Pioneering Dutch Computer Crime Act III entered into force

The Computer Crime Act III aims to improve the efficiency of tackling cybercrime. This article outlines the key elements of the new Act, including the controversial "hacking power".

01 March 2019

On 21 September 2018, the Computer Crime Act III (Wet Computercriminaliteit III) (the Act) was published in the Dutch Government Gazette and is due to enter into force on 01 March 2019. The Act aims to improve the efficiency of tackling cybercrime, to which end various provisions in the Dutch Criminal Code (DCrC) and the Dutch Code of Criminal Procedure (DCCrP) will be amended. The Act was created to keep pace with the rapid developments in technology, the internet and cybercrime, continuing along the line first set out in the Computer Crime Act I of 1993 and consolidated in the Computer Crime Act II of 2006.

This article outlines the key elements of the new Act, including the controversial "hacking power", the power to make content inaccessible, the criminalisation of gathering and offering online (stolen) data and the (extended) criminalisation of online commercial fraud and "grooming".

The "hacking power" (Sections 126nba, 126uba and 126zpa DCCrP)

Firstly, the Computer Crime Act III provides law enforcement officials with a new power to access computer systems remotely by stealth. The legislator deems the incorporation of such power in the Act a necessity to tackle the ongoing challenges posed by advances in technology and the widespread use of computerised devices or systems for communication and the processing and storage of data. Subject to conditions, this power, in common parlance known as "hacking power", allows designated investigative officials to access remotely and by stealth a computerised system ('a device or a system of inter-connected or related devices, which or any of which, pursuant to a program, performs automatic processing of computer data' (Section 80 DCrC) - such as a computer, smartphone or a server) in use by a suspect. Officials hack a system by breaking or circumventing the system's security or by applying software and technical tools. Gaining access is subject to stringent conditions: the officials are required to specify an investigative objective and the investigation is limited to serious crimes.

The investigative objectives are in line with existing special investigative powers such as establishing specific characteristics of users, systematic observation (by turning on a microphone or video camera), wiretapping and recording (confidential) communications, documenting data stored in the computerised system, and making content inaccessible.

Any implementation of the hacking instrument constitutes a severe violation of the privacy of the individual concerned. It stands to reason, therefore, that the legislator has made it a requirement that the power is exercised subject to stringent conditions. For example, there must be an urgent investigation interest and a warrant from an investigative judge, and the suspected offence must constitute a serious breach of the legal order and be one for which the law prescribes a sentence of imprisonment of eight years or more, or it must concern an offence that has been designated by Order in Council (such as the dissemination or possession of child pornography (Section 240b DCrC), grooming (Section 248e DCrC), recruiting for terrorism (Sections 131 and 205 DCrC), participation in a criminal organisation (Section 140 DCrC), fraud offences (such as forgery of documents) and money laundering (Section 420bis DCrC)).

In today's digital era, encryption, anonymity and cloud computing are the norm rather than the exception. It is therefore a concern that the investigation authorities may quickly meet the conditions of 'necessity and urgency' in a criminal investigation. This potentially gives the authorities the opportunity to use the hacking power in (almost) any fraud accusation (offences that have been designated by Order in Council) where the gathering of evidence breaks down. Another concern could be the territoriality principle and conflicts of jurisdiction. A computer system in the Netherlands may serve as a gateway to certain information, but this in no way implies that these data are actually (physically) located in the Netherlands. Therefore, it could very well be that the Dutch investigation services will be hacking on foreign territory.

Against this background it is important to note that any data that can be registered may be copied for evidence purposes in a criminal investigation. Therefore, the legislator has built in an additional safeguard: the requirement of "logging" (recording data) during the investigation (Section 126ee DCCrP). However, the logged information will not be added (automatically) to the case file; the defence must expressly request it. The controversial nature of the power has prompted the legislator to require the annual publication of statistics on the use of intrusion software as well as an assessment after two years.

Thus, the Computer Crime Act III provides law enforcement officials with a power to access the (computer) systems of suspects. However, the Minister of Security and Justice, who is charged with overseeing the execution of the law, has stated that the facts of every case must be explicitly taken into account and a proportionality test applied when this special investigative power is used, which may result in waiving the application of the power in a particular case.

Making data inaccessible (Section 54a DCrC)

Secondly, the new Act amends the practice where the power to make internet data inaccessible vests in an intermediary, often an organisation providing telecoms services (Section 54a DCrC). Under current legislation, internet providers adhere to a voluntary "Notice and Take Down" code of conduct, pursuant to which internet providers immediately take down content they deem to be unmistakably unlawful or punishable. The Computer Crime Act III provides for a separate power (Section 125p DCCrP) enabling the Public Prosecutor to order a provider of telecoms services that is unwilling to make data inaccessible to do so nonetheless. Such an order may only be issued if the suspected offence is one for which detention in police custody is a prerequisite and prior leave has been obtained from an Examining Judge (rechter-commissaris), ensuring that all interests are safeguarded. The purpose of the amendment is to improve the application of the existing scheme, which should serve to increase the degree of protection of society against cybercrime.

Criminalisation of gathering and offering (stolen) data online (Sections 138c and 139g DCrC)

Thirdly, the unlawful gathering of data and the possession or publication of data obtained from criminal activity have been made an offence. Such data need not have been gathered by means of computer intrusion; the term "gathering" (overnemen) does not necessarily require that the data concerned are brought outside the power of disposition of the proprietor. This criminalisation also closes the loophole in the law relating to those cases where the perpetrator has lawful access to non-public data on a computer yet unlawfully copies such data, and addresses the possible legal implications for the person then receiving the data, which is tantamount to handling and receiving stolen data.

The objective is to improve the protection of computer data under criminal law.

Criminalisation of online commercial fraud (Section 326 DCrC)

Fourthly, online commercial fraud is made a criminal offence, more specifically: offering, via the internet, goods or services for sale without the intention of (fully) providing such goods or services will be an offence under the new Act. This is in line with the current offence of deception (oplichting), punishable under Section 326 DCrC.

Extending the criminalisation of the offence of grooming (Sections 248a and 248e DCrC)

The term grooming is used to denote the unwanted practice of soliciting minors over the internet with the objective of sexual abuse. In their battle against grooming, the law enforcement authorities would, until recently, use decoy victims, essentially police officers impersonating minors (defined as children under the age of 16). It is established case law that a suspect of grooming cannot be punished if the individual who, pursuant to the current wording of Section 248e DCrC, is identified as the person not having reached the age of 16 is actually 16 years of age or older. Under the Computer Crime Act III, Sections 248a and 248e DCrC will be amended to ensure that the offence also relates to soliciting, for sexual purposes, any person "impersonating an individual not having yet reached the age of 16 or 18". Law enforcement officials will continue to be allowed to use decoys.

Conclusion

13 years have passed since the Computer Crime Act II came into force. It remains to be seen whether its successor will effectively keep up with the rapid developments that are taking place on the internet. On top of that, the Computer Crime Act III has some controversial features from a "due process" perspective that will have to be monitored closely and should lead to a critical and challenging approach from the defence's side.