Penalties and Sanctions for digital identity theft in Spain

The taking of someone else’s identity on the Internet, and using the data collected for malicious purposes, is often called spoofing. Data includes a user’s name, surname, pseudonym and password used on the Internet, but this is not limited to personal data. As follows, data also includes emails, IP addresses, URLs, websites, messages published online, social network profiles, logos, pictures and all the other numerical elements that may characterize a natural person. Consequently, both the common characteristics of the identity, plus those specific to the Internet are concerned.

To date, no specific Spanish law regulates spoofing on the Internet. Instead, a combination of the Spanish Penal Code articles provides protection, with more or less efficiency, to victims of these acts.

Article 18-4º of the Spanish Constitution specifically provides that the use of information technology cannot be made at the expense of honour and respect for the private lives of Spanish citizens. Article 401 of the Spanish Penal Code, which sanctions the theft of civil identity with a term of imprisonment ranging from 6 months up to 3 years, suggests spoofing. However, this article does not precisely concern infringements perpetuated on the Internet, but also (according to the Supreme Court jurisprudence of 15 June 2009) only applies in the case of permanent identity theft. Indeed, this article is valid only if the usurper has the intention to use and claim ownership of the data to act on behalf of the people attacked, for example, for the misappropriation of an inheritance. Alternatively, spoofing is not considered a crime with a permanent character since the person who uses a website or a social networking profile only intends to use his victim’s identity for a limited time to set up the fraud. Moreover, since it takes place on the Internet, this attack cannot last long.

Articles 197-2 and 197-3 of the Spanish Penal Code punish the use and modification of personal and familial data as well as their unauthorized access, which has been performed in any way against the will of the owner. These two articles might sanction spoofing even if this is not, as such, an offence prescribed by law. However, these articles only concern personal data and do not mention all the other types of data present on the Internet used to identify a person.

Therefore, to fully sanction spoofing in Spain, it will be necessary to file a lawsuit using the following legal actions conjointly: unauthorized access to information technology, theft of civil identity if it is serious and permanent, libel, slander, and threat; offences all contained in the Penal Code. In this way, if the theft is serious, by cumulating these different actions, the Penal Code seems to give victims sufficient resources to protect themselves.  If there has been only one of the above crimes, the theft will be considered a misdemeanour and therefore will be difficult to prove and punish. Therefore, victims do not yet have sufficient legal security to make sure the damages suffered will be repaired. Thus, it is still complicated in Spain to punish spoofing because this is not an offence recognized by law.

On the contrary, in France, Law n° 2011-267 of 14 March  2011 for orientation and programming to develop internal security, LOPPSI 2 reinforces the protection given to people on the Internet by introducing the French Penal Code Article 226-4-1. The Article specifically recognizes spoofing as a crime, as long as the fraudulent use of data disturbs the tranquillity or violates the victim’s honour and reputation.

Lucie Robin & Nicolás Melchior

If you need additional information,

Please note that this article is not intended to provide legal advice.

Related Articles