Data Offences
Jurisdiction and Crime
It is a general principle of criminal law that only offences committed within a state are subject to that state’s criminal law. Generally, an offence must occur within the jurisdiction in order to be subject to the Irish criminal law. In the absence of an indication otherwise, criminal law is presumed to be limited to acts within the jurisdiction.
Certain crimes in relation to computer data can apply to actions outside the State which have an effect within the state or vice versa. In this cases, the crimes may be prosecuted in Ireland under ordinary principles.
Information technology raises cross-border and jurisdictional issues. In recent years, the Oireachtas has legislated to allow prosecution within the State, for certain acts committed outside the state. This legislation reverses the general principle in those cases that that criminal law extends only to acts undertaken in the State.
Many of the extensions of criminal law to cover offences committed in part or in whole in another jurisdiction have been motivated by the fact that the World Wide Web facilitates instant contact across borders, in a way that was not contemplated 25 years ago.
Offences relating to Information Systems
The following are offences
- to intentionally access an information system without lawful authority.
- to intentionally interfere with an information system so as to hinder or interrupt its functioning.
- to intentionally interfere with data on an information system.
- to intentionally intercept the transmission of data to, from or within an information system.
- to intentionally produce, sell, procure for use, import, distribute, or otherwise make available, a device, computer programme, password, code or data for the purpose of the
- commission of any of the above offences.
Further details of the offences are set out in the following pages
Pre-2017 Act Offences
The Criminal Damage Act provided that a person, who without a lawful excuse operates a computer with intent to access data kept either within or outside the State or operates it outside the State with intent to access data within the State, is guilty of an offence. This provision effectively criminalises computer hacking.
It is a defence if at the time of the act or acts alleged to constitute the offence, the defendant believed that the persons whom he believed to be entitled to consent, had consented or would have consented or authorised the access if they had known about it. The offence may be committed, even though data is not successfully accessed.
The offence is subject on summary conviction to a fine of up to €635 and/ or three months’ imprisonment.
The Criminal Damage Act offences relating to computer data are, after commencement of the 2017 Act, replaced by those those set out below
Unlawful Access
A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure is guilty of an offence.
A person who, without lawful authority, intentionally hinders or interrupts the functioning of an information system by—
- inputting data on the system,
- transmitting, damaging, deleting, altering or suppressing, or causing the deterioration of, data on the system, or
- rendering data on the system inaccessible,
is guilty of an offence.
Interference and Interception of data without lawful authority
A person who, without lawful authority, intentionally deletes, damages, alters or suppresses, or renders inaccessible, or causes the deterioration of, data on an information system is guilty of an offence.
A person who, without lawful authority, intentionally intercepts any transmission (other than a public transmission) of data to, from or within an information system (including any electromagnetic emission from such an information system carrying such data), is guilty of an offence.
Use of programme, password etc for Access, Interference or Interception
A person who, without lawful authority, intentionally produces, sells, procures for use, imports, distributes, or otherwise makes available, for the purpose of the commission of any of the above offences (unlawful access, interception or interference)
- any computer programme that is primarily designed or adapted for use in connection with the commission of such an offence, or
- any device, computer password, unencryption key or code, or access code, or similar data, by which an information system is capable of being accessed,
is guilty of an offence.
A search warrant may be issued to the Garda Síochána by the District Court in relation to the investigation of the suspected commission of the above offences under the Act
Criminal Jurisdiction for 2017 Act Offences
A person may be tried in the State for the above offences (access, interception, interference etc) whether in whole or in part
- by the person in the State in relation to an information system outside the State,
- by the person outside the State in relation to an information system in the State, or
- by the person outside the State in relation to an information system outside the State if—
that person has one of the below connections with the State and the act is an offence under the law of the place where the act was committed.
A person has the required connection with the State if
- he is an Irish citizen;
- he is a person ordinarily resident in the State;
- it is a body corporate established under the law of the State;
- it is a company formed and registered under the Companies Act 2014 ;
- it is an existing company within the meaning of the Companies Act 2014 .
A person is deemed to be ordinarily resident in the State if he or she has had his or her principal residence in the State for the period of 12 months immediately preceding the alleged commission of the relevant offence concerned.
Penalties for 2017 Act Offences
A person who commits any of the above offences in relation to unlawful interference or interception of computer data or the offences in relation to facilitation of them is liable
- on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
- on conviction on indictment, to a fine or imprisonment for a term not exceeding 5 years or both.
A person who commits an offence in relation to unlawful access is liable
- on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or
- on conviction on indictment, to a fine or imprisonment for a term not exceeding 10 years or both.
Where a court is determining the sentence to be imposed on a person for an offence in relation to interference or interception, the fact that the commission of the offence involved misusing the personal data of the rightful identity owner with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner, shall be treated as an aggravating factor for the purpose of determining the sentence.
Where an offence under the Act is committed by a body corporate, liability shall rest with the person acting on behalf of the body corporate as well as with the body corporate itself.
Damaging Data
Criminal damage may be committed in respect of data. Data includes information in a form which can be accessed by a computer.
Damaging data and information is an offence under the Criminal Damage Act. Property, as defined by the act, covers information in a form that can be accessed by a computer and a computer program.
Damage to a computer system may be constituted by an orchestrated attack of mass data such as e-mail. The use or distribution of a virus is likely to constitute criminal damage against a computer or other such device.
Computer Hacking
It is an offence for a person without lawful excuse to operate a computer within the State with the intent of accessing data kept within or outside the State with the intent of accessing data kept in the state. In broad terms, the offence relates to hacking into another’s computer. This may happen remotely by physically accessing another’s computer without consent. It is not necessary to actually succeed in accessing the data.
A person has a lawful excuse if he believes that he has the consent of the person entitled to give consent that the person would have consented if they had known of the accessing and the circumstances. If a person honestly believes that he has consented, he is not guilty of the offence.
With some IT products, a person may have access to a product or system which itself is protected and coded and allows limited access only. For examples, computer software may be copyrighted and limited rights may be granted in relation to the use of the intellectual property concerned by the terms of the relevant licence. If a person accesses data or information beyond that protected by the coding or access, the offence may be committed.
Other Access Offences
The entry or use of a false user name and/or password may constitute forgery. Forgery is committed where a false instrument is made with the intention to induce another to accept it is genuine and by reason of so accepting it, does some act or to makes some omission to the prejudice of that person or another. An “instrument” is widely defined and includes anything stored electronically.
The Data Protection Act /GDPR provides that a person who obtains access to personal data or obtains information constituting personal data without the prior authority of the data controller or processor by whom it is kept, and who discloses it to another person is guilty of an offence.
See generally the section on enforcement of the Data Protection Act and the General Data Protection Regulations. There are provisions for significant administrative fines in addition to criminal offence.
Official Secrets Act
The Official Secrets Act protects official information. This includes all passwords, sketches, plans, models, notes, documents which are secret or confidential or are expressed to be such, which have been in the possession, custody or control of a public office holder to which he has had access by virtue of his office.
The Act includes information recorded in any medium. It is an offence for a person to communicate official information to another person, unless duly authorised to do so or unless he does so, in the course of or in accordance with his duties as the holder of a public office.
Interception of Data
The interception of wi-fi may constitute theft under the Criminal Justice (Theft and Fraud) Act. This may apply if an encrypted system is used without consent.
The Post and Telecommunication Services Act makes it an offence where a person connects or causes to be connected any apparatus or device or places or causes it to be placed in association or conjunction with a telecommunication system operated by a licensed operator or any part of the system, the effect of which might result in the provision of a service to any person without payment of the appropriate rental fee or charge. This offence was provided to prohibit unlawful use of a telephone service but is presumed to apply to the interception of electronic data generally.
Copyright Offences
A range of offences is applicable under copyright legislation. It is an offence in relation to doing the following in relation to an infringing copy of goods, software or other thing protected by copyright
- make it for sale, rent or loan;
- expose it for sale, rent or loan, import,
- have possession of it in the course of business or
- make it available to the public in the course of a business.
See generally the sections on infringement of copyright.
An offence is committed, when a person removes or alters rights management information (controls) from copyright work, recordings, performances or databases, knowing or having reason to believe that the primary purpose or effect of such a removal or alteration, is to induce, enable, facilitate or conceal an infringement of copyright.
EU Directive re Interfering with Data
The European directive on attacks against information requires States to provide for offences as follows:
- illegal access to information systems;
- illegal system interference;
- illegal data interference;
- Instigation, aiding and abetting and attempting to do any of the above.
Illegal system interference and illegal data interference must be punishable by criminal penalties of a maximum of at least one to three years imprisonment. In the cases of offences of gaining illegal access by infringing security measures, illegal system interference or illegal data interference, they must be punishable by criminal penalties with a maximum of two to five years imprisonment
To a large extent, the above offences were already adequately provided for by Irish law. They have been given further effect by 2017 legislation.
The directive provides for the exchange of information between states. States must ensure they make use of the existing network of points of contact. States must inform the Secretariat of the Council and Commission of their points of contact for the purpose of co-operation.
States must take the necessary measures to ensure that the offences are punishable by effective, proportional and dissuasive criminal proceedings and penalties.
References and Sources
Irish Books
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
Contract Law in an Electronic Age Haigh 2001
Contract law McDermott 2nd ed 2017
EU and UK Texts
Cover of Getting the Deal Through: e-Commerce 2018 Robert Bond 2017
EU Regulation of e-Commerce: A Commentary Edited by: Arno R. Lodder, Andrew D. Murray 2017
Butterworths E-Commerce and IT Law Handbook 6th ed Jeremy Phillips 2012
Internet & E-commerce Law, Business and Policy Internet & E-commerce Law, Business and Policy 2nd ed Brian Fitzgerald, Anne Fitzgerald, Gaye Middleton, Yee Fen Lim, Timothy B Beale 2011
E-Commerce and Convergence: A Guide to the Law of Digital Media E-Commerce and Convergence: 4th ed Edited by: Mike Butler 2011
Blackstone’s Statutes on IT and e-commerce Blackstone’s Statutes on IT and e-commerce 4th ed Edited by: Steve Hedley, Tanya Aplin 2008
E-Commerce Law E-Commerce Law Paul Todd 2005
A Practical Guide to E-Commerce and Internet Law 2nd ed Osborne Clarke 2005