The Computer Crime Act III (Wet CCIII), which came into force on March 1, 2019, has significantly broadened the possibilities for investigating and prosecuting digital crime. An extensive evaluation by the WODC (wetenschappelijk Onderzoek- en Datacentrum) shows that the new criminal offenses and powers are frequently used in practice, but that limited investigative capacity and international components are hampering the full potential of the law.
The new articles on data theft (138c Sr) and handling stolen goods (139g Sr) meet a clear need. The Openbaar Ministerie received 39 cases of data theft, most of which involved employees who took data in a work situation. There were 93 cases of data handling, often combined with financial fraud. A striking point of attention is the penalty for data handling; the maximum prison sentence of one year is considered illogically low by professionals in comparison with the handling of physical goods, especially given the enormous size and value of modern data sets.
The specific criminalization of online commercial fraud (Article 326e of the Dutch Criminal Code) is also viewed positively. This article is easier to prove and more applicable than the general provision for fraud. Although 279 cases were filed, the approach to 'large-scale' fraud lagged behind; only three of the 27 judgments examined dealt with this. In many cases, the Openbaar Ministerie decided Openbaar Ministerie to prosecute due to a lack of investigative capacity.
Since April 2021, hacking powers have been used in 89 investigations, notably for traditional serious crimes such as drug trafficking and murder, rather than pure cybercrime. The tool is primarily used to break through encrypted communications (such as Signal or WhatsApp). Although intrusion was successful in more than two-thirds of cases, 40% of the deployments did not yield any useful information for the investigation.
When it comes to the authority to make criminal data inaccessible (125p Sv), such as in the case of fraudulent web shops or Telegram groups, practitioners experience a procedural bottleneck. The mandatory review by the examining magistrate and the prior hearing of the provider often take too much time in situations where immediate action is necessary, for example to stop the distribution of child pornography.
Although the law made it possible to use a 'decoy' to better protect minors against grooming, this tool has hardly been used in practice. There is only one known case in which a police decoy led to prosecution for seducing a minor. Investigation teams indicate that their available capacity is fully occupied with 'bring cases', in which a concrete report has already been filed by a victim.
The evaluation concludes that the law is an important reinforcement, but warns of new developments. The ongoing encryption of data makes interception increasingly complex, while the international dimension—where perpetrators or servers are located abroad—often makes prosecution virtually impossible without intensive international cooperation. The WODC advises the legislator, among other things, to reconsider the penalties for data theft and to streamline the procedure for making data inaccessible in urgent cases.
This article was partly created with the help of AI based on the source: 'Evaluation of the Computer Crime Act III: An empirical study of its application in practice'.
