What's missing from the Computer Misuse Act 1990?
In 2021, the government issued a call for information on the Computer Misuse Act 1990, which establishes criminal offences in respect of the unauthorised access to computer material (whether alone or with the intention to commit or facilitate the commission of further offences), impairing the operation of a computer, causing or creating the risk of serious damage and, making, supplying or obtaining articles for the use in the commission of such offences. The government sought to ascertain how well understood the provisions of the Computer Misuse Act 1990 (‘CMA’) were, whether the offences under the Act were adequate, whether the protections in the act for legitimate cyber activity were adequate, whether law enforcement had sufficient powers, the impact of the territorial restrictions in the CMA, the adequacy of sentencing powers and, any international learning.
Since prior to the call for information, a campaign run and organised by a public affairs agency, CyberUp, has called for the introduction of a statutory public interest defence to the CMA in circumstances where authorised access was impossible to obtain, and with the burden of proof falling on the defendant to demonstrate that access was defensible having regard to the prospective harm/benefit of the conduct, the proportionality of the conduct, the defendant’s intent and their competence.
Having considered responses to its call for information, in early 2023 the government issued its response, noting that “much of the CMA remains effective in allowing law enforcement agencies to take action against those committing the harms covered by the Act”. At the same time, the government issued a consultation on 3 specific proposals it felt could be pursued immediately, relating to: domain name and IP address takedown and seizure; power to preserve data; and, data copying. It also noted that it proposed to give further consideration to outstanding issues from the call for information, including the extra-territoriality provisions of the CMA, defences and sentencing.
In the intervening period, HM Treasury commissioned Sir Patrick Vallance, the Chief Scientific Adviser, to conduct a review on pro-innovation regulation for digital technologies. The report was published shortly after the CMA consultation, together with the government’s response. Sir Patrick Vallance recommended “amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals, and would have a catalytic effect on innovation in a sector with considerable growth potential”. The government responded that it was “committed to ensuring that we have the right legislative framework, powers and law enforcement capability to promote a secure and resilient economy and tackle the threat from cyber crime”.
Handley Gill Limited submitted its response to the Home Office’s consultation, which closed on 06 April 2023, addressing both the issues that were the specific subject of consultation and the wider issues to which the government intends to give further consideration.
We welcomed the government’s proposals to grant additional powers to law enforcement entities, and made recommendations as to the threshold requirements for the exercise of those powers in order to ensure that their use was necessary and proportionate while maintaining the ability for online intermediaries to voluntarily comply with law enforcement requests. In relation to data copying, we called for new offences to protect non-personal data and enhanced sentencing powers for the existing offence under s170(1)(a) Data Protection Act 2018.
We called for an expansion of the definition of what constitutes a significant link with the UK consistently across all CMA offences to extend territorial jurisdiction, as well as greater discretion in sentencing powers and the development by the Sentencing Council of sentencing guidelines for CMA offences. As to the contentious issue of the creation of a public interest defence to CMA offences, we rejected such calls, instead advocating the consideration of the development of guidance by the Crown Prosecution Service as to when it will be in the public interest to prosecute CMA offences under The Code for Crown Prosecutors, and the introduction of new legislation setting minimum cyber security standards, expanding upon the requirements in the Product Security and Telecommunications Infrastructure Act 2002 and proposals in the ‘Proposal for legislation to improve the UK’s cyber resilience’.