Cybercrime legislation: comparing the global and GCC approaches
There is no universally agreed definition of the term ‘cybercrime’. The approach adopted by most relevant international and regional instruments has been in defining the term as a set of conducts or a collection of acts, making it an umbrella term rather than assigning a single definition. The Council of Europe Convention on Cybercrime (also known as the Budapest Convention),24 which was opened for signature in 2001, follows this model, and is considered to be the most relevant international instrument on cybercrime. As at June 2018, there were 58 state parties to the convention, not including any GCC or Arab country.25 It classifies cybercrime acts under one or more of the following four categories shown in Table 3.
Table 3: Cybercrime acts as defined in the Budapest Convention
Offences against the confidentiality, integrity and availability of computer data and systems |
Computer-related offences (e.g. credit card fraud, advance fee fraud) |
Content-related offences |
Copyright-related offences |
---|---|---|---|
Illegal access (e.g. hacking, circumventing of a password) |
Computer-related forgery |
Offences related to child pornography |
Offences related to infringements of copyright and related rights |
Illegal interception (e.g. email interception) |
Computer-related fraud |
Acts of racist and xenophobic nature* |
|
Data interference (e.g. use of malwares, spyware, creating backdoors) |
Hate speech |
||
System interference (e.g. denial of service – DoS) |
|||
Misuse of devices |
* An additional protocol to the Convention was adopted in 2003 to address racist and xenophobic materials committed through computer networks.
In defining the parameters of cybercrime, this paper follows the approach of the Budapest Convention. A similar approach is adopted by the Arab Convention on Combating Information Technology Offences,26 a League of Arab States (Arab League) convention signed by all GCC countries and ratified by all of them except for Saudi Arabia.27
Most national legislation on cybercrime follows the same approach. Only a very small number of national laws include the term ‘cybercrime’ (or variations thereof) either in the title or in the scope of their legislation.28 In the GCC, by contrast, the term ‘cybercrime’ features in the title of the legislation in all countries but Bahrain and Kuwait (see Table 4). As in most countries, however, these laws do not attempt to provide a legal definition of cybercrime. They rather attribute the term, using slightly different formulations, to include the crimes or acts referred to in the provisions of these laws.29
Analysis of the cybercrime laws of the GCC countries shows two main areas where these laws depart from international practice on cybercrime legislation. The first relates to the structure of the laws, and the second to content.
Table 4: Cybercrime laws in the GCC countries
Bahrain |
Kuwait |
Oman |
Qatar |
Saudi Arabia |
UAE |
|
---|---|---|---|---|---|---|
English translation |
Law No. (60) of 2014 on Information Technology Crimes |
Law No. (63) for the year 2015 on Combating Information Technology Crimes |
Royal Decree No 12/2011 issuing the Cyber Crime Law (a) |
Law No. (14) of 2014 Promulgating the Cybercrime Prevention Law (b) |
Anti-Cyber Crime Law, Royal Decree No. M/17, 26 March 2007 (c) |
Federal Decree-Law No. (5) of 2012 on Combating Cybercrimes (d) |
Original title |
قانون رقم (٦٠) لسنة ٢٠١٤ بشأن جرائم تقنية المعلومات (e) |
قانون رقم (٦٣) لسنة ٢٠١٥ في شأن مكافحة جرائم تقنية المعلومات (f) |
مرسوم سلطاني رقم ١٢/٢٠١١ بإصدار قانون مكافحة جرائم تقنية المعلومات (g) |
انون رقم (١٤) لسنة ٢٠١٤ بإصدار قانون مكافحة الجريمة الالكترونية (h) |
نظام مكافحة الجريمة الالكترونية، م/١٧، ٨/٣/١٤٢٨ ه (i) |
مرسوم بقانون اتحادي رقم (٥) لسنة ٢٠١٢ في شأن مكافحة جرائم تقنية المعلومات (j) |
Sources: (a): Available at http://www.qcert.org/sites/default/files/public/documents/om-ecrime-issuing_the_cyber_crime_law-eng-2011.pdf; (b): Available at http://chato.cl/blog/files/QatarCybercrimeLaw_unofficial_translation.pdf; (c): Available at http://www.citc.gov.sa/en/Rulesand Systems/CITCSystem/Documents/LA_004_%20E_%20Anti-Cyber%20Crime%20Law.pdf; (d): Available at http://ejustice.gov.ae/downloads/latest_laws/cybercrimes_5_2012_en.pdf; (e): Available at http://www.acees.gov.bh/cyber-crime/anti-cyber-crime-law-in-the-kingdom-of-bahrain/; (f): Available at https://www.e.gov.kw/sites/kgoarabic/Forms/CAITLawNo.63of2015oncombatingInformationTechnologyCrimes.pdf; (g): Available at http://www.cert.gov.om/library/publications/Cyber_Crime_Law.pdf; (h): Available at http://www.ilo.org/dyn/natlex/docs/ELECTRONIC/100242/120183/F1232109237/100242.pdf; (i): Available at: “https://www.bog.gov.sa/ScientificContent/RelatedSystems/Documents/نظام%20مكافحة%20الجرائم%20المعلوماتية%201428هـ.pdf” https://www.bog.gov.sa/ScientificContent/RelatedSystems/Documents/äÙÇã%20ãßÇÝÍÉ%20ÇáÌÑÇÆã%20ÇáãÚáæãÇÊíÉ%201428åÜ.pdf; (j): Available at http://www.wipo.int/wipolex/ar/text.jsp?file_id=316910.
Structure
The main issue in the GCC countries with regard to cybercrime legislation is in the lack of procedural laws that regulate cybercrime investigations and prosecutions. All cybercrime laws in the GCC countries include definitions of the terms used in the law, as well as substantive criminal law articles that criminalize the offences considered as constituting cybercrimes. However, few of these laws elaborate on other important aspects of the law that are found in some of the main international and regional instruments on cybercrime.30 These include: procedural law (such as search and seizure of computer hardware or data, order for stored computer data, expedited preservation of computer data); electronic evidence (such as admissibility of electronic evidence and records); jurisdiction (such as the territorial principle, nationality principle of offender, dual criminality); international cooperation; and service provider liability and responsibility (such as monitoring obligations, voluntary supply of information, liability of hosting providers).
Of the GCC countries, Qatar’s anti-cybercrime law is the most comprehensive, elaborating on, in addition to criminalization provisions:
- Evidence and investigation procedures;
- Service providers’ obligations;
- State authorities’ obligations;
- International cooperation;
- Mutual legal assistance; and
- Extradition of criminals.
The other GCC countries rely in their procedures on general rules that do not take into account the specificity of cybercrime cases. Bahrain has provisions on procedural law, but no provisions on other pertinent areas of the law mentioned above.
The absence of such provisions – which would normally be enacted in new cybercrime laws or incorporated in existing laws – seriously hampers the effectiveness of any cybercrime investigation, since these guide the work of law enforcement and the judiciary in efforts to combat cybercrime. In addition to guiding the fight against cybercrime, these provisions should also contain the necessary safeguards to ensure that the powers granted to law enforcement and the judiciary through these laws are not being abused or used in an intrusive way.
Given the transnational dimension of cybercrime, the lack of legal frameworks regulating how states deal with one another in the context of a cybercrime undermines a country’s ability to perform cross-border investigations and prosecutions in a timely manner and also raises issues of sovereignty.31 It also means that any country that lacks the appropriate frameworks is left outside global efforts aimed at identifying the best responses to the emerging challenges presented by cybercrime.
In the absence of these provisions, therefore, the capacity of states to investigate, prosecute and adjudicate on cybercrime nationally, and to facilitate cooperation in transnational investigations in a way that is conducive to successful results, is seriously constrained.32
The lacuna in dealing with electronic evidence has led in some cases to the mishandling of evidence, rendering it inadmissible. The absence of procedural law specifically applicable to cybercrime cases is thus an obstacle to all those involved in investigating, prosecuting and adjudicating cybercrime cases.
To take the example of the UAE, given the lack of special procedures for cybercrime cases, procedures for electronic evidence are governed by the Criminal Procedures Law. Judges thus apply general rules of evidence to cybercrime cases. The main issue with this is that these rules apply to ‘traditional’ types of crimes, investigation of which is primarily focused on traditional eyewitness accounts and the collection of physical evidence. There are no provisions regulating, for example, the collection, retention and disclosure of stored computer data or traffic. This lacuna in dealing with electronic evidence has led in some cases to the mishandling of evidence, rendering it inadmissible.33 The absence of procedural law specifically applicable to cybercrime cases is thus an obstacle to all those involved in investigating, prosecuting and adjudicating cybercrime cases. Key judicial figures in the UAE seem to be supportive of a new law dealing with electronic evidence,34 identifying the lack of such legislation as a major impediment to dealing with the distinct nature of electronic evidence. The need for laws regulating effective international cooperation, and cooperation mechanisms in global evidence collection and in transnational investigations, was also highlighted as a key shortcoming of the current UAE legal framework.
In Oman, moreover, one of the main obstacles to successful convictions in cybercrime cases, according to the country’s Information Technology Authority, is that judges are not incorporating the concept of computer crime, and what constitutes digital evidence, in their cybercrime cases.35 And in Bahrain, inadequacies in the legislation especially in relation to electronic evidence are in effect resulting in impunity for many apparent perpetrators.36
Content
As already stated, all GCC cybercrime laws cover in their texts offences that are broadly similar to the offences detailed under the Budapest Convention – i.e. offences against the confidentiality, integrity and availability of computer data and systems, computer-related offences and copyright-related offences. Notably, however, when it comes to the content-related offences, all GCC countries, with the exception of Bahrain,37 have introduced as part of their cybercrime laws provisions that criminalize a wide spectrum of content. Such content is not covered by the Budapest Convention and is in tension with the broad latitude given to freedom of expression in international human rights law. Table 5 sets out these provisions, along with the corresponding sanctions.38
Table 5: Content-related offences not foreseen in other international instruments39
Offence |
Kuwait |
Saudi Arabia |
Oman |
Qatar |
UAE |
---|---|---|---|---|---|
Insulting or defaming religion or religious values |
Article 6 Imprisonment: up to 1 year; and/or Fine: 5,000–20,000 KWD |
Article 6 Imprisonment: up to 5 years; and/or Fine: up to 3,000,000 SAR |
Article 19 Imprisonment: up to 3 years; and/or Fine: 1,000–3,000 OMR |
Article 35 Imprisonment: up to 7 years (if targeted at Islamic religion); and/or Fine: 250,000–1,000,000 AED |
|
Prejudicing public order, public ethics/morals and social values |
Article 4(4) Imprisonment: up to 2 years; and/or Fine: 2,000–5,000 KWD Article 6 Fine: 3,000–1,000 KWD |
Article 6 Imprisonment: up to 5 years; and/or Fine: up to 3,000,000 SAR |
Article 17 Imprisonment: up to 3 years; and/or Fine: 100–3,000 OMR Article 19 Imprisonment: up to 3 years; and/or Fine: 1,000–3,000 OMR |
Article 8 Imprisonment: up to 3 years; and/or Fine: up to 100,000 QAR |
Article 24 Imprisonment: Temporary (period not specified); and Fine: 500,000–1,000,000 AED Article 28 Imprisonment: Temporary (period not specified); and Fine: up to 1,000,000 AED |
Invading privacy, publishing news, secrets, electronic photos or photographs, scenes, comments, statements or information even if true or correct |
Article 6 Fine: 3,000–1,000 KWD |
Article 3 Imprisonment: up to 1 year; and/or Fine: up to 500,000 SAR Article 6 Imprisonment: up to 5 years; and/or Fine: up to 3,000,000 SAR |
Article 16 Imprisonment: up to 3 years; and/or Fine: 1,000–5000 OMR |
Article 8 Imprisonment: up to 3 years; and/or Fine: 100,000 QAR |
Article 21 Imprisonment: at least 6 months; and/or Fine: 150,000–500,000 AED |
Defamation and slander |
Article 3 Imprisonment: up to 1 year; and/or Fine: up to 500,000 SAR |
Article 16 Imprisonment: up to 3 years; and/or Fine: 1,000–5,000 OMR |
Article 8 Imprisonment: up to 3 years; and/or Fine: up to 100,000 QAR |
Article 20 Imprisonment: period not specified; and/or Fine: 250,000–500,000 AED Article 21 Imprisonment: at least 1 year; and/or Fine: 250,000–500,000 AED |
|
Damaging state reputation, criticizing, offending, insulting or slandering the ruler, his family, state symbols or a public official |
Article 6 Fine: 5,000–20,000 KWD |
Article 20 Imprisonment: period not specified; and/or Fine: 250,000–500,000 AED Article 29 Imprisonment: Temporary (period not specified); and Fine: up to 1,000,000 AED |
|||
Damaging/threatening national unity and security, foreign policy Overthrowing the ruling regime/changing the system |
Article 6 Fine: 3,000–10,000 KWD Article 7 Imprisonment: up to 10 years |
Article 6 Imprisonment: up to 3 years; and/or Fine: up to 500,000 QAR |
Article 24 Imprisonment: Temporary (period not specified); and Fine: 500,000–1,000,000 AED Article 28 Imprisonment: Temporary (period not specified); and Fine: up to 1,000,000 AED Article 30 Imprisonment: Life |
||
Organizing marches without permission |
Article 32 Imprisonment: period not specified; and Fine: 500,000–1,000,000 AED |
||||
Spreading false news which damage the reputation and prestige of the country (retweeting) |
Article 6 Imprisonment: up to 3 years; and/or Fine: up to 500,000 QAR For disseminating the news (e.g. retweeting) Imprisonment: up to 1 year; and/or Fine: up to 250,000 QAR |
||||
Insulting the constitution or judges and prosecutors or infringing on judicial integrity and impartiality |
Article 6 Fine: 3,000–10,000 KWD |
||||
Participating and supporting an unauthorized group |
Article 26 Imprisonment: at least 5 years; and Fine: 1,000,000–2,000,000 AED |