
Cybersecurity Bill Puts Freedom of Expression and Data Rights at Risk

Techpana

Bhadau 1, 2082 18:36


Kathmandu: Digital Rights Nepal has expressed concern that the Information Technology and Cyber Security Bill 2082, presented by the government to the House of Representatives, contains provisions that could seriously affect freedom of expression, data security, and digital rights. In a detailed review of various sections of the bill, the organization pointed out the legal complications and risks of misuse it may cause.

Analysis of unclear definition and impact on freedom of expression
Section 88 (1) of the bill states that “obscene material” should not be produced, collected, sold, distributed, published, broadcast, or displayed. Those involved in such acts are punishable by imprisonment of up to two years, a fine of two hundred thousand rupees, or both.

However, the analysis paper states that since there is no clear definition of obscene material, this section may be misused and directly affect freedom of expression and artistic freedom of the media, artists, or the general public. Digital Rights Nepal has suggested that obscene material should be defined clearly, contextually, and legally.

Incomplete data protection provisions
While Chapter 10 of the bill makes some positive provisions for protecting personal privacy, they have been found to be insufficient. According to Digital Rights Nepal, the bill leaves out basic provisions such as the right of data subjects to access, rectify, delete, or object to the misuse of their data.

The special security measures for sensitive data (such as health and finance) and the standards for cross-border data transfer are unclear. In addition, Digital Rights Nepal argues that the ambiguity of the data retention period (Section 65) leaves service providers uncertain and increases the risk of unnecessary surveillance of personal data.

Undefined scope of "sensitive information infrastructure"
The bill obliges owners of “sensitive information infrastructure” to provide the National Cyber Security Center with necessary information, conduct security audits, and assist in monitoring (Sections 55–58 and 47). However, the bill does not define sensitive information infrastructure and empowers the government to specify it by publishing a notice in the Nepal Gazette (Section 54). Digital Rights Nepal has stated that this creates a risk of misuse by allowing arbitrary restrictions on the information infrastructure of critics of government policies or certain individuals and groups.

Silence on the definition of gender-based violence and cybercrime
This bill, which repeals the current Electronic Transactions Act, has been found unable to address crimes such as gender-based violence, cyberstalking, cyberbullying, and sextortion committed using technology. Although the government has acknowledged the need for a new law to address such crimes, the analysis paper has raised concerns about the absence of such provisions in this bill.

The definition of cybercrime and its system of punishment also fail to clearly reflect current realities. The lack of a minimum punishment limit poses a risk of inequality in judicial discretion.

Complexity in domain name management
Chapter 5 of the bill makes provisions for domain name registration, management, and regulation. Although Section 39 gives the Department of Information and Technology responsibility for managing and regulating all domains, it has been noted that this provision is broad and impractical, since the regulation of international top-level domains like .com and .org does not fall under Nepal’s jurisdiction.

In addition, there is no clarity about the selection process for domain name operators or the future of the current .np system. It has also been pointed out that the provision of keeping geographical, touristic, and religious names on the safe list (Section 41) limits freedom and commercial use by legitimate users, while the requirement of mandatory approval from the ministry for each name is impractical.

Liability and definition of service provider
Section 2 (a, d) of the bill narrows the definition of service provider, and it has been suggested that the definition should include Internet service providers, network service providers, hosting service providers, domain service providers, and others.

Although Section 64 exempts service providers from liability for third-party information, Digital Rights Nepal argues that the provision of liability for incitement or assistance in illegal activities undermines the concept of a free internet.

Double provisions and imbalance in punishment
The provision on violation of personal privacy in Section 86 of the bill already exists in Section 19 of the Privacy Act, 2075, creating duplication in the law. Since the punishment limits for the same type of offense differ in both laws, questions have been raised about judicial impartiality.

Digital Rights Nepal concluded that although the objective of the Information Technology and Cyber Security Bill is important, its vague definitions, duplications, and incomplete provisions raise serious questions about its intent and constitutional basis. The organization emphasized that extensive consultations and necessary amendments should be made before the bill is passed in parliament, so that it becomes clear, citizen-oriented, human rights-friendly, and supportive of information technology development.

 

Last updated: Bhadau 1, 2082 18:36