I am very pleased to introduce the Bill to this House on behalf of my colleague, the Tánaiste and Minister for Justice and Equality, Deputy Frances Fitzgerald, who regrets that she is unable to be present. I am also pleased to be able to report that it received general support on its recent passage through the Lower House.
The Criminal Justice (Offences Relating to Information Systems) Bill 2016 is relatively short but very significant legislation. It is, notably, the first piece of Irish legislation dedicated to dealing with cybercrime, a transnational problem which requires a co-ordinated, international response. The Bill will ensure Ireland will play its part by giving effect to provisions of Directive 2013/40/EU of the European Parliament and the Council of 12 August 2013 on attacks against information systems. It will also give effect to many of the key provisions of the Council of Europe convention on cybercrime - the Budapest Convention - which Ireland signed in 2002. The legislation reflects these international instruments in that it provides for criminal offences in relation to attacks against information systems and establishes effective, proportionate and dissuasive penalties for such offences, the most serious of which could result in a term of imprisonment of up to ten years. The offences provided for relate to information systems and data and do not cover content-related matters. The Bill creates new offences relating to the unauthorised accessing of information systems; unauthorised interference with information systems or data on such systems; unauthorised interception of transmissions of data to or from information systems; and the use of tools such as computer programmes, passwords or devices to facilitate the commission of these offences relating to information systems.
Before outlining the content of the Bill in more detail, I would like to provide some context for the legislation. It is true to say information systems are very much part of our daily lives in the modern world. They are increasingly relied on by governments, businesses and individual citizens alike. The term "information system", as defined in the Bill, is deliberately broad, encompassing all devices involved in the processing and storage of data, not only those considered to be computer systems in the traditional sense. This reflects the range of modern communications and data storage technology currently available such as tablets and smartphones. Information systems also encompass the IT infrastructure or networks that support communication systems and individual devices, as well as data. The term "data" is also broadly circumscribed in the Bill, as meaning any representation of facts, information or concepts in a form capable of being processed and includes a programme capable of causing an information system to perform a function. There is no doubting the very significant benefits which modern information systems bring to our lives. However, reliability on such systems can also, unfortunately, mean vulnerability.
New technology creates opportunities for new crimes. Cybercrime and attacks on information systems have become increasingly problematic and challenging across Europe and the rest of the world. The European Commission brought forward its proposal for a directive in this area against a backdrop of steadily increasing cybercrime. It included previously unknown large-scale and dangerous attacks against the information systems of companies such as banks, the public sector and even the military in EU member states and other countries. New concerns emerged in this area such as the massive spread of malicious software. Such "malware", as it is termed, can, for instance, create what are known as "botnets" - networks of infected computers that can be remotely controlled to stage large-scale, co-ordinated attacks. These networks of compromised computers may be activated, often without the knowledge of the users of the computers, to perform specific actions such as attacks against information systems.
The interconnection of computers and information systems, through cyberspace, facilitates communication between companies and individuals across the world. What has become clear is that, as cyberspace has developed and evolved, so has cybercrime which is a transnational phenomenon. Traditional law is based on physical geography, whereas cybercrimes occur in the virtual world of cyberspace and readily intersect and transcend national boundaries. There is a clear need, therefore, for international co-operation in this area and harmonisation of national laws to counter the very real threats faced. It is vital that we seek to protect citizens, businesses and government structures alike from cyber attacks which represent such a growing challenge in the modern technological environment. That is the central aim of the Bill.
I propose to outline in more detail the content of the Bill which contains 17 sections. Section 1 provides the necessary interpretation provisions for the Bill and includes a definition of "information system". The term "information system", rather than "computer", is used in order to enable the Bill to have the widest possible application taking account of rapidly evolving technology in this area. The section also includes a broad definition of "data". Both definitions are based on those contained in the EU directive.
Further important definitions in section 1 relate to the concepts of lawful authority and right holder. These are particularly significant in relation to how the offences under sections 2 to 6, inclusive, are framed. I will outline these offences presently, having made a couple of preliminary comments in this regard. I first point out that the activities concerned such as access to or interference with information systems or data are not offences if they are performed with lawful authority such as with the permission of the owner or right holder of the system. It is clearly not intended to criminalise the activities of those who have authority to access information systems or possess a computer programme or code for the purpose of maintaining, testing or protecting information systems. There are, for instance, companies which carry out such activities legitimately in the course of their work which could involve testing the security of information systems and protecting them from attack. Such companies are effectively exempt from the provisions of the Bill. A further point of commonality in the manner in which the offences under sections 2 to 6, inclusive, are framed is the notion of intent. When the activities described are carried out with lawful authority and without criminal intent, they could not be considered to be offences.
Section 2 provides that it is an offence to intentionally access an information system by infringing a security measure without lawful authority or reasonable excuse.
Section 3 provides that it is an offence to intentionally interfere with an information system so as to hinder or interrupt its functioning. It also describes the various means of interference such as, for example, inputting data to the system, damaging or deleting data or making data on the system inaccessible.
Section 4 provides that it is an offence to intentionally interfere with data on an information system, for example, by deleting, altering or causing the deterioration of the data.
Section 5 provides that it is an offence to intentionally intercept the non-public transmission of data to or from or within an information system.
Section 6 provides that it is an offence to intentionally produce, sell, import, distribute or otherwise make available a computer programme or any device, computer password, access code or similar data for the purpose of the commission of an offence under sections 2 to 5, inclusive. It will be noted that the direct intention to commit an offence is specifically required in relation to this provision, in addition to the general intent requirement contained in all of the offence provisions. This reflects the requirements of the EU directive and is designed to avoid criminalisation where such tools or devices are produced and put on the market for legitimate purposes such as the testing of the security of information systems.
Section 7 allows a search warrant to be issued to An Garda Síochána by the District Court in the investigation of the suspected commission of offences under the Bill. It also sets out the process involved and provides for related matters. It includes a requirement that a person under investigation shall, on request, provide the Garda with any password or key or code necessary to operate a computer or access the data. This provision, essentially, replaces the search warrant provision in section 13 of the Criminal Damage Act 1991 in so far as it relates to data and applies the provision generally to the investigation of offences relating to information systems. Section 13 of the Bill amends the 1991 Act and includes a transitional provision in respect of search warrants issued under that Act. I will return to section 13 and the Criminal Damage Act shortly.
Section 8 sets out the penalties for the commission of offences under sections 2 to 6, inclusive. It provides that a person who commits an offence under sections 2 and 4 to 6, inclusive, will be liable, on summary conviction, to a fine of up to €5,000 or imprisonment for a term of up to 12 months, or both. On conviction on indictment, these offences are punishable by a fine or a term of up to five years in prison, or both. The same penalties apply on summary conviction for offences committed under section 3 which relates to unlawful interference with an information system but conviction on indictment for this offence carries an even more prohibitive penal sanction of up to ten years. This penalty reflects the gravity of the offence and the potential for damage in which unlawful interference with an information system could result.
Section 8 further provides that fraudulent use of the personal data of another person will be treated as an aggravating factor when the court is determining sentence for an offence under sections 3 or 4. It also provides for penalties for offences in relation to the search warrant provisions in section 7. Such offences include obstructing a Garda member acting under authority of a search warrant, a failure to provide information to facilitate Garda access to a computer or a failure to give the Garda a correct name and address.
Section 9 clarifies that where an offence under the Bill is committed by a body corporate, liability will rest with the person acting on behalf of the body corporate, as well as with the body corporate.
Section 10 establishes legal jurisdiction with regard to the commission of offences under sections 2 to 6, inclusive. It provides that a person may be tried in the State for an offence under sections 2 to 6, inclusive, where it is committed by a person inside the State in relation to an information system outside the State or where an offence is committed outside the State in relation to an information system in the State. Legal jurisdiction also extends to the commission of such an offence in relation to an information system outside the State if the person is an Irish citizen, ordinarily resident in the State or a body corporate or company under the law of the State and the act is an offence under the law of the place where it is committed.
Section 11 relates to evidence of Irish citizenship in the context of legal proceedings for offences under the Bill that are committed outside the State. It clarifies that it is an officer of the Minister for Foreign Affairs and Trade who certifies that a passport has issued and that it is an officer of the Minister of Justice and Equality who certifies that a person has not ceased to be an Irish citizen.
Section 12 deals with the legal concept of double jeopardy and provides that a person who has been tried for an offence outside the State will not be proceeded against for an offence under this legislation in respect of which the person has already been tried.
Section 13 amends the Criminal Damage Act 1991 in so far as it relates to damage to computer data in the context of damage to property. The offences contained in the 1991 Act in relation to computer data are being deleted and will instead be covered and expanded on in this legislation. Section 5 of the 1991 Act which relates to unauthorised access to computer data is, for instance, being deleted as it is being replaced by section 2 of the Bill.
Section 14 amends the Bail Act 1997 to include in the Schedule to that Act the offences provided for under sections 2 to 6, inclusive, of the Bill. The Schedule to the 1997 Act specifies serious offences, in respect of which an application for bail may be refused by the court. The offences under sections 2 to 6, inclusive, of the Bill will, therefore, come within this category.
Section 15 is a technical amendment to Schedule 1 to the Criminal Justice Act 2011 which provides for certain powers and procedures with respect to the prosecution and investigation of white collar crime. Schedule 1 specifies the offences which are relevant for the purposes of the 2011 Act and includes the data related offences which are contained in the Criminal Damage Act 1991 and which will be replaced by the Bill. Section 15, therefore, includes the new offences in the Schedule and also inserts a transitional provision to cover data related offences which were committed under the Criminal Damage Act prior to the commencement of this legislation.
Section 16 provides that expenses incurred by the Minister for Justice and Equality in the administration of this legislation shall, to the extent sanctioned by the Minister for Public Expenditure and Reform, be paid out of moneys provided by the Oireachtas.
Section 17 is a standard provision providing for the Short Title and commencement. There will be an opportunity on Committee Stage to discuss in more detail any aspect of the Bill that Senators wish to explore further. I am sure they will agree that it is vital that we seek to safeguard modern information and communication systems and maintain users' confidence in the safety and reliability of such systems. This is arguably even more important and appropriate in Ireland which has become somewhat of a global cyber-hub in view of the number of high-tech and information technology and Internet based companies that have major operations here. The legislation ensures unlawful activities relating to information systems are criminalised and that strong penalties are in place to both deter and punish offenders. I am pleased, therefore, to commend the Bill to the House.