Criminal Justice (Offences Relating to Information Systems) Act 2017

/static/images/base/harp.jpg


Number 11 of 2017


CRIMINAL JUSTICE (OFFENCES RELATING TO INFORMATION SYSTEMS) ACT 2017


CONTENTS

Section

1. Interpretation

2. Accessing information system without lawful authority, etc.

3. Interference with information system without lawful authority

4. Interference with data without lawful authority

5. Intercepting transmission of data without lawful authority

6. Use of computer programme, password, code or data for purposes of section 2, 3, 4 or 5

7. Search warrant

8. Penalties

9. Liability for offences by body corporate, etc.

10. Jurisdiction

11. Evidence in proceedings for offences outside State

12. Double jeopardy

13. Amendment of Criminal Damage Act 1991

14. Amendment of Bail Act 1997

15. Amendment of Criminal Justice Act 2011

16. Expenses

17. Short title and commencement


Acts Referred to

Bail Act 1997 (No. 16)

Companies Act 2014 (No. 38)

Criminal Damage Act 1991 (No. 31)

Criminal Justice (Female Genital Mutilation) Act 2012 (No. 11)

Criminal Justice Act 1951 (No. 2)

Criminal Justice Act 2011 (No. 22)

Garda Síochána Act 2005 (No. 20)

Police (Property) Act 1897 (60 & 61 Vict. c.30)

/static/images/base/harp.jpg


Number 11 of 2017


CRIMINAL JUSTICE (OFFENCES RELATING TO INFORMATION SYSTEMS) ACT 2017


An Act to give effect to certain provisions of Directive 2013/40/EU of the European Parliament and of the Council of 12 August 20131 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA; for those and other purposes to amend the Criminal Damage Act 1991 , the Bail Act 1997 and the Criminal Justice Act 2011 ; and to provide for related matters.

[24th May, 2017]

Be it enacted by the Oireachtas as follows:

Interpretation

1.(1) In this Act—

“act” includes an omission;

“data” means any representation of facts, information or concepts in a form capable of being processed in an information system, and includes a programme capable of causing an information system to perform a function;

“information system” means—

(a) a device or group of interconnected or related devices, one or more than one of which performs automatic processing of data pursuant to a programme, and

(b) data stored, processed, retrieved or transmitted by such a device or group of devices for the purposes of the operation, use, protection or maintenance of the device or group of devices, as the case may be;

“lawful authority”, in relation to an information system, means—

(a) with the authority of the owner of the system,

(b) with the authority of a right holder of the system, or

(c) as permitted by law;

“Minister” means the Minister for Justice and Equality;

“relevant offence” means an offence under section 2 , 3 , 4 , 5 , 6 or 9 (1);

“right holder”, in relation to an information system, means a person who is not the owner of the system but who has the right to access the system (including the right to access the system for the purposes of maintaining, testing or protecting the system).

(2) In this Act a reference to an information system includes a reference to a part of the system.

Accessing information system without lawful authority, etc.

2. A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure shall be guilty of an offence.

Interference with information system without lawful authority

3. A person who, without lawful authority, intentionally hinders or interrupts the functioning of an information system by—

(a) inputting data on the system,

(b) transmitting, damaging, deleting, altering or suppressing, or causing the deterioration of, data on the system, or

(c) rendering data on the system inaccessible,

shall be guilty of an offence.

Interference with data without lawful authority

4. A person who, without lawful authority, intentionally deletes, damages, alters or suppresses, or renders inaccessible, or causes the deterioration of, data on an information system shall be guilty of an offence.

Intercepting transmission of data without lawful authority

5. A person who, without lawful authority, intentionally intercepts any transmission (other than a public transmission) of data to, from or within an information system (including any electromagnetic emission from such an information system carrying such data), shall be guilty of an offence.

Use of computer programme, password, code or data for purposes of section 2, 3, 4 or 5

6. A person who, without lawful authority, intentionally produces, sells, procures for use, imports, distributes, or otherwise makes available, for the purpose of the commission of an offence under section 2 , 3 , 4 or 5

(a) any computer programme that is primarily designed or adapted for use in connection with the commission of such an offence, or

(b) any device, computer password, unencryption key or code, or access code, or similar data, by which an information system is capable of being accessed,

shall be guilty of an offence.

Search warrant

7. (1) If a judge of the District Court is satisfied by information on oath of a member that there are reasonable grounds for suspecting that evidence of, or relating to, the commission of a relevant offence is to be found in any place, the judge may issue a warrant for the search of that place and any persons found at that place.

(2) A search warrant under this section shall be expressed, and shall operate, to authorise a named member, accompanied by such other members or persons or both as the member thinks necessary—

(a) to enter, at any time within one week of the date of issue of the warrant, on production if so requested of the warrant, and if necessary by the use of reasonable force, the place named in the warrant,

(b) to search it and any persons found at that place, and

(c) to examine, seize and retain anything found at that place, or anything found in possession of a person present at that place at the time of the search, that that member reasonably believes to be evidence of, or relating to, the commission of a relevant offence.

(3) The authority conferred by subsection (2)(c) to seize and retain anything includes, in the case of a document or record, authority—

(a) to make and retain a copy of the document or record, and

(b) where necessary, to seize and, for long as is necessary, retain any computer in which any record is kept.

(4) A member acting under the authority of a search warrant under this section may—

(a) operate any computer at the place that is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and

(b) require any person at that place who appears to the member to have lawful access to the information in any such computer—

(i) to give to the member any password necessary to operate it and any encryption key or code necessary to unencrypt the information accessible by the computer,

(ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or

(iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.

(5) A member acting under the authority of a search warrant under this section may, for the purpose of investigating the commission of a relevant offence,require any person at the place to which the search warrant relates to—

(a) give to the member his or her name and address, and

(b) provide such information to the member as he or she may reasonably require.

(6) The Police (Property) Act 1897 or, where appropriate, section 25 of the Criminal Justice Act 1951 shall apply to property which has come into the possession of the Garda Síochána under this section as that Act or such section 25, as the case may be, applies to property which has come into the possession of the Garda Síochána in the circumstances mentioned in that Act concerned.

(7) A person who—

(a) obstructs or attempts to obstruct a member acting under the authority of a search warrant under this section,

(b) fails to comply with a requirement under subsection (4)(b) or (5), or

(c) in relation to a requirement under subsection (5), gives a name and address or provides information which the member has reasonable cause for believing is false or misleading in a material respect,

shall be guilty of an offence.

(8) The power to issue a warrant under this section is without prejudice to any other power conferred by statute to issue a warrant for the search of any place or person.

(9) In this section—

“computer” includes a personal organiser or any other electronic means of information storage and retrieval;

“computer at the place that is being searched” includes any other computer, whether at the place being searched or at any other place, which is lawfully accessible by means of that computer;

“member” means a member of the Garda Síochána who falls within paragraph (a) of the definition of “member” in section 3 (1) of the Garda Síochána Act 2005 .

Penalties

8. (1) A person who commits an offence under section 2 , 4 , 5 , 6 or 9 (1) shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine or imprisonment for a term not exceeding 5 years or both.

(2) A person who commits an offence under section 3 shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine or imprisonment for a term not exceeding 10 years or both.

(3) A person who commits an offence under section 7 (7) shall be liable on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both.

(4) (a) Where a court is determining the sentence to be imposed on a person for an offence under section 3 or 4 , the fact that the commission of the offence involved misusing the personal data of another person (“rightful identity owner”) with the aim of gaining the trust of a third party, thereby causing prejudice to the rightful identity owner, shall be treated as an aggravating factor for the purpose of determining the sentence.

(b) Accordingly, the court shall (except when the court considers that there are exceptional circumstances justifying it not doing so) impose a sentence that is greater than that which would have been imposed in the absence of such a factor.

(c) The sentence imposed shall not be greater than the maximum sentence permissible under this section for the offence concerned under section 3 or 4 .

Liability for offences by body corporate, etc.

9. (1) Where a relevant offence (other than an offence under this subsection) is committed for the benefit of a body corporate by a relevant person and the commission of the relevant offence is attributable to the failure, by a director, manager, secretary or other officer of the body corporate, or a person purporting to act in that capacity, to exercise, at the time of the commission of the relevant offence and in all the circumstances of the case, the requisite degree of supervision or control of the relevant person, the body corporate shall be guilty of an offence.

(2) In proceedings for an offence under subsection (1), it shall be a defence for a body corporate against which such proceedings are brought to prove that it took all reasonable steps and exercised all due diligence to avoid the commission of the offence.

(3) Where an offence under this Act is committed by a body corporate and it is proved that the offence was committed with the consent or connivance, or was attributable to any wilful neglect, of a person who was a director, manager, secretary or other officer of the body corporate, or a person purporting to act in that capacity, that person shall, as well as the body corporate, be guilty of an offence and shall be liable to be proceeded against and punished as if he or she were guilty of the first-mentioned offence.

(4) Subsection (1)

(a) is without prejudice to the other circumstances, under the general law, whereby acts of a natural person are attributed to a body corporate resulting in criminal liability of that body corporate for those acts, and

(b) does not exclude criminal proceedings against natural persons who are involved as perpetrators, inciters or accessories in an offence under this Act.

(5) In this section—

“relevant person”, in relation to a body corporate, means—

(a) a director, manager, secretary or other officer of the body corporate, or a person purporting to act in that capacity, or

(b) an employee, subsidiary or agent of the body corporate;

“subsidiary”, in relation to a body corporate, has the meaning it has in the Companies Act 2014 .

Jurisdiction

10 (1) A person may be tried in the State for a relevant offence in relation to an act, to which this subsection applies by virtue of subsection (2), committed, whether in whole or in part—

(a) by the person in the State in relation to an information system outside the State,

(b) by the person outside the State in relation to an information system in the State, or

(c) by the person outside the State in relation to an information system outside the State if—

(i) that person is a person to whom this subparagraph applies by virtue of subsection (3), and

(ii) the act is an offence under the law of the place where the act was committed.

(2) Subsection (1) applies to an act which, if it had been committed by a person in the State in relation to an information system in the State, would constitute a relevant offence.

(3) Subsection (1)(c)(i) applies to each of the following persons:

(a) an Irish citizen;

(b) a person ordinarily resident in the State;

(c) a body corporate established under the law of the State;

(d) a company formed and registered under the Companies Act 2014 ;

(e) an existing company within the meaning of the Companies Act 2014 .

(4) For the purpose of this section, a person shall be deemed to be ordinarily resident in the State if he or she has had his or her principal residence in the State for the period of 12 months immediately preceding the alleged commission of the relevant offence concerned.

(5) Proceedings for an offence to which subsection (1)(c) applies may be taken in any place in the State and the offence may for all incidental purposes be treated as having been committed in that place.

Evidence in proceedings for offences outside State

11. (1) In any proceedings relating to a relevant offence in circumstances in which section 10 applies—

(a) a certificate that is signed by an officer of the Minister for Foreign Affairs and Trade and stating that a passport was issued by the Minister to a person on a specified date, and

(b) a certificate that is signed by an officer of the Minister and stating that, to the best of the officer’s knowledge and belief, the person has not ceased to be an Irish citizen,

shall be evidence that the person was an Irish citizen on the date on which the relevant offence concerned is alleged to have been committed, unless the contrary is shown.

(2) A document purporting to be a certificate under subsection (1)(a) or (b) is deemed, unless the contrary is shown—

(a) to be such a certificate, and

(b) to have been signed by the person purporting to have signed it.

Double jeopardy

12. (1) Where a person has been acquitted of an offence in a place outside the State, he or she shall not be proceeded against for a relevant offence consisting of the alleged act or acts constituting the first-mentioned offence.

(2) Where a person has been convicted of an offence in a place outside the State, he or she shall not be proceeded against for a relevant offence consisting of the act or acts constituting the first-mentioned offence.

Amendment of Criminal Damage Act 1991

13. The Criminal Damage Act 1991 is amended—

(a) in subsection (1) of section 1—

(i) in the definition of “to damage”—

(I) in paragraph (a), by the deletion of “other than data (but including a storage medium in which data are kept)”, and

(II) by the deletion of paragraph (b),

(ii) by the deletion of the definition of “data”, and

(iii) in the definition of “property”, by the deletion of paragraph (b),

(b) by the deletion of section 5,

(c) in subsection (2) of section 6, by the deletion of paragraph (b),

(d) in section 7—

(i) in subsection (1), by the substitution of “offence under section 2 alleged to have been committed by a person outside the State in relation to property situate within the State” for “offence under section 2 or 5 alleged to have been committed by a person outside the State in relation to data kept within the State or other property so situate”,

(ii) in subsection (2) —

(I) in paragraph (b), by the substitution of “authorised it” for “authorised it, unless the property concerned is data and the person charged is an employee or agent of the person keeping the data”, and

(II) by the deletion of paragraph (c),

and

(iii) by the deletion of subsection (3),

and

(e) in section 13—

(i) in subsection (1), by the deletion of paragraph (c),

(ii) in subsection (2), by the substitution of “aforesaid.” for “aforesaid and, if the property concerned is data or the search warrant has been issued on a ground referred to in subsection (1) (c), to operate, or cause to be operated by a person accompanying him for that purpose, any equipment in the premises for processing data, inspect any data found there and extract information therefrom, whether by the operation of such equipment or otherwise.”, and

(iii) by the insertion of the following subsection after subsection (4):

“(5) (a) Notwithstanding the commencement of section 13 of the CriminalJustice (Offences Relating to Information Systems) Act 2017, a search warrant may, on and after that commencement, be issued under this section, as this section was in force immediately before that commencement, in respect of an information on oath referred to in subsection (1) that relates to matters arising or occurring before that commencement.

(b) For the purposes of the issue and execution of a search warrant under this section where paragraph (a) applies, the other provisions of this Act shall apply for those purposes as those provisions were in force immediately before the commencement referred to in that paragraph.”.

Amendment of Bail Act 1997

The Schedule to the Bail Act 1997 is amended by the insertion of the following paragraph after paragraph 38 (inserted by section 14 of the Criminal Justice (Female Genital Mutilation) Act 2012 ):

Offences Relating to Information Systems

39. An offence under section 2 , 3 , 4 , 5 or 6 of the Criminal Justice (Offences Relating to Information Systems) Act 2017.”.

Amendment of Criminal Justice Act 2011

15. Schedule 1 to the Criminal Justice Act 2011 is amended by the substitution of the following paragraphs for paragraph 30:

“30. An offence under section 2 , 3 or 4 of the Criminal Damage Act 1991

(a) that occurred before the commencement of section 15 of the Criminal Justice (Offences Relating to Information Systems) Act 2017, and

(b) in so far as the offence relates to data (within the meaning of the Criminal Damage Act 1991 as that Act was in force before that commencement) or a storage medium in which such data are kept.

30A. An offence under section 2 , 3 , 4 , 5 or 6 of the Criminal Justice (Offences Relating to Information Systems) Act 2017 in so far as the offence relates to data (within the meaning of that Act).”.

Expenses

16. The expenses incurred by the Minister in the administration of this Act shall, to such extent as may be sanctioned by the Minister for Public Expenditure and Reform, be paid out of moneys provided by the Oireachtas.

Short title and commencement

17. (1) This Act may be cited as the Criminal Justice (Offences Relating to Information Systems) Act 2017.

(2) This Act shall come into operation on such day or days as may be appointed by order or orders made by the Minister either generally or with reference to a particular purpose or provision and different days may be so appointed for different purposes and different provisions.

1OJ No. L218, 14.8.2013, p. 8