Skip to main content

Computer Misuse Act 1990: Review

Volume 727: debated on Tuesday 7 February 2023

The Government are reviewing the Computer Misuse Act 1990 (CMA/the Act) and this statement provides an update on the progress of the review.

It is essential that the UK has the right legislative framework to allow us to tackle the harms posed to our citizens, businesses and Government services online. As part of this, we initiated a review of the CMA, and following a call for information on the CMA, we have been considering the proposals made in response. A number of proposals were put forward, both for changes to the Act itself, and for additional powers to allow law enforcement agencies to more effectively tackle the offences covered by the Act.

We will issue a formal consultation today to seek views on a number of proposals made during the consultation, including:

Considering the development of a new power to allow law enforcement agencies to take control of domains and internet protocol (IP) addresses where these are being used by criminals to support a wide range of criminality, including fraud and CMA offences.

Developing a power to require the preservation of computer data, ahead of its seizure, to prevent it being deleted where it may be needed for an investigation. While requests from law enforcement agencies for preservation are generally met, the UK does not have an explicit power to require such preservation, and having such a power would make the legal position clear.

Considering whether a power to take action against a person possessing or using data obtained by another person through a CMA offence, such as through accessing a computer system to obtain personal data, would be of benefit, subject to appropriate safeguards being in place. Currently, the CMA covers unauthorised access to computer, but the unauthorised taking or copying of data is not covered by the Theft Act so it is difficult to take action in these cases.

In addition, a number of other issues were raised during the call for information, relating to the levels of sentencing, statutory defences to the CMA offences, improvements to the ability to report vulnerabilities, and whether the UK has sufficient legislation to cover extra-territorial threats. As part of our work to improve the cybersecurity of the UK, we will work with a wide range of stakeholders with a policy interest in these areas, to ensure that any proposals that we take forward will deliver enhanced protection of the UK in cyberspace.

A copy of this consultation will be placed in the Libraries of both Houses and published on