What is IT forgery and when is it punishable?

In a world where digital data is the backbone of our economy and social interactions, the veracity of that data is crucial. Intentionally manipulating digital information can therefore have serious, far-reaching consequences. This is exactly where IT forgery, criminalized in Article 210bis of the Criminal Code, applies to. This crime punishes the falsification of legally relevant data in an information technology system with intent to deceive or harm.

The Belgian legislature created this specific crime because the traditional legislation on forgery, which dates back to an analog era, was not always adequate for digital reality. The question of whether electronic data could be considered a "writing" led to legal uncertainty and divergent interpretations in case law. Article 210bis Criminal Code provides a clear and modern answer to this. It ensures that the protection of public fidelity is extended to the digital world and that those who distort the truth in data do not go unpunished.

The heart of the matter: the building blocks of the crime

Three constitutive elements must be proven cumulatively in order to constitute IT forgery. It is the combination of these elements that makes an act punishable and distinguishes it from mere technical error or carelessness.

1. Manipulation of legally relevant data

Not just any data falls under the protection of this article. It must be legally relevant data: information that has a legal bearing and imposes itself on the public trust. This means that the government or individuals who take cognizance of it can be convinced of the recorded legal fact or can legitimately give credence to it. Assessing this is a question of fact that the court will have to consider on the merits.

Consider, for example:

  • The data on the magnetic strip or chip of a credit card.
  • The contents of a digitally signed contract or electronic purchase order.
  • Data in an electronic health record that substantiate medical treatments or prescriptions.
  • A car's odometer reading stored digitally.

The material form in which this data is stored-whether electromagnetic, optical or otherwise-playes no role whatsoever.

2. A falsification of the truth via data manipulation

The core of the crime is the active falsification of the truth. The law defines exactly how this falsification must take place, namely through data manipulation. This includes four specific acts:

  • Entering false data in an information technology system.
  • Changing existing, correct data.
  • Deletion of data, resulting in the remaining information presenting an inaccurate picture.
  • Changing the possible use with a different technological means.

The crime is not completed until one of these acts actually changes the legal scope of the data. An interesting issue is whether the crime can also be committed by an omission. Some jurists believe that it can, provided that the intentional omission of crucial information accompanies and influences an active act.

3. A special intent: deception or the will to harm

A mere mistake or inadvertence is not enough. The perpetrator must act with special intent. The law specifies two possible intentions:

  1. Deceptive intent: The perpetrator acts with the intention of obtaining for himself or another an undue advantage that he would not obtain if the truth had been respected. This benefit need not necessarily be financial.
  2. The intent to harm: The perpetrator acts with the conscious will to cause harm to a third party, whether material, financial or moral.

It is not necessary that an actual disadvantage be suffered. A possible disadvantage
suffices.

Computer forgery vs. classical forgery

Although the digital crime is designed to fill the gaps in traditional legislation, there are some important differences from traditional forgery (articles 194-197 Criminal Code).

  • Qualification: Forgery is a crime, while computer forgery is a malpractice. This has implications for statutes of limitations, among other things.
  • Fines: Remarkably, the maximum monetary fines for computer forgery are significantly higher than for the classic variant. The legislature thereby recognizes that the potential asset gains in digital fraud can be much greater.
  • Simpler structure: The law no longer distinguishes by the nature of the forged document (e.g., public vs. private) or the capacity of the perpetrator (official vs. private). This complexity from the old law was deliberately omitted to create a more streamlined and technology-neutral provision.

IT forgery in practice: concrete examples

Case law has further colored the contours of article 210bis Criminal Code. Some clear examples illustrate the broad application:

  • Creating a fake profile: Creating a Facebook or email account in the name of an existing person with the intent to harm that person or mislead others is considered IT forgery. The Ghent Court of Appeal ruled in a ruling of 15 september 2017 that forgery occurs when the name is used to create the impression of an existing person. Even if no messages have been distributed with it yet, creating a false profile on an erotic website with a victim's data and photos can already be punishable.
  • Use for "grooming": The Court of Cassation confirmed in a ruling of 12 February 2013 that creating a false profile to contact minors for sexual purposes is also punishable as forgery. Indeed, the perpetrator aims to provide an unlawful advantage to himself.
  • Fake email accounts: Creating an e-mail account in someone else's name and sending messages from there is also considered a manipulation of legally relevant data.

Yet not every untruth on the Internet is actionable. For example, a one-sided, anonymous and subjective review on a website is not covered. In a ruling of 19 May 2015 the Ghent Court of Appeal ruled that such a comment, which is by definition difficult to verify, does not have the legal scope to convince the average visitor of its veracity.

What penalties does one risk for IT forgery?

The penalties for IT forgery are significant and vary depending on the specific act. It is crucial to know that not only the perpetrator of the forgery, but also users of the fake data and even those who attempt it, are punished.

  • The basic crime (the forgery itself): He who commits the IT forgery shall be punished by imprisonment from six months to five years and a fine from twenty-six euros to one hundred thousand euros, or by either of those penalties alone.
  • Use of false data: Anyone who knowingly uses data he knows to be false will be punished exactly as severely as the perpetrator himself. Thus, the penalty is also imprisonment from six months to five years and a fine of up to 100,000 euros.
  • Criminal attempt: The attempt to commit the crime is also punishable. This is punishable by imprisonment from six months to three years and a fine from twenty-six euros to fifty thousand euros, or by either of those penalties alone.
  • Recurrence (recidivism): The law is extra strict for repeat offenders. The above penalties are doubled if the crime is committed within five years of a previous conviction for (i) IT forgery, (ii) violation of the secrecy of private communications or private data of an information technology system, (iii) computer fraud, (iv) hacking or (vi) computer sabotage.
Faced with IT forgery, as a victim or defendant? The subject matter is technical and complex, and the consequences can be severe. Our attorneys, specializing in criminal law and cybercrime, offer expert analysis and strategic defence. Please feel free to contact us for initial advice.

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics