Insights UK Computer Misuse Act 1990 (“CMA”): Home Office publishes analysis of responses to its consultation


The CMA creates various cybercrime offences such as hacking, denial of service attacks and the introduction of viruses. Specifically, the offences contained in the CMA include unauthorised access to computer material, unauthorised access to computer materials with intent to commit or facilitate the commission of further offences, and unauthorised acts with intent to, or being recklessness as to whether the act will, impair the operation of a computer, prevent or hinder access to any program or data in a computer or impair the operation of any program or the reliability of any data. It also makes it an office to carry out (intentionally or recklessly) any unauthorised act in relation to a computer causing, or creating a risk of, serious damage of a material kind.

In 2021, the Home Office issued a Call for Information on whether there was any activity causing harm in the area covered by the CMA which was not adequately covered by the current offences. A number of issues were raised by respondents so, in February 2023, the Home Office published a consultation, mainly seeking views on three specific proposals for legislation. On 14 November 2023, the Home Office published a summary of responses to the consultation and its conclusions on whether and how to take the proposals forward.

The first proposal is for a new power to allow law enforcement agencies to take control of domains and internet protocol addresses where these are being used by criminals to support a wide range of criminality, including fraud and computer misuse. The paper concludes that the Home Office will continue to work with stakeholders on the various considerations raised by this proposal in order to be able to legislate at the earliest possible opportunity.

The second proposal is for a new power to allow a law enforcement agency to require the preservation of computer data in order to allow that law enforcement agency to determine whether the data would be needed in an investigation. In view of the number of concerns raised, the paper concludes that the Home Office will continue to engage with stakeholders to understand the impacts and look to mitigate them before considering legislation.

The final proposal is for a new a power to take action against a person possessing or using data obtained by another person through a CMA offence, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards being in place. The paper concludes that the Home Office will undertake the significant further work that needs to be done on this proposal to mitigate risks to the positive work that relies on the use of such data (e.g. cyber security researchers) and provide further legislative solutions in the near future.

For more information, click here.