Computer Misuse Amendments

June 5, 2014

The Government has published the Serious Crime Bill, which begins its passage through Parliament in the House of Lords. Part 2 of the Bill covers computer misuse and consists of four clauses amending the Computer Misuse Act 1990 (one of the clauses being a ‘savings’ provision).

A new s 3ZA is proposed to be inserted in the 1990 Act which covers ‘Unauthorised acts causing, or creating risk of, serious damage’. This is essentially an aggravated form of the existing offence under s. 3, the key difference being that the act must cause ‘serious damage of a material kind, or create a significant risk of such damage of a material kind and, crucially, that the person concerned intends by doing the act to cause such damage or is reckless as to whether such damage is caused. The definition of ‘damage of a material kind’ covers damage to human welfare, the environment, the economy or national security –so not much is left. Moreover, the material damage may be suffered in any country. The maximum penalty is 14 years’ imprisonment; but, where the serious material damage is to national security or is damage to human welfare resulting in the loss of life or illness or injury, the maximum penalty is life imprisonment. 

The other two material amendments to the 1990 Act are necessary for compliance with EU Directive 2013/40/EU on attacks against information systems. The first amends s 3A (making, supplying or obtaining articles for use in offences under s 1 or s 3) so as to close a loophole whereby it was an offence to obtain an article with a view to supplying it to another for the commission of an offence but it was not an offence to obtain for personal use with the intention of committing an offence. An individual obtaining malware with a view to committing an offence would be caught by s 3A if the amendment is passed. The second amendment arising from the Directive widens the territorial scope of the Act by amending the two sections (ss. 4 and 5) that currently limit the jurisdiction of the courts so that they may deal only with offences where there is a ‘significant link’ with the home country concerned (England and Wales, Scotland or Northern Ireland). Under the proposed s 5(5A):

‘(1A) In relation to an offence under section 1, 3, 3ZA or 3A, where the accused was in a country outside the United Kingdom at the time of the act constituting the offence there is a significant link with domestic jurisdiction if—

(a) the accused was a United Kingdom national at that time; and

(b) the act constituted an offence under the law of the country in which it occurred.’


Laurence Eastham writes:

Since it appears from the impact statement that there has been just one conviction under ss. 3A of the 1990 Act in the last eight years, it is hard to take seriously the grandiose claims in the Home Office impact statement that these amendments will ‘contribute to the Home Secretary’s commitment to relentlessly disrupt organised crime’ and that they will reduce the threat of cyber crime. But there is no doubt that the amendments arising from the Directive are sensible.

The new aggravated offence looks suspiciously like grand-standing. As so often, problems in enforcement are met with proposed ‘solutions’ that add extra offences (which there will be a struggle to enforce). And I am amazed that the new offence extends to damage to the national security of any country – Russia, Syria, North Korea included presumably. But critics of GCHQ and NSA may be cheered by the fact that there is no specific exemption here for the acts of the security service nor any requirement that a prosecution be brought only by the DPP. Private prosecution for damage to the economy anyone? Interesting thought, but I doubt that the Bill will survive quite in this form.