Securisersonsite.fr

1 - Introduction

Below are excerpts of the articles of the Penal Code that concern computer security. It is important to realize that these prohibitions and requirements exist and that the penalties are clearly defined.

Two parts of the Penal Code can be distinguished, each with its own specific scope:

Part 1: Book III - Title II - Chapter III

This part covers anything that affects the security of information systems in general. It is located at the following position in the Penal Code:

BOOK III - Crimes against property
TITLE II - Other property offenses
CHAPTER III - Violations of automated data processing systems

Part 2: Book II - Title II - Chapter VI - Section 5

This part covers anything that affects the individual and his rights. It is located at the following position in the Penal Code:

BOOK II - Crimes against people
TITLE II - Offenses against the human person
CHAPTER VI - Offences against the person
SECTION 5 - Attacks on human rights resulting from files or data processing

2 - Book III - Title II - Chapter III

2.1 - Article 323-1

(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-575 of 21 June 2004 art. 45 I, Official Journal of 22 June 2004)

Fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years' imprisonment and a fine of 30,000 euros.
Where this results in either the deletion or modification of data contained in the system, or an alteration of the functioning of the system, the penalty is three years' imprisonment and a fine of 45,000 euros.

2.2 - Article 323-2

(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-575 of 21 June 2004 art. 45 II Official Journal of 22 June 2004)

Hindering or distorting the functioning of an automated data processing system is punishable by five years' imprisonment and a fine of €75,000.

2.3 - Article 323-3

(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-575 of 21 June 2004 art. 45 III Official Journal of 22 June 2004)

Fraudulently entering data into an automated data processing system, or fraudulently removing or modifying the data it contains, is punishable by five years' imprisonment and a fine of €75,000.

2.4 - Article 323-3-1

(Inserted by Act No. 2004-575 of 21 June 2004 art. 46 I, Official Journal of 22 June 2004)

Importing, holding, offering, selling or making available, without good reason, any equipment, instrument, computer program or data designed or specially adapted to commit one or more of the offenses under Articles 323-1 to 323-3 is punishable by the penalties prescribed, respectively, for the offense itself or for the most severely punished offense.

2.5 - Article 323-4

(Act No. 2004-575 of 21 June 2004 art. 46 II Official Journal of 22 June 2004)

Participation in a group formed or an agreement established for the preparation, characterized by one or more material acts, of one or more of the offenses under Articles 323-1 to 323-3-1 is punishable by the penalties prescribed for the offense itself or for the most severely punished offense.

2.6 - Article 323-5

Natural persons convicted of offenses under this chapter also incur the following additional penalties:

The ban, for a period of five years, on exercising civic, civil and family rights, under the terms of Article 131-26;
The ban, for a period of five years, on holding public office or exercising the professional or social activity in the exercise of which or during which the offense was committed;
The confiscation of the thing that was used or intended to commit the offense or of the thing that is its product, with the exception of items subject to restitution;
The closure, for a period of five years, of the establishments, or of one or more of the establishments, of the enterprise used to commit the offense;
The exclusion, for a period of five years, from public procurement;
The ban, for a period of five years, on issuing checks other than those allowing the withdrawal of funds by the drawer from the drawee or those that are certified;
The display or circulation of the decision, in accordance with Article 131-35.

2.7 - Article 323-6

Corporations can be held criminally liable, as provided by Article 121-2, for the offenses defined in this chapter.
The penalties incurred by legal persons are:

The fine, in the manner provided by Article 131-38;
The penalties mentioned in Article 131-39.
The prohibition mentioned under 2° of Article 131-39 concerns the activity in the course of or in connection with the exercise of which the offense was committed.

2.8 - Article 323-7

(Act No. 2004-575 of 21 June 2004 art. 46 II Official Journal of 22 June 2004)

An attempt to commit the offenses provided for by Articles 323-1 to 323-3-1 is punishable by the same penalties.

3 - Book II - Title II - Chapter VI - Section 5

3.1 - Article 226-16

(92-1336 of 16 December 1992 art. 360 373 Official Journal of 23 December 1992 in force on 1 March 1994)
(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Carrying out or arranging for the processing of personal data, including through negligence, without complying with the formalities required by law prior to its implementation is punishable by five years' imprisonment and a fine of 300,000 euros.

The same penalties apply to carrying out or arranging for, including through negligence, processing that has been the subject of one of the measures provided for under 2° of I of Article 45 of Law No. 78-17 of 6 January 1978 relating to data, files and freedoms.

3.2 - Article 226-16-1-A

(Inserted by Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Where the processing of personal data has been carried out or arranged for under the conditions provided by I or II of Article 24 of Law No. 78-17 of January 6, 1978, referred to above, failure to comply, including through negligence, with the simplified or exemption standards established for this purpose by the National Commission on Informatics and Freedoms is punishable by five years' imprisonment and a fine of 300,000 euros.

3.3 - Article 226-16-1

(Inserted by Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Except in cases where the processing has been authorized as provided by Law No. 78-17 of 6 January 1978 referred to above, carrying out or arranging for the processing of personal data that includes, among the data concerned, the registration number of persons in the national identification register of individuals is punishable by five years' imprisonment and a fine of 300,000 euros.

3.4 - Article 226-17

(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Carrying out or arranging for the processing of personal data without implementing the measures prescribed in Article 34 of Law No. 78-17 of 6 January 1978 referred to above is punishable by five years' imprisonment and a fine of 300,000 euros.

3.5 - Article 226-18

(Act No. 94-548 of 1 July 1994 art. 4 Official Journal of 2 July 1994)
(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Collecting personal data by fraudulent, unfair or unlawful means is punishable by five years' imprisonment and a fine of 300,000 euros.

3.6 - Article 226-18-1

(Inserted by Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Processing personal data relating to an individual despite that person's opposition, when the processing serves marketing purposes, in particular commercial ones, or when the opposition is based on legitimate reasons, is punishable by five years' imprisonment and a fine of 300,000 euros.

3.7 - Article 226-19

(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Except as provided by law, placing or keeping in computer memory, without the express consent of the person concerned, personal data that directly or indirectly reveal the racial or ethnic origins, the political, philosophical or religious opinions or the union affiliation of persons, or that relate to their health or sexual orientation, is punishable by five years' imprisonment and a fine of 300,000 euros.
The same penalties apply, except as provided by law, to placing or keeping in computer memory personal data concerning offenses, convictions or security measures.

3.8 - Article 226-19-1

(Inserted by Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Where personal data is processed for the purpose of research in the field of health, carrying out the processing in either of the following ways is punishable by five years' imprisonment and a fine of 300,000 euros:

Without first individually informing the persons about whom personal data are collected or transmitted of their right of access, rectification and opposition, of the nature of the data transmitted and of the recipients thereof;
Despite the opposition of the person concerned or, when required by law, in the absence of the informed and express consent of the person or, in the case of a deceased person, despite the refusal expressed by that person while alive.

3.9 - Article 226-20

(Act No. 2000-321 of 12 April 2000 art. 5 Official Journal of 13 April 2000)
(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Retaining personal data beyond the period prescribed by law or regulation, by the request for authorization or opinion, or by the prior notification to the National Commission on Informatics and Freedoms, is punishable by five years' imprisonment and a fine of 300,000 euros, unless the retention is for historical, statistical or scientific purposes as provided by law.
The same penalties apply, except as provided by law, to processing, for purposes other than historical, statistical or scientific ones, personal data retained beyond the period mentioned in the first paragraph.

3.10 - Article 226-21

(Act No. 95-116 of 4 February 1995 art. 34 Official Journal of 5 February 1995)
(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

The fact, for any person holding personal data in connection with their recording, classification, transmission or any other form of processing, of diverting this information from its original purpose as defined by the legislative provision, the regulatory act or the decision of the National Commission on Informatics and Freedoms authorizing the automated processing, or by the declarations made prior to the implementation of the processing, is punishable by five years' imprisonment and a fine of 300,000 euros.

3.11 - Article 226-22

(Order No. 2000-916 of 19 September 2000 art. 3 Official Journal of 22 September 2000 in force on 1 January 2002)
(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

The fact, for anyone who has collected, in connection with their recording, classification, transmission or another form of processing, personal data whose disclosure would undermine the reputation of the individual concerned or the privacy of his private life, of bringing these data, without the authorization of the person concerned, to the knowledge of a third party who is not entitled to receive them is punishable by five years' imprisonment and a fine of 300,000 euros.
The disclosure referred to in the preceding paragraph is punishable by three years' imprisonment and a fine of 100,000 euros when it was committed recklessly or negligently.
In the cases mentioned in the two preceding paragraphs, proceedings may be initiated only at the request of the victim, his legal representatives or assigns.

3.12 - Article 226-22-1

(Inserted by Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

Except as provided by law, carrying out or arranging for a transfer of personal data that are being or are intended to be processed to a state outside the European Community, in breach of the measures taken by the European Commission or by the National Commission on Informatics and Freedoms mentioned in Article 70 of Law No. 78-17 of January 6, 1978, referred to above, is punishable by five years' imprisonment and a fine of 300,000 euros.

3.13 - Article 226-22-2

(Inserted by Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

In the cases provided for in Articles 226-16 to 226-22-1, the deletion of all or part of the personal data covered by the processing that gave rise to the offense may be ordered. Members and staff of the National Commission on Informatics and Freedoms are authorized to confirm the erasure of the data.

3.14 - Article 226-23

(Act No. 2004-801 of 6 August 2004 art. 14 Official Journal of 7 August 2004)

The provisions of Article 226-19 apply to non-automated processing of personal data whose implementation is not limited to the exercise of purely personal activities.

3.15 - Article 226-24

(Act No. 2004-801 of 6 August 2004 art. 14 II Official Journal of 7 August 2004)

Corporations can be held criminally liable, as provided by Article 121-2, for the offenses defined in this section.
The penalties incurred by legal persons are:

The fine, in the manner provided by Article 131-38;
The penalties mentioned in 2°, 3°, 4°, 5°, 7°, 8° and 9° of Article 131-39.
The prohibition mentioned under 2° of Article 131-39 concerns the activity in the course of or in connection with the exercise of which the offense was committed.

