The Department of Justice yesterday published the Criminal Justice (Offences Relating to Information Systems) Bill 2016. The Bill, which is long overdue, will replace some of the existing patchwork of cybercrime legislation.
The primary purpose of the Bill is to transpose European Directive 2013/40, or the Cybercrime Directive as it is more commonly known. The Cybercrime Directive is aimed at harmonising Member States' criminal law in the area of cybercrime by creating minimum rules for the definition of cybercrime offences and the relevant sanctions, and at improving cooperation between competent authorities.
Ireland, along with other Member States, did not meet the 4 September 2015 deadline for bringing into force laws to transpose the Directive. The projected timeline for enactment and commencement of the Bill is uncertain. The upcoming election certainly will not aid the Bill's progression through the Oireachtas and it is likely that the Bill will not move forward until the next Dáil is formed.
The Bill creates five key cybercrime offences, namely:
- accessing an information system without lawful authority (e.g. hacking);
- interfering with an information system so as to hinder or interrupt its functioning (e.g. introducing malicious software);
- interfering with data without lawful authority;
- intercepting the transmission of data without lawful authority; and
- use of a computer programme, password, code or data for the purpose of the commission of any of the above offences.
The offences carry sentences of up to 5 years' imprisonment on conviction on indictment. A tougher penalty of up to 10 years' imprisonment applies to the offence of interfering with an information system without lawful authority. Identity theft will be deemed to be an aggravating factor for sentencing purposes for the two data-specific offences.
It will also be an offence to obstruct a Garda acting under the authority of a search warrant (in relation to the investigation of a suspected offence under this Act), or to fail to comply with a requirement given by such a Garda. Such an offence will be punishable by up to 12 months' imprisonment or a class A fine (€5,000).
An officer of a company may be guilty of an offence, and prosecuted, if it is proved that an offence committed by the company was so committed with the officer's consent or connivance.
The Bill allows for both territorial and nationality based jurisdiction. The key cybercrime offences may be tried in the State where the offence was committed, in whole or in part, by a person:
- in the State in relation to an information system outside the State;
- outside the State in relation to an information system in the State; or
- outside the State in relation to an information system outside the State, where the act is an offence in the place it occurred and the person is an Irish citizen, or is ordinarily resident in the State, or is an Irish company.
The Bill does not appear to deal with the specific requirements of the Cybercrime Directive in relation to the exchange of information between Member States within 8 hours, and 24/7 contact points in connection with urgent requests for help relating to offences. The Bill was also intended to pave the way for ratification of the 2001 Budapest Convention on Cybercrime. The Budapest Convention is the first international treaty to provide a model for international cooperation in combating cybercrime. Ireland signed the Convention in 2002, but has yet to ratify it. The Bill as published does not appear to move Ireland any closer to ratification.
Tackling cybercrime is a key strand of the National Cyber Security Strategy published last year. Once enacted and commenced, the Bill will provide Gardaí with a more robust statutory basis for the prosecution of cybercrime. This is particularly important given the number of high-tech IT and internet-based companies that have major operations here.