Check against delivery
Criminal Justice (Offences Relating to Information Systems) Bill 2016
Second Stage Speech – Dáil Éireann
Minister of State for Justice, David Stanton TD
25 January 2017
A Cheann Comhairle,
The Criminal Justice (Offences Relating to Information Systems) Bill 2016 is a relatively short but very significant piece of legislation. I am very pleased to introduce this Bill to the House on behalf of my colleague, the Tánaiste and Minister for Justice and Equality, Frances Fitzgerald, who regrets that she is unable to be present. The main purpose of the Bill is to give effect to provisions of Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems.
The Bill will also give effect to many of the key provisions of the Council of Europe Convention on Cybercrime - the “Budapest” Convention - which Ireland signed in 2002.
The legislation before us reflects the EU Directive in that it provides for criminal offences in relation to attacks against information systems and establishes effective, proportionate and dissuasive penalties for such offences – the most serious of which could result in a term of imprisonment of up to 10 years. The offences provided for relate to information systems and data and do not cover content-related matters.
The Bill creates new offences relating to:
· unauthorised accessing of information systems
· unauthorised interference with information systems or with data on such systems
· unauthorised interception of transmissions of data to or from information systems, and
· the use of tools, such as computer programmes, passwords or devices, to facilitate the commission of these offences relating to information systems.
Before outlining the content of the Bill in more detail I would like to provide some context for the legislation.
It is true to say that information systems are very much part of our daily lives in the modern world. They are increasingly relied upon by governments, businesses and individuals alike. The term “information system” itself, as defined in the Bill, is deliberately broad, encompassing all devices involved in the processing and storage of data, not only those considered to be “computer systems” in the traditional sense. This reflects the range of modern communications and data storage technology currently available, such as tablets and smart phones. Information systems also encompass the IT infrastructure or networks that support communication systems and individual devices, as well as data. The term “data” is also broadly circumscribed in the Bill, as meaning any representation of facts, information or concepts in a form capable of being processed, and includes a programme capable of causing an information system to perform a function.
There is no doubting the very significant benefits which modern information systems bring to our lives. However, reliability on such systems can also unfortunately mean vulnerability. New technology creates opportunities for new crimes. Cybercrime and attacks on information systems have become increasingly problematic and challenging across Europe and indeed the world in general. The European Commission brought forward its proposal for a Directive in this area against a backdrop of steadily increasing cybercrime. This included previously unknown large-scale and dangerous attacks against the information systems of companies, such as banks, the public sector and even the military, in EU Member States and other countries. New concerns emerged in this area, such as the massive spread of malicious software. Such “malware”, as it is termed, can for instance create what are known as “botnets” – networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks. These networks of compromised computers may be activated – often without the knowledge of the users of these computers – to perform specific actions such as attacks against information systems.
The interconnection of computers and information systems, through cyberspace, facilitates communication between companies and individuals across the world. What has become clear is that, as cyberspace has developed and evolved, so has cybercrime, which is a transnational phenomenon. Traditional law is based on physical geography whereas cybercrimes occur in the “virtual” world of cyberspace and readily intersect and transcend national boundaries. There is a clear need, therefore, for international cooperation in this area and for harmonisation of national laws to counter the very real threats faced. It is vital that we seek to protect citizens, businesses and government structures alike from cyberattacks which represent such a growing challenge in the modern technological environment. That is the central aim of this Bill.
I now propose to outline, in more detail, the content of the Bill, which contains 17 sections and largely reflects the EU Directive on attacks against information systems, as I mentioned earlier.
Section 1 provides the necessary interpretation provisions for the Bill and includes a definition of “information system”. The term “information system”, rather than “computer”, is used in order to enable the Bill to have the widest possible application taking account of rapidly evolving technology in this area. This section also includes a broad definition of “data”. Both of these definitions are based on the definitions contained in the Directive.
Further important definitions in section 1 relate to the concepts of “lawful authority” and “right holder”. These are particularly significant in relation to how the offences under sections 2 to 6 of the Bill are framed. I will outline these offences presently, having made a couple of preliminary comments in this regard. I would first point out that the activities concerned, such as access to or interference with information systems or data, are not offences if they are performed with lawful authority, such as with the permission of the owner or right holder of the system. It is clearly not intended to criminalise the activities of those who have authority to access information systems or possess a computer programme or code for the purpose of maintaining, testing or protecting information systems. There are, for instance, companies who carry out such activities legitimately in the course of their work - which could involve testing the security of information systems and protecting them from attack. Such companies are effectively exempt from the provisions of the Bill.
A further point of commonality in the manner in which the offences under sections 2 to 6 are framed is the notion of intent. When the activities described are carried out with lawful authority and without criminal intent they could not be considered to be offences.
Section 2 provides that it is an offence to intentionally access an information system by infringing a security measure without lawful authority or reasonable excuse.
Section 3 provides that it is an offence to intentionally interfere with an information system so as to hinder or interrupt its functioning. It also describes the various means of interference such as, for example, inputting data to the system, damaging or deleting data or making data on the system inaccessible.
Section 4 provides that it is an offence to intentionally interfere with data on an information system, for example, by deleting, altering or causing the deterioration of the data.
Section 5 provides that it is an offence to intentionally intercept the non-public transmission of data to or from or within an information system.
Section 6 provides that it is an offence to intentionally produce, sell, import, distribute, or otherwise make available a computer programme or any device, computer password, access code or similar data for the purpose of the commission of an offence under sections 2, 3, 4 or 5 of the Bill. It will be noted that the direct intention to commit an offence is specifically required in relation to this provision, in addition to the general intent requirement contained in all of the offence provisions. This reflects the requirements of the EU Directive and is designed to avoid criminalisation where such tools or devices are produced and put on the market for legitimate purposes, such as testing the security of information systems.
Section 7 allows a search warrant to be issued to the Garda Síochána by the District Court in relation to the investigation of the suspected commission of offences under the Act. It also sets out the process involved and provides for related matters. The section includes a requirement that a person under investigation shall, on request, provide the Gardaí with any password or key or code necessary to operate a computer or to access the data.
This provision essentially replaces the search warrant provision in section 13 of the Criminal Damage Act 1991 insofar as it relates to data and applies the provision generally to the investigation of offences relating to information systems. Section 13 of this Bill amends the 1991 Act and includes a transitional provision in respect of search warrants issued under that Act. I will return to section 13 and the Criminal Damage Act shortly.
Section 8 sets out the penalties for the commission of offences under sections 2 to 6 of the Bill. It provides that a person who commits an offence under section 2, 4, 5 or 6 will be liable, on summary conviction, to a fine of up to €5,000 or imprisonment for a term of up to 12 months, or both. On conviction on indictment, these offences are punishable by a fine or a term of up to 5 years in prison, or both. The same penalties apply for summary conviction for offences committed under section 3, which relates to unlawful interference with an information system, but conviction on indictment for this offence carries an even more prohibitive penal sanction of up to 10 years. This penalty reflects the gravity of the offence and the potential for damage which unlawful interference with an information system could result in.
Section 8 further provides that fraudulent use of the personal data of another person will be treated as an aggravating factor when the court is determining sentence for an offence under sections 3 or 4. It also provides for penalties for offences in relation to the search warrant provisions in section 7. Such offences include obstructing a Garda member acting under authority of a search warrant, failure to provide information to facilitate Garda access to a computer or failure to give the Gardaí a correct name and address.
Section 9 clarifies that where an offence under the Bill is committed by a body corporate, liability will rest with the person acting on behalf of the body corporate as well as with the body corporate itself.
I would just mention at this point that it may be necessary for the Tánaiste to bring forward a minor, essentially technical amendment to section 9 at Committee Stage. Legal advice is currently awaited from the Office of the Attorney General in this regard.
Section 10 establishes legal jurisdiction with regard to the commission of offences under sections 2 to 6 of the Bill. It provides that a person may be tried in the State for an offence under sections 2 to 6 of the Bill - whether the offence is committed in relation to an information system in the State by a person who is inside or outside the State. Legal jurisdiction also extends to the commission of such an offence in relation to an information system outside the State if the person is an Irish citizen, is ordinarily resident in the State or is a body corporate or company under the law of the State, and the act is an offence under the law of the place where it is committed.
Section 11 relates to evidence of Irish citizenship in the context of legal proceedings for offences under the Bill that are committed outside the State. It clarifies that it is an officer of the Minister for Foreign Affairs and Trade who certifies that a passport has issued and that it is an officer of the Minister for Justice and Equality who certifies that a person has not ceased to be an Irish citizen.
Section 12 deals with the legal concept of “double jeopardy” and provides that a person who has been tried for an offence outside the State will not be proceeded against for an offence under this legislation in respect of which the person has already been tried.
Section 13 amends the Criminal Damage Act 1991 insofar as it relates to damage to computer data in the context of damage to property. The offences contained in the 1991 Act in relation to computer data are being deleted and will instead be covered and expanded on in this legislation. Section 5 of the 1991 Act, which relates to unauthorised access to computer data is, for instance, being deleted and replaced by section 2 of this Bill.
Section 14 amends the Bail Act 1997 to include in the Schedule to that Act the offences provided for under sections 2 to 6 of the Bill. The Schedule to the 1997 Act specifies serious offences in respect of which an application for bail may be refused by the court. The offences under sections 2 to 6 of this Bill will therefore come within this category.
Section 15 is a technical amendment to Schedule 1 of the Criminal Justice Act 2011 which provides for certain powers and procedures in relation to the prosecution and investigation of white collar crime. Schedule 1 specifies the offences which are relevant for the purpose of the 2011 Act and includes the data-related offences which are contained in the Criminal Damage Act 1991 and which will be replaced by this Bill. Section 15, therefore, includes the new offences in the Schedule and also inserts a transitional provision to cover data-related offences which were committed under the Criminal Damage Act prior to the commencement of this legislation.
I would also just mention at this point that the Tánaiste proposes to make a minor technical amendment to section 15 at Committee Stage. It relates to the re-numbering of the new paragraph 31, which the Bill inserts into the Criminal Justice Act 2011, to 30A, as a paragraph 31 has already been inserted into the 2011 Act by other amending legislation.
Section 16 provides that any expenses incurred by the Minister for Justice and Equality in the administration of this legislation shall, to the extent sanctioned by the Minister for Public Expenditure and Reform, be paid out of moneys provided by the Oireachtas.
Section 17 is a standard provision providing for the short title and commencement.
There will of course be an opportunity at Committee Stage to discuss in more detail any aspects of the Bill that Deputies wish to explore further.
Finally, I am sure Deputies will agree that it is vital that we seek to safeguard modern information and communication systems and also maintain users’ confidence in the safety and reliability of such systems. This is arguably even more important and appropriate in Ireland which has become somewhat of a global cyber hub in view of the number of high tech IT and internet-based companies that have major operations here. This legislation ensures that unlawful activities relating to information systems are criminalised and that strong penalties are in place to both deter and punish offenders.
I am pleased therefore to commend this Bill to the House.