Issuance of the Cybercrime Law

In mid-August, Law No. 175 of 2018 on the Combating of Information Technology Crimes (the “Cybercrime Law” or the “Law”) was published in the Official Gazette.[1] The controversial Law criminalizes acts that it considers as constituting a violation of “privacy” and “family values” or threatening to national security or the economy. It provides a legal umbrella for online surveillance, censorship, and monitoring of internet use in Egypt. The wide-reaching Law affects private individuals, social media users and companies, public and private sector entities, telecom operators, and any persons or companies in charge of websites or e-mail accounts. All those addressed by the law have one year to comply.

Background

Prior to the issuance of the Cybercrime Law, Egyptian law did not contain a definition of personal data, and privacy was only generally protected by the Constitution, in addition, to one clause in the Criminal Code that protects physical correspondence, private physical spaces, and telephone conversations. Other than that, Communications Law No. 10 of 2003,[2] only sets out the broadest outlines for the regulation, access and protection of information infrastructure, and remains technically outdated. For the past three years at least, various drafts of a cybercrime law have been debated. Some parts of the Law seem to have been adopted to comply with the Arab Convention on Combating Information Technology Offences.[3]

Privacy, Personal Data and State Surveillance

The new CybercrimeLaw defines personal data in a very similar way as the European data privacy legislation: any information relating to an identified or identifiable individual, one who can be identified, directly or indirectly, by combining different pieces of information. Service providers are required to collect and maintain copies of all personal data as well as traffic data and other internet and device data for 180 days and are obliged to keep them private and confidential unless a competent judicial authority orders otherwise. There are no limits, conditions or time constraints for when and how a competent judicial authority may have access to such private information, and a crime need not have been committed. Service providers must also grant the national security agencies – defined as the Presidency, the Ministries of Defence and the Interior, General Intelligence, and the Administrative Supervisory Authority – all the technical abilities required for the performance of their powers on demand, without the need for a warrant, cause or any time limitation. This in effect means those national security agencies have the right to constantly and comprehensively surveil all users en-masse, in apparent violation of Article (57) of the Egyptian Constitution, which states: “Private life is inviolable, safeguarded and may not be infringed upon. Telegraph, postal, and electronic correspondence, telephone calls, and other forms of communication are inviolable, their confidentiality is guaranteed and they may only be confiscated, examined or monitored by judicial order with reasoning, for a limited period of time, and in cases specified by the law…” Moreover, the Cybercrime Law permits Egypt to share any information with any other government if necessary for investigating a crime, and no conditions or time constraints are placed on this power. Rather than define “privacy”, Article (25) of the Law merely contains the penalty for the violation of privacy or “family values’, data-mining and other marketing and spam activities, and any publication of anything that is private - whether or not the information published is true. The Article is a catch-all provision that penalizes these violations with a minimum sentence of six months and a fine of EGP 50,000. As the Law does not define when an expectation of privacy might arise, this clause could criminalize the publication of any photograph taken without a subject’s consent, even if taken in public, or screenshots of chats even by a party to those communications, and this would apply to anyone who shares such material on social media. An even harsher minimum penalty of two years and EGP 100,000 applies to photoshopping or editing someone else’s personal characteristics in a manner that links it to content in violation of public morals, or which affects their status and honour. Neither provision distinguishes between public and private figures, and the Law does not address the use of blackmail, though arguably the relevant provision in the Criminal Code would apply to cybercrimes.

Search and Seizure

The Cybercrime Law grants employees of the National Telecom Regulatory Authority (“NTRA”), and others to be specified by the national security agencies, the right to seize and access all data, devices, and infrastructure by means of a reasoned order or warrant issued by any competent judicial authority. Such access is to last for 30 days that may be renewed once, or permanently in the event of a conviction.

Censorship

Article (7) of the Cybercrime Law sets out the mechanism for censoring and blocking websites deemed to be “a threat to national security or the national economy”, which seems as an attempt to retroactively legalize censorship practices already in place. The Law allows an investigative authority to block a website and a judge must review the order and issue a decision within 72 hours, or to request the NTRA to do it instantly, bypassing judicial review if necessary to prevent harm. Those against whom a censorship decision has been issued may appeal the block seven days after a court decision, and then every three months. The court must determine each appeal within seven days.

Hacking and Related Crimes

The Cybercrime Law criminalizes a wide variety of “unauthorized access” offenses, including hacking, surveillance and tracking, penalizing them with prison terms of upwards of six months and steep fines regardless of the severity of the offense or if harm was caused. For example, the vague language of some provisions could mean that merely accessing a blocked website or any other website deemed “forbidden”, such as by using a virtual private network (VPN) or any anonymizing software such as TOR, would be punishable by imprisonment for a year and a minimum of EGP 50,000.

Financial Cybercrime

The use of technology to commit fraud or access bank information is penalized with upwards of three months in prison and fines of over EGP 30,000.

Impersonation and Parody Accounts

The creation of accounts, profiles and emails in the name of other individuals or legal entities is criminalized, and the penalties are multiplied if the target is a public entity. For example, creating a parody page for a ministry would attract a three-year sentence and a fine of at least EGP 100,000.

“Site Administrator” Crimes

The Cybercrime Law penalizes both site and email administrators in the event of the use of said sites or email accounts to commit crimes or tamper with evidence. In addition, website and email account owners and administrators are held responsible for any crimes committed using their site or email, or even targeting their account or email, if they fail to secure these sites/accounts according to the Law. All such offenses attract prison sentences and substantial fines whether or not the perpetrator had the intent or the ability to commit a crime. For example, the victim of the hacking of a personal email could go to prison for six months and/or pay a minimum fine of EGP 10,000.

Service Provider Crimes

Service providers who fail to censor websites or surveil and track their users for the security agencies are subject to prison sentences of up to one year, to be served by managers with legal responsibility as well as the actual perpetrators, and/or fines of up to 10 million pounds. The Cybercrime Law also imposes a one-year prison sentence for service providers who disclose user data, and a fine of up to EGP 100,000 per afflicted user.

Aggravating Circumstances

If any of the offences created under the Cybercrime Law are committed “with the purpose of disturbing public order, threatening the safety and security of society, harming national security or its economic position, preventing or obstructing authorities, or to suspend the application of the constitution or any law, or harming national unity and social harmony” the penalty is increased to prison with labour for three to fifteen years. The Law does not define any of the preceding terms other than national security, defined as “anything pertaining to the independence, stability and security of the nation and the unity and safety of its territories, and anything relating to the Presidency, the National Defence Council, the National Security Council, General Intelligence, the Ministries of Defence, Military Production and the Interior, and the Administrative Supervisory Authority and their agencies.”

Reporting and Failure to Report Crimes

All those responsible for managing an entity’s website or information technology system or accounts are subject to a prison sentence of three months for failing to report to the authorities that their site, system or account was the target of a crime under the Cybercrime Law at the time that they became aware of such.

Reconciliation and Settlement

The Cybercrime Law permits those accused of any crime under this Law to settle and reconcile their offences with the victims upon approval from the NTRA in some cases. However, in order to benefit from that privilege, the accused must pay at least half of the maximum fine for that offence not refunded even in the event that the victim accepts settlement. In addition, the perpetrator remains liable for any civil damages. Other penalties include being banned from travel for an indefinite period if a prosecutor determines in his discretion that there is a need to do so in connection with a cybercrime, even if no warrant for arrest has been issued. The travel ban can be appealed every three months.   [1] Law No. 175/2018 on the Combating of Information Technology Crimes, Official gazette, Issue No. 32 (bis) (c), 14 August 2018. [2] Law No. 10/2003 Regulating Communications, Official Gazette, Issue No. 5 (bis) (a), 4 February 2003. [3] afte Association of Freedom of Thought and Expression, “Comment on the Arab Convention on Combating Information Technology Offences”, available through this link (in Arabic).