Alonso Sala
CRIMINAL LAWYERS

Criminal Lawyers in Digital Privacy Defense

Strategic defense against accusations of hacking, phishing, and unauthorized system access

What Is Illegal Data Access: Types, Penalties and Defense (Arts. 197-197 quinquies CP)

The crime of illegal data access and the related digital privacy offences are regulated in Arts. 197 to 197 quinquies of the Spanish Criminal Code, within Title X, which is dedicated to privacy crimes. The protected legal interest is the personal and family privacy recognised in Art. 18 of the Spanish Constitution, together with the right to informational self-determination consolidated by constitutional doctrine in STC 292/2000 and the secrecy of communications. Supreme Court case-law has clarified that the offence covers any unauthorised intrusion into the individual's reserved sphere, whether through physical seizure of storage media, interception of communications, breach of computer security measures or use of spyware, regardless of whether sensitive information is actually discovered.

Modalities (Arts. 197-197 quinquies)

The Spanish Criminal Code distinguishes several modalities within this scope. Art. 197.1 CP punishes the discovery of secrets through seizure of papers, letters, emails or any other documents, as well as the interception of telecommunications or use of technical listening and recording devices. Art. 197.2 CP punishes unauthorised access to, or modification, alteration or use of, personal data registered in files or computer media (the typical crime of discovery and disclosure of protected data). Art. 197 bis CP introduces pure hacking: access by any means or procedure, breaching established security measures, to a computer system or part thereof, without authorisation; the crime is completed with the mere intrusion, without any need to copy or disseminate information. Art. 197 ter CP punishes the manufacture, import or facilitation of programs or tools designed to commit the preceding crimes (phishing kits, keyloggers, remote access trojans). Arts. 197 quater and quinquies CP aggravate penalties when the acts are committed within a criminal organisation or group or when they affect essential infrastructure.

Penalties by Modality

The penalties are severe and graduated according to modality. The basic discovery offence of Art. 197.1 CP is punished with one to four years' prison and a fine of twelve to twenty-four months. If the subject disseminates, reveals or transfers the discovered data, the penalty rises to two to five years' prison. The illegitimate access of Art. 197 bis CP carries six months to two years' prison, which can be increased to three years if specific circumstances concur (remaining in the system against the holder's will). The interception of Art. 197 bis 2 CP is punished with three months to two years' prison or a fine of three to twelve months. The facilitation of tools under Art. 197 ter CP means six months to two years' prison or a fine of three to eighteen months. When the acts are committed by a public official taking advantage of their position, penalties are imposed in their upper half. The aggravating factor for vulnerable victims (minors, persons with disability) likewise raises penalties, and the impact on especially sensitive data (health, racial origin, sexual orientation) determines imposition of the upper half.

Defence Strategy

Technical defence in these proceedings requires advanced knowledge of criminal law, procedural law and forensic computing. The first axis is challenging the digital chain of custody: electronic evidence must have been obtained with bit-by-bit forensic imaging, hash calculation, time-stamping and documented preservation in line with UNE-EN ISO/IEC 27037 and the case-law on digital evidence; any breach can lead to evidentiary nullity under Art. 11.1 LOPJ. The second axis is challenging authorship: IP addresses, device identifiers or digital footprints may correspond to a shared computer, a compromised network or a terminal infected by malware acting as part of a botnet without the holder's knowledge; a rebuttal computer expert report is decisive in proving these hypotheses. The third axis is the denial of intent: hacking requires knowledge and will to breach security measures; accidental access, legitimate exercise of administrator functions or ignorance of the absence of authorisation can exclude typicality. The fourth axis is the express or tacit consent of the holder: when a corporate monitoring policy exists with prior notice, in line with the ECHR case law on employer monitoring of employee communications, employer access may be covered.

Current Forensic Practice

In current forensic practice we observe exponential growth in digital privacy crimes. The most frequent cases include access to a partner's or ex-partner's WhatsApp, Instagram, Gmail or iCloud account, installation of spy apps on family devices, targeted phishing against individuals and companies, social engineering attacks and, in the corporate sphere, internal intrusions by employees with privileged access. Organic Law 3/2018 on Personal Data Protection and the direct application of the EU's General Data Protection Regulation (GDPR) have reinforced the affected party's rights and, in parallel, have increased criminal rigour in pursuing this conduct. The National Police Central Technological Investigation Brigade, the Civil Guard Telematic Crimes Group and the Computer Crime Section of the General Prosecutor's Office coordinate increasingly complex investigations requiring specialised defences. At Alonso Sala we combine 15+ years of experience in criminal law with the collaboration of forensic computer experts accredited by ANCITE to articulate strategies tailored to each modality —domestic access, corporate hacking, industrial espionage or personal data dissemination— aiming to preserve the client's freedom and fundamental rights.

Mobile & Social Media Access

Accessing a third party's personal accounts without consent, even if the password is known, constitutes a crime. The law focuses on the intent to invade privacy rather than technical complexity.

Specialist Cyber Defense

We combine legal expertise with digital forensic skill to challenge evidence in cybercrime cases.

  • Analysis of logs and IP traces to identify the real origin of access.
  • Detection of malware or trojans that could have mimicked identity.
  • Challenging digital evidence obtained without judicial control.
  • Defense in cases of industrial espionage and disclosure of secrets.

Privacy Crimes in Spain: Discovery & Disclosure of Secrets — Defence Guide

Privacy crimes — discovery and disclosure of secrets (Art. 197 CP), illegal access to computer systems (Art. 197 bis), and non-consensual image sharing (Art. 197.7) — are among the fastest-growing offences in Spain. The digital environment has made private communications, intimate images and personal data especially vulnerable. These offences carry prison sentences of up to 5 years and require specialised technical defence combining legal expertise with digital forensics.

Penalty Table: Privacy Crimes

| Offence | Article | Description | Penalty |
|---|---|---|---|
| Discovery of secrets (basic) | Art. 197.1 | Seizing letters, emails, or intercepting telecommunications | 1 – 4 years prison |
| Disclosure to third parties | Art. 197.3 | Revealing or transferring discovered secrets | 2 – 5 years prison |
| Sensitive data (health, sexuality, ideology) | Art. 197.5 | Discovery/disclosure involving specially protected data | 3 – 5 years prison |
| Illegal access to computer systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Non-consensual image sharing (sexting) | Art. 197.7 | Sharing intimate images obtained with consent | 3 months – 1 year |
| Professional perpetrator | Art. 197.4 | Crime committed by person in charge of data files | Upper half + disqualification |

Key Defence Strategies

Consent Defence

If the victim gave express consent to access their communications or devices, the crime is excluded. The defence must prove that consent was freely given, specific and not obtained through deception.

Fruit of the Poisonous Tree

If the prosecution's evidence was obtained through illegal means (hacked WhatsApp, unauthorised wiretap), it is inadmissible under Art. 11.1 LOPJ. Challenging the chain of custody is critical.

Lack of Criminal Intent (Dolo)

If the access was accidental or by mistake (opening someone else's email by confusion, finding an unlocked phone), there is no criminal intent. The prosecution must prove the accused acted knowingly.

Whistleblowing Protection

The EU Whistleblowing Directive (2019/1937) protects employees who report illegal activity through proper channels. Revealing secrets to expose crime may be justified, though procedure matters.

IP Attribution Challenge

An IP address alone may not identify the perpetrator. Shared connections (Wi-Fi, VPN, corporate networks) create reasonable doubt about who actually accessed the data.

Statute of Limitations

Basic privacy crimes prescribe in 5 years. Digital evidence is volatile — logs, IPs and server records may be deleted. Early action by both prosecution and defence is essential.

Key Case Law

Supreme Court doctrine: WhatsApp access without password is still a crime

The Supreme Court confirmed that accessing a partner's unlocked phone constitutes the crime of Art. 197.1 CP. The absence of a password does not imply consent. Privacy is presumed regardless of security measures.

Supreme Court doctrine: Employee monitoring and workplace communications

Following the European Court of Human Rights case law on employer monitoring of employee communications, the Court ruled that such monitoring requires prior, clear policy notification. Without it, evidence is inadmissible and the employer may face criminal liability.

Supreme Court doctrine: Non-consensual image sharing and the elements of Art. 197.7

The Court clarified that Art. 197.7 requires images obtained WITH the victim's consent (within a relationship) and shared WITHOUT consent. Images obtained covertly constitute a different offence (Art. 197.1).

Digital Privacy

Is it a crime to log into someone's Facebook if I guess the password?
Yes. 'Unauthorized access' is the core of the crime. You don't need to be a sophisticated hacker; exploiting a weak password (e.g. '123456') to invade privacy is a crime under Art. 197 CP.
Can I read my employee's emails to see if they are working?
Only if the requirements of the European Court of Human Rights case law on employer monitoring of employee communications are met: prior notice, clear prohibition of personal use, and proportionality. If you haven't expressly warned that email is monitored, reading it is a privacy crime.
What if I install a spy app on my partner's phone?
You commit two crimes: discovery of secrets (by accessing data) and computer crime under 197 bis (using spyware). Penalties accumulate. It is coercive control and usually leads to restraining orders.
Is it a crime to use someone's computer if they left it on?
Yes. The lack of a password does not authorize access. Just like an open door in a house, entering without permission is trespassing/privacy crime if restricted data is accessed.
If I get a screenshot of a private chat, can I use it?
As evidence in court, it is risky and may be void. If you disseminate it, you commit disclosure of secrets. Receiving it passively is not a crime, but keeping or forwarding it can be.
Is it legal to record with a hidden camera in my own home?
It depends. You can record for security (robbery prevention), but you cannot record the privacy of domestic workers or guests in areas like bathrooms or bedrooms. That would be a very serious crime.
What if I suspect I have spyware on my phone?
Do not factory reset, as you would delete the evidence. Go to a forensic computer expert to extract the evidence and certify the intrusion. Then report with that expert report.
Is 'Remote Access Trojan' (RAT) a crime?
Yes, it is one of the most aggressive forms of hacking. It allows remote control of camera and mic. It is punished as illegitimate access to systems (Art. 197 bis) and privacy crime.
Can I recover my hacked account by hacking the hacker?
No. 'Hack back' is illegal in Spain. You must report and use the platform's recovery mechanisms. Taking justice into your own hands is a crime.
What liability does a system administrator have?
They have a reinforced duty of confidentiality. If an IT pro uses admin privileges to snoop on user emails without an order or technical justification, they commit a crime with the aggravating factor of abuse of position.
Is sharing Netflix passwords a crime?
Not criminal (unless massive organized fraud); it is a civil breach of terms. But if you use that password to access the profile and extract payment or personal data, you enter criminal territory.
If the phone is company-owned, is it mine or the company's?
The device belongs to the company, but content generated by employee personal use may be protected by privacy rights if there is a 'privacy expectation' tolerated by the company.
What is interception of communications?
It is intercepting the signal 'in flight' (before it arrives or is read), e.g. tapping a phone or using a WiFi sniffer. It is punished whether or not a secret is discovered, due to the danger to communication.
Difference between hacking and computer damage?
Hacking (197) seeks to see/steal data (espionage). Computer damage (Art. 264) seeks to delete, damage, or render the system useless (sabotage). Often they happen together.
Does hacking expire?
5 years. But in complex cybercrimes, investigation can take long. International cooperation to get IPs from foreign servers can stop the statute of limitations.

Looking for a Digital Privacy Defense Lawyer in Spain?

As a national law firm, we offer specialized criminal defense in courts across Madrid and the rest of Spain. We handle each Digital Privacy Defense case with the urgency and technical rigor it requires from day one.

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.
