UK government consults on review of Computer Misuse Act

February 17, 2023

In 2021, the Home Office issued a call for evidence on the Computer Misuse Act 1990. The Act was 30 years old, and the government says that it “in general has proved to be a far-sighted piece of legislation” which law enforcement agencies are still able to use to prosecute cyber-dependent related crime. This is despite its age. There have been several amendments to the Act, most recently in 2015, to ensure that UK legislation met the requirements of the Council of Europe Convention on Cybercrime (Budapest Convention) and other relevant EU directives. However, these changes were relatively limited. The call for information was to identify whether there is activity causing harm in the area covered by the Act that is not adequately covered by the offences contained within it.

The Home Office has now published its response to the call for evidence and is consulting further on the Act’s review. It says that a number of proposals were put forward, both for changes to the Act itself, and for additional powers to allow law enforcement agencies to more effectively tackle the offences covered by the Act.

This consultation now seeks views on three proposals for legislation.

The first is a proposal to develop a new power to allow law enforcement agencies to take control of domains and internet protocol addresses where these are being used by criminals to support a wide range of criminality, including fraud and computer misuse. The government recognises that a significant amount is done under voluntary arrangements to tackle the misuse of domain names, and would not want to see these arrangements undermined. However, it believes that there is a need to ensure that where such arrangements are unavailable, law enforcement agencies have the power to take action.

The second proposal is for a power to allow law enforcement agency to require the preservation of computer data to allow that law enforcement agency to determine whether the data would be needed in an investigation. the power would not allow the law enforcement agency to seize the data, but would allow it to be preserved in case needed.

The third proposal is about whether a power should be created that would allow action to be taken against a person possessing or using data obtained by another person through an offence under the Act, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards being in place.

The consultation also covers the government’s proposed approach to other issues which were raised during the review. These included proposals on the levels of sentencing, defences to the offences under the Act, improvements to the ability to report vulnerabilities, and whether the UK has sufficient legislation to cover extra-territorial threats. Many cases have a neuro-diversity element attached to the offender, making the individual(s) concerned more vulnerable and therefore more difficult to prosecute with proportionate sentences. It says that these are complex issues, and therefore the Home Office intends to bring stakeholders together to identify how these issues should be addressed to ensure that the UK’s cybersecurity can counter the risks posed by state threats and criminals.

The consultation ends on 6 April 2023.