On 19th August 2016, the law related to the electronic crimes was passed by the Parliament; it’s a federal law and is styled as the Prevention of Electronic Crimes Act, 2016. This write-up shall adumbrate its main features and shall attempt to appraise its substance; this may be done appositely by organizing the content of the law into substantive and adjective laws. The Black’s Law Dictionary (8th Edition) has conceptually elucidated the difference between the substantive and adjective laws as:
“The body of the law in a State consists of two parts, substantive and adjective law. The former prescribes those rules of civil conduct which declare the rights and duties of all who are subject to the law. The latter relates to the remedial agencies and procedure by which rights are maintained, their invasion redressed, and the methods by which such results are accomplished in judicial tribunals.”
A. Substantive Law
The law provides an array of new offences in Chapter II of the Act. In all, it introduces twenty-three offences, which are: (1) unauthorized access to information system or data, (2) unauthorized copying or transmission of data; (3) interference with information system or data; (4) unauthorized access to critical infrastructure information system or data; (5) unauthorized copying or transmission of critical infrastructure data; (6) interference with critical infrastructure information system or data; (7) glorification of an offence; (8) hate speech; (9) recruitment, funding and planning of terrorism; (10) electronic forgery; (11) electronic fraud; (12) making, obtaining or supplying device for use in offence; (13) unauthorized use of identity information; (14) unauthorized issuance of subscriber identity module (SIM) card, reusable identification module (R-IUM) or universal integrated circuit card (UICC) etc.; (15) tampering of communication equipment; (16) unauthorized interception; (17) offences against dignity of a natural person; (18) offences against modesty of a natural person and minor; (19) child pornography; (20) malicious code; (21) cyber stalking (criminal intimidation); (22) spamming (transmission of harmful information for wrongful gain); and (23) spoofing (dishonest display of website/information).
Besides criminalizing the specific acts as offences, the law provides for two types of punishments: imprisonment and fine, together or as alternate to each other. The quantum of punishment is usually high, but there is no sentencing limitation to regulate judicial decision-making at the time of conviction of an offender. In addition, Section 1(4) of the law provides for its extra-territorial application. It may be noted that the draftsman has used the definition of ‘offence’ to import the juvenile justice regime into the law by redefining the offence as an act committed by a person over the age of fourteen; conversely, the Pakistan Penal Code, 1860, which is the master criminal law of Pakistan, opts to define the word ‘offence’ independent of the age consideration of the offender. The finesse of the language of the criminalized acts is neither distinctive nor exemplary. The permissive and inclusionary language of the definitions of offences leaves them open to be misapplied irrespective of the privacy and due process constitutional safeguards enshrined in the Constitution of Pakistan.
B. Adjective Law
The architecture of the law is confounded insofar as the adjective provisions are concerned; for neat and conceptual presentation, the following areas may be examined:
No investigation agency has been authorized to investigate cybercrimes. The matter has been left open in the law, and the power has been given to the Federal Government to ‘establish’ or ‘designate’ an agency to investigate cybercrimes: this has left much to be desired as the function has been delegated to the executive in a manner that has not only created opaqueness in the process, but has also shielded the investigation agency, if any, from any meaningful oversight by the parliament.
Conventionally, the investigation of the electronic crimes was carried out under the Prevention of Electronic Crimes Ordinance, 2007, which expired after periodic renewals. After the Eighteenth Amendment, it could not be renewed/re-promulgated as conveniently as it used to be renewed. This led to the expiry of the law and Pakistan virtually acted without a dedicated law on the subject for many year. The Federal Investigation Agency (FIA) was constituted under the Federal Investigation Agency Act, 1974 and works under the supervision of the Ministry of Interior. It has expertise and specialization to deal with cybercrimes. It has a National Response Centre for Cyber Crimes (NR3C), which is a dedicated centre to deal with the cybercrimes. What was the trade-off in not integrating the FIA into the new legal framework is not, however, clear; this is particularly complex as budget-making and lawmaking processes in Pakistan are ominously delinked, and the likelihood of allocation of resources for a new civilian organization to investigate cybercrimes is relatively remote.
ii. Evidence and Forensics
The meat of any investigation is evidence, and in case of Pakistan, despite all the inefficiencies, distrust and difficulties, in every new piece of legislation, the threshold for collection of evidence is raised. The new cybercrimes law is no exception. On the one hand, it imposes the requirement of getting warrants for search, seizure and disclosure of content data on the individual investigator, on the other, it makes the forensic reports generated by the investigation agency itself as admissible in evidence. In the same breadth, the law in its Section 40 ordains that the Federal Government shall establish an independent forensic laboratory.
Since 2007, prosecution departments have been established in all the provinces. These departments are separate and independent of police departments, the provincial investigation agency. No such separation is in sight at the federal level as the laws do not call for independent and separate federal prosecution department. The new law, therefore, does not call for separate and specialized prosecution service for cybercrimes.
The court system envisioned by the law is top-heavy as it treats the Sessions Judge as the court of first instance. It gives a right to appeal against the order of the court to the High Court. It also provides that the judges shall be qualified and the Federal Government shall arrange to provide for their training in cybercrimes.
v. Internet Regulation and Liability of Service Providers
As a general principle, according to Section 38 of the Law, service providers shall have no criminal or civil liability. The onus of proof regarding failure of service provider to comply with the law shall be on the person who alleges the failure. The liability of the service providers should have been the subject of regulation in the law related to the regulators that license the service providers i.e. Pakistan Electronic Media Regulatory Authority (Pemra) or Pakistan Telecommunication Authority (PTA), but the content of the internet has been made subject matter of the new law, which is against its design and objectives.
The PTA has been given authority under Section 37 of the law to block undesired material on electronic media and internet; the content management of the electronic and social media through a criminal law needs reconsideration.
vi. International Cooperation
Chapter IV deals with international cooperation. The law authorizes the Federal Government to extend international cooperation to any foreign government, ‘foreign agency’, and ‘international agency’ etc. The blanket power to extend cooperation without the role of the Ministry of Foreign Affairs may need further deliberation.
vii. Intelligence Agencies
The Federal Government shall frame rules to determine manner of coordination between the investigation agency and intelligence agencies. The rule, if ever framed, will be useful in adding transparency to opaque structures in working of the security apparatus of the country.
viii. Computer Emergency Response Teams
Chapter VI deals with preventive measures related to electronic crimes. There is no anticipatory preventive power under the law, however, it provides for computer emergency response teams comprising experts to deal with any cyber-related threat or attack.
ix. Oversight by Parliament
Section 53 requires the would-be designated or established investigation agency to submit a half-yearly report to both houses of parliament. This report may become the source of consolidated and authentic flow of information to the parliament to enable it to exercise effectiveand meaningful oversight.
The absence of legal framework indirectly benefited the delinquents and criminals alike.The introduction of a dedicated cybercrimes law is, therefore, a step in the right direction. The implementation of the law shall remain a challenge as the lawmaking and the budget-making in Pakistan have not been correlated, and priorities of the legislature and those of the executive do not converge to create synergy in governance and public policy.