In his book on the Introduction to the Philosophy of Law, celebrated American jurist, Professor Roscoe Pound observed:
“…I am content to think of law as a social institution to satisfy social wants…”
Taking cue from his statement, one may infer that modern states have tried to respond to challenges of cyberspace (social wants) through the (social) institution of law. The law on cyberspace, therefore, often takes the form of either regulatory law or criminal law. For example, the US has a very vibrant competition law (the Sherman Anti-Trust Act, 1890) that looks at the regulation of market share of technology companies and affects their conduct through enforcement actions that are punitive and criminal in nature. While the US, along with introducing new laws, has used an old law to regulate the freedom of private companies in cyberspace, the European Union (EU), in 2016, has enacted the EU General Data Protection Regulation 2016/679 (GDPR) that regulates the data of big technological companies and has influenced their online conduct by according privacy of individuals overriding significance vis-à-vis commercial interests of big companies. Recently, the EU has introduced the Digital Markets Act that will come into force in 2023 and aims at regulating the conduct of online digital platforms that connect goods and services. On the criminal side, the US enacted the Computer Fraud and Abuse Act, 1986 that covers most of the online frauds and is its main cybercrime law. In the UK, the Computer Misuse Act, 1990 is the substantive criminal law to deal with cybercrimes. In the same spirit, Pakistan has introduced a legal framework that addresses the regulatory and criminal law regimes. This article is exploratory in nature and will try to explore the legal framework in some detail.
The origins of Pakistan’s legal framework qua cyberspace have to be traced back to the Constitution of Pakistan, 1973 that does not directly refer to the information technology or cyberspace. It, however, lists the items of legislation in the Federal Legislative List to the Fourth Schedule of the Constitution that confers legislative powers to the Federation with regards to communications (Item 7), copyright, inventions and designs (Item 25), international treaties and conventions (Item 32), the State Bank of Pakistan (Item 28) implying e-banking and e-commerce mechanisms, and insurance law (Item 29). On the criminal side, the constitutionality of powers of the Federation rests on articles 142 and 143 of the Constitution of Pakistan that declare criminal law, criminal procedure and law of evidence as shared responsibility of the Federation and the Provinces. Based on this constitutional edifice, the Federation has passed many laws that deal with cyberspace. The chief amongst these legislations are: (1) the Federal Investigation Act, 1974, (2) the Pakistan Telecommunication (Re-Organization) Act, 1996 and (3) the Prevention of Electronic Crimes Act, 2016. This adumbration is introductory in nature to disseminate base knowledge for any detailed research on the subject; each legislation is being discussed briefly:
- THE FEDERAL INVESTIGATION AGENCY ACT, 1974
The Federal Investigation Agency (FIA) is the lead federal police organization constituted under the Federal Investigation Agency Act, 1974. Like many police laws in Pakistan, its superintendence lies with the Federal Government, whereas its administration is vested in the Director General who has powers of an Inspector General of Police. The powers of members of the FIA are equal to that of police officers of the Provincial Police for arrest of persons and seizure of property, which they may exercise throughout Pakistan. The field units are the territorial and functional directorates that are headed by police officers of the rank of the Deputy Inspector General of Police and each directorate has police stations. Each police station, like provincial police stations, have officers in charge (Station House Officers). These SHOs are not below the rank of Sub-Inspectors of Police. There is a Schedule at the end of the Act, which states offences and laws that fall in the jurisdiction of FIA. Most important areas that are dealt by the FIA are: human smuggling, trafficking in person, immigration, cybercrimes, official secrets law, corporate crimes, money laundering, counter terrorism financing and high treason. From the viewpoint of cybercrimes, it is the most important and only authorized investigation agency to investigate offences that relate to computers, internet and illegal use of information technology. The organization also has powers to initiate legal actions under extra-territorial jurisdiction in criminal matters, which make it an important player in the national security apparatus of the country insofar as the internal security of the country is concerned. The cross border mandate of the FIA under the law is further strengthened due to its power to house National Central Bureau (NCB) to singularly coordinate with the INTERPOL (the International Police Organization). In the emerging scenario, when the rule of law approach to fight counterterrorism and cybercrimes is increasingly being used, the role of the FIA is becoming important as a lead agency in inter-provincial and transnational organized crime.
- THE PAKISTAN TELECOMMUNICATION (RE-ORGANIZATION) ACT, 1996
On preventive and regulatory side, the most important role in initiating policing actions of blocking websites and content regulation under the law and in coordination with the Social Media Companies (SMCs) is with the Pakistan Telecommunication Authority (PTA). PTA is a product of the Pakistan Telecommunication Authority (Re-organization) Act, 1996. The primary purpose of the PTA was to ensure competition in deregulated market/field of telecommunications after Pakistan entered into the General Agreement on Trade in Services (GATS) under the World Trade Organization Agreement in 1994. The PTA, with the passage of time and due to absence of a regulator of the telecommunication media, discharges functions of policing under different sets of delegated legislation that include: a) the Citizens Protection (Against Online Harm) Rules, 2020; b) the Critical Telecom Data and Infrastructure Security Regulations, 2020; c) Mobile Device Identification, Registration & Blocking (Amendment) Regulations, 2018; d) Data Retention of Internet extended to Public Wi-Fi-Hotspots Regulations, 2018; e) Subscribers Antecedents Verification Regulations, 2015; and f) the Telecom Consumer Protection Regulations, 2009. It also supplements and coordinates the mandate of providing the computer emergency response teams for protection of critical infrastructure as required under section 49 of the Prevention of the Electronic Crimes Act, 2016.
- THE PREVENTION OF ELECTRONIC CRIMES ACT, 2016
The Prevention of Electronic Crimes Act, 2016 (PECA) is the principal criminal law dealing with cybercrimes in Pakistan. It criminalizes different conducts that involve cyberspace and digital devices. In all, the law has enacted twenty three offences that include accessing and interfering with data, critical infrastructure, glorification of other cybercrimes, cyber terrorism, hate speech on cyberspace, electronic forgery, electronic fraud, unauthorized use of identity of another person, unauthorized interception, offences against dignity and modesty of natural persons, child pornography, cyber stalking (criminal intimidation), spamming and spoofing. Out of these twenty three offences, only three offences (cyber terrorism and offences related to dignity and modesty of natural persons) are cognizable (as per section 43), which means that except these three offences the legal action has been linked to judicial order, which, in practice, affects legal rights of people who reach out to executive authorities/police for redress of their grievances. PECA is not only a criminal substantive law, but is also procedural and regulatory in nature. On criminal procedural side, it states that only authorized investigation agency shall investigate cybercrimes. The Prevention of Electronic Crimes Investigation Rules, 2018 (PEC Rules) enacted under section 51 of PECA authorize only the FIA to investigate cybercrimes. The non-authorization of provincial police organizations is likely to be reviewed due to the all-pervasive nature of cybercrimes and the use of digital devices in all sorts of crimes. It may be noted that the PECA has a full-fledged chapter on preventive measures that include power of the Federal Government to issue directions to owners of information systems and constitution of Computer Emergency Response Team(s) (CERT). The PECA also provides for issuance of warrant for search and seizure and warrant for disclosure of content data besides obliging service providers to retain and provide data and information expeditiously to the authorized police officers. Detailed procedure to be adopted by authorized officer on seizing data is also given in the law. The PEC Rules provide for Cybercrime Wing of the FIA that must have a cybercrime investigations’ section, forensics section and data and network security section. The PEC Rules also provides for a cybercrime complaints registry mechanism to redress the complaints of citizens efficiently. These Rules also provide for training of officers of Cyber Wing and for the procedure to be followed for transfer of investigations related to cybercrimes. The Rules expand on the procedure of international cooperation with INTERPOL and on the principles and values that must be adhered by the authorized officers while conducting investigations especially with regards to victim confidentiality and witness protection.
The aforementioned legal framework is being further fortified by the safe city authorities’ mechanisms that have been translated into provincial laws especially in the Punjab and the Khyber Pakhtunkhawa. The policing of cyberspace is evolving rapidly due to high tele-density and subscribers’ base in the country that is fast entering the e-commerce realm. Policing cyberspace also requires robust data protection law so that legal safeguards can be ingrained in information systems and no invasion on the privacy of citizens can take place.