the usual recourse to the law, and the public sector bodies concerned may be challenged in Court to prove that they are abiding by the rules set down by the Directive.

CONCLUSION

  The negotiations within the Telecommunications Working Group have addressed the access issue, whilst the key point on charging is to ensure a level playing field in the market. It is essential that the same conditions and costs are applicable for both the private sector and public sector when adding value to public sector information. The possibility of public sector bodies obtaining a reasonable return on investment is important, and the market, and the possibility of legal challenge, will ensure that this is not excessive.

  We will ensure that your Committee is kept closely informed of developments as negotiations continue. On that basis it would be greatly appreciated if your Committee could agree to lift your scrutiny reserve in time for the meeting of the Telecommunications Council, which will be looking to agree a common orientation on this proposal, on 5 December 2002.

21 November 2002


24   IJ C . . p.

25   IJ C . . p.

26   See footnote to Article 1.

27   COM (2001) 298.

28   [2001/2098(INI)].

29   OJ C 19, 23.1.1999.

30   COM (2001) 278 final.

31   A5-0127/2000.

32   COM (2000) 890.

33   OJC . . P.

34   OJC . . P.

35   Proposal by the Presidency to take account of concerns about the previous text. This is also the reason why the definitions now make clear that an "information system" consists of devices.

36   OJ L 351, 29.12.1998, p.1.

37   See Article 12.

38   Proposal by the presidency to address the concerns of the ?? and delegations on Article 2(a) and (b) due to the extension of the definition to "electronic communications networks". On the basis of the comments made during the meeting, the Presidency proposes this text, which corresponds to a large extent to the Council of Europe Cyber Crime Convention. The end of the first sentence corresponds to the original Commission proposal, and did not give rise to any specific comments. The final sentence is based on a proposal made by ???, but the word "part" has been replaced by "device" to bring it into line with the CoE Convention, and to limit the scope.

39   Paragraph (c) has been deleted as its content has been moved to paragraph (a).

40   The delegations was in favour of limiting this Article to the only paragraph 1.

41   The delegations were in favour of including this paragraph. The delegations were against. The delegations thought that mutual legal assistance should not apply to minor offences.

42   Several delegations, including the delegation supported the proposal of a time limit as contained in paragraphs 4 and 5 which were proposed by . The delegation was reserved.

43   Scrutiny reservation by the and delegations. The delegation considered that the attempt concerning the conduct described in Article 3 should not be covered as it is a minor offence. The delegation announced that would only be able to decide whether this provision should refer to both paragraph 1 and 2 of Article 3 once Article 3 will be agreed.

44   Scrutiny reservation by several delegations. The delegations were in favour of two levels of sanctions only (effective, proportionate and dissuasive criminal penalties, and one to three years).

45   See previous footnote.

46   The delegation favoured the following wording: "the Member State shall be that in the territory of which the acts have been committed".

47   Several delegations ( ) supported the Commission's proposal to reintroduce Article 12. The delegation was against. The delegation could agree on the principle, but thought this should be achieved in a separate instrument. The wording has been changed as compared to the original text proposed by to reflect the wish of the and delegations not to create a new network (See also recital 16).

48   Date to be inserted.



© Parliamentary copyright 2003