The United Criminal Sections of the Italian Supreme Court affirmed this principle with judgment no. 4694 filed on February 7, 2012, resolving a heated debate which had taken place over the course of many years in case law.
According to a first (more restrictive) interpretation given thereto by case law, the offence in question was committed by whoever introduced themselves into an I.T. system by using a (lawfully held) password for purposes which were, however, extraneous to those for which access had been authorized (cfr., among others, Italian Supreme Court judgment nos. 12732/2000, 37322/2008, 1727/2008, 18006/2009, 2987/2009, 19463/2010 and 39620/2010).
On the basis of a different (and less restrictive) line of interpretation, such offence was held to have been committed only in the case in which access to an I.T. system had been unlawfully gained.
In other words, only unauthorized access thereto was held to be unlawful and not access gained – albeit for purposes which were extraneous to those for which authorization had been given- by someone who had been authorized to gain access thereto (this left unaffected the latter’s liability for any such offences as might be committed in relation thereto; cfr. Italian Supreme Court judgments nos. 2534/2007, 26797/2008 and 3290/2008).
The United Criminal Sections of the Italian Supreme Court resolved, therefore, the conflict which had arisen in previous judgments, adopting the (more restrictive) stance taken by the courts and upholding the Rome Court of Appeal’s conviction of a police officer who – by means of the password which had been given to him – had gained access to an investigative database not for the purpose of conducting an inquiry but merely for the purpose of disclosing confidential to third parties.
The Italian Supreme Court judges held, in relation thereto, that the point in dispute was not so much the objectives pursued by the offender (which could consist in the commission of other offences) as the objective fact that the orders given by the system controller (i.e. internal regulations, employment agreements etc.) had been disobeyed.
It was, in fact, affirmed that an offence is committed by whosoever – after having been authorized to gain access to and stay inside an I.T. system – breaches the conditions and restrictions which are placed by the system controller with a view to objectively regulating what type of access may be had to such system.
The court had, therefore, to assess whether the controller’s instructions as to what use may be made of the I.T. system have been contravened (whereas the objectives pursued by the defendant in relation thereto would be altogether irrelevant).
The Supreme Court judges were of the opinion that the offence of acquiring confidential data for unlawful purposes sanctioned by article 615-ter of the Italian Penal Code would not be committed in the event that such data were to be acquired in accordance with the instructions given by the data controller (central to the question of exactly what conduct was forbidden by the system controller would be the general terms and conditions of access/use of such (public or private) I.T. system drafted by the controller).