Protection of information systems and computer programs under Greek law – article 370D of Greek Criminal Code – Lexology

Review your content’s performance and reach.
Become your target audience’s go-to resource for today’s hottest topics.
Understand your clients’ strategies and the most pressing issues they are facing.
Keep a step ahead of your key competitors and benchmark against them.
add to folder:
Questions? Please contact [email protected]
A. Introductory remarks
In modern times, the rapid development of information and communication technology has brought to the fore a new type of crime, which is detected in the field of informatics and computers. This indicates the importance of protecting the right to information and data, the circulation, processing and storage of which is made possible via Internet and, in this way, they easily become target to criminal activity. The evidential difficulties in solving these crimes are major, especially if we take into account that data that have been the means, object or proceeds of the crime can easily be eliminated or distorted
B. Legal Protection
At national level, the constitutional legislator has enshrined the confidentiality of communications, which is inextricably linked to the right of privacy and of free development of the personality, in Article 19 of the Greek Constitution which provides that, ''The confidentiality of letters and of the free correspondence or communication in any other way is absolutely inviolable. The law defines the guarantees, under which the judicial authority is not bound by the confidentiality, on grounds of national security reasons or for ascertaining particularly serious crimes.''
It should be noted that communication is defined as the exchange or transmission of any kind of information, between a finite number of parties, in any way suitable for conducting communication in conditions of intimacy. This definition covers the entire range of communication, such as the usage of the Internet in any way. The protection of confidentiality applies to those communications made in conditions of intimacy, i.e. to private communications between a finite number of parties and provided that even one of the parties expects such confidentiality to be maintained in relation to any third party.
Apart from the protection of communication by whatever means it takes place, the protection of information itself is of great importance. Already in 1989 a Special Committee of Experts of the Council of Europe, in cooperation with the European Commission on Crime Problems, made a recommendation to the Member States, which contained a list of acts that should be criminalized, aiming at the effective protection of data and computer programs. Law 1805/1989 introduced in the Greek Criminal Code case b’ of article 13 subpar. (c), which defines the meaning of the “document”. According to this, “Document is also any means used by a computer or a peripheral computer memory, by electronic, magnetic or other way, for recording, storing, producing, reproducing of data that cannot be read directly, as well as any magnetic, electronic or other material in which any information, image, symbol or sound is recorded, separately or in combination, provided that such means and materials are intended or are suitable for proving facts of legal significance.” Moreover, through Law 1805/1989 the acts of copying, imprinting and revealing computer data were criminalized. This constitutes an important legislative change, given that the provisions of the Greek Criminal Code reflected the social reality that was, until then, oriented towards infringements mainly of tangible rights.
A broader description of these criminal behaviors took place through the Cyber-crime Convention of the Council of Europe of 23.11.2001 and through Directive 2013/40/EU of the European Parliament and of the Council regarding the attacks against Information Systems. These legislative initiatives aimed at combating crime in an electronic and digital environment.
For the incorporation of the above-mentioned statutes into Greek law, Law 4411/2016 was adopted. The changes that have been made through this in the Greek Criminal Code concern art. 13 elements f' and g', regarding the notions of information systems and digital data. Specifically, the following are applied under these provisions: “An information system is a device or a group of interconnected or related devices, of which one or more perform, according to a program, automatic processing of digital data, as well as the digital data stored, processed, retrieved or transmitted from this device or group of devices, for the purpose of the operation, use, protection and maintenance of these devices”, and “Digital data is the presentation of facts, information or concepts in a form suitable for processing by an information system, including a program enabling the information system to perform a function.” In addition, the above law introduced a broad protective framework for information systems, programs and data by Articles 370B-E of Greek Criminal Code.
C. Article 370D of Greek Criminal Code – General points – The protection of programs and information systems
Article 370D of Greek Criminal Code aims to punish and suppress any unlawful interference in computer systems and its peripheral memories, any unlawful use or copying of computer programs and any unlawful access to data transmitted through telecommunications systems. It is established as a crime of endangerment. It is therefore not necessary to harm the owner’s right, as long as this behavior has created a danger that threatens it. The introduction of the provisions of article 370D extended the scope of protection for data in motion, as this does not fall under the provision of article 370A of Greek Criminal Code, whose criminal protection extends to telephone and oral conversations.
 The protected right is the power of the legal owner of the data to exclude others from accessing them (right of sovereignty). In other words, it is a right over the intellectual content of the data and it is independent of any ownership in relation to the material or digital carrier. Moreover, this right is not necessarily linked to any economic benefit from the data. The legal owner, who is the only one who can allow third parties to have access to the programs, systems or data, is not necessarily the same person with the one to whom the information relates.
D. 370D par. 1 of Greek Criminal Code – The illegal copying or usage of computer programs
According to the constitutive elements of par. 1 of article 370D, “Anyone who, without having the right, copies or uses computer programs shall be punished by pecuniary penalty or community service”. A program is defined as a set of directives and regulations, which is incorporated into a means and processed by a machine, which the program leads to the resolution of a problem or to the achievement of a result.
 The act that leads to the fulfillment of the constitutive elements of par. 1 is the copying of programs, that is to say, the incorporation of the program into a material carrier that makes the program understandable for people, e.g., into paper, magnetic disks, or even the simple storage in an internal secondary memory. The second way of conduct that constitutes an offence punishable by this provision is the usage of the programs.  The term “usage” contains, inter alia, a) the commercial exploitation for benefit, b) the technical adaptations, in order for the program to be executed by a certain computer system, and c) the use of the original program in order to design another one.
These actions must be done by the perpetrator without a right. The conceptual element, therefore, that makes copying and usage illegal is the lack of consent of the owner. As a result, when the owner consents, the right will not be infringed and thus the act will not be unlawful. In cases where the power of disposal is exercised jointly by several people, the offence is committed when the perpetrator, while having the consent of one or some of the owners, acts without the consent of the others. Also, the legal owner can give his consent under certain requirements (e.g., for a fee). In such a case, only when these requirements are satisfied it is lawful to use or copy the programs. If the right to copy or use the programs, which has been given to the user, is derivative and he, by exceeding the limits of his discretion and in breach of his contractual obligations, grants a license to a third party, the third-party acts without consent. The original owner of the data does not lose his exclusive discretion to determine who will have access to it.
The penalty threatened by the provision for the commission of this offence is pecuniary penalty or alternatively the imposition of community service.
E. 370D par. 2 of Greek Criminal Code – Without right access to information systems or data transmitted through telecommunication systems
According to par. 2 of this article, "Anyone who, without right, gains access to an information system, as a whole or to a part of it, or to data transmitted by telecommunication systems, by violating prohibitions or security measures taken by its legal owner, shall be punished with imprisonment".
As provided for in Art. 13 cs. f) of Criminal Code, an information system is a device or group of interconnected or related devices (e.g., processor, printer, display-hardware, software), of which one or more perform, according to a program, automatic processing of electronic data, as well as the digital data stored, processed, recovered or transmitted by that device or group of devices for the purpose of operation, usage protection and maintenance of such devices.
Access means any penetration of the data processing and storage systems, that leads to the unhindered acquisition of knowledge of information that was entered into the computer or peripheral computer memory or transmitted by telecommunication systems. In other words, the offender must have penetrated the computer and, thus, acquires the ability to act within the system. This action is sufficient for the fulfillment of the constitutive elements of the crime, without requiring further action (e.g., copying, alteration, use of data). In addition, no intention of damaging or using the data is required. Only the fact of gaining access without a right to computer systems establishes itself the act of wrongdoing, since it carries criminal risks and leads to the risk of further rights. The constitutive elements of par. 2 are also fulfilled through the simple unauthorized access to computer systems, through an external computer, which is outside of the system that the perpetrator penetrates (hacking).
Data transmitted via telecommunication systems (analogue, digital, wired, wireless and through satellites transmission) are also protected. An example of criminal conduct, which falls under this provision, is the acquisition of access to the electronic mail using telecommunication connections. As the provision requires access to "transmitted" data, its constitutive elements are fulfilled when the intrusion takes place from the sending phase until the message is received by the recipient.
For conducting this offence, the legislator requires that, the offender has acquired access without a right and also by violating prohibitions or security measures. Those two elements must therefore occur cumulatively. As analyzed above, access without right is the access that is unauthorized by the legal owner of the system.
Moreover, in order to fulfill the constitutive elements of par. 2, the offender should ignore the prohibitions or overcome the security measures set by the legal owner of the data. The prohibitions may be oral, written or even formulated as terms in a contract. In any case they must be stated in such a way and place that they can be made comprehensible by the unauthorized persons. Security measures must objectively express the will of the legal owner to safeguard his power of excluding others from the data, i.e., to make it more difficult for them to access the system. Such security measures could be the introduction of passwords, user code numbers, magnetic cards, fingerprint and voice recognition machines, or even technical or structural security devices that protect the space where the computer systems are located (security locks, video surveillance of the space, alarm installations, etc.). In order to protect the transmitted data, the security measure that can be taken is to encode it.
The penalty threatened for committing this offence is imprisonment from 10 days to 5 years.
F. 370D par. 3 of Greek Criminal Code – Offender at the service of the Legal Owner
            According to par. 3 of article 370D of the C.C., "If the offender is at the service of the legal owner of the information system or data, the act referred to in the previous paragraph shall be punishable only if it is explicitly forbidden by an internal regulation or by a written decision of the owner or of a competent employee". This case refers to an employee at the service of the legal owner of the data, engaged by an employment contract. In this regard, it is not required a breach of security measures but an expressed injunctive order of the internal regulation of the company, or a written decision of the owner or the competent employee (e.g., employer, chief of staff, manager of the company).                                                                  
G. Difficulty in the application of article 370D C.C.
The provisions introduced by Law 4411/2016 are characterized by ambiguity and in some cases overlap. Thus, this fact raises a problem in cases where access to information systems without a right can fulfill the constitutive elements of several provisions. Characteristically mentioned, par. 1 of art. 370B of the Criminal Code, which concerns the illegal access to information systems or data, according to which, "Anyone who, in breach of a protection measure and without right, gains access to an information system, as a whole or to a part of it, or to electronic data shall be punished by imprisonment…". Also, in cases of confidential information, an issue will arise in relation to the fifth way of committing the offence of par. 1 of article 370C of the Code, according to which "Whoever in any way violates data or computer programs,…". Therefore, as a result, certain conducts may fulfill the constitutive elements of more than one provisions of the law. Most of the time, of course, these issues will be resolved based on the rules of concurrency and specifically through the application of the principle of speciality.
H. Remarks
Provided that computer programs and information systems hold a major economic, social and political importance and the various forms of cybercrime are causing devastating economic consequences to victims, often resulting in the disablement of information and communication systems and the distortion of important information, a high level of protection must be ensured. The national legislator established the possession of electronic data as an autonomous right and, in compliance with the European law, sought to provide general legal protection of the information systems, data and programs. However, the broad conceptual formulation of those articles and the variety of terminology used, cause ambiguities and difficulties in subjecting the facts to the constituent elements of the articles. In conclusion, regarding the rapidly developing technology and the increasing use of the Internet and computers, the legislator should adapt the provisions to meet the new requirements of social reality, aiming at protecting the relevant rights more effectively.
add to folder:
If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected].
"The content and quality of the newsfeeds is very good and well indexed by subject making it easy to follow up on."
© Copyright 2006 – 2022 Law Business Research

source

Share this post:

Leave a Reply