REGULATION OF CYBER SPACE IN UNITED KINGDOM

Author : Satakshi

Introduction

The term “Cyber Space” refers to a technological environment in which communication occurs with the help of computers and technology. This space forms a global network that enables online communication worldwide. Today, cyber communication and the cyber environment have become an integral part of society and are involved in most of the things we deal with every day, be it contracts, shopping, education or banking. Before we discuss how cyber space is regulated, we need to understand why it is necessary to regulate the cyber environment. For things done by humans, we find relevant laws in almost every country: penal provisions for punishing humans, contract laws to govern agreements between humans, and so on. With the emergence of technology in the past 20-30 years, however, a need has been felt for laws that can govern computers and the internet across the world. This gave rise to the concept of Cyber Law, and to effective mechanisms to protect users from wrongs committed with the help of computers.

What is Cyber Crime?

As we know, crime is a wrong which the law prohibits and punishes, but the question arises as to what cybercrime is. Cybercrime may be defined as an unlawful activity which is either carried out by using a computer system or is aimed at a system user. These crimes involve a very high level of technology and technological skill. A number of examples fall under the umbrella term “cybercrime”, such as email/internet fraud, false identity, theft of debit/credit card data, theft or sale of personal data, virus attacks and phishing.

Cyber Threats in United Kingdom

With approximately 92.6% internet users, the United Kingdom faces almost 1 successful hack every 19 seconds. Out of around 5.7 million small-to-medium-sized businesses, 1.6 million are hacked every year in the country. These statistics make it explicitly clear that the United Kingdom faces numerous cyber breaches, threats and crimes on a daily basis. As it is always said that ‘drastic times call for drastic measures’, the cyberspace in the UK requires an effective and vibrant mechanism to deal with such threats.

Legal Landscape of United Kingdom

As businesses and companies in the United Kingdom continue to expand their digital operations, the country faces a key challenge in ensuring cyber security for all its citizens, and the task becomes more challenging because the country lacks a specific, vibrant “Cyber Security Law”. The legal framework of the country imposes certain regulations, guidelines and obligations in relation to cyber space; however, there is no particular act dedicated to the subject of cyber crime. A number of legislations touch on the subject and form a kind of patchwork that covers for the lack of an exclusive legislation. These laws impose cyber security obligations on all persons, and those persons are generally given freedom as to how they comply with those obligations. Following are the main legislations and measures adopted in the country in respect of cyber crimes.

  • GDPR (General Data Protection Regulation) – This regulation governs the processing of “personal data” in the European Economic Area (EEA). It also applies to businesses which offer goods and services to individuals in the EEA. In the United Kingdom, businesses are required to comply with the Data Protection Act, 2018, which relates to the GDPR. Basically, the GDPR requires businesses and organizations to protect the personal data in their possession. The major implications of both are explained below:
  • Article 5 of the GDPR states that data should be processed in keeping with seven principles, i.e. Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, Integrity and Confidentiality, and Accountability.
  • This regulation, read with the Data Protection Act, requires organizations to protect personal data and to allow third-party access only when that party provides sufficient guarantees in respect of that data.
  • Companies are also required to implement sufficient measures for the protection of that data, such as antivirus programs, periodic scanning of data and company policies in respect of the data, and to make certain that these steps are being followed effectively.

The Court of Justice of the European Union once decided that ‘with an aim of preventing Cyber Attacks, storing the IP address of the computer used in the process by most websites could be justified to guaranteeing and securing the functioning of online services to combat cyber attacks.’

  • Companies are expected to make sure that the data in their possession is not being used unlawfully anywhere. They are also required to protect the data from any kind of loss, damage or destruction.

If any organization or company fails to comply with these norms, the same can result in enforcement action, including imposition of penalty by the Information Commissioner’s Office (ICO). It has been made explicitly clear in these regulations that even in the absence of any cyber threat, negligence in handling personal data can result in enforcement action.

  • Computer Misuse Act, 1990 – This act governs situations where a crime is committed by using a computer. It makes it a crime to access, alter or produce a computer program with an intention to cause harm to the economy, the environment, the security of the nation, human welfare etc. A person found engaged in a crime prohibited under this act shall be liable to a term of imprisonment or to a fine or both.
  • NIS Regulations (Network and Information Security Regulations 2018) – The GDPR emphasizes the safeguarding of personal data, whereas the NIS Regulations are concerned with the security of information networks. The NIS Regulations impose cyber security obligations upon “Essential Services Operators” (such as companies that deal with energy, transport or health) and “Digital Services Providers” (such as providers of online services) which serve within the boundaries of the United Kingdom. Businesses and organizations falling under the ambit of NIS are required to protect their information systems from risks and to prevent incidents which harm these systems. An organization that does not comply with these obligations may be subject to enforcement action, including penalties.
  • The Investigatory Powers Act, 2000 – It criminalizes interception of information and communication received or sent through computers. This act provides for the obtaining of data only by an authorized person, and only when it is necessary to do so:
  1. In the interest of national security.
  2. For the purpose of detecting serious crimes.
  3. In the interest of the economic well-being of the UK.
  4. In the interest of public safety.
  5. In case of an emergency preventing death or injury or damage to a person.
  6. For any purpose specified by Secretary of State.

Note: Apart from these significant acts, regulations and obligations, there are certain provisions in the Common Law, Intellectual Property Law, the Copyright, Designs and Patents Act 1988, the Fraud Act etc. which in some way govern the topic of cyberspace in the United Kingdom.

Effectiveness of these laws

When it comes to assessing the effectiveness of UK legislations and regulations in preventing cyber crimes, the need for a specific legislation dedicated solely to cyberspace is felt. Though there are plenty of legislations and regulations in the UK, they seem a little outdated when we look at the growth rate of cyber threats in the country.

  • For example, the Computer Misuse Act, 1990 has become very outdated with time and needs an update. The act prevents security professionals from analyzing threat intelligence research. The act also restricts students, journalists and scholars from conducting research on potential cyber threats.
  • The provisions of these multiple legislations and regulations sometimes overlap each other and create confusion as to which provision is superior in case of conflict.

Conclusion

On average, we generate around “2.5 quintillion bytes of data” every day, and the total amount of data in this world has been generated in the past two years only. These statistics show that, as time goes on, we need to secure the data that we generate. Now, when we talk about the United Kingdom, the country somehow falls short in preventing cyber threats within its boundaries. Even the courts in the UK admit that, “Advances in cyber and digital technology continue to outrun the society’s ability to monitor or control it and has become a considerable issue of national and international concern”. A report states that British companies have the lowest cyber security budget. Hence, the firms in the country need to reallocate their resources adequately, keeping in mind the threats they face regularly, and the government needs to make a specific legislation which governs the subject of cyber space.
