Published 1 January 2016
The Criminal Justice (Offences Relating to Information Systems) Bill 2016, more commonly referred to as the "Cybercrime Bill", has finally been published by the Department of Justice. The purpose of the Bill is to implement the European Union's harmonising legislation introduced by European Union Directive 2013/40.
While the Bill as published introduces the required aspects of the Directive, albeit not doing so within the required timeframe for transposition of the Directive, it is perhaps a missed opportunity on behalf of the Department in respect of other areas of cybercrime.
The published Bill will provide for five of the areas currently referred to as "cybercrime". These are focused mainly around the areas covered by current criminal damage and offences against property legislation including the creation of offences in respect of:
- The accessing of information without lawful authority (for example hacking but also perhaps encompassing other areas such as unauthorised access to certain information within a workplace);
- Interfering with information systems without lawful authority (e.g. introducing Trojan ware, viruses or other destructive or malicious software);
- Interference with data without lawful authority;
- Intercepting the transmission of data without lawful authority (e.g. interfering with email in transit);
- Use of any computer programme or system, code, data or password for the purpose of committing any offence under the Act (when enacted);
- Obstructing a Garda, or failing to comply with the instructions of that Garda, in possession of a valid search warrant to investigate offences under the Act (when enacted)
The penalty for being found guilty of any of the offences under the Bill range from 12 months imprisonment (or a class A fine of up to €5,000) on summary conviction up to 10 years on conviction on indictment depending on the offence. The Bill also covers the territorial issues surrounding cybercrime and provides for extra-jurisdictional powers in certain cases for the Irish authorities but does fail to address the Directive's requirements in respect of sharing of information between member state authorities and the time limits envisaged for this.
While the introduction of the Bill is a very welcome development it is somewhat disappointing that the Department did not take the opportunity to introduce other cybercrime offences in respect of those affecting personal safety, privacy and reputation as outlined in the Law Reform Commission Report in 2014 (LRC IP 6-2014). In addition, given the timing of the publication of the Bill and the fact that the Dáil will be dissolved soon to facilitate a General Election it may be some time before any legislation is actually enacted.
Should you require any assistance or further information please do not hesitate to contact a member of our Cyber Risk team: