In his book Introduction to the Philosophy of Law, the celebrated American jurist Professor Roscoe Pound observed:
“…I am content to think of law as a social institution to satisfy social wants…”
Taking a cue from his statement, one may infer that modern states have tried to respond to the challenges of cyberspace (social wants) through the (social) institution of law. The law in cyberspace, therefore, often takes the form of either regulatory law or criminal law. For example, the US has a very vibrant competition law (the Sherman Anti-Trust Act, 1890) that looks at the regulation of the market share of technology companies and affects their conduct through enforcement actions that are punitive and criminal in nature.
While the US, along with introducing new laws, has used an old law to regulate the freedom of private companies in cyberspace, the European Union (EU), in 2016, enacted the EU General Data Protection Regulation 2016/679 (GDPR) that regulates the data of big technology companies and has influenced their online conduct by according the privacy of individuals overriding significance vis-à-vis the commercial interests of big companies. Recently, the EU introduced the Digital Markets Act that will come into force in 2023 and aims at regulating the conduct of online digital platforms that connect goods and services.
On the criminal side, the US enacted the Computer Fraud and Abuse Act, 1986, which covers most online frauds and is its main cybercrime law. In the UK, the Computer Misuse Act, 1990 is the substantive criminal law to deal with cybercrimes. In the same spirit, Pakistan has introduced a legal framework that addresses the regulatory and criminal law regimes. This article is exploratory in nature and will try to explore the legal framework in some detail.
The origins of Pakistan’s legal framework of cyberspace have to be traced back to the Constitution of Pakistan, 1973, which does not directly refer to information technology or cyberspace. It, however, lists the items of legislation in the Federal Legislative List to the Fourth Schedule of the Constitution that confer legislative powers on the Federation with regard to communications (Item 7), copyright, inventions and designs (Item 25), international treaties and conventions (Item 32), the State Bank of Pakistan (Item 28), implying e-banking and e-commerce mechanisms, and insurance law (Item 29).
On the criminal side, the constitutionality of the powers of the Federation rests on articles 142 and 143 of the Constitution of Pakistan that declare criminal law, criminal procedure and the law of evidence as a shared responsibility of the Federation and the Provinces. Based on this constitutional edifice, the Federation has passed many laws that deal with cyberspace. Chief among these are: (1) the Federal Investigation Agency Act, 1974, (2) the Pakistan Telecommunication (Re-Organization) Act, 1996 and (3) the Prevention of Electronic Crimes Act, 2016. This adumbration is introductory in nature and is meant to disseminate base knowledge for any detailed research on the subject; each piece of legislation is discussed briefly below:
THE FEDERAL INVESTIGATION AGENCY ACT, 1974
The Federal Investigation Agency (FIA) is the lead federal police organization constituted under the Federal Investigation Agency Act, 1974. Like many police laws in Pakistan, its superintendence lies with the Federal Government, whereas its administration is vested in the Director General, who has the powers of an Inspector General of Police. The powers of members of the FIA are equal to those of police officers of the Provincial Police for the arrest of persons and seizure of property, which they may exercise throughout Pakistan. The field units of the FIA are the territorial and functional directorates that are headed by police officers of the rank of Deputy Inspector General of Police, and each directorate has police stations. Each police station, like provincial police stations, has officers in charge (Station House Officers).
These SHOs are not below the rank of Sub-Inspector of Police. There is a Schedule at the end of the Act, which states the offences and laws that fall within the jurisdiction of the FIA. The most important areas dealt with by the FIA are human smuggling, trafficking in persons, immigration, cybercrimes, official secrets law, corporate crimes, money laundering, counter-terrorism financing and high treason. From the viewpoint of cybercrimes, it is the most important and only authorized investigation agency to investigate offences that relate to computers, the internet and the illegal use of information technology. The organization also has powers to initiate legal actions under extra-territorial jurisdiction in criminal matters, which makes it an important player in the national security apparatus of the country insofar as the internal security of the country is concerned.
The cross-border mandate of the FIA under the law is further strengthened by its power to house the National Central Bureau (NCB) to singularly coordinate with INTERPOL (the International Police Organization). In the emerging scenario, when the rule of law approach to fight counterterrorism and cybercrimes is increasingly being used, the role of the FIA is becoming important as a lead agency in inter-provincial and transnational organized crime.
THE PAKISTAN TELECOMMUNICATION (RE-ORGANIZATION) ACT, 1996
On the preventive and regulatory side, the most important role in initiating policing actions of blocking websites and content regulation under the law, in coordination with the Social Media Companies (SMCs), lies with the Pakistan Telecommunication Authority (PTA). The PTA is a product of the Pakistan Telecommunication (Re-Organization) Act, 1996. The primary purpose of the PTA was to ensure competition in the deregulated market/field of telecommunications after Pakistan entered into the General Agreement on Trade in Services (GATS) under the World Trade Organization Agreement in 1994.
The PTA, with the passage of time and due to the absence of a regulator of the telecommunication media, discharges functions of policing under different sets of delegated legislation that include: a) the Citizens Protection (Against Online Harm) Rules, 2020; b) the Critical Telecom Data and Infrastructure Security Regulations, 2020; c) the Mobile Device Identification, Registration & Blocking (Amendment) Regulations, 2018; d) the Data Retention of Internet extended to Public Wi-Fi-Hotspots Regulations, 2018; e) the Subscribers Antecedents Verification Regulations, 2015; and f) the Telecom Consumer Protection Regulations, 2009. It also supplements and coordinates the mandate of providing computer emergency response teams for the protection of critical infrastructure as required under section 49 of the Prevention of Electronic Crimes Act, 2016.
THE PREVENTION OF ELECTRONIC CRIMES ACT, 2016
The Prevention of Electronic Crimes Act, 2016 (PECA) is the principal criminal law dealing with cybercrimes in Pakistan. It criminalizes different conducts that involve cyberspace and digital devices. In all, the law has enacted twenty-three offences that include accessing and interfering with data, critical infrastructure, glorification of other cybercrimes, cyber terrorism, hate speech on cyberspace, electronic forgery, electronic fraud, unauthorized use of the identity of another person, unauthorized interception, offences against dignity and modesty of natural persons, child pornography, cyberstalking (criminal intimidation), spamming and spoofing.
Out of these twenty-three offences, only three offences (cyber terrorism and offences related to dignity and modesty of natural persons) are cognizable (as per section 43), which means that, except for these three offences, legal action has been linked to a judicial order, which, in practice, affects the legal rights of people who reach out to executive authorities/police for redress of their grievances. PECA is not only criminal substantive law but is also procedural and regulatory in nature. On the criminal procedural side, it states that only authorized investigation agencies shall investigate cybercrimes. The Prevention of Electronic Crimes Investigation Rules, 2018 (PEC Rules) enacted under section 51 of PECA authorize only the FIA to investigate cybercrimes. The non-authorization of provincial police organizations is likely to be reviewed due to the all-pervasive nature of cybercrimes and the use of digital devices in all sorts of crimes.
It may be noted that the PECA has a full-fledged chapter on preventive measures that include the power of the Federal Government to issue directions to owners of information systems and the constitution of computer emergency response teams (CERT). The PECA also provides for the issuance of warrants for search and seizure and warrants for disclosure of content data, besides obliging service providers to retain and provide data and information expeditiously to authorized police officers. The detailed procedure to be adopted by an authorized officer on seizing data is also given in the law. The PEC Rules provide that the Cybercrime Wing of the FIA must have a cybercrime investigations section, a forensics section and a data and network security section.
The PEC Rules also provide for a cybercrime complaints registry mechanism to redress the complaints of citizens efficiently. These Rules also provide for the training of officers of the Cyber Wing and for the procedure to be followed for the transfer of investigations related to cybercrimes. The Rules expand on the procedure of international cooperation with INTERPOL and on the principles and values that must be adhered to by the authorized officers while conducting investigations, especially with regard to victim confidentiality and witness protection.
The aforementioned legal framework is being further fortified by the safe city authorities’ mechanisms that have been translated into provincial laws, especially in Punjab and Khyber Pakhtunkhwa. The policing of cyberspace is evolving rapidly due to high teledensity and the subscriber base in the country, which is fast entering the e-commerce realm. Policing cyberspace also requires a robust data protection law so that legal safeguards can be ingrained in information systems and no invasion of the privacy of citizens can take place.
Kamran Adil is currently serving as Deputy Inspector General of Punjab police. He studied law at Oxford University and writes and lectures on international law. The views expressed in the article are the author’s own and do not necessarily reflect the editorial policy of Global Village Space.