The Prevention of Electronic Crimes Bill 2016 has been dubbed extremely controversial. Here is a summary of what the law provides in ordinary language: Application and Jurisdiction: The Act applies to all of Pakistan, on all Pakistani citizens inside Pakistan or outside it and on all such acts that constitute an offence or offences under the Act affecting a person, property, information system or data in Pakistan. Intermediary Liability Protection: Section 35 of the Act gives intermediary liability protection to the service provider. A service provider is not subject to civil or criminal liability unless it had specific knowledge and willful intent to “proactively and positively participate” in an offence and not just omission or failure to act. The burden of proof in this case is on the person alleging proactive or positive participation and specific content to this effect along with unique identifiers have to be produced in a court of law. The service provider is further exempted from civil and criminal liability if it informs a subscriber or user of notice in re any offense. However, if a notice is served to the service provider in the exercise of the powers of the Act, it is legally obligated to keep the exercise confidential for 14 days subject to extension by court. Any data that a service provider provides under the Act will be exempted from any liability vis-a-vis disclosure to the extent that it is required. Finally the law protects the service provider against any mandatory requirements about proactive monitoring or inquiries about content. This is a positive development as it gives service providers intermediary liability protection that did not exist in law earlier. Retention of data: Section 29 of the Act makes it mandatory for a service provider to retain “specified” traffic data for a period of one year or as the Authority (i.e. PTA) recommends. Service provider can only provide this data to investigation agency upon production of a warrant issued by court. Real time collection of data: Under Section 36 of the Act, a court can order real time collection of data through a service provider. Confidential information: Under Section 38 of the Act, a service provider or an official cannot share confidential information of its subscribers or users unless by law. However, in the event a service provider is accused of this conduct, good faith defense is available by law i.e. the service provider or the government official was acting in good faith. The burden of proof will be on the service provider or the government official. Directives from the federal government or authority: Under Section 45 of the Act, the federal government or the authority can issue binding directives to service providers to prevent the commission of an offence under the Act. Application of Pakistan Telecommunication (Re-organisation) Act 1996: For a licensee of the authority i.e. PTA, any violation of directives issued by the federal government or the authority will be treated as a violation of the licensee’s terms and conditions and shall be subject to the procedure under PTRA i.e. Section 23. Authority’s directions to licensees under the Act: Under Section 18 which deals with offences against the dignity of a natural person, Section 19 which deals with offences against modesty of a natural person or a minor and Section 21 which deals with cyber stalking, the authority can issue directions to licensees to secure, block or remove the content accordingly. These will be binding orders. PTA’s power to block online content: Section 34 of the Act gives authority the power to block content in the interest of glory of Islam, integrity and security of Pakistan, public order, morality, decency, or in relation to contempt of court. Any decision may be reviewed by the authority and the decision in review is further subject to an appeal before the high court. The authority also is required to frame the rules for this exercise and so long as there are no rules, the federal government may ask the authority to exercise its power for the time being. 1). Information system/Data/ Critical structure/natural person offences: a). Any unauthorised access to an information system is an offence; punishment of up to three months or fine up to Rs. 50,000, or both, as per Section 3 of the Act. b). Unauthorised copying or transmission of data; punishment up to six months or fine up to Rs 100,000, or both, as per Section 4 of the Act. c). Interference or damage to an information system; punishment of up to two years or fine up to Rs 500,000, or both, as per Section 5 of the Act. d). Unauthorised access to a critical infrastructure information system (which is an information system that supports critical infrastructure that is infrastructure necessary for essential services in the country); punishment of up to three years or fine up to Rs 1 million, or both, as per Section 6 of the Act. e). Unauthorised copying or transmission of critical infrastructure data; punishment of up to five years or fine up to Rs 5 million, or both, as per Section 7 of the Act. f). Interference or damage of critical infrastructure data or information system; punishment of up to seven years or fine up to Rs 10 million, or both, as per Section 8 of the Act. g). Electronic fraud; punishment of up to two years or fine up to Rs 10 million, or both, as per Section 12 of the Act. h). Making obtaining or supplying device, data, or information system used in an offence; punishment of up to six months in jail or fine of up to Rs 50,000, or both, as per Section 13 of the Act. i). Unauthorised use of identity information of another person; punishment of op to three years or fine of up to Rs 5 million, or both, as per Section 14 of the Act. j). Unauthorised issuance of SIM cards; punishment of up to three years or a fine of up to Rs 500,000, or both, as per Section 15 of the Act. k). Tampering with communication information; punishment of up to three years or a fine of up to Rs 1 million, or both, as per Section 16 of the Act. l). Unauthorised interception of transmission; punishment of up to two years or a fine of up to Rs 500,000, or both, as per Section 17 of the Act. m). Offences against a natural person; punishment of up to three years or a fine of up to Rs 1 million, or both, as per Section 18 of the Act. n). Offences against the modesty of a natural person or minor; punishment of up to seven years or fine of up to Rs 5 million, or both, as per Section 19 of the Act. o). Writing offering or making available of malicious code is an offence; punishment of up to two years or fine of Rs 1 million, or both, as per Section 20 of the Act. p). Cyber stalking: For adult victims, punishment of up to three years or fine of Rs 1 million or both. For minor victims, punishment of up to five years or fine of Rs 10 million, or both, as per Section 21 of the Act. q). Spamming: Fine of up to Rs 50,000 for the first offence; fine between Rs 50,000 and 1 million for the subsequent offences, as per Section 22 of the Act. r). Spoofing i.e. false websites etc with dishonest intent; punishment of up to three years imprisonment or fine of Rs 500,000, or both, as per Section 23 of the Act. 2). Hate speech and terrorism offences: a). Glorification of an offence relating to terrorism or a person who has committed terrorism or such offence or glorification of any proscribed organisations; punishment up to seven years or fine up to Rs 10 million, or both, as per Section 9 of the Act. b). Offences to Sections 6, 7, 8 and 9 are described as “cyber terrorism” if these are committed with the intent to create fear, insecurity or advance interfaith, sectarian or ethnic hatred; punishment up to 14 years or fine up to Rs 50 million, or both, as per Section 10 of the Act. c). Hate speech with the intent to forward interfaith sectarian or racial hatred is an offence; punishment of up to seven years and a fine or both, as per Section 10-A of the Act. d). Recruitment, funding or planning of terrorism through information system or device; punishment of up to seven years or a fine, or both, as per Section 10-B of the Act.