Opinion: What you need to know about Papua New Guinea’s new Cybercrime Act

 

This month, Papua New Guinea’s Parliament passed the Cybercrime Code Act, which applies to defamation, cybersecurity, spam, hacking, forgery and computer fraud. Zinnia Dawidi, a lawyer specialising in IT & Telecommunications law, outlines the implications for businesses and individuals.

The formulation and drafting of Papua New Guinea’s law on Cybercrime was commenced in 2011 as part of a general drive within the Pacific region to reform and develop the region’s ICT laws. The aim was to achieve enhanced uniformity and harmonisation with the global community.

Papua New Guinea is one of the last countries in the region to legislate and is many, many years behind the wider international community.

‘In terms of Cybersecurity … the most important provisions relate to cyber attack … This criminalises attacks on critical infrastructure’

The Cybercrime Code Act 2016 criminalises many activities:

• hacking;
• cyber bullying;
• child online grooming;
• unlawful advertising;
• cyber harassment (which includes, cyber stalking and the use of profanities);
• electronic fraud (covering bank fraud);
• forgery;
• gambling by children;
• identity theft;
• unlawful disclosure (the unlawful publication of private and confidential data and sensitive personal data alike);
• infringement of intellectual property rights such as trademarks, copyright, patents and industrial designs;
• the production, possession and publication of child pornography and animal pornography;
• the production and publication of (adult) pornography;
• the design and distribution of illegal devices and many other technical offences.

In terms of Cybersecurity (which over arches Cybercrime), the most important provisions relate to cyber attack (known in some jurisdictions as ‘cyber warfare’). This criminalises attacks on critical infrastructure such as our national power grid, water supply, LNG plant, air services and health systems.

Defamation criminalised

Member countries were left to decide whether or not to criminalise defamation. Under PNG’s existing Defamation Act, the only provisions criminalizing defamatory publications related to members of Parliament.

Every other citizen had to resort to a claim for damages under the civil jurisdiction of the court.

In the interests of justice, and in light of the exorbitant costs one must inevitably incur when bringing a civil claim for defamation, it was decided that the criminal provisions should be made available to everyone—member of parliament and ordinary citizen alike.

‘The legal principles governing defamation are maintained: the defences of truth, fair comment, good faith and public interest benefit are available.’

Defamatory publications are now also criminalised. Previously, one could only be charged criminally for defaming a member of Parliament. Every other citizen had to resort to the civil jurisdiction of the court. This meant that there was no point in taking any action for redress against a penniless person for defaming you.

Under the new Act you will now be able to file a criminal complaint for defamation against a poor person for some redress—and you don’t have to be a member of parliament to do that.

The legal principles governing defamation are maintained. The defences of truth, fair comment, good faith and public interest benefit are available to anyone who finds himself on the wrong end of the new Act.

Service providers’ liability

ICT service providers such as Web masters or administrators may be held criminally responsible for a defamatory publication by a user if they are found to have negligently allowed, or enabled, the publication complained of.

Under the Act, ICT service providers (ISPs, telcos, etc) would attract criminal liability if they actively monitor the use of their services by subscribers in the absence of a court order; or where, due to their negligence, such unauthorised monitoring is conducted by an employee.

Monitoring is only to be authorized by the court through a specifically termed court order under strictly prescribed guidelines and supervision by the court.

‘It is now possible to admit into court evidence derived from mobile phones.’

The Act also prescribes certain procedural tools to enable law enforcement to obtain, preserve and protect electronic evidence from being manipulated or tampered with. Procedures for search and the provision of assistance to law enforcement are also provided for.

Jurisdictions

The new law necessitated some amendments, perhaps the most notable of which relates to theEvidence Act. These were primarily to enable the admissibility of electronic evidence which was previously not possible.

It is now possible to admit into court evidence derived from mobile phones, which was previously restricted by the narrow definition accorded to “computer” and “computerised information”.

‘We cannot legally complain of a wrongdoing, for instance, online (bank) fraud if it’s not an offence in our country!’

Cybercrime knows no jurisdictional boundaries and is capable of being committed over multiple jurisdictions. Accordingly, the investigation and prosecution of Cybercrime hinges on the doctrine of dual criminality.

This means that in order for our police, or courts, to deal with a foreign offender, both our jurisdiction and the jurisdiction in which the offender is domiciled or resident must have similar criminal provisions.

Without dual criminality other mechanisms such as extradition for the purpose of prosecution, would be futile. And of course, we cannot legally complain of a wrongdoing of, for instance, online (bank) fraud if it’s not an offence in our country!

Penalties

The penalties and imprisonment terms may be regarded  at face value as rather extreme, but it must be appreciated that in the formulation of these penalties the following concerns needed to be taken into account –

1. the level of anonymity one is able to enjoy in cyberspace;
2. the far reaching, often unpredictable damage or loss that can result from the commission of an offence (the losses may range from nothing to millions of kina); and
3. more often than not, the inherent level of sophistication of the perpetrator.

The cited maximum penalty is not mandatory. A maximum penalty is set to accord the court sufficient discretion when considering the penalties that ought to be imposed in a given set of circumstances.

Monetary penalties can range from zero to the maximum amount prescribed. For custodial sentences, the term of imprisonment can only be imposed up to, and not exceeding, the maximum term prescribed. Such elasticity was necessary.

Not sinister

The Cybercrime Code Act 2016 is not the result of some sinister ploy by the Government to shut out our right to freedom of speech (which in any case, is a qualified Constitutional right) or opinions on corruption.

It is a law that has been a long time coming and should have been enacted years ago.

It is highly technical because it deals with sophisticated technology. If in doubt, therefore, it would be advisable to seek legal advice or guidance prior to engaging in public commentary regarding the new Act.

Zinnia Dawidi is a board member of the National Information and Communications Technology Authority’s (NICTA) Universal Access and Service Secretariat (UAS).

Copyright © 2016 Business Advantage International.