Summary

Pakistan’s new cyber crime law will have a far-reaching impact on global technology companies active in the country. On August 11, 2016 Pakistan’s National Assembly passed the Prevention of Electronic Crimes Act (PECA) after a failed filibuster attempt by opposition parties in Parliament. Earlier in July, the Senate proposed 50 amendments and unanimously passed the bill.

• The legislation has been heavily criticized by the technology industry and civil rights organizations for curbing human rights and free speech.
• Federal investigation agencies have been granted broad powers for surveillance, censorship, and destruction of online content.
• Over-the-Top mobile applications such as WhatsApp, Facebook Messenger, and Skype could be forced to obtain operating licenses from the government.
• Technology companies will be required to decrypt information and share content with or without court warrants.
• Companies will be mandated to remove online content or face bans if content is against national security interests or hurts religious sentiments.

Further constraints on internet freedom in Pakistan

Freedom House’s Freedom on the Net report ranked Pakistan as “not free” for internet freedom in 2015. PECA exacerbates this problem by creating a broad and far-reaching legislative framework for the surveillance and censorship of internet data. In the coming months the country’s telecom authority is set to enforce the legislation, creating an even more challenging and restrictive environment for technology companies operating in the country.

• Targets whistleblowers and political opponents. The legislation includes clauses that give broad powers to investigative agencies to target whistleblowers and political opponents. Under the law, unauthorized access, transmission, and copying of data from any information system is punishable by a jail sentence of up to seven years and/or a fine of up to Rs.10 million (approx. US$97,000).
• Permits warrantless access to data. Investigative officers have been given the authority to demand access to data and issue warrants retroactively in cases where data is “required for the purposes of a criminal investigation” and where the content “may be modified, lost, destroyed, or rendered inaccessible.”
• Legalizes censorship of online content. Despite lack of legislation, the Pakistan Telecom Authority (PTA) has already been censoring online content in the country. PECA grants PTA the legal powers to demand removal of content or use its powers to block content if it is “necessary in the interest of the glory of Islam or the integrity, security, or defense of Pakistan.” In the past, Facebook, YouTube, and other services have been blocked in the country for failing to comply with similar orders, and the passage of PECA is set to increase these demands.

A more challenging environment for technology companies

The operating environment for technology companies in Pakistan has been challenging for many years. Court directives, government orders, and sensitivities of security agencies have led to many services and websites being blocked. After the passage of PECA, companies will face an even more daunting challenge of navigating Pakistan’s technology policy landscape. Rapid advances in the storage, encryption, and transmission of data, coupled with increasing internet penetration and smartphone adoption in Pakistan will create myriad legal issues as regulatory authorities use the powers granted to them under PECA.

• Over-the-top (OTT) applications could be required to get licenses. PTA has already been working on a licensing regime for OTT applications such as WhatsApp, Skype, and Facebook Messenger. After the passage of PECA, PTA could issue directives to OTT applications to get licensed under a “general authorization” framework that could set terms for interception, backdoor access, and decryption of data. Without this authorization, OTT applications could be prevented from legally operating in the country.
• Companies must decrypt and provide access to data. Investigative authorities have been given the authority to require companies to provide access to data or devices in “unencrypted or decrypted intelligible format” for investigating any offenses made under PECA. Companies or individuals employed by companies will be required to provide “technical and other assistance” to authorized officers investigating offenses committed under PECA. Companies that store or transmit personal data or communications will be forced to provide backdoor access to investigation officers as needed.
• Companies must comply with content takedown requests. PECA gives authorities broad powers to censor content on the internet. Satirical posts or memes making fun of politicians, content that is considered immoral or indecent, and conversations that are considered to be against national security interests are all in violation of this legislation. The unregulated authority that PECA provides to investigative officers will surely result in a dramatic increase in the number of content takedown requests received by technology companies such as Facebook, Twitter, and YouTube.

PECA contains a host of offenses, many of which can be used to target political opponents, whistleblowers, and other individuals. Foreign technology companies will face a dilemma: a legal responsibility to comply with the directives of Pakistan’s investigation agencies, juxtaposed with the guarantee of data privacy to their users.

What’s Next

In the coming days Pakistani President Mamnoon Hussain will sign the law after which it will be implemented. Under PECA, the government will create a law enforcement agency or designate an existing agency to investigate offenses committed under this act. PTA will also gain expanded powers and use these to further censor and block internet content, while potentially requiring OTT applications to register under a new framework and agree to certain terms and conditions, or face legal action.

YouTube was banned for over three years after it refused to comply with directives to take down content – ultimately, Google complied and launched a localized version of the service in January 2016. If the past is any guide, PECA will be implemented on an ad hoc basis – both PTA and law enforcement agencies have limited operational capacity to implement this law on a broad scale. However, the Act will be used to block content and force technology companies to comply with the government where political, national security, or religious interests are at stake.

International technology companies in Pakistan should immediately evaluate their vulnerabilities and potential impact of this new development, especially where extra-territorial jurisdiction may be a concern for global content.

Timeline of internet censorship in Pakistan