UK government sets out reforms to 30-year-old cybercrime law

The UK government is proposing new powers for law enforcement agencies to tackle cybersecurity threats and online crimes.

Proposed changes to the 1990 Computer Misuse Act (CMA) are set out in a consultation paper.

The CMA is arguably overdue for review and reform, given the evolution of technology and cyber threats to businesses and individuals in the thirty years since the CMA came into force.

Three main changes to the CMA are proposed. The first will enable law enforcement agencies to take control of domains and IP addresses that are being used by criminals to carry out online criminal activities, such as fraud and computer misuse. It also includes provisions to allow public authorities to take down these domains and prevent the creation of domains that are suspected to be for criminal purposes. 

The second aims to toughen up offences and penalties for taking or coping data rather than merely unauthorised access to or modification of data.

Under the CMA, data copying only attracts a fine and a maximum of up to two years imprisonment. It is difficult to take action against a person possessing or using data obtained through a CMA offence. It is also not covered under the Theft Act, as theft of data from computer systems commonly involves copying the data, without the intention to “permanently deprive”. The government is considering creating a general offence for possessing or using illegally obtained data.

Considering the seriousness of the threat and the difficulty in taking action against a person possessing or using illegally obtained data, we at Pinsent Masons believe the changes are welcome.

The third proposal would give law enforcement agencies power to require data owners or individuals in control of data to preserve that data in an unaltered state so that it is available for law enforcement investigations.

The proposed power would not permit a law enforcement agency to seize data, but it is intended to allow time for the agency to determine whether the data is relevant to an investigation. If the data is required, the agency would need to obtain court authorisation before it could seize the data. This power would apply to any data relating to any offence. It would be available to all UK law enforcement agencies, including the National Crime Agency (NCA), UK police forces, HM Revenue and Customs (HMRC) and the Serious Fraud Office.

We believe the proposals do, however, raise questions over the enforcement given the international nature of CMA offences. The main difficulty will be trying to enforce it worldwide, given that many cybercrimes involving victims in the UK are carried out by individuals or groups outside of the UK. The UK government will have to rely on cooperation with governments and law enforcement agencies in other jurisdictions, and also those jurisdictions having the ability and legislation to prosecute extra territorial criminality.

The consultation ends on 6 April 2023.

For more information please contact: or

Area of expertise: