Penalties and Sanctions for digital identity theft in Spain

The taking of someone else’s identity on the Internet, and using the data collected for malicious purposes, is often called spoofing. Data includes a user’s name, surname, pseudonym and password used on the Internet, but this is not limited to personal data. As follows, data also includes emails, IP addresses, URL, websites, messages published online, social network profiles, logos, pictures and all the other numerical elements that may characterize a natural person. Consequently, both the common characteristics of the identity, plus those specific to the Internet are concerned.

To date, no specific Spanish law regulates spoofing on the Internet. Instead, a combination of the Spanish Penal Code articles provides protection, with more or less efficiency, to victims of these acts.

Article 18-4º of the Spanish Constitution specifically provides that the use of information technology cannot be made at the expense of honour and respect of the private lives of Spanish citizens. Article 401 of the Spanish Penal Code, which sanctions the theft of civil identity with a term of imprisonment ranging from 6 months up to 3 years, suggests spoofing. However, this article does not precisely concern infringements perpetuated on the Internet, but  also (according to the Supreme Court jurisprudence of 15 June 2009) only applies in the case of permanent identity theft. Indeed, this article is valid only if the usurper has the intention to use and claim ownership of the data in order to act on behalf of the people attacked, for example, for the misappropriation of an inheritance. Alternatively, spoofing is not considered a crime with a permanent character since the person who uses a website or a social networking  profile only intends to use his victim’s identity for a limited time to set up the fraud. Moreover, since it takes place on Internet, this attack cannot last long.

Articles 197-2 and 197-3 of the Spanish Penal Code punish the use and modification of personal and familial data as well as their unauthorized access, which has been performed by any way against the will of the owner. These two articles might sanction spoofing even if this is not, as such, an offense prescribed by law. However, these articles only concern personal data and do not mention all the other types of data present on the Internet used to identify a person.

Therefore, in order to fully sanction spoofing in Spain, it will be necessary to file a lawsuit using the following legal actions conjointly: unauthorized access to an information technology, theft of civil identity if it is serious and permanent, libel, slander, and threat; offenses all contained in the Penal Code. In this way, if the theft is serious, by cumulating these different actions, the Penal Code seems to give victims sufficient resources to protect themselves.  In the event that there has been only one of the above crimes, the theft will be considered a misdemeanour and therefore will be difficult to prove and punish. Therefore, victims do not yet have sufficient legal security to make sure damages suffered from will be repaired. Thus, it is still complicated in Spain to punish spoofing because this is not an offense recognized by law.

On the contrary, in France, Law n° 2011-267 of 14 March  2011 for orientation and programming to develop internal security, LOPPSI 2 reinforces the protection given to people on the Internet by introducing in the French Penal Code Article 226-4-1. The Article specifically recognizes spoofing as a crime, as long as the fraudulent use of data disturbs the tranquillity or violates the victim’s honor and reputation.

Lucie Robin & Nicolás Melchior

Nicolás Melchior

A Law graduate from the Universidad Carlo III de Madrid, Nicolás Melchior specialises in corporate Law, commercial contracts and electronic commerce. Working languages: Spanish, German, English and French. For any further enquiries please Contact us