ARTICLE 19 and Digital Rights Foundation Pakistan are concerned about the draft Prevention of Electronic Crimes Act of Pakistan 2014 (Draft Law) currently being prepared for presentation before the Pakistani Parliament. Although the Draft Law contains a number of welcome procedural safeguards, several provisions violate international standards on freedom of expression. We therefore call on the Pakistani Government to amend the Draft Law in accordance with our recommendations below before submitting it for Parliament's consideration.
The Draft Law
The Draft Law, which has been drafted by the Ministry of Information Technology and Telecommunications, establishes specific computer crimes and procedural rules for the investigation, prosecution and trial of these offences. The Draft Law criminalises:
- illegal access to and interference with programs, data or information systems
- cyber terrorism
- electronic forgery and fraud
- the making of devices for use in these types of offences
- unauthorised interception of communication.
Protecting human rights within computer crime legislation
ARTICLE 19 and Digital Rights Foundation Pakistan welcome the efforts of the Pakistani Government to provide adequate procedural safeguards in the context of cybercrime investigations. However, all regulation of computer crimes must include the protection of human rights, in particular:
Article 19 of the International Covenant on Civil and Political Rights (ICCPR), to which Pakistan acceded in 2010. This defines the right to freedom of expression and sets out the requirements for limitations to this right. States can limit freedom of expression only in the interest of protecting reputation, national security, public order, health and morals. Limitations must be clearly defined in law and be necessary and proportionate in order to secure one of the aforementioned aims. States must refrain from applying these limitations in a discriminatory manner.
Article 17 of the ICCPR, which guarantees the freedom of individuals from arbitrary or unlawful interference with their privacy and correspondence.
In General Comment 34 on Freedom of Expression, the UN Human Rights Committee states that extreme care must be taken in crafting and applying laws that purport to restrict expression in order to protect national security. Whether characterised as cyber-crime laws, treason laws, official secrets laws or sedition laws they must conform to the strict requirements of Article 19(3).
In General Comment 16 on the Right to Privacy, the UN Human Rights Committee states that interference by states can only take place when based on a law which itself specifies in detail the precise circumstances in which such interference may be permitted.
The 2011 Joint Declaration on the Right to Freedom of Expression and the Internet was adopted by the four international special rapporteurs on freedom of expression representing the Americas, Europe, Africa and the United Nations (UN). This emphasises that standards of liability in cases relating to the internet must take into account the overall public interest in protecting both the expression itself and the forum in which it is shared, (i.e. the need to preserve the "public square" aspect of the internet).
The Council of Europe Cybercrime Convention (2001) ('Cybercrime Convention') provides a helpful comparison. It includes basic procedural safeguards and guidance on how to draft cybercrime legislation in accordance with human rights standards.
In the light of these standards, ARTICLE 19 and Digital Rights Foundation remain concerned that the Draft Law violates international standards for several reasons:
Lack of clear definitions: A number of definitions in the Draft Law are unclear, notably the definition of 'content data', which partially reproduces the definition of 'computer data' as stipulated in the Cybercrime Convention.
This is confusing as computer data and content data are separate concepts. In other instances, the Draft Law fails to define important terms such as 'information systems' or 'program or data'. The lack of clear definitions in the Draft Law means it is more open to abuse and is more likely to criminalise innocuous behaviour, such as accessing a website in breach of its terms of service. By the same token, this endangers the right to freedom of expression. We recommend that 'content data' is replaced by 'computer data' in the Draft Law and refer to the Cybercrime Convention for a definition of 'computer systems'.
Lack of public interest defence for hacking types of offences: The Draft Law criminalises unauthorised access to information systems, programs or data. While the Draft Law is presumably aimed at criminalising 'hacking', it fails to provide a public interest defence for cases where this type of conduct takes place for legitimate purposes, such as investigative journalism or research.
Overly broad cyber-terrorism offence: Section 7 (a) and (b) fails to make an explicit reference to "violence" as part of the offence of cyber-terrorism. Cyber-terrorism should be more clearly linked to the risk of harm or injury in the real world, and in particular harm against the welfare of individuals. It should not be equated with even moderate disruption of public services or damage to property. It is not clear that sections 7 (1) (b) (i) and (ii) would meet that threshold if read independently from Section 7 (1) (b) (vi).
Criminalisation of "defamation against women": Although the attempts to offer special protection to women (e.g. through prohibitions on threatening sexual acts) are laudable, we find the provisions of Section 13 of the Draft Law problematic. Section 13 criminalises "defamation against women" and other vaguely phrased offences, such as "distorting the face of a woman". We recall that the UN Human Rights Committee stated in General Comment 34 that States parties should consider the decriminalisation of defamation and that criminal law should only be applied in the most serious of cases. Also, the provisions of Section 13 fail to meet the three-part test, as they are not formulated with sufficient precision to enable individuals to regulate their conduct in accordance with the law. We therefore recommend that Section 13 be revised.
Lack of procedural safeguards against surveillance activities carried out by intelligence agencies: Although efforts have been made to provide effective procedural safeguards against unchecked surveillance by law enforcement agencies (e.g. section 30), the same is not true of intelligence services, which remain subject to the provisions of the Pakistan Telecommunications (Re-Organisation) Act 1996. This is a serious concern as it effectively gives the Pakistani intelligence services carte blanche to carry out mass surveillance without meaningful oversight (see ARTICLE 19's analysis of the Pakistan Telecommunications (re-Organisation) Act).
In our view, if the Draft Law were to be adopted in its current form, it would be in breach of the right to freedom of expression and privacy under international law.
We therefore call on Pakistani legislators to protect the rights to freedom of expression and privacy in accordance with Pakistan's obligations under international by reviewing the Draft Law in line with the above recommendations.