Weekly analytics for 29 January – 04 February

Unauthorized Interference in the Public Electronic Registers Operation: Certain Issues of Criminalization

Event

On January 16, 2024, the draft Law “On Amendments to the Criminal Code of Ukraine to establish criminal liability for unauthorized interference, sale, or distribution of information processed in public electronic registers, and to strengthen criminal liability for criminal offenses in the area of information and communication systems during martial law” of November 9, 2023 (№10242) was adopted as a basis.

The draft law proposes for the following:

1) to clarify Article 361 of the Criminal Code of Ukraine (CC) (unauthorized interference in the operation of information (automated), electronic communication, and information and communication systems), electronic communication networks by explicitly recognizing public electronic registers as a distinct type of such systems, thereby reinforcing the criminalization of unauthorized interference in their operation;

2) to supplement part 5 of Article 361 and part 2 of Article 361-2 of the CC (unauthorized sale or distribution of restricted-access information) by introducing an aggravating circumstance: “by an official using his/her official position”. Additionally, part 3 of Article 361-1 (creation, distribution, or sale of malicious software or technical tools for illegal use) and Part 3 of Article 361-2 with the qualifying circumstance “during martial law”;

3) to define the terms in the notes to Article 361 of the CC, including: unauthorized interference (for Article 361); unauthorized sale or distribution of restricted-access information (for Article 361-2) and to supplement a clause 2 of this note  with a clarification stating that the provisions do not apply to actions committed by whistleblowers who report misconduct in accordance with Articles 53-1 and 53-2 of the Law “On Corruption Prevention”; to clarify a definition of public electronic registers for application in Articles 361, 361-2, 362 (unauthorized actions with information), 363 (violations of computer, network, or information security rules), 363-1 (obstruction of computer operation), and 365-2 (abuse of authority by individuals providing public services);

4) supplement clause 1 of Part 1 of Article 43 of the Law “On the Prosecutor’s Office” with a new ground for a prosecutor’s disciplinary liability: “failure to make a procedural decision or take a procedural action within the timeframe prescribed by law” defining it as a specific form of neglect or improper execution of official duties;

5) to repeal clause 10 of Part 1 of Article 284 of the Criminal Procedure Code of Ukraine (CPC), which currently allows for the closure of criminal proceedings if the pre-trial investigation period (as provided in Article 219 of the CPC)  expires after a suspect has been notified. Additionally, to supplement Part 4 of Article 219 with a provision requiring that the prosecutor, no later than the final day of the investigation period, must take one of the actions outlined in Part 2 of Article 283 of the CPC – such as closing the proceedings, filing a motion to release the suspect from criminal liability, or submitting an indictment.

CPLR’s position

1. According to clause 12, Part 1 of Article 2 of the Law “On Public Electronic Registers”, a public electronic register (register, cadastre, registry, etc.) is an information and communication system that facilitates the collection, storage, protection, accounting, display, processing, and provision of registry data. In other words, registers are a subset of information and communication systems.

2. In accordance with Article 1 of the Law “On Information Protection in Information and Telecommunication Systems”, an information system user is an individual or legal entity granted access to system data under the law. The Law “On Public Electronic Registers” governs the entry, use, administration, and management of registry information (Articles 28, 34, 36-39).

Based on legal study on this category of criminal offenses, as well as the definitions of unauthorized actions regarding information provided in Article 1 of the Law “On Information Protection in Information and Telecommunication Systems”, unauthorized interference in a public electronic register should be understood as modifying the register’s operating mode by manipulating data carriers or automated processing tools in violation of established access procedures.

3. Qualification of actions under Part 3 of Article 361 of the CC requires establishing the following consequences: 1) information leakage – when information becomes known to at least one person who does not have authorized access; 2) loss of information – an impact on the data carrier that causes the information to cease to exist in a form that allows it to be processed by a computer; 3) forgery – distortion of information that renders it false; 4) information blocking – a form of restriction where the information is neither destroyed nor forged, but access to it is completely prevented; 5) distortion of information processing – obtaining results during data operations (executed via technical or software tools) that do not correspond to the technical specifications or the computer program’s algorithm; 6) violation of the established information routing procedure – where a specific recipient fails to receive transmitted information, or access to certain network resources occurs in violation of the established routing rules.

4. The subject of criminal offenses under Articles 361, 361-1, and 361-2 of the CC is general, meaning any legally competent individual aged 16 or older. However, the subject of an offense under Article 362 is special, referring to individuals with authorized access to information. This includes those directly involved in register maintenance (such as operators, programmers, engineers, and computer repair technicians), register users, administrative and managerial personnel, and law enforcement officers performing duties related to information access. Similarly, the subject of an offense under Article 363 is also special, applying to individuals responsible for the operation of computers, registers, computer networks, or telecommunications networks.

Since some offenses in this category can be committed by a general subject, investigative journalists and civil activists could hypothetically fall within this scope. Moreover, if these individuals have register access, they could be classified as special subjects under Articles 362 and 363. However, the proposed amendments in the Draft Law are not specifically aimed at investigative journalists or civil activists monitoring government activities and public officials.

5. Given the critical role of registers in both state and society, strengthening safeguards against unauthorized interference is essential, especially during martial law. For instance, a cyberattack in Ukraine between December 19, 2024, and the present led to the blocking of dozens of state registers containing citizens’ data. However, 2023 statistics show that despite 3,841 recorded criminal offenses under Articles 361, 361-1, 361-2, 362, and 363-1, and 2,455 cases sent to court with an indictment, only 95 individuals were convicted, with just 9 receiving prison sentences. This indicates that criminal law measures alone are insufficient and do not significantly impact the situation. Instead, greater emphasis should be placed on identifying and mitigating threats, preventing data leaks through stricter staff background checks, and regularly updating software, among other preventive measures.

On the other hand, statistical data show that the articles of the CC mentioned above are applied selectively, with no sufficient safeguards in place to prevent their disproportionate use against investigative journalists and civil activists.

Furthermore, these articles are not specifically aimed at individuals from the aggressor state. According to Article 8 of the CC, foreign nationals who commit crimes outside Ukraine can only be prosecuted in Ukraine for serious and particularly serious offenses, specifically those under Parts 4 and 5 of Article 361 and Part 3 of Article 362.

At the same time, data from the Unified State Register of Court Decisions reveal that the unauthorized sale or distribution of restricted-access information (Article 361-2 of CC) is often committed by law enforcement officers, tax officials, and other public authorities to benefit their relatives and associates. Strengthening penalties for these offenses could paradoxically foster more corruption, as it may encourage efforts to shield such individuals from responsibility.

6. For years, experts have emphasized the need to eliminate the automatic closure of criminal proceedings due to the expiration of pre-trial investigation periods. This issue was also raised by the European Commission. The proposed amendments aim to implement recommendations regarding the repeal of the “Lozovyi amendments”. The CPLR has consistently supported their partial repeal. In our view, while deadlines should exist after the notification of suspicion, they should be extended by investigating judges rather than prosecutors (as was the case before March 15, 2018). The only necessary change is to eliminate the possibility of appealing the notification of suspicion. The exclusion of clause 10, Part 1 of Article 284 of the CPC remains a matter of debate. On the one hand, if the deadlines have expired, it seems reasonable for the defense to request the closure of proceedings. On the other hand, it may be more appropriate to leave such decisions to the discretion of the court. A further complication arises when, according to Article 49 of the CC, the statute of limitations for criminal liability has not yet expired, but the investigation deadlines under the CPC have lapsed. These issues need to be addressed in alignment with other initiatives concerning the repeal of the “Lozovyi amendments”, particularly with Draft Law № 10100.

7. The clarification of grounds for prosecutorial disciplinary liability is generally welcomed, especially given Ukraine’s continued failure to implement GRECO’s 2017 recommendations regarding the legal certainty of prosecutors’ disciplinary liability. In the studies conducted by the CPLR in 2019 and 2023, it was suggested that the failure to fulfill or improper fulfillment of official duties should be more clearly defined by listing typical forms while keeping the list open-ended. However, the proposed version includes only one such form. Therefore, a more systematic approach is needed. Additionally, it is important to note that the proposed amendments to the CPC and the Law “On the Prosecutor’s Office”, which were introduced only during the second reading, do not align with the overall subject matter and, consequently, the title of the Draft Law.