Luxembourg: The theft of digital data – protection or restriction?

A new criminal offence of theft of digital data was introduced in Luxembourg this year, when the Legislator adopted the law of 18 July 2014 on cybercrime, published on 25 July 2014 (the “Law”), amending the Luxembourg Criminal Code (the “Code”). This initiative constitutes the first step towards the recognition of digital data theft and aims to protect computer systems, preventing the interception or attempted interception of digital data. The law can be seen as a response to profound changes brought about by the digitalisation, convergence and continuing globalisation of computer networks, with such networks being increasingly used to commit criminal offences.

As this recognition of digital data theft is a very recent phenomenon in Luxembourg law, case law is still scarce on the issue and actual trends remain difficult to establish. It will therefore be interesting to see how the Luxembourg Courts apply the Law in the coming months and to obtain clarification of its extent.

In fact, a potential conflict already exists regarding the definition of assets provided by the Law and the definition hitherto used by the Luxembourg Court of Cassation (the “Court of Cassation”).

Prior to the introduction of the Law, the Court of Cassation, which handed down the first and only public court judgment recognizing the illegal downloading of digital data as a criminal offence, considered that Article 461 of the Code, which sanctions the offence of theft, does not distinguish between the tangible and intangible nature of the asset that forms the subject of the theft.

In contrast to the Court of Cassation, which construed the term “asset” in Article 461 of the Code as referring to both material and intangible assets, the Legislator seems to be specifying the exact type of intangible data concerned by adding the words “electronic key” to its definition, to include passwords, digital signatures, certificates such as those of the Luxtrust type and digital identifiers. Thus, Article 461(1) now provides that whoever fraudulently removes an asset or an electronic key that does not belong to them is guilty of theft. The broad interpretation of the term “asset” originally provided by the Court of Cassation may therefore in fact have been narrowed by this amendment to the Code.

During the coming months, we will learn whether the added words “electronic key” affect the effectiveness of the new Law. With the entry into force of the Law, one may wonder how jurisprudence concerning cases related to digital data theft will develop. It remains to be seen how the restriction in the scope of application of the relevant provision is interpreted in practice and how this will influence the effective prosecution of cybercrimes.