Article 3: “Anyone who unlawfully commits the following actions in relation to confidential and classified data which are in transition and traffic electronically, or are stored and saved – by computer and telecommunication systems or data storage devices, will be punished in manners determined by the law:
A- The punishment of accessing the above-mentioned data or obtaining them in some ways or eavesdrop on the transmission of the secret contents of the data, will be punished by imprisonment from one year up to three years, or paying twenty million rials up to sixty million rials fine, or both of these punishments.
B- The punishment for making the data available to unauthorized individuals is imprisonment from two to ten years.
C- The punishment for making the data available to the foreign governments, organizations, and companies, as well as their agents is imprisonment from five up to fifteen years.
Note 1:-Confidential and secret data is the types of data whose disclosure will harm the security of the nation.
Note 2: Within a period of 3 months from the approval of this law, the procedural codes for determining and discerning confidential and secret data, and guidelines on how to store and safeguard them, will be issued and submitted for approval to the cabinet, by the Intelligence Ministry, with the cooperation of the Justice, Interior, Communications, and Defence and Armed Forces Logistics Ministries.
Article 3 of the Cyber Crimes Law has three parts and the special feature of the contents of the transmitted data through computer or telecommunication systems is the element of “Secrecy” and this is the main difference between this Article and the two others mentioned above. Describing the data as secret gives apolitical dimension to the crime.
According to the first part of Article 3 of the Cyber Crime Law, if anyone commits the following actions:
A1- Unauthorized access to the data during its transition: This crime is related to the data that have been described as secret data and were already classified as such.
A2- Unauthorized acquisition of data while it is being transmitted: obtaining the data that are secret and their secrecy already has been clarified.
The different between accessing data and acquisition of data is that in acquisition, an individual obtains the data and in other word, he catches them. By accessing that date, the individual will be capable of studying the data and comprehending their content .
A3- Unauthorized eavesdropping on the content of the communication going through computer and telecommunication systems: Unauthorized eavesdropping on the content of data transfer and communication going through computer and telecommunication systems that have been classed as secret data is included in this Article of the law.
The element of conduct in a crime in this part of Article 3 is the positive aspect of the action. In other words, an act has to be carried out for the crime to materialize.
The perpetrator must be aware that the system in which the data are recorded is a system for recording secret data.
The mental element of this crime is that the perpetrator must be aware of the illegality of unauthorized access or acquisition and/or eavesdropping, and he must intentionally do it. Therefore, awareness and intent of the perpetrator is the mental element of the crime.
Question: How is it possible to consider some data as secret data? And, can some data be considered as secret just because it has been said to be such?
Answer: In Note 1 of this Article, the secret data is identified as the kind of information whose divulgence would harm the country. But, rule of law requires that the classification of data as secret should be done in advance, so that the perpetrator can be accused of trying to access, acquire or divulge them.
It follows from the provisions of Article 5 that secret and confidential data are protected in special systems and maintained by trained officials. Therefore, every data cannot be considered as secret data to allow us to punish the perpetrator with the penalties which are prescribed in Article 3.
Question: What is the punishment for the perpetrator of this crime?
Answer: There are two types of punishments for this crime and these are applicable in three ways:
1. The imprisonment term of at least one year and maximum of three years.
2. Paying fine. At least 20 million rials and maximum 60 million rials. According to the Article 54, the amount of the fine could be changed based on the rate of the inflation, by a recommendation by the Head of the Judiciary and approval of the Cabinet Ministers every three years.
3. Both of these punishments.
According to the second part of Article 3 of the Cyber Crimes Laws:
To make the secret and classified data on computer or telecommunication systems available to unauthorized people is a crime.
To accomplish this crime is necessary:
First- the data on computer or telecommunication systems must be secret and confidential
Second- the perpetrator must access to data without legal authorization.
Third- the data should be made available to other people.
Fourth- the individuals to whom the data have been made available are not authorized to access these types of data.
Question: What is the punishment for an individual who makes secret data available to unauthorized people?
Answer: The punishment is imprisonment and it is at least two years while the maximum is ten years.
According to the third part of Article 3 of the Cyber Crimes Law, the following acts are considered as crime:
A- The disclosure of the secret data which is being transmitted through computer and telecommunication systems.
B- Making the secret data available to a foreign government or foreign organizations or companies, or foreign groups and the agent of these foreign governments and organizations.
The subject matter of the third part in this Article is also related to secret data, both the date in transmission, or recorded data.
For t disclosure — which means revealing and uncovering, and could happen for the purpose of information sharing — it is not necessary to give the data to someone else. The crime is done once the perpetrator makes the content of the secret data available to a foreigner.
However, it in the discussion about giving data to others. someone must be given access to data or obtain it. According to this Article, “the others” must be a non-Iranian and foreigner, whether a real person or a corporate legal entity such as foreign companies or foreign governments or foreign individuals or their agents.
There is no different between data which is in traffic and recorded or stored data in the subject matter of espionage through computer and telecommunications systems. The only special criterion for the spying subject matter is the secret nature of the data.
For the crime of computer espionage, the following are necessary prerequisites and criteria:
*The perpetrator must know and be aware that the system through which the data are transferred, or in which they are recorded and stored is dedicated to confidential data.
* The data must be secret and confidential.
*The perpetrator must be aware of that the data are secret. This means he must know and be aware that the specific data in question are classified.
*The perpetrator must know and be aware that the person to whom he makes the data available or disclosed to is not legally authorized to access the data.
*The perpetrator must know and be aware that the person who the data are made available or to whom the data are disclosed is a foreigner or an agent of the foreigner.
Question: What is the punishment for the perpetrator?
Answer: The punishment is imprisonment for at least five years and a maximum of 15 years.
Article 4:“If anyone violates the security measures for protection of computer or telecommunication systems in order to access some secret data, as defined in Article 3, he will be sentenced to imprisonment of six months up to two years or to paying the fine of 10 million rials up to 40 million rials, or both.”
Article4 of the Cyber Crimes Law is related to the actions of the individuals who make it possible to enter and access the computer or telecommunications systems in which secret data are recorded. In this Article, the violation of the security and protection measures for keeping the secret data safe is considered as a special crime. Although, in reality, it is much closer to the offence of aiding and abetting a crime.
There are two types of punishments for this crime and these are applicable in three ways according to the circumstances of the crime and also the situation of the offender:
1. The punishment could be imprisonment for at least six months and maximum of two years.
2. The punishment could be a fine of at least 10 million rials and a maximum of 40 million rials. According to Article 54 of this law, the amount of the fine can change every three years based on the rate of the inflation. The change will be based on a proposal by the Head of the Judiciary and, the has to be approved by the cabinet..
3- The punishment could be both of the above.