Author: Eesha Arshad Khan
The advent of the digital age has created the need for a robust cybercrime legislation to be formulated by nation-states. However, many countries around the world are struggling with drafting comprehensive laws in this regard. Technological developments are outpacing the solutions proposed by state institutions, which aim to address the new challenges arising from the increasing use of digital media. Governments are also struggling to amend existing laws that seek to ensure the regulation of ‘cybersecurity’. In Pakistan, prior to the promulgation of the Prevention of Electronic Crimes Act (‘PECA’) in 2016, the Electronic Transactions Ordinance 2002 (‘ETO’) criminalised unlawful and unauthorised access to information. In the absence of a direct data protection legislation, the ETO provisions theoretically regulated data privacy and protection. It, however, does not regulate data protection directly but criminalises unlawful or unauthorised access to information. It also envisages the establishment of a governmental authority to certify electronic documents and makes regulations for the privacy and protection of its users.
The issues that have currently emerged due to the increasing usage of digital media call for the creation and implementation of a suitable legal framework that strives to protect the ‘digital rights’ of individuals. It must not be forgotten that such laws are ultimately enacted for the protection of citizens. Any draconian provision that curtails the constitutional rights of citizens and bolsters tyrannical governmental power would defeat the spirit and letter of the law.
Despite near universal condemnation from alarmed human rights activists and politicians, the PECA came into effect in August 2016. The enactment of this controversial statute ended a lengthy and fraught battle between the government and the various stakeholders who denounced it as “an incoherent mix of anti-speech, anti-privacy and anti-Internet provisions”. In a country like Pakistan, where there is relatively low digital literacy, an effective law dealing with cybercrimes should have been drafted and enforced, with the requisite acumen and insight to ensure that it remains within the constitutional framework.
This review aims to analyse the PECA by placing it within Pakistan’s constitutional framework and evaluating certain provisions which are most likely to be in violation of fundamental rights granted in the Constitution of the Islamic Republic of Pakistan (‘Constitution’). While there are several provisions in the PECA that are problematic, this review only focuses on a selected few. Firstly, the PECA is analysed in light of the due process provisions in the Constitution. Secondly, the restrictions which the PECA imposes on free speech are analysed. Lastly, the review expounds the concept of the right to privacy in Pakistan and the potential harm that the PECA poses in this regard.
Background to the Law
The government campaigned for the law as a flagship element of its anti-terrorism agenda. PECA was drafted as being part of the National Action Plan (‘NAP’), which was developed in response to the APS attack of December 2014. In lieu of the severity of the attack, the NAP was considered as a necessary step to eradicate terrorism. Government officials stressed that they needed an "unfettered ability to monitor, locate and prosecute alleged militant activity." It is this particular desire that also permeated into all the other laws drafted in the aftermath of the APS attack. For example, in a defining moment in its war against terrorism, the Pakistani government responded to the attack by lifting the unofficial moratorium on the death penalty, asserting that only those convicted of terrorism would be executed.
The situation of the post-APS Pakistan is comparable to that of a post-9/11 USA, wherein the US Congress passed the Patriot Act 2001, within one month of the collapse of the World Trade Center. Similarly, in the UK, two months after 9/11, the Anti-Terrorism, Crime and Security Act was passed in 2001. Both these laws were criticized for threatening the civil liberties of resident nationals. In view of the aforementioned examples, it can be stated that the fundamental rights of the citizens were curtailed simply by spreading a panic. As per the Humanitarian Policy Group, the Pakistani state tends to prioritize national security at the expense of the constitutional safeguards and humanitarian considerations, especially in situations of crisis when a response is needed on an emergency basis. Therefore, in order to identify which fundamental rights are being infringed, it is imperative to analyse the cybercrime statute from a constitutional perspective in order to ensure that it does not negatively impact the rights of citizens.
The Vagueness and Overbreadth in the Laws
Due process of law is a constitutional guarantee that generally relates to fair treatment through the normal judicial system. This specifically relates to a citizen’s entitlement to notice of a charge and hearing before an impartial judge. An understanding of due process of law is necessary in order to comprehend the significance of constitutional rights. This is because without this guarantee there might be rampant abuse of power by the government.
Under Article 4 of the Constitution, every citizen has the right to be treated according to the law. This means any invasion upon the rights of a citizen – whether by a private or public individual or body – must be justified with reference to some law of the country. Another relevant provision is Article 10-A which entitles citizens to a fair trial and due process. This provision is limited to criminal charges only.
These constitutional guarantees have been subject to interpretation by the judiciary. The scope of the doctrine of due process was first discussed in the Begum Shorish Kashmiri case. Along with discussing the meaning of the word ‘law’, the court also affirmed that it was the constitutional right of every citizen to be tried in accordance with it. Herein, this word was not confined to a statute and was used in a generic sense as something that should be in accordance with the judicial principles laid down from time to time by superior courts. Thus, the Supreme Court ruled that Article 2 of the 1962 Constitution should be interpreted “according to the accepted forms of legal process” and so “in this sense, it is as comprehensive as the American due process clause.” Verily, it was in this case that the scope and ambit of due process was expanded from merely procedural due process to substantive due process. Therefore, it can be concluded that due process protections in Pakistan guarantee an adherence to the ethical spirit of the law, which means that among other things, a law must uphold the liberties and rights of the citizenry.
With regards to PECA, it can be stated that it offends the inalienable guarantees of the due process provisions provided in the Constitution. Both are elements that can cause the legislation to be struck down. The drafting of the law is such that it is difficult to decipher exactly what amounts to a criminal conduct. For example, under the definitions section, certain terms have been defined in a very subjective manner. The word ‘act’ has been defined under the statute as ‘a series of acts’ without elaborating as to what constitutes an ‘act’ under the said provision. Similarly, dishonest intention has been defined as having an “intention to cause injury, wrongful gain or wrongful loss or harm to any person or to create hatred”. This definition has been made extremely subjective due to the inclusion of the words “to create hatred”. Section 10 entails the description of cyber-terrorism, which is a crucial concept for the purposes of this Act. However, it has been criticized that this concept has been defined too broadly. Critics are of the view that cyber-terrorism offences must be clearly linked to “violence and the risk of harm and injury”. However, section 10 (b) declares the advancement of “inter-faith, sectarian or ethnic hate” as a qualifier for cyber-terrorism. Hence, the language of the provision tends to confuse terrorism with offences relating to the incitement of violence or hostility.
Generally speaking, ambiguous and technical provisions in the law are usually tested on the basis of the vagueness doctrine. This doctrine requires criminal laws to explicitly state what exactly amounts to a punishable conduct and any law which is in violation of this doctrine is said to be void on the grounds of vagueness. Several provisions of this Act can be rendered void as they are likely to offend the due process provisions guaranteed in the Constitution. An example of this is section 48, which is a general provision relating to the prevention of electronic crimes. This provision gives the government and Pakistan Telecommunications Authority (‘PTA’) the power to issue directives to service providers in the interest of preventing an offence under the Act. Once again, the provision lacks precision and any restrictions whatsoever. The lack of any safeguards gives PTA unbridled discretion to issue additional rules that would just exacerbate various problems, especially those relating to the curtailment of free speech.
Section 31 of the Act discusses “expedited preservation and acquisition of data”. It allows an authorized agent to require a person to hand over data without producing a court warrant if it is believed that it is “reasonably required” for a criminal investigation. This can be termed as a blanket authorization provision that gives the executive direct authority to take action without any judicial oversight or scrutiny. In addition to this, no test as to what amounts to a reasonable requirement is provided in the section. This is problematic because the lack of requisite checks and balances affords the executive a discretionary power that can be used to violate fundamental rights. This can consequently rob a citizen of his right to be treated in accordance with the due process of law. Such a provision can, therefore, be subject to misuse and exploitation in order to achieve certain political agendas and suppress any form of lawful debate or dissent.
Freedom of Speech
PECA has faced a lot of criticism for violating the fundamental right of freedom of speech under Article 19 of the Constitution. Freedom of speech and press are fundamental rights that signify the cornerstones of democratic institutions. However, such freedom is subject to any reasonable restrictions that may be imposed by law. While, there can be no absolute test for reasonableness of restrictions imposed by law, as a general rule of thumb, it is for the courts to decide whether, under the given circumstances, a restriction is reasonable or not.
Firstly, one of the most pressing concerns relates to whether some of the powers given to authorities under PECA should lie with them in the first place. For instance, section 37 of the Act discusses unlawful online content. It gives vast powers to PTA to block or remove online content, thereby restricting the right to freedom of expression. Historically speaking, PTA is notorious for its casual yet frequent dalliances with censorship, and for its arbitrary blocking and removal of content. This is problematic at two levels. Firstly, the specific cases related to the right to freedom of speech that fall within or outside the exceptions listed in Article 19 are left to the sole discretion of the executive authority of PTA. PTA has the absolute power to decide as to how Article 19 is to be interpreted and applied. PTA also has the authority to determine the content that may or may not be accessed by internet users in the country. Authorized personnel from the PTA have the power to remove any content that they believe is immoral, anti-state, against any country considered to be an ally of Pakistan, or politically unacceptable. This shows that both legislative and judicial functions have been placed in the domain of a single executive authority. One must also note that section 37 simply reiterates the restrictions relating to freedom of speech which have been discussed in Article 19 of the Constitution. Instead of adopting a more nuanced approach towards cybercrimes and providing laws that secure the interest of citizens and safeguard fundamental rights, the legislature has focused on providing a law that prioritizes national security.
Moreover, section 37 allows complainants to file petitions with the PTA to block any content in question. PTA can act unilaterally against such content, without acquiring a court order. This indirectly provides the State with a mechanism to deal with and block content that it deems as unpalatable. For example, the government might block access to some political content under the pretext of preventing harm. According to a transparency report issued by Facebook, 177 pieces of content have already been restricted from viewership in the country based on requests forwarded by the PTA for violating “local laws prohibiting blasphemy and condemnation of the country’s independence”.
There are several other provisions of the Act that threaten free speech. For example, section 9 discusses the glorification of an offence and specifies the types of offences and activities for which this is criminalized. However, this section has been drafted in overly broad terms and breaches international standards of freedom of speech, if not Article 19 of the Constitution. It is a textbook example of a provision that has a ‘chilling effect’ on free speech. In a legal context, a chilling effect is the discouragement of the legitimate exercise of legal rights by the threat of legal sanction. Normally, this terminology is discussed in the USA as being linked to the First Amendment. In the US Supreme Court case of Reno v ACLU, the constitutionality of two provisions of a statue was challenged. The Supreme Court held that the statute violated its First Amendment because the regulations amounted to a content-based blanket restriction of free speech. Justice John Paul Stevens wrote that the vagueness of the statute was a matter of special concern because it related to a content-based regulation of speech. The vagueness of such a regulation raised special First Amendment concerns because of its chilling effect on free speech. Herein, the ‘chilling effect’ would have been the discouragement of the exercise of an individual’s right to free speech. Similarly, section 9 of the PECA would most likely stifle any sort of debate on issues of national security, terrorism or even of a mere public interest. Specifying that this section relates to “a crime related to terrorism” and “activities of proscribed organizations” does not resolve the threat it poses to the freedom of speech and press.
In 2015, in a watershed moment for free speech online, the Indian Supreme Court struck down section 66-A of the Information Technology Act 2000 on the grounds of violation of freedom of speech, guaranteed under Article 19(1)(a) of the Constitution of India. It was held that the section did not meet the criterion of ‘reasonable restriction’. The phenomenon of ‘chilling effect’ was discussed by the court as the rationale for striking down the overbroad and vague statutory provision. This action shows the importance of the right to freedom of speech. Furthermore, Pakistan, just like India, has signed and ratified the International Covenant on Civil and Political Rights (‘ICCPR’). The government is therefore bound to ensure adherence and implementation of its provisions, especially those relating to freedom of expression and speech.
The Right to Privacy
The Constitution of Pakistan enshrines the right to privacy as a fundamental right under Article 14(1). Moreover, Article 17 of the ICCPR, to which Pakistan is a signatory, states that “no one shall be subject to arbitrary or unlawful interference with his privacy, family or correspondence." The scope and interpretation of Article 14 was discussed by the Supreme Court in the case of Mohtarma Benazir Bhutto v President Pakistan. Affirming the dignity of man and privacy home as inviolable, the Court went on to clarify that an individual’s privacy is vulnerable even outside his home and the emphasis was on the right regardless of the location. The term ‘home’ was construed as being a space wherein an individual enjoys personal freedom and feels secure. The Court went on to hold that subject to law, the privacy of person could not be intruded in public spaces.
A report published by Privacy International, reveals that there are no direct data protection authorities or laws in Pakistan. In the absence of a direct data protection legislation, data privacy and protection was theoretically regulated through provisions of the Electronic Transactions Ordinance 2002 and The Freedom of Information Ordinance 2002. PECA also contains a number of provisions related to data privacy. However, these are intended to grant government agencies access to the private data of citizens or to restrict citizens from gaining access to government data. Several provisions of the statute make it a crime for anyone to gain unauthorised access to any information system or data or copying or transmission of critical infrastructure data.
PECA also tends to encroach upon the right to privacy, as certain provisions therein are intended to grant the PTA and other law enforcement agencies access to the private data of citizens, along with restricting citizens from gaining access to government data. Provisions of the Act allow for the retention of data by Internet Service Providers (‘ISPs’), for the supply of data to foreign entities, and the empowerment of officials to force citizens to give up their private information (which could be used against them in criminal investigations).
As per, section 31 of the Act a law enforcement agency may require an individual to hand over data without producing any court warrant if it is believed that it is "reasonably required" for a criminal investigation. The provision empowers an officer to take this action as per his discretion and requires for him to only bring this to the notice of a court within 24 hours after the acquisition of the data. Thus, in cases involving "cyberterrorism”, which is vaguely defined, the officer can search, seize, and retain data without a warrant and notify the court within 24 hours of its seizure. The right to privacy vis a vis the power to enter, search, and seize was discussed in Mehram Ali v Federation of Pakistan, wherein the Supreme Court declared section 10 of the Anti-Terrorism Act (‘ATA’) to be unconstitutional. Section 10 of the ATA, empowered an authorized official, on him being satisfied that there were reasonable grounds for suspecting that a person had in his possession some written material or recording in contravention of section 8 of the ATA, to enter and search the premises, and seize any suspicious material or recording. The Supreme Court held that while there was no doubt that right to privacy was subject to reasonable restriction but such law was supposed to be reasonable and in conformity with the constitutional mandate.
Section 32 of the Act requires ISPs to retain specified traffic data for a minimum of one year and subject to the demands of the PTA, provide that data to an investigation agency or authorized agent. Such an indiscriminate requirement for service providers to retain data breaches the international standards of the right to privacy. The requirement of storing it for one year is significantly longer than the previous requirement of 90 days, as envisaged in an earlier draft of the Act. This requirement is deemed quite problematic as it fosters the growth of conditions under which a highly invasive blanket surveillance of populations would be able to take place. In 2014, a UK High Court declared the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) to be unlawful. DRIPA was challenged on the grounds of violation of the right to privacy. Furthermore, it was found to be inconsistent with Article 8 of the European Convention on Human Rights, which relates to the right to respect for one’s private and family and the protection of personal data. In the same year, the Court of Justice of the European Union noted that the retention of data may allow “very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained”. Thus, it was concluded that such retention was a disproportionate interference with the right to privacy. The same arguments can be made to challenge the constitutionality of this particular section in Pakistan. The practical implications of this particular provision are already beginning to materialize. From January 2017 to June 2017, the Pakistani government sent 1,050 requests for data to
Facebook, compared to 2016 when only 719 requests were made. However, nobody knows the reasons as to why such access was requested and whether this law was actually used to prevent tangible harm from materializing.
Section 42 of the Act discusses international cooperation in the context of data sharing. Herein, sweeping powers are delegated to the government when it comes to sharing information with foreign entities. This is troubling as the language of the provision allows for unilateral cooperation between the government and other countries and their agencies. Furthermore, sub-section 2 permits the government to share data obtained under this Act with foreign or international agencies. This is extremely alarming because this entire process entails no recourse to judicial authorization or oversight. Under this provision, once sensitive private data has been left at the disposal of the government, it could be used by foreign entities as they deem fit. Moreover, the language of the section is a product of poor drafting. A plain reading of the law might lead one to conclude the law of information sharing in Pakistan primitive and undeveloped, as the provision does not even discuss any accountability mechanisms or any process of administrative and judicial oversight.
Drafted within the national security framework, PECA compromises multiple constitutional rights under the guise of curbing cybercrime, the likes of which include common digital threats such as fraud, online stalking, and harassment. When it was finally pushed through the Parliament, the public was introduced to a poorly drafted law laced with ambiguity, vagueness, and over-breadth. The Act criminalizes free speech and delegates massive sweeping powers to the Pakistani law enforcement authorities. In pure constitutional terms, PECA violates Articles 4, 10-A, 14, and 19 of the Constitution of the Islamic Republic of Pakistan 1973. The aforementioned articles relate to certain universal fundamental rights which are the cornerstones of a democratic polity. Therefore, it is important that they should not be sidelined in the name of national security.
Owing to the recent wave of cybercrime laws globally, most nations have struggled to frame them within their existing legal structures. As of now, there is a dire need to revamp the PECA in order to ensure that the citizen’s rights to privacy and freedom of speech are not compromised. PECA needs to be rebuilt from the ground up so as to preserve the due process rights of those who are tried under it. Moreover, the law must be drafted in compliance with the ICCPR. Cybercrime laws are a new development and the existing laws need to be able to address a wide spectrum of problems relating to online spaces. With cyber-attacks and data leaks like the Cambridge Analytica Scandal, Careem, and PITB-NADRA data breaches becoming a norm, undoubtedly, there is no disagreement that comprehensive cybercrime laws are the need of the hour. However, it is important that they are enacted in such a manner that upholds the rights and freedoms of the citizenry, instead of violating them.