Sections of the draft seen by DRM indicates ultra vires sections, going beyond the scope of Section 37 of PECA
Islamabad, 9 October 2020: Sources at Pakistan Telecommunication Authority, Ministry of IT and the Consultative Committee constituted for the revision of Citizen Protection Rules (Against Online Harms) 2020 remain unable to share the document listing the Rules even as media reports indicate that implementation of the Rules has already begun.
Sections of the draft acquired by DRM indicate that the Rules have been renamed “Rules for removal and blocking of unlawful online content (procedure, oversight and safeguards) Rules 2020”. The revised draft of the Rules, created by the consultative committee, was submitted by Secretary IT Shoaib Ahmed Siddiqui, to Cabinet Committee for Disposal of Legislative Causes on 6th October 2020.
Obligations for service providers and social media companies
Various obligations have been defined for social media companies including publication of community guidelines pre defined in the Rules. Guidelines in the rules seek to “inform the user of the online systems not to host, display, upload, modify, publish, transmit, update or share any online content that among other things, “violates or affects religious, cultural, ethical sensitivities of Pakistan or threatens the integrity, security or defence or Pakistan, or public order or causes incitement to any offence under the Act (PECA)”.
Monitoring & regulation obligations on social media companies
In addition, social media companies have been obligated to “deploy appropriate mechanisms for identifying online content” specified within the community guidelines and blocking it from being uploaded and published.
Social media companies have also been asked to create mechanisms to stop live streaming of content that may be linked yo “terrorism, extremism, hate speech, pornography, incitement to violence and detrimental to national security”.
Registration and local presence
The Rules also make it mandatory for social media companies with half a million Pakistan based users to register with the PTA and to establish a permanent registered office in Pakistan within nine months of notification of the Rules and appoint a focal person based in Pakistan within three months of the notification of the Rules.
Consumer Data Provision
The Rules also ask the companies to establish “one or more database servers in Pakistan” within 18 months, to record and store data within Pakistan, for “citizen’s data privacy”. The Rules also create obligations for provision of data, including “subscriber information, traffic data, content data and any other information or data” in “decrypted, readable and comprehensible format or plain version” as and when required for investigations.
Written Orders for Content Blocking
Sections of the draft seen by DRM indicate that any decision to block or remove content as a result of a complaint should be made through a written order, recording the reasons for the Authority’s decision. However the same clause also provides an alternative to the written order stating that the Authority may simply issue directions to the service provider, social media company, owner of information system, owner of internet website or web server and user for removal and blocking access”. It is not clear whether these instructions would include details about the reasons for blocking and removal.
According to the Rules, Authority “may on its own motion take cognizance of any unlawful online content and may pass appropriate directions”.
Sections of the Rules seen by DRM indicate that in addition to natural persons, ministries, divisions, attached departments, subordinate offices, provincial and local departments, offices, law enforcement and related groups, and public companies have all been empowered to file a complaint against content that aggravates them.
Some sections of the Rules indicate that complaints against content may not be entertained if necessary information and relevant documents are not provided, hearings are not attended, or it isn’t possible to decide on the basis of records made available. Complaints against sub judice matters won’t be heard either. Review applications and appeals against Authority’s decision at the high court, are defined as a part of the procedure.
Contradictions with PECA
While the Rules are defined under Section 37 of PECA 2016, various of the sections reviewed by DRM appear to be ultra vires to the parent Act. PECA limits the liability on service providers and social media companies, while the Rules create extensive obligations and new offences and legal liabilities on these companies. In addition, new punishments have been defined including “blocking of entire online systems” provided, owned or managed by service providers or social media companies. These obligations and punishments remain ultra vires and contradictory to the protections provided for intermediaries in PECA.
It is important to note that the draft being circulated in the media, and seen by DRM has been acquired through sources and has not been shared through any official channels as yet.