The President of Poland has signed the Act on combating fraud in electronic communications. The so-called Antispoofing Act is supposed to implement Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code. It imposes many new obligations, mainly on telecommunications enterprises and public entities. In addition, the President of the Office of Electronic Communications has been given additional competences. Importantly, there are severe penalties for violations. In addition to administrative sanctions, the Act also introduces several new types of offences.
Crimes in Antispoofing Act
There are four new types of crimes stated in Articles 29-31 of the Act.
The first offence is the sending or receiving of messages or voice calls on a telecommunications network using telecommunications equipment or programmes the purpose of which is not to make use of a telecommunications service but to be recorded at the point of connection of telecommunications networks or by billing systems (Article 29).
The next one is sending a short text message (SMS), multimedia message (MMS) or message via other interpersonal communication services, and impersonating someone else in order to induce the recipient of the message to provide personal data, to commit a criminal act, to open a website, to initiate a voice call, to install software, to transfer computer passwords, access codes or other data allowing unauthorised access to information stored in a computer system, data communication system or network (Article 30).
The third is using, without being entitled to do so, address information pointing to another natural person, a legal person or an organisational unit without legal personality, in order to impersonate another entity with the purpose of inducing the recipient of such a call to submit personal data, to make a disadvantageous disposition of property or to install software, to submit computer passwords, access codes or other data enabling unauthorised access to information stored in an IT system, data communication system or network (Article 31).
And last but not least – making an unlawful modification to address information that makes it impossible or materially more difficult for authorised parties or telecommunications undertakings involved in the delivery of a communication to ascertain the address information of the user sending the communication (Article 32).
Penalties and material liability
They are all punishable by 3 months to 5 years of imprisonment. In minor cases, the Court may choose the penalty between a fine, restriction of liberty and up to 1 year of imprisonment. All four crimes can only be committed if the perpetrator acts with intent. It must be the intent to obtain a pecuniary advantage, personal benefit or to cause harm to another person.
The Act significantly changes the situation of public entities and telecommunications entrepreneurs, on whom many new obligations have been imposed. Failure to comply with them may be grounds for the imposition of high administrative penalties. In some cases the exposure of the company to a penalty may be the result of decisions of the management. Then members of the board may also be criminally liable. The basis for liability for causing damage to the managed entity’s assets is Article 296 of the Criminal Code.
The victim may request compensation for damages. What if there was no material damage, only personal harm, which does not directly translate into material values? Then the victim may request that the court order an exemplary payment. It is also a court-determined amount of money due to the victim, estimated as compensation for non-material damage.
Another issue may be the possible liability of the telecommunications company for damages. If, by failing to comply with its cyber-security obligations, it has exposed its customers to harm, it may also have to face this risk.
The full article is available in Polish here.