The Criminal Justice (Offences Relating to Information Systems) Bill, 2016, which was introduced by the Minister for Justice on 15 January 2016, is still working its way through the legislative process. The Bill purports to transpose certain aspects of an EU Directive on attacks against information systems. While the Criminal Damage Act, 1991 and Criminal Justice (Theft and Fraud Offences) Act, 2001 contained cybercrime related elements, once enacted the 2016 Bill will be the first dedicated cybercrime legislation introduced in Ireland.
At the core of the 2016 Bill are five cybercrime specific offences, namely:
(a) accessing an information system without lawful authority;
(b) interference with an information system without lawful authority;
(c) interference with data without lawful authority;
(d) intercepting the transmission of data without lawful authority; and
(e) use of a computer programme, password code or data for (a), (b), (c) or (d).
An offence under (a), (c), (d) or (e) carries with it a penalty on summary conviction of a class A fine, a term of imprisonment of up to 12 months or both and on indictment a fine, up to 5 years imprisonment or both. An offence under (b) carries with the same penalty on summary conviction but a term of imprisonment of up to 10 years and/or a fine on indictment. Section 8(c) expressly provides that identity fraud is to be an aggravating factor in determining the appropriate sentence on a conviction under (c) or (d) above.
Obstruction of a Garda acting under the authority of a search warrant in respect of the investigation of a suspected offence under the 2016 Bill or failure to co-operate with a requirement given by such a Garda are also criminalised.
Section 9 provides that a director, secretary or other officer of a body corporate which has committed one of the offences outlined above (or a person purporting to act in such capacity) may be liable as if he or she himself committed the offence if the offence is proven to have been committed by the body corporate with his or her consent or connivance.
Section 10 provides for certain circumstances in which:
- a person outside of the State may tried in relation to acts in respect of information systems in the State;
- an Irish citizen, a person ordinarily resident in Ireland, a body corporate established under Irish law or an Irish company outside of the State may tried in relation to acts in respect of information systems outside of the State; and
- a person in the State may tried in relation to acts in respect of information systems outside the State.
At the time of writing, the Bill has been referred to second stage in the Dáil. The Bill does not ratify the Council of Europe Convention on Cybercrime of 2001 which Ireland signed in 2002. The legislative programme for autumn 2016 noted that preparatory work was underway on legislation to enable such ratification.
In addition, it has been reported that the Minister for Justice has been given approval by Cabinet for the drafting of a Non-Fatal Offences (Amendment) Bill to provide for the criminalisation of ‘cyberstalking’ and ‘revenge pornography’.