Back United Kingdom
Status regarding Budapest ConventionStatus : Party Declarations and reservations : No declarations. Reservations regarding Art. 9, Art. 22, Art. 29. See legal profile
The UK government published the National Cyber Security Strategy 2016 to 2021 which aims at making Britain secure and resilient in cyberspace. To achieve this vision, its objectives are:
- Obj. 1 - DEFEND. Protect the UK against evolving cyber threats, respond effectively to incidents, ensure UK networks, data and systems are protected and resilient.
- Obj. 2 - DETER. Become a hard target for all forms of aggression in cyberspace. Detect, understand, investigate and disrupt hostile action taken against the nation, pursuing and prosecuting offenders.
- Obj. 3 - DEVELOP. Create an innovative, growing cyber security industry, underpinned by world-leading scientific research and development.
The Strategic context addresses Threats such as cyber criminals; states and state-sponsored threats, terrorists, hacktivists and “script kiddies”. In response, the Objective to Deter, introduced in the Action Plan, focuses on: cyber role in deterrence; reducing cyber crime; countering hostile foreign actors; preventing terrorism; enhancing sovereign capabilities – offensive cyber; enhancing sovereign capabilities – cryptography.
The Objective of reducing the impact of cyber crime by deterring cyber criminals from targeting the UK and pursuing said criminals will be realized through: enhancing the LEA capabilities and skills; build a better understanding of the cyber crime business model; build international partnerships to end the perceived impunity of cyber criminals acting in the UK, by bringing criminals in overseas jurisdictions to justice; deter individuals from becoming or being involved in cyber crime by building on early intervention measures; enhance collaboration with industry to provide them with proactive intelligence on the threat; develop a new 24/7 reporting and triage capability in Action Fraud, linked to the NCSC, the National Cyber crime Unit (NCCU) and the wider LE community, to provide a faster response to reported crimes - a new reporting system will be established to share information in real time across LE on cyber crime and threats; work with the NCSC and the private sector to reduce vulnerabilities in UK infrastructure that could be exploited; further cooperate with finance sector to make UK a more hostile environment for those seeking to monetize stolen credentials.
(Source1 : https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map/strategies/cyber-security-strategy-of-the-united-kingdom)
(Source2 : https://www.cyberwiser.eu/united-kingdom-uk)
The NCSS complements the 2013 Serious and Organised Crime Strategy which sets out UK’s strategic response to Cyber Crime, alongside other types of crimes. The National Cyber crime Unit (NCCU) that sits within the National Crime Agency (NCA) was established to lead and coordinate the national response to cyber crime. Action Fraud provides a national reporting center for fraud and cyber crime. A network of cyber crime units within Regional Organized Crime Units (ROCUs) provide access to specialist cyber capabilities at a regional level, supporting the NCCU and loval forces.
The first national strategy was published in 2011, covering the period 2011-2015: The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world of which the first of four objectives is to tackle cybercrime.
The preceding UK Government previously published a ‘Cyber Crime Strategy’ in March 2010, which had not been expressly abandoned.
State of cybercrime legislation
The UK’s cybercrime legislation is found in a range of different statutory measures, as the UK does not have a unified criminal code or criminal procedure.
Both substantive and procedural criminal law framework of United Kingdom, with recent updates in 2015, are fully in line with the Convention requirements.
The criminal conduct detailed in Articles 2 (illegal access); 4 (data interference), 5 (system interference) and 6 (misuse of devices) is found in the Computer Misuse Act 1990: Section 1 (unauthorised access to computer material); section 3 (unauthorised acts); section 3A (making, supplying or obtaining articles for use). This Act is currently being further amended.
The criminal conduct detailed in Article 3 is found in the Regulation of Investigatory Powers 2000: Section 1 (unlawful interception).
The criminal conduct detailed in Article 7 (computer-related forgery) is found in the Forgery and Counterfeiting Act 1981; while Article 8 (computer-related fraud) is found in the Fraud Act 2006.
The criminal conduct detailed in Article 9 (child pornography) is found in the Protection of Children Act 1978 and the Criminal Justice Act 1988, section 160.
The criminal conduct detailed in Article 10 (copyright infringement) is found in the Copyright Designs and Patents Act 1988.
Attempts are criminalized under the Criminal Attempts Act 1981; while aiding and abetting are addressed in the Accessories and Abettors Act 1861, s. 8 (for indictable offences) and the Magistrates’ Courts Act 1980, s. 44(1) (for summary offences).
As a general principle under UK law, legal persons can be held liable for criminal conduct either on the basis of vicarious liability or where the prohibited act of an individual can be attributed to the company.
The jurisdictional reach of each type of offence (Article 22) is detailed in the applicable statutory measure, e.g. Sections 4-8 of the Computer Misuse Act 1990. In terms of extraterritorial jurisdiction (Article 22(3)), UK does not generally adopt such measures.
Rules requiring the preservation of data (Articles 16 and 17) are found in the Police and Criminal Evidence Act 1984. In addition, a preservation request from a foreign law enforcement agency can be made under the Crime (International Co-operation) Act 2003.
Rules requiring the production of data (Article 18(1)(a)) are found in various pieces of pieces of UK legislation, including the Police and Criminal Evidence Act 1984, the Terrorism Act 2002, the Proceeds of Crime Act 2002 and the Social Security Administration Act 1992. The production of subscriber data by service providers (Article 18(1)(b)) is provided for under the Regulation of Investigatory Powers 2000, Part I Chapter II.
General powers of search and seizure (Article 19) are contained in the Police and Criminal Evidence Act 1984.
The real-time collection of data (Articles 20 and 21) from a service provider through interception is provided for under the Regulation of Investigatory Powers 2000, Part I, Chapter I.
General rules and safeguards apply. The Human Rights Act 1998 incorporates the European Convention on Human Rights into UK law, applicable to public authorities such as law enforcement agencies and any other person carrying out a “function of a public nature”.
Related laws and regulations
Besides an extensive legal framework on technical aspects, there are important acts on this field respecting:
- Data Protection Act 1998: http://www.legislation.gov.uk/ukpga/1998/29/contents;
- The Privacy and Electronic Communications Regulations 2003: http://www.legislation.gov.uk/uksi/2003/2426/contents/made
- Data Retention Regulations 2014: http://www.legislation.gov.uk/uksi/2014/2042/contents/made
- Electronic Commerce Regulations 2002: http://www.legislation.gov.uk/uksi/2002/2013/contents/made
(Note that there is no public source of these laws that is maintained in a completely up-to-date form.)
- UK law enforcement is divided into different forces, each with differing responsibilities. The National Crime Agency (NCA) contains the National Cyber crime Unit (NCCU) and the Child Exploitation and Online Protection Command.
- The Crown Prosecution Service does not have a dedicated cybercrime unit, but has trained prosecutors in cybercrime issues throughout the country.
- Providers of electronic communication services are subject to the regulatory oversight of the Office of Communications (Ofcom).
- Data protection law is enforced by the Information Commissioner’s Office.
- National Cyber Security Centre
Competent authorities and channels
The legal competence to begin and direct criminal investigations and obtain evidence belongs to the police and other specified law enforcement agencies.
Requests for evidence from abroad may be made by a judicial authority or a designated prosecuting authority, e.g. the Crown Prosecution Service.
MLA authority in he absence of other treaties (Art. 27)
For matters related to England, Wales and Northern Ireland:
UK Central Authority
5th Floor Peel building
2, Marsham Street
For matters related to Scotland:
International Co-operation Unit
3 Lady Lawson Street
For matters related to indirect taxation:
Law Enforcement and Internationam Advisory Division
HM Revenue and Customs – Solicitor’s Office
100 Parliament Street
Authority for extradition and provisional arrests in the absence of other treaties (Art. 24)
Judicial CO-operation Unit
5th Floor Peel building
2, Marsham Street
Scottish Government (when the person is believed to be in Scotland)
Criminal Procedure Division
St. Andrew’s House
24/7 Point of contact (Art. 35)
National Crime Agency – National Cyber Crime Unit
PO Box 8000
London, SE11 5EN
Practical guides, templates and best practices
Specific procedures and best practices for International Cooperation
The United Kingdom has signed the main treaties and conventions on judicial international cooperation within the European Union and the Council of Europe, specifically the European Convention on Mutual Assistance in Criminal Matters (1959) and the Convention on Mutual Assistance in Criminal Matters between Member States of the European Union (2000). The primary legislation for obtaining evidence abroad for use in domestic proceedings or investigations, and for the provision of domestic evidence in response to a request from abroad, is the Crime (International Co-operation) Act 2003. Requests for evidence within the UK have to be made to the UK Central Authority, which is part of the Home Office.
Leading cases under the Computer Misuse Act 1990 include the following:
- Attorney-General’s Reference (No.1 of 1991)  3 WLR 432
- R v Bow Street Magistrates’ Court, ex parte Allison (1999) 3 WLR 620
- DPP v Lennon  All ER (D) 147 (May)
Leading cases in the area of child sexual abuse images include the following:
- Westgarth Smith and Jayson  EWCA Crim 560
- Dooley  EWCA Crim 3093
Leading cases in the area of illegal interception include the following:
- Stanford  EWCA Crim 258
- Edmondson & ors v R  EWCA Crim 1026
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.