Theft of information

In a decision dated June 28, 2017, the Criminal Chamber of the Cour de cassation (French Supreme Court) specified that “free access to personal information on a company’s IT network does not mean that such information may not be fraudulently appropriated by any means of reproduction”.

This landmark decision revives the debate on the tricky issue of theft of information.

The terms of the June 28, 2017 decision

In the decision commented herein, the partner of a law firm had retrieved letters of another partner from the firm’s IT network and delivered such letters to the President of the Bar.

Charged with theft, he was convicted by the first instance court and then by the Court of Appeals. He lodged an appeal before the Cour de Cassation, arguing that there had not been any fraudulent retrieval insofar as (i) the letters were freely accessible, and (ii) the authors of the letters had not been dispossessed thereof. Yet, the Criminal Chamber of the Cour de Cassation dismissed the appeal and upheld the findings of the appellate judgment.

Judges considered that only the plaintiff had the power to use such letters which had, as a result, been fraudulently appropriated. The indicted had consulted such letters and reproduced them without the knowledge, and against the will, of the injured party for purposes unconnected with the interests of the law firm.

In its decision, the Criminal Chamber of the Cour de Cassation specified that “free access to personal information on a company’s IT network does not mean such information may not be fraudulently appropriated by any means of reproduction”.

The enshrinement of a case-law development

This decision is in line with a case-law trend towards a progressive recognition of the offense of theft of information.

Judges initially recognized the offense of theft of information only if a material medium had been stolen, in which case, they would convict the applicant who had “fraudulently appropriated [the documents] for the laps of time necessary to reproduce them”[1].

Subsequently, the Cour de Cassation, upholding judgments by which Courts of Appeals had convicted parties for the theft of material media and their informational contents, refrained however from ruling that a piece of information was an object of property that can be stolen[2].

In another more recent decision dated May 20, 2015[3], the Criminal Chamber of the Cour de Cassation upheld a judgment by which an individual who had downloaded and copied confidential digital data was convicted for theft.

Specifically, the Cour de Cassation held that the offender had “retrieved data that he has used without the consent of their owner”, thereby acknowledging that computer data not recorded on any physical medium could be misappropriated.

As such, the June 28, 2017 decision enshrines the existence of the offense of theft of information even when the relevant individual was authorized to access the documents fraudulently appropriated.

The evolution of the concepts of “thing” and “appropriation”

Such a case-law development raises questions as to the concepts of “thing” and “appropriation”, both of which are expressly referred to in Article 311-1 of the French Criminal Code.

Firstly, the concept of “thing” requires, in the traditional sense of the word, a material dimension. But the recognition of the offense of theft of information implies that such information, even though intangible, is a “thing” within the meaning of the aforementioned Article.

Secondly, the concept of “appropriation” traditionally requires a switch of possession, even momentarily. Yet, when it comes to a theft of information, there is no dispossession as the information is simply shared. The appropriation would then be a mere taking of possession without the knowledge or against the will of the owner.

The extension of these two concepts tends to a dematerialization of the material element of the offense, which creates some legal uncertainty.

This development needs to be articulated with Article 323-3 of the French Criminal Code

The reach of the June 28, 2017 decision remains to be determined insofar as the material facts occurred prior to the entry into force of Law n°2014-1353 of November 13, 2014 (tougher than the previous Law) that punishes the fraudulent retrieval of data from an automated data processing system.

Currently, Article 323-3 of the French Criminal Code (as amended by Law n°2015-912 of July 24, 2015) stipulates as follows: “fraudulently introducing data into an automated data processing system or fraudulently extracting, holding, reproducing, transmitting, deleting or modifying the data it contains is punishable by five years’ imprisonment and a €150,000 euros fine”.

This offense is likely to stop convictions for theft of information – which are legally questionable. Incidentally, it cannot be excluded that the wording used by the Cour de Cassation – according to which free access to personal information does not mean that such information may not be fraudulently appropriated – will be applied in connection with this new offense.

[1] Criminal chamber of the Cour de Cassation, January 8,1979, Logabax, n°77-93.038

[2]  Cf. in particular, Criminal chamber of the Cour de Cassation, January 12, 1989, Bourquin, n°87-82.265; Criminal chamber of the Cour de Cassation, March 1, 1989, Antoniolli n°88-82.815; Criminal chamber of the Cour de Cassation, September 9,.2003, n°02-87.098; Criminal chamber of the Cour de Cassation, March 4, 2008, n°07-84.002

[3] Criminal chamber of the Cour de Cassation, May 20, 2015, n°14-81.336 (following a technical failure, the indicted accessed an extranet platform protected by an access control mechanism)