On 3 April 2014, the Luxembourg Supreme Court (Cour de cassation) issued a decision reversing long-standing criminal case law by finding that the (unauthorised) extraction of electronic data can constitute theft within the meaning of Article 461 of the Criminal Code. This is yet another step by Luxembourg law towards the recognition of electronic data as a form of property, after a number of legislative initiatives acknowledging that such data may form the object of a right of retention or lien.
The facts of the case can be summarised as follows. In order to ensure his defence in the context of a potential dispute with his employer, a well-known bank on the Luxembourg market, an employee downloaded electronic data directly from the bank's server. He also "borrowed" documents belonging to the bank in order to make photocopies for his personal use.
The Luxembourg Supreme Court held that both acts can constitute theft within the meaning of Article 461 of the Criminal Code. The downloading of data is a particularly interesting question, as the Court expressly found that the unauthorised extraction of electronic data can be considered a criminal offence. In the Court's opinion, Article 461 of the Criminal Code does not draw a distinction based on whether the property that forms the object of the theft is tangible or intangible in nature, and hence the appellate court violated this article by finding that the defendant had not taken possession of a tangible good by downloading electronic data from the bank's server, so that the essential requirement of theft was not met. By finding that electronic data may form the object of theft, the Court of Cassation appears to have taken a step towards recognising the existence of a true property right for this type of data.
This decision goes against long-standing case law on the subject. Indeed, until now, the generally accepted position in the case law was that intangible data could not enter or exit a person's estate and consequently could not form the object of extraction, except in the case of theft of the physical device on which they are stored. In the legislative history to the Act of 15 July 1993 aimed at reinforcing the fight against economic crime and computer fraud, the Council of State reached moreover the same conclusion.
Aside from constituting theft within the meaning of Article 461 of the Criminal Code, the Court found that the facts of which the employee was accused could also be considered hacking, which is sanctioned by Article 509-1 of the Criminal Code, if after lawfully gaining access to the bank's network, the employee intentionally maintained such access for a fraudulent purpose, for example the performance of unauthorised transactions. The situation would then comprise a maximum number of offences.
Notwithstanding the foregoing, the Court appears to find in this case that the employee should not be held criminally liable, since there is a justification for his actions, namely the gathering of evidence in order to ensure due process.