Skip to content
AS
Alonso Sala
CRIMINAL LAWYERS
ES
Legal Analysis

Illegal Data Access and Interception of Communications (Art. 197 bis CP)

calendar_todayJune 20, 2026

Last updated:

listIn this article

lightbulbKey Takeaways

  • check_circleArt. 197 bis CP protects information security, not privacy
  • check_circle197 bis.1 access by breaching measures: six months to two years
  • check_circle197 bis.2 data interception: three months to two years or a fine
  • check_circleArt. 197 ter CP punishes supplying access programs or passwords
  • check_circleDefence: with no active security measures the offence is not made out

Quick answer

Illegal data access under Article 197 bis of the Spanish Criminal Code punishes anyone who, without authorisation and by breaching security measures, accesses an information system, with six months to two years in prison. Intercepting non-public data transmissions by technical means carries three months to two years in prison or a fine of three to twelve months.

Illegal data access and the interception of communications are conducts that the Spanish Criminal Code punishes autonomously in Article 197 bis CP, among the offences against privacy but with a legal interest of their own: information security — the confidentiality, integrity and availability of information systems. Unlike mere intrusion into a system, the focus here is on access to data and on the interception of transmissions, with a frequent overlap with privacy. As criminal defence lawyers in illegal data access, we explain the two limbs of the offence, how it is distinguished from neighbouring offences, the preparatory acts in Article 197 ter CP and the available lines of defence.

What Article 197 bis CP Punishes

Article 197 bis CP sets out two distinct conducts, both concerning the security of information systems:

  • Illegal access to the system (197 bis.1). Accessing, by any means or procedure, by breaching the security measures established to prevent it and without due authorisation, all or part of an information system, or remaining in it against the will of the person with a legitimate right to exclude others. The penalty is six months to two years in prison.
  • Interception of transmissions (197 bis.2). Intercepting, by technical devices or instruments and without authorisation, non-public transmissions of computer data taking place to, from or within an information system, including electromagnetic emissions. The penalty is three months to two years in prison or a fine of three to twelve months.

The legal interest protected is not personal privacy as such, but information security as an autonomous value. The offence can therefore be committed even if no private information is ever accessed: the unauthorised intrusion into the system or the capture of data in transit is enough.

The Elements of the Offence

For the illegal access of Article 197 bis.1 CP to be complete, the following must concur cumulatively:

  • Access to an information system (or remaining in it), by any means.
  • Breach of security measures. The provision requires that measures established to prevent access exist and are overcome. This is a core element: with no protection to circumvent, the offence is not made out.
  • Lack of authorisation. The access must occur without the consent of the person entitled to grant it.
  • Intent. The offender acts knowing that the access is unauthorised and breaches protections.

In the interception offence of Article 197 bis.2 CP, the defining element is the use of technical devices or instruments to capture non-public transmissions of data. Listening to what is openly public is not punished; interfering with reserved data flows travelling across the network or between devices is.

Penalties and Limbs of the Offence

Article 197 bis CP grades the penal response according to the conduct:

  • Illegal access (197 bis.1): six months to two years in prison.
  • Interception of non-public transmissions (197 bis.2): three months to two years in prison or a fine of three to twelve months.

Where the conduct goes beyond access or interception and involves seizing personal data or communications in order to breach the victim's privacy, the reproach shifts to Article 197 CP, which is markedly more serious (one to four years in prison and a fine of twelve to twenty-four months, with aggravated dissemination of two to five years). And if the conduct destroys, alters or disables another's data or programs, the offence of computer damage comes into play.

Preparatory Acts: Article 197 ter CP

Article 197 ter CP moves the line of protection forward and punishes the preparatory acts of these offences. It penalises anyone who, without authorisation and with the intent to commit one of the offences in Article 197 or 197 bis CP, produces, acquires for use, imports or makes available to third parties:

  • A computer program designed or adapted principally to commit those offences.
  • A computer password, access code or similar data allowing access to all or part of an information system.

The penalty is six months to two years in prison or a fine of three to eighteen months. It is worth noting that the decisive element is the criminal intent: holding or distributing tools that also have legitimate uses (auditing, research, systems administration) is not punishable where that purpose is absent.

Boundary with Disclosure of Secrets (Art. 197 CP)

The most relevant boundary is the one separating Article 197 bis CP from the discovery and disclosure of secrets in Article 197 CP:

  • Article 197 bis CP: protects information security. It is committed through unauthorised access to the system or the interception of data in transit, with no need to breach privacy.
  • Article 197 CP: protects privacy. It punishes seizing papers, letters, email messages or any documents or personal effects, intercepting telecommunications or using listening devices in order to breach another person's privacy.

In practice, a single episode can touch both provisions: someone who accesses a system by breaching its protections (197 bis) and, once inside, seizes personal emails to disseminate them (197) may answer for both in a concurrence of offences. Precisely classifying the facts is decisive, because the penalties and the strategy vary substantially.

Boundary with Computer Damage (Art. 264 CP)

Where the conduct is not limited to accessing or intercepting but erases, damages, deteriorates, alters, suppresses or renders inaccessible another's data, programs or electronic documents in a serious manner, the facts shift to the offence of computer damage in Article 264 CP, carrying six months to three years in prison. In especially serious cases — acting within a criminal organisation, affecting critical infrastructure or essential services — the penalty rises to two to five years in prison and a fine. The key to the distinction is the destructive result: Article 197 bis punishes intrusion and capture; Article 264, sabotage.

Digital Evidence and Its Challenge

These offences are almost always built on electronic evidence, which makes it the centre of the proceedings. Typically there are access logs, IP addresses, device images, computer forensic reports and traffic data supplied by operators. The defence pays particular attention to:

  • The chain of custody of devices and digital evidence, the breaking of which can compromise its validity.
  • Real authorship. An IP address identifies a connection, not necessarily a person; shared networks and equipment, the use of a VPN or the spoofing of credentials raise reasonable doubts about who carried out the access.
  • The lawfulness of how the evidence was obtained and respect for fundamental rights (Article 11.1 of the Organic Law of the Judiciary), with the possibility of seeking the nullity of evidence obtained in breach of safeguards.

Lines of Defence

The defence against a charge of illegal data access is built on several verifiable lines:

  • Absence of active security measures. Article 197 bis.1 CP requires breaching protections; if the system was open or had no effective barriers, an element of the offence is missing.
  • Authorisation from the holder, express or implied. Valid consent excludes the unlawfulness of the access.
  • Legitimate audits and penetration testing. Intrusion tests or bug-bounty programmes covered by a written contract and within their authorised scope do not amount to an offence.
  • Disputing authorship by IP or shared network, in line with the points made on digital evidence.
  • Challenging the evidence and its chain of custody, with possible nullity.

Each case calls for its own technical and legal analysis, without anticipating outcomes and with the utmost discretion.

Criminal Defence in Cybercrime

The criminal-law firm Alonso Sala, based in Madrid (calle Velázquez 27) and acting throughout Spain, takes on the defence in proceedings for illegal data access, interception of communications and related computer offences. We analyse whether the elements of Article 197 bis CP are present, how they are distinguished from the disclosure of secrets and computer damage, and we design a rigorous evidential strategy focused on digital evidence. You can read more about this service on our page on criminal defence for illegal data access.

Frequently asked questions

What does Article 197 bis CP punish?expand_more

It punishes two distinct acts. The first (197 bis.1) is accessing all or part of an information system, or remaining in it against the will of the person entitled to exclude you, without authorisation and by breaching the security measures put in place to prevent it; the penalty is six months to two years in prison. The second (197 bis.2) is intercepting, by technical devices or instruments and without authorisation, non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions; the penalty is three months to two years in prison or a fine of three to twelve months.

How is it different from Article 197 CP on disclosure of secrets?expand_more

Article 197 CP protects privacy: it punishes seizing personal data or communications, or intercepting telecommunications, in order to breach another person's privacy, with one to four years in prison and a fine of twelve to twenty-four months. Article 197 bis CP protects information security as an autonomous legal interest: the mere unauthorised access to the system or the interception of data suffices, with no need to breach personal privacy. A single act can touch both offences.

Is it a crime to access an account whose password I know?expand_more

Knowing the password is not the same as having authorisation. If the account holder has withdrawn, or never granted, permission to access it and security measures exist, entering their system or account may fall under Article 197 bis.1 CP. The decisive point is current authorisation, not the mere availability of credentials.

What penalty applies to supplying hacking software or passwords?expand_more

Article 197 ter CP punishes producing, acquiring for use, importing or making available to third parties, without authorisation and with intent to commit the offences in Articles 197 or 197 bis, a computer program designed for that purpose or a password, access code or similar data. The penalty is six months to two years in prison or a fine of three to eighteen months. It targets preparatory acts.

How is a charge of illegal data access defended?expand_more

The defence examines whether active security measures existed (without protection to breach, the offence under 197 bis.1 is not completed), whether the holder gave express or implied authorisation, whether the access fits within an audit or penetration test under a written contract, and whether authorship is genuinely proven (an IP address or a shared network does not, on its own, identify a person). The digital evidence and its chain of custody are also challenged.

lock_open

gavelDo you need criminal defense in this area?

We are criminal defense lawyers specializing in illegal data access. We act urgently to protect your rights.

View expertisearrow_forward

Related Articles

View allarrow_forward
calendar_todayJune 22, 2026

Fake 'Payment Manager' Job Offer: How You Are Turned Into a Money Mule

Fake 'payment manager' or 'financial agent' job offers are the usual way to recruit money mules without their knowledge. If you fell for one, that prior deception is the basis of your defence.

Money MuleFake Job Offer+2
calendar_todayJune 22, 2026

Money Mule in Spain: What Criminal Risk You Face and How to Defend It

Lending your account to receive and forward money from a scam is not a stand-alone offence: it is prosecuted as money laundering (Art. 301 CP), participation in the fraud or receiving stolen goods. The key is whether you knew the origin of the money.

Money MuleMoney Laundering+2
calendar_todayJune 22, 2026

They Searched My Phone or Cloud Without Authorisation: Is the Evidence Excluded?

Accessing an investigated person's phone, computer or cloud requires a specific, reasoned judicial authorisation (Art. 588 sexies LECrim). Without it, the evidence may be excluded (Art. 11.1 LOPJ) and drag down everything derived from it.

Evidence ExclusionDevice Search+3

Knowledge is power, but strategy is key.

What you read here is just the beginning. Transform information into active defense by contacting our team of experts.

Contact Alonso Sala
Call: +34 91 078 65 74
call