After hastily approving 14 articles of Egypt’s cybercrime prevention bill on Tuesday, Parliament’s Communications and Information Technology Committee (CITC) convened another meeting the following day to further review the proposed legislation.
Members of the committee were largely absent from the Wednesday discussion, which, as with previous meetings, was attended by a significant number of state officials, including representatives from the State Information Service and the ministries of defense, interior and culture.
The CITC endorsed six more articles of the government-drafted bill which, if passed, would be the first piece of legislation to regulate what is published on social media, establish principles to confront cybercrimes and set a precedent in regulating web censorship.
Three committee sessions have been held so far, the first of which was on March 5, and 27 of the bill’s 45 articles have been approved.
The sections approved in the earlier meetings included articles pertaining to the regulation of web censorship, appeals against blocks on access to websites, travel bans and a definition of national security, while discussions on the definition of “website” and several portions of the proposed law that were contested by state and military representatives were postponed.
Nidal al-Saeed, the head of the CITC, affirmed on Wednesday that all comments on the bill would be taken into account. “The Communication [and Information Technology] Ministry’s role ended once the bill was referred to us. It is our responsibility, and we will not approve anything that we do not agree with,” he said. “All remarks will be taken into account. This task was commissioned to us by the speaker of Parliament.” Saeed, however, did not specify how many CITC meetings were scheduled for further discussion of the bill.
During the most recent meeting, an amendment was made to Article 22, which provides for a minimum fine of LE100,000 and a six-month prison sentence for anyone who intentionally blocks, crashes, impairs the functioning of or interrupts an information network in any way. The amendment, which was proposed by one of the many state officials in attendance, extends the penalty to anyone who damages or interrupts a network unintentionally.
The article adds: “If the offense is committed on an information network that is affiliated with, administered by or owned by the state or a public legal person, the penalty shall be imprisonment in a maximum security prison and a fine of no less than LE500,000 and no more than LE1 million.”
The CITC approved Article 23 without any amendments. The article provides for a minimum two-year prison sentence and a fine of between LE300,000 and LE500,000 for anyone who “possesses, obtains, acquires, sells, makes available, manufactures, produces, imports, exports or circulates any devices, equipment, software, passwords, access codes or similar data without authorization from the agency, and is proven to have done so with the intent of committing or facilitating any of the crimes outlined in this law, or concealing the evidence or outcomes thereof.”
The article pertaining to credit card and online payment fraud was also passed with amendments. Article 24 states that anyone who uses an information network or information technology to unlawfully access bank card data or that of other online payment methods will face a minimum three-month prison sentence and a fine of between LE30,000 and LE50,000. Stricter penalties are imposed if the above is carried out with the intention of acquiring the property of others. The amendments, however, reduced these from a one-year sentence and minimum LE100,000 fine to a six-month sentence and a minimum LE50,000.
Saeed praised the amended article, calling it one of the most significant parts of the bill. “This is the year of financial inclusion, one that requires a legislative atmosphere to outlines obligations and rights,” he said.
Crimes involving fraudulent websites, personal accounts and email addresses are addressed in Article 25. Anyone found to have created a fraudulent site or account and attributed it to a natural or legal person will face a minimum of three months in prison, and a fine of between LE10,000 and LE30,000. This increases to a one-year sentence and a fine of between LE50,000 and LE200,000 if the websites, personal account or email address causes harm to a person. If the victim of the crime is a public legal person the fine increases to between LE100,000 and LE300,000.
Among the approved portions of the bill was Article 26, which criminalizes the violation of citizens’ privacy and “illegal” digital content.
During the Wednesday meeting, Mohamed Hegazy, the Communication and Information Technology Ministry’s representative, raised the issue of the potential use and misuse of personal data. “This is something a lot of people suffer from, which is why the bill tackles the use and exploitation of citizens’ data, especially in regards to club and syndicate elections,” he said.
He mentioned the German Center for the Extermination of Insects and Rodents, which he cited as an example of an instance in which promotional text messages were sent to citizens in a way that violated their rights and misused their personal data. “The bill extends to social aspects. It is not intended to legislate against the freedom of expression,” he said. “This law has come 17 years late.”
The article stipulates a minimum prison term of six months and/or a fine of between LE50,000 and LE100,000 for anyone who is found to have “violated the family values observed in Egyptian society or someone’s personal life, frequently sent a large number of electronic messages without recipients’ consent, sold [their] data to an electronic platform or website for the promotion of goods or services without their consent or used the internet or information technology to publish information, news, photos or the like which violate any person’s privacy, regardless of the truthfulness or falseness of such information.”
Another provision approved on Wednesday stipulates penalties for anyone who “intentionally uses a computer program or a piece of information technology to process the personal data of another with the intention of associating them with content that is contrary to public morals or presenting them in a manner that would tarnish their image or reputation.” Article 27 imposes a minimum two-year prison sentence and a fine of between LE100,000 and LE300,000.
Contention over Article 2, which pertains to the obligations and duties of ISPs regarding cooperation with security bodies, was also resolved during the most recent meeting.
The Defense Ministry’s representative had raised objections on Tuesday about the phrasing of a section of the article that requires ISPs and their affiliates to make all technical resources available to security bodies upon their request.
Where the initial phrasing stipulated that ISPs shall be required to provide “all available technical resources,” the CITC amended and subsequently approved the article in line with the ministry representative’s suggestions. The amended version states that, in accordance with the guarantees to private life enshrined in the Constitution, ISPs and their affiliates must undertake to provide “all technical resources including equipment, systems and software” upon the request of national security bodies.
The ministry representative’s concern rested on the word “available,” which he said had been added after the State Council’s Legislative and Fatwa Committee reviewed the bill, and which was subsequently removed. Saeed explained during Wednesday’s meeting that the CITC elected to use the phrasing “all technical resources” without “available,” which he said was intended to avoid the withdrawal of cooperation by ISPs.
“National security entities are entitled to make requests of ISPs for the general good of the country, and ISPs must cooperate with them. They would never infringe on rights. They will only request such resources for the greater good,” said Saeed.
Several attempts have been made in recent years to pass cybercrime legislation. The Justice Ministry submitted a bill to the Cabinet in March 2015, and, in May 2016, member of Parliament Tamer al-Shahawy submitted another draft which bore a striking resemblance to the ministry’s proposed legislation. Several rights organizations voiced concern regarding the bill at the time and said that it “violate[d] the principle of equality before the law and penalize[d] the use of information technology,” arguing that “the legislators who drafted the law have reached a maximum level of animosity toward the internet. If such a strict law passes, there would be no room for any further measures short from a total ban on internet use.”
Several months later, in September 2016, the Cabinet’s Legislation Reform Committee submitted another bill called the “IT Crimes Law,” which is the most similar to the legislation currently under discussion.