The European Union (EU) has proposed a "Council Framework Decision" that would help standardize criminal law across all member nations for the prosecution of computer-related crimes. The framework defines punishment for offenses that include unauthorized access to computers, Denial of Service (DoS) attacks, intentional propagation of destructive code such as worms and viruses, malicious interception of communications, and identity theft.
Antonio Vitorino, European Commissioner for Justice and Home Affairs, said, "Member States' laws contain some significant gaps which could hamper the ability of law enforcement and judicial authorities to respond to crimes against information systems. Given the transnational nature of hacking, virus and denial of service attacks, it is important that the European Union takes action in this area to ensure effective police and judicial co-operation."
The proposal would require EU member states to punish computer crime offenses (and those who aid and abet such crimes) by inflicting effective, proportionate, and dissuasive penalties commensurate with the offense. Mandatory jail time of no less than 1 year would be imposed for cases that are deemed to be serious. The framework points out that serious cases would be those cases in which the perpetrator inflicted damage or realized an economic benefit. In nonserious crime cases, jail time could be imposed, but would not be mandatory.
In some instances jail time of no less than 4 years would be mandated. Such instances include crimes committed by criminal organizations, offenses that cause substantial economic loss, physical harm to a person, or substantial damage to critical infrastructures of member states, and offenses in which the perpetrators received substantial proceeds.
Erkki Liikanen, European Commissioner responsible for Enterprise and the Information Society said, "There is a vast amount of network traffic, of which only a very small percentage is problematic and can be disruptive. However small a part of the overall picture, cybercrime is still crime which needs to be dealt with."
The framework also specifies punishment for people in a position to have legally prevented a given computer-related crime through the exercise of control or supervision. Such persons found criminally or civilly liable for not exercising such control could face sanctions such as fines.
The framework hasn't become EU law yet, but will enter into force 20 days after its publication in the "Official Journal of the European Communities." A copy of the Council Decision Framework can be reviewed on the EU Web site.