The Computer Misuse Act 1990 criminalises unauthorised access to computer systems and data, and damage or destruction to them. The Act aims to protect the integrity and security of computer systems and data through criminalising unauthorised access to them.

In 2021, the Home Office issued a call for evidence on the Act.  It is over 30 years old, and despite its age, the Government says that it “has proved to be a far-sighted piece of legislation” which law enforcement agencies are still able to use to prosecute cyber-dependent related crime. Any changes since 1990 have been limited and made to meet the requirements of the Council of Europe Convention on Cybercrime and EU directives. The Government called for information to identify whether there is activity causing harm that is not adequately covered by the offences provided for in the Act.

The Home Office has now published its response to the call for evidence and a further consultation about how to review the Act.  It says respondents to the call for evidence made a number of proposals, both to change the Act and to provide for more powers for law enforcement agencies to deal more effectively with offences covered by the Act.  The consultation will consider:

  • A new power for law enforcement agencies to take control of domains and IP addresses if these are being used by criminals, including in respect of fraud and offences.
  • A power to require the preservation of computer data, before its seizure, to prevent it being deleted where it may be needed for an investigation. Although requests from law enforcement agencies for preservation are generally met, the UK does not have an explicit power to require such preservation - having such a power would make the legal position clear.
  • A power to take action against a person possessing or using data obtained by another person through an offence under the Act, for example, through accessing a computer system to obtain personal data, would be useful, subject to appropriate safeguards being in place. Currently, the Act covers unauthorised access to computers, but the unauthorised taking or copying of data is not covered by the Theft Act.  It states that it can be difficult to take action in these cases. Some of you may be wondering whether s.170 Data Protection Act might already be adequate (which makes it a criminal offence to obtain (or disclose) personal data without the consent of the controller).  s170 is rarely used for ‘serious’ issues because it isn’t subject to a custodial sentence, just a fine.  A change to the Computer Misuse Act here should create more of a deterrent to hackers. 

The consultation also covers the Government’s proposed approach to proposals on the levels of sentencing, defences to the  offences, improvements to the ability to report vulnerabilities, and whether the UK has adequate laws to deal with extra-territorial threats. 

The consultation ends on 6 April 2023.