In early 2014, Pakistan’s Ministry of Information Technology and Telecommunication introduced a draft cybercrime ordinance, the Prevention of Electronic Crimes Act. At the time, human rights advocates, including the Centre for Law and Democracy, criticised the draft as a threat to Pakistan’s burgeoning online community and cautioned that its broad language threatened to turn millions of ordinary Internet users into criminals. A slightly revised version (the draft) has now been tabled and we note with concern that few of the main problems have been fixed.
“It is troubling to see that Pakistan is considering adopting this law without having addressed many major concerns,” said Toby Mendel, Executive Director of CLD. “With its Internet community still developing, it is vitally important for Pakistan to craft legislation in this area which adequately respects human rights.”
There have been some positive changes, but these do not go nearly far enough. The rule that made it a criminal offence to create or supply any device that could be used for cybercrime now only applies to devices which are used primarily for committing offences. However, many types of legitimate software would still be covered since modifying user data to create an inauthentic result remains a criminal offence. This could criminalise programmes designed to facilitate online privacy, such as Tor, which functions by altering a user’s identifying information. The draft also makes it an offence to use a website or information system in ways which have not been authorised, effectively turning anyone who violates a website or programme’s terms of service, which are often very unclear, into a criminal. The draft also creates a new offence of harming the reputation of a woman online, essentially a criminal defamation provision.
These problems are compounded by the draft’s data retention requirement, mandating that electronic communication service providers store user data for 90 days. Parallel schemes have been found to be unconstitutional in several jurisdictions, most notably by the European Court of Justice, which held that European Union’s Data Retention Directive was incompatible with the privacy and data protection provisions of the Charter of Fundamental Rights of the European Union in April 2014.
The new draft is currently before a four-member committee of parliamentarians, who have been charged with reviewing and finalising its language. We urge the parliamentary committee to ensure that the provisions of this law are brought into line with international human rights standards before it is passed.