Before the 1995 Penal Code, any computer-related crime was quite strange for our courts, which were used to study crimes where the objects were tangible, visible; an aspect that has changed significantly nowadays, where cybercrimes are becoming more and more typical.

In order to correctly understand the offence of computer fraud, we must first develop the basic offence of fraud, typified in Article 248.1 of the Criminal Code (hereinafter CC), by which the person who, with the intention of making a profit, uses “sufficient deceit” to produce error in another, leading them to carry out an act of disposition to their own or another person’s detriment, commits fraud. In simplified terms, one person deceives another against his will; one could say that the main element is that deception, that ability of the fraudster to know the weaknesses of the person being defrauded, in order to achieve an end, such as making a profit.

The problem was that, over time, and with advances in technology, new forms of fraud had been created, which did not necessarily require such personal deception in order to be committed, as mentioned by the Second Criminal Chamber of the Supreme Court in STS 533/2007, 12 June 2007, but the typical action of these new offences is the mere use of a computer system. For this reason, paragraph 2 of the aforementioned Article 248 CC refers to any “computer manipulation or similar device”, thereby including all possible casuistry and protecting those affected.

The speedy advance of technology, and all that this entails, has meant that there is currently a disparity in legislation between different countries on this issue, or even that there is no regulation at all, an issue that has become even clearer with the increase of cyber-crime in the context of the COVID-19 pandemic, given the increase in the use of computer devices in day-to-day life. For example, in Chile, where its legislation does not contemplate acts such as “phishing”, or does not contemplate legal persons as subjects, active or passive, of the offence.

Another major problem, which we will see below, is the lack of consensus when it comes to deciding which court should hear the crime of economic fraud when, as is often the case, the place where the action is carried out and the place where the victim is affected are different.

A clear example of what a financial scam consists of is when a person receives an email that at first sight appears to be sent by their bank, asking them to update their “online bank” passwords via a direct link that will take them to the process. Once the person accesses the link, and without knowing or realising it, malware enters their device and all the funds in their bank account are withdrawn.

Once it has been reported to the competent authority, all necessary measures can be taken to find out who has committed the act. In this regard, it is necessary to mention Constitutional Court Ruling 104/2006 of 3 April 2006, which, although it does not specifically address the crime of computer fraud, does talk about computer-related crimes and cybercrime (websites selling unauthorised computer products).

The TC affirmed that computer crimes in general, by their very nature, have a higher “damaging potential” due to the difficulty of tracing and prosecuting them through the usual channels. Another of the arguments presented in favour of the application of these measures is the capacity of computer crimes to generate greater harm to victims, given the facility offered by current technology.

Such cases were clearly solved by the reform of the Criminal Procedure Act of 2015, which expressly regulates technological investigation techniques in article 588, measures which, as it mentions, are restrictive of the rights recognised in article 18 of the Spanish Constitution. Some of these measures are the interception of telephone communications as a method of criminal investigation of offences committed through the network, the capture and recording of oral communications, or the identification
of equipment from an IP address.

As mentioned at the beginning of this report, the problem is the determination of the place where the crime is committed, given the nature of the Internet, whereby this information can easily be hidden. Because of this, and as a general rule to resolve this issue, the theory of ubiquity is applied, whereby both the court of the place where the acts were carried out and the court where the result was produced may have jurisdiction, and in the event that more than one court wants to know about the issue, the first court that initiated the proceedings will have jurisdiction to continue with the procedure (although the reality is that it is necessary to go from case to case).

This highlights the real importance of an equal legal configuration of all countries in order to avoid competition issues.

Finally, the penalties applicable to this type of offence are set out in Articles 249 and 250 CC, and can be prison for up to 6 years and a monetary penalty of up to 12 months, but in order to decide the penalty, must be taken into account the amount defrauded, the methods used to carry it out, and any other circumstance that serves to accurately assess the offences committed.

A real and current vision of the crime of fraud is what happened through the “Telegram” platform, in which groups offered false certificates against COVID, as well as false negative PCR tests, all of which could be obtained by paying 150.-€ through the well-known cryptocurrency “Bitcoin”.

Another example is the attack on a hospital in Barcelona, for which a fee was demanded (not reported in the press) in exchange for the release of the blocked servers. Fortunately, however, the hospital’s computer protection system was able to stop the attack before it could wreak further damage.

Both news are clear examples that the current situation caused by COVID-19, which forces the population to be even more tied to electronic devices, leads to the development of new computer crimes that take advantage of this situation, either through acts of disposition (extracting money from the bank account) or through viruses that block the operating system, as in the case of the attack on the hospital in Barcelona.

Although these are not the only types of computer crimes provided in our criminal code, which after the 2015 reform introduced, as a result of the computer era in which we live, other crimes that have as a common point the use of computer systems for their perfection; Such as the crime of computer intrusion (article 197 bis section one) which punishes access to an information system by violating security measures, in this case, the mere access is punished, even if the data has not been accessed; or the interception of computer data transmissions (article 197 bis section two) which punishes the transmission of non-public data.

After all that has been exposed, it can be concluded that current legislation is and will be increasingly changing, in order to adapt to the IT reality in which we live, and, above all, it will be in order to offer those affected, the necessary protection to their interests. There are still many steps to be taken in order to reach this goal satisfactorily, considering that the personal rights of all individuals will always prevail, even if they are the ones committing the crime, and also taking into account that it is complicated to homogenise the different legislations in this aspect.

By Madalina Tepes Tifrea, Lawyer