
Illegal Access to Data & Systems Lawyers
Criminal defence in unauthorised access to IT systems and interception of communications (Art. 197 bis CP).
Illegal access to computer data is an offence of growing importance in the digital age. Regulated in Articles 197 bis and 197 ter of the Criminal Code (CP), it punishes those who access a computer system or intercept electronic communications by breaching security measures, without the owner's authorisation. It is an autonomous offence within the family of crimes against privacy, protecting information security as an independent legal interest.
Criminal Modalities
Art. 197 bis CP covers two forms of conduct: illegal access to computer systems (hacking in the strict sense) and the interception of non-public transmissions of data. The first requires breaching security measures (passwords, firewalls, encryption); the second covers the capture of communications in transit through sniffers, man-in-the-middle attacks or the interception of WiFi signals. Art. 197 ter punishes the production, acquisition or supply of tools designed to commit these offences.
Penalties & Aggravations
Basic illegal access carries prison of 6 months to 2 years. If the data obtained is disclosed, the penalty rises to 2 to 5 years (Art. 197.3 CP). Where the data affects personal privacy (health data, sexual orientation, ideology), the penalty is aggravated. Where the access affects critical infrastructure (healthcare systems, power grids, banking systems), the penalties can reach 5 to 7 years. Further aggravating circumstances apply where the offender is a public official or belongs to a criminal organisation.
Most Common Attack Techniques
The access techniques that the courts have tried include: phishing (impersonation to obtain credentials), brute force (systematic password testing), the exploitation of software vulnerabilities (zero-day exploits), social engineering (psychological manipulation to obtain access), network attacks (ARP spoofing, DNS hijacking), the installation of malware (trojans, keyloggers, RATs) and the use of leaked credentials from compromised databases.
Protection of Corporate Data
Illegal access to corporate data has an additional dimension: it may amount to industrial espionage (disclosure of trade secrets, Art. 278 CP), employee disloyalty (where a worker accesses data they are not entitled to) or computer sabotage (deleting or altering data, Art. 264 CP). Under the GDPR, companies are required to notify the Spanish Data Protection Agency (AEPD) of security breaches within 72 hours, and the affected individuals without undue delay.
Ethical Hacking & Cooperation
Ethical hacking or penetration testing is the activity of testing the security of computer systems with the owner's authorisation. It requires a written contract defining the scope, duration and authorised systems. The absence of such a contract turns the activity into punishable illegal access, regardless of the researcher's good intentions. The bug bounty programmes of technology companies provide a legal framework for the responsible disclosure of vulnerabilities.
Forensic Investigation
Investigating illegal-access offences requires computer forensics: analysis of access logs, tracing of IP addresses (with judicial authorisation), recovery of deleted data, malware analysis, metadata study and reconstruction of the attacker's sequence of actions. The digital chain of custody is fundamental: any alteration of the electronic evidence may render it inadmissible. The State security forces have specialised units for this type of investigation.
Defence Strategies
The defence may be built by showing: that there was authorisation from the system owner (express or implied); that no security measures were breached (the data was publicly accessible); that the access was accidental (open data was encountered without any intention to access it); that the identified IP does not correspond to the accused (open WiFi, shared VPN, IP spoofing); or that the person was acting within a legitimate bug bounty programme. The technical complexity of these cases makes independent forensic expert evidence especially important. We act before the Investigating Courts, the Criminal Courts and the Provincial Courts.
Procedure, time limits and the competent court in unlawful access
Unlawful access to an information system is prosecuted through the ordinary channels of criminal procedure. The investigation falls to the Investigating Court (Juzgado de Instrucción) of the place where the offence was committed, which in computer crime is usually fixed at the point from which the actor operated or where the harmful result occurred. Once the investigation closes, the trial belongs to the Criminal Court (Juzgado de lo Penal) where the maximum penalty does not exceed five years, which is the case for every form of Articles 197 bis and 197 ter, whose penalties range from three months to two years of imprisonment.
A common misconception is worth dispelling: these offences are not tried by the National Court (Audiencia Nacional) merely because they have a technological or cross-border element. The National Court only takes jurisdiction where one of the limited statutory grounds applies, or by express connection with another case that does belong to it. Outside those situations, the natural forum is the Criminal Court, and the Provincial Court (Audiencia Provincial) would only step in if the final classification dragged in a connected offence carrying a penalty above five years.
The defence is active from the first stage of the investigation: requesting steps that pin down who actually accessed the system, challenging attribution where it rests solely on an IP address or connection data without proof of personal authorship, and ensuring the charge matches the specific conduct rather than an inflated classification. Each decision on evidence at this stage shapes the room for manoeuvre at trial.
Digital forensic evidence and the lawfulness of how it was obtained
In offences of unlawful access and interception the evidence is almost always digital: connection logs, forensic copies of devices, metadata, network traffic captures or expert reports on the breach of security measures. The decisive question is not only what that evidence shows, but how it was obtained. Article 18.3 of the Spanish Constitution guarantees the secrecy of communications, and any interference requires a prior court order that is reasoned and proportionate.
The Criminal Procedure Act regulates these measures in detail. Interception of electronic communications is governed by Articles 588 ter a and following; access to the content of computers, phones and seized storage media requires the specific authorisation of Article 588 sexies, which is not deemed covered by the mere physical seizure of the device. A data extraction carried out without that authorisation, or exceeding its scope, opens the door to the exclusion of the evidence.
The defence scrutinises the chain of custody of each item: whether the forensic copy was made with methods that preserve its integrity through verification values, whether there was effective judicial control, and whether the expert analysis is reproducible and capable of being contested. Where the core evidence is obtained in breach of fundamental rights, the exclusionary rule applies, together with its knock-on effect on derivative evidence, which can hollow out the prosecution case. That is why the analysis of evidential lawfulness is often the centre of the strategy.
Boundaries with neighbouring offences: computer fraud, damage, money laundering and deepfakes
Unlawful access rarely stands alone. Where, beyond entering the system, an unconsented transfer of assets is achieved through computer manipulation, the conduct shifts to the computer fraud of Article 249.1.a of the Criminal Code, carrying six months to three years of imprisonment; it is not the former 248.2, now reorganised. Where data or programs belonging to another are deleted, altered or rendered useless, the applicable offence is computer damage under Article 264 and related provisions, which protects a different legal interest.
In the fraud chain the intermediary who receives and forwards funds of unlawful origin, the so-called money mule, appears frequently. The key to that defence lies in proving knowledge: whether the person acted with conditional intent, accepting the high probability of a criminal origin, or whether the reckless form of money laundering under Article 301.3 applies, punished with six months to two years of imprisonment, or whether the required subjective element is absent altogether. That often blurred line decides both the classification and the penalty.
Manipulated images deserve a separate note. Article 197.7 punishes the dissemination of intimate images recorded with the person's agreement and later spread without consent, but it presupposes real material. Fully synthetic images generated with artificial intelligence, which do not capture a real image of the victim, do not fit naturally within that offence, which creates a gap. Faced with wholly artificial sexual montages of adults, the usual route is the offence against moral integrity of Article 173, given the serious humiliation that such objectification entails, regardless of whether the image is genuine.
Prescription and plea agreements: two variables worth calculating early
Prescription is calculated under Article 131 of the Criminal Code according to the maximum penalty attached to the offence. Every form of Articles 197 bis and 197 ter is capped at two years of imprisonment, so they fall within the bracket of offences whose maximum penalty does not exceed five years: they prescribe after five years. Under the current system there is no intermediate three-year bracket for these offences; that period disappeared with the reform of Article 131 itself. Time runs from the day the offence was committed and is interrupted when proceedings are effectively directed against the person under investigation.
Where more serious connected offences are present, the prescription period is measured against the penalty of the most serious offence in the set being tried, so an associated computer fraud may carry a different time horizon. It is therefore advisable to establish from the outset which classification the prosecution is pursuing and from what date the clock runs, because a well-framed calculation can close the proceedings before trial.
A plea agreement (conformidad) is another variable assessed early. Such an agreement can, where appropriate, reduce the sentence and bring a faster end to the proceedings, and it makes particular sense where the evidence against the accused is solid and the reduction is substantial. It is not an automatic choice: it is only appropriate after weighing the strength of the evidence, the possible exclusion of items obtained without safeguards, and the presence of mitigating factors such as making good the harm. The defence tests each scenario with the person facing the proceedings so that the choice between contesting the trial and reaching an agreement reflects an informed calculation.
Penalties & Consequences: Illegal Access to Data & Systems Lawyers
| Type / Scenario | Criminal Penalty |
|---|---|
| Illegal access (Art. 197 bis CP) | Prison of 6 months-2 years for accessing a system by breaching its security. |
| Interception (Art. 197 bis.2 CP) | Prison of 6 months-2 years for intercepting non-public transmissions. |
| Supply of tools (Art. 197 ter CP) | Prison of 6 months-2 years for supplying tools for illegal access. |
* Penalties shown are indicative. The actual penalty depends on the circumstances of the case and on any applicable mitigating and aggravating factors.
Defense Strategy: Illegal Access to Data & Systems Lawyers
No Security Breached
Where there was no active protection, there can be no 'breach' of security measures.
Authorisation
Authorised access that did not exceed the permissions granted.
Bug Bounty
Authorised penetration testing is not illegal access.
Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide
Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.
Penalty Table: Cybercrime
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |
Key Defence Strategies
IP Attribution Challenge
An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.
Chain of Digital Custody
Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.
Authorised Security Testing
Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.
Lack of 'Breaching Security Measures'
Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.
Key Case Law
The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.
The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.
In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.