In our digitalised world, the protection of data is crucial. Growing interconnectedness and our ever-increasing reliance on electronic data transmission have increased the risk of data alteration crimes. In this comprehensive blog post, we will explore what exactly data alteration is, how it is treated in German criminal law, what consequences it can have and what protective measures are recommended.

We will also look at relevant court rulings and answer frequently asked questions on the topic.

What is data alteration?

Data alteration refers to the unauthorised modification, deletion or other interference with data stored on a computer, server or other storage medium. This type of cybercrime can take various forms, such as:

  • Hacking and altering websites
  • Deleting data from a server
  • Manipulating software to affect the way it works
  • Infecting computer systems with viruses that destroy or alter data

Legal basis for data alteration

Data alteration is a criminal offence in Germany. The legal basis can be found primarily in the Criminal Code (StGB) and the Unfair Competition Act (UWG).

§ Section 303a StGB: Data alteration

The central provision on the criminal liability of data alteration is § 303a StGB. This provision reads as follows:

(1) Any person who deletes, renders unusable, alters or suppresses data (section 202a(2)) without authorisation shall be liable to a custodial sentence not exceeding two years or to a monetary penalty.

(2) The attempt is punishable.

According to Section 303a of the Criminal Code, anyone who deletes, makes unusable, alters or suppresses data without authorisation is punished. This must be data that is of legal interest to another person (section 202a(2) StGB). The penalty is imprisonment for up to two years or a fine. Attempting to alter data without authorisation is also punishable.

§ Section 303b StGB: Computer sabotage

A special form of data alteration is computer sabotage, which is regulated in Section 303b of the Criminal Code. It exists when someone commits data alteration in order to disrupt data processing that is of essential importance to another person. The penalty for computer sabotage is a prison sentence of up to three years or a fine.

§ Section 4 UWG: Obstructing Competitors

In addition, data alteration can lead to violations of competition law if it serves to hinder competitors. Section 4 No. 10 UWG provides that unlawful acts of obstruction against competitors are considered unfair competition. A data modification that, for example, impairs a competitor’s online presence or disrupts its business processes can thus constitute a competition infringement.

Current court decisions on data alteration

To better understand the issue of data alteration in a legal context, it is helpful to look at some recent court rulings.

Case 1: The hacker attack on the Bundestag

A prominent example of data alteration is the hacker attack on the German Bundestag in 2015, in which unknown perpetrators penetrated the Bundestag’s IT system and stole large amounts of data. The Federal Public Prosecutor investigated on suspicion of intelligence agency activity, computer sabotage and data alteration. Although the perpetrators have not been identified to date, the case shows the importance of protecting against data alteration at a high political level.

Case 2: Manipulation of customer ratings

Another case (judgement of the Higher Regional Court of Karlsruhe of 05.11.2020, ref. 6 U 51/19) was about the manipulation of customer ratings on a rating portal. A doctor had submitted fake reviews via a fictitious account in order to present himself as a better doctor. The court judged the doctor’s conduct to be unfair competition under Section 4 No. 3 UWG, as he created a competitive advantage over his competitors by depositing falsified customer reviews. Although there was no direct data alteration in this case, the example shows how manipulating information can have consequences under competition law.

Case 3: Data deletion in the employment relationship

In a case decided by an employment court in Austria, an employee had deleted all project data stored on the server before leaving the company. The court ordered the employee to pay damages of 15,000 euros because he had destroyed the data willfully and intentionally. Although this is not a German court ruling, the case shows that employees who make data changes in their employment relationship must expect serious legal consequences.

Consequences of data alteration for affected persons and perpetrators

In addition to criminal sanctions, data alteration can also have far-reaching consequences for data subjects and perpetrators:

  • Financial damages due to data loss, data recovery or reputational damage
  • Liability for damages to third parties, e.g. in the case of the dissemination of harmful programmes
  • Civil law claims for damages by the injured parties
  • Conversion of the employment relationship or sanctions under labour law if employees commit data alterations
  • Entries in the police record, which can have long-term effects on career advancement

Protective measures against data alteration

Both technical and organisational measures are required to protect against data changes. Here are some recommended protective measures:

  • Regularly backing up important data (backups)
  • Updating operating systems and software to the latest version
  • Installing virus and malware protection programmes
  • Secure passwords and changing passwords
  • Encrypting sensitive data
  • Restricting access to data to an authorised group of persons
  • Training employees in the handling of sensitive data and the detection of cyber threats

FAQ on the subject of data alteration

Below are answers to some frequently asked questions about data alteration and legal issues.

Who is responsible for protecting data?

In a company, the responsibility for protecting data lies with the management or owners. This duty can be partially delegated to IT managers or data protection officers, but the fundamental responsibility remains with the business owner. Private individuals are responsible for the protection of their own data if they operate a home network or a personal computer, for example.

Can a company be held liable for a data breach caused by an employee?

In principle, a company can be held liable for damage caused by the actions of an employee if the employee is acting within the scope of his or her employment duties. However, liability may be limited if the employee acted intentionally or with gross negligence.

What should I do if I have been the victim of a data breach?

If you have been the victim of a data breach, you should take the following steps:

  1. Inform the competent police authority and file a criminal complaint if necessary.
  2. Document the incident and secure possible evidence, e.g. log files or communication with the perpetrator.
  3. Inform affected customers, partners or employees about the incident and keep them informed about further developments.
  4. Implement technical measures to remedy the data alteration and take measures to prevent future attacks.
  5. If necessary, consult a lawyer to check your legal options against the perpetrator, such as civil claims for damages.

Are there international agreements to combat data alteration?

Yes, there are some international treaties to combat cybercrime, including data alteration. One of the most important agreements is the Council of Europe Convention on Cybercrime, also known as the Budapest Convention, which sets standards for criminal legislation in the contracting states and promotes international cooperation in the fight against cybercrime.

Data alteration: What is allowed and what is not?

Data alteration is an increasingly important phenomenon in the digitalised world and poses a serious threat to businesses and individuals. Law enforcement and the legal implications of data alteration are a significant aspect in the fight against cybercrime. Only through an interplay of legal regulations, technical protective measures and increased educational work can we effectively protect ourselves from the negative effects of these crimes.