
Criminal Lawyers in Digital Privacy Defense
Strategic defense against accusations of hacking, phishing, and unauthorized system access
Last updated:
What Is Illegal Data Access: Types, Penalties and Defense (Arts. 197-197 quinquies CP)
The crime of illegal data access and other types related to digital privacy are regulated in Arts. 197 to 197 quinquies of the Spanish Criminal Code, within Title X dedicated to privacy crimes. The protected legal interest is personal and family privacy recognised in Art. 18 of the Spanish Constitution, together with the right to informational self-determination consolidated by constitutional doctrine in STC 292/2000 and the secrecy of communications. Supreme Court case-law has clarified that the type covers any unauthorised intrusion into the individual's reserved sphere, whether through physical seizure of supports, interception of communications, breach of computer security measures or use of spyware, regardless of whether sensitive information is actually discovered.
Modalities (Arts. 197-197 quinquies)
The Spanish Criminal Code distinguishes several modalities within this scope. Art. 197.1 CP punishes the discovery of secrets through seizure of papers, letters, emails or any other documents, as well as the interception of telecommunications or use of technical listening and recording devices. Art. 197.2 CP punishes unauthorised access, modification, alteration or use of personal data registered in files or computer media (the typical crime of discovery and disclosure of protected data). Art. 197 bis CP introduces pure hacking: access by any means or procedure, breaching established security measures, to a computer system or part thereof, without authorisation; the crime is completed with mere intrusion, without need to copy or disseminate information. Art. 197 ter CP punishes the manufacture, import or facilitation of programs or tools designed to commit previous crimes (phishing kits, keyloggers, remote access trojans). Art. 197 quater and quinquies CP aggravate penalties when facts are committed within a criminal organisation or group or when affecting essential infrastructure.
Penalties by Modality
The penalties are severe and graduated according to modality. The basic discovery of Art. 197.1 CP is punished with one to four years' prison and fine of twelve to twenty-four months. If the subject disseminates, reveals or transfers the discovered data, the penalty rises to two to five years' prison. The illegitimate access of Art. 197 bis CP carries six months to two years' prison, aggravable to three years if specific circumstances concur (remaining in the system against the holder's will). The interception of Art. 197 bis 2 CP is punished with three months to two years' prison or fine of three to twelve months. The facilitation of tools of Art. 197 ter CP means six months to two years' prison or fine of three to eighteen months. When facts are committed by a public official taking advantage of their position, penalties are imposed in their upper half. The vulnerable victim aggravator (minors, persons with disability) likewise raises penalties, and the impact on especially sensitive data (health, racial origin, sexual orientation) determines imposition of the upper half.
Defence Strategy
Technical defence in these proceedings requires advanced knowledge of criminal law, procedural law and forensic computing. The first axis is challenging the digital chain of custody: electronic evidence must have been obtained respecting bit-by-bit forensic imaging, hash calculation, time-stamping and documented preservation per UNE-EN ISO/IEC 27037 and case-law on digital evidence; any breach can lead to evidentiary nullity under Art. 11.1 LOPJ. The second axis is challenging authorship: IP addresses, device identifiers or digital footprints may correspond to a shared computer, a compromised network or a terminal infected by malware acting as botnet without the holder's knowledge; the contradictory computer expert is decisive to prove these hypotheses. The third axis is the denial of intent: hacking requires knowledge and will to breach security measures; accidental access, legitimate exercise of administrator functions or ignorance of the absence of authorisation can exclude typicality. The fourth axis is the express or tacit consent of the holder: when corporate monitoring policy exists with prior notice per the ECHR case law on employer monitoring of employee communications, employer access may be covered.
Current Forensic Practice
In current forensic practice we observe exponential growth in digital privacy crimes. The most frequent cases include access to the partner or ex-partner's WhatsApp, Instagram, Gmail or iCloud account, installation of spy apps on family devices, targeted phishing against individuals and companies, social engineering attacks and, in the corporate sphere, internal intrusions by employees with privileged access. Organic Law 3/2018 on Personal Data Protection and the direct application of the EU's General Data Protection Regulation (GDPR) have reinforced the affected party's rights and, in parallel, have increased criminal rigour in pursuing these conducts. The National Police Central Technological Investigation Brigade, the Civil Guard Telematic Crimes Group and the Computer Crime Section of the General Prosecutor's Office coordinate increasingly complex investigations requiring specialised defences. At Alonso Sala we combine 15+ years of experience in criminal law with collaboration of forensic computer experts accredited by ANCITE to articulate strategies tailored to each modality —domestic access, corporate hacking, industrial espionage or personal data dissemination— aiming to preserve the client's freedom and fundamental rights.
Mobile & Social Media Access
Accessing a third party's personal accounts without consent, even if the password is known, constitutes a crime. The law focuses on the intent to invade privacy rather than technical complexity.
Specialist Cyber Defense
We combine legal expertise with digital forensic skill to challenge evidence in cybercrime cases.
- checkAnalysis of logs and IP traces to identify the real origin of access.
- checkDetection of malware or trojans that could have mimicked identity.
- checkChallenging digital evidence obtained without judicial control.
- checkDefense in cases of industrial espionage and disclosure of secrets.
Privacy Crimes in Spain: Discovery & Disclosure of Secrets — Defence Guide
Privacy crimes — discovery and disclosure of secrets (Art. 197 CP), illegal access to computer systems (Art. 197 bis), and non-consensual image sharing (Art. 197.7) — are among the fastest-growing offences in Spain. The digital environment has made private communications, intimate images and personal data especially vulnerable. These offences carry prison sentences of up to 5 years and require specialised technical defence combining legal expertise with digital forensics.
Penalty Table: Privacy Crimes
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Discovery of secrets (basic) | Art. 197.1 | Seizing letters, emails, or intercepting telecommunications | 1 – 4 years prison |
| Disclosure to third parties | Art. 197.3 | Revealing or transferring discovered secrets | 2 – 5 years prison |
| Sensitive data (health, sexuality, ideology) | Art. 197.5 | Discovery/disclosure involving specially protected data | 3 – 5 years prison |
| Illegal access to computer systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Non-consensual image sharing (sexting) | Art. 197.7 | Sharing intimate images obtained with consent | 3 months – 1 year |
| Professional perpetrator | Art. 197.4 | Crime committed by person in charge of data files | Upper half + disqualification |
Key Defence Strategies
Consent Defence
If the victim gave express consent to access their communications or devices, the crime is excluded. The defence must prove that consent was freely given, specific and not obtained through deception.
Fruit of the Poisonous Tree
If the prosecution's evidence was obtained through illegal means (hacked WhatsApp, unauthorised wiretap), it is inadmissible under Art. 11.1 LOPJ. Challenging the chain of custody is critical.
Lack of Criminal Intent (Dolo)
If the access was accidental or by mistake (opening someone else's email by confusion, finding an unlocked phone), there is no criminal intent. The prosecution must prove the accused acted knowingly.
Whistleblowing Protection
EU Whistleblowing Directive (2019/1937) protects employees who report illegal activity through proper channels. Revealing secrets to expose crime may be justified, though procedure matters.
IP Attribution Challenge
An IP address alone may not identify the perpetrator. Shared connections (Wi-Fi, VPN, corporate networks) create reasonable doubt about who actually accessed the data.
Statute of Limitations
Basic privacy crimes prescribe in 5 years. Digital evidence is volatile — logs, IPs and server records may be deleted. Early action by both prosecution and defence is essential.
Key Case Law
The Supreme Court confirmed that accessing a partner's unlocked phone constitutes the crime of Art. 197.1 CP. The absence of a password does not imply consent. Privacy is presumed regardless of security measures.
Following the European Court of Human Rights case law on employer monitoring of employee communications, the Court ruled that such monitoring requires prior, clear policy notification. Without it, evidence is inadmissible and the employer may face criminal liability.
Clarified that Art. 197.7 requires images obtained WITH victim's consent (within a relationship) and shared WITHOUT consent. Images obtained covertly constitute a different offence (Art. 197.1).
Digital Privacy
Is it a crime to log into someone's Facebook if I guess the password?expand_more
Can I read my employee's emails to see if they are working?expand_more
What if I install a spy app on my partner's phone?expand_more
Is it a crime to use someone's computer if they left it on?expand_more
If I get a screenshot of a private chat, can I use it?expand_more
Is it legal to record with a hidden camera in my own home?expand_more
What if I suspect I have spyware on my phone?expand_more
Is 'Remote Access Trojan' (RAT) a crime?expand_more
Can I recover my hacked account by hacking the hacker?expand_more
What liability does a system administrator have?expand_more
Is sharing Netflix passwords a crime?expand_more
If the phone is company-owned, is it mine or the company's?expand_more
What is interception of communications?expand_more
Difference between hacking and computer damage?expand_more
Does hacking expire?expand_more
Looking for a Digital Privacy Defense Lawyer in Spain?
As a national law firm, we offer specialized criminal defense in courts across Madrid and the rest of Spain. We handle each Digital Privacy Defense case with the urgency and technical rigor it requires from day one.
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.