Sentencing data-driven cybercrime. How data crime with cascading effects is tackled by UK courts

Abstract

Cybercrimes that compromise data, and particularly personal data, are on the rise. These ‘data crimes’ display cascading effects, in that they empower disparate criminals to commit further crimes and victimise a broad range of individuals or data subjects. In a way, data crimes are the ‘dark side’ of big data and the data economy enabled by technological applications such as cloud computing. This paper contributes to a growing body of research seeking to understand if and how legislation can effectively counter cybercrimes. It addresses the under-researched area of sentencing, which, as the last step of the judicial process, plays a crucial role in how the law is interpreted and implemented. This paper asks whether courts understand the evolving technological environment of cybercrime captured by data crime and the cascade effect, how they react to such environment, and whether the cascade effect can assist courts in dealing with data-driven cybercrime. The paper answers the question by means of original data collected from UK courts, namely 17 sentencing remarks relating to cybercrime court cases decided in England & Wales between 2012 and 2019. The analysis shows that courts appreciate the impact of data crime and their cascading effects, but that the complexity of the offences is lost at sentencing, arguably due to the negative impact of systemic factors. First, courts have to interpret technology neutral legislation that lends itself to both overly broad and technology unspecific interpretation. Secondly, they do so without the support of stable authorities – e.g. the Computer Misuse Act 1990 benefits from neither sentencing guidelines nor settled precedents. The extant risk is to generate unfair outcomes, particularly for young offenders, who appear to have been the object of harsh punishment as a deterrent, against sentencing guidance – and with little demonstration of success. Thus, in addition to cybercrime literature, the paper contributes to debates on fair sentencing and the related call for open justice, as well as the impact of technology neutral legislation on the work of courts. A solution against the pitfalls of technology neutral legislation could be to create a specialised court dealing with cybercrime cases. The paper also suggests that the cascade effect could be used to give specificity and context to cyber offences, e.g. to support the analysis of seriousness of the offences and identify aggravating and mitigating circumstances. Two recommendations follow suit. The first is to adopt updated sentencing guidelines for the Fraud Act 2006 and brand-new guidelines for the Computer Misuse Act 1990. The second is to support the fight against cybercrime by making better use of complementary data protection legislation.