MENA Cybercrime Laws

When “cybercrime” laws infringe human rights: lessons from the Arab region 

Next month, the UN General Assembly (UNGA) looks set to adopt a new convention on cybercrime; despite myriad warnings from civil society that, as it stands, the convention poses serious threats to digital rights worldwide.

These threats will be particularly acute in the Arab region, where expressing your sexual orientation online, criticizing a government, or simply deleting a conversation can land you in prison for committing “cybercrimes.” If adopted, this binding UN treaty — which pays lip service to human rights while lacking any actual safeguards — will only embolden authoritarian regimes in the Arab region and worldwide to justify digital repression, at home and abroad, with a veneer of legitimacy. This, in turn, risks detering international cooperation for tackling genuine real cybercrimes, due to equally genuine human rights concerns.   

In this post, we show exactly how countries in the Arab region have been leveraging cybercrime laws to suppress digital rights — and why this should serve as a warning for governments considering ratifying the UN convention. 

Cybercrime laws built for censorship

Too often wielded by governments to silence dissent, cybercrime laws across the Arab region threaten freedom of expression.  Firstly, many of these laws outlaw various different kinds of online speech under vague and imprecise terms, such as criminalizing content that undermines the “prestige of the State” (Syria, United Arab Emirates), content deemed to “harm public morals” (Saudi Arabia, Egypt), or content perceived as diminishing “the value of Islam” (Mauritania, Jordan). 

Article 19 of the International Covenant on Civil and Political Rights (ICCPR) states that any restriction on the right to freedom of expression must comply with the principles of legality, legitimacy, necessity, and proportionality. Yet several Arab countries’ laws go well beyond these provisions, criminalizing “character assassination via social media” (Jordan), “solicitation to commit lechery” (Oman), and “condoning sins” (United Arab Emirates). These offenses are deliberately ambiguous and open-ended, allowing authorities to use them to stifle dissent, and leaving individuals uncertain and fearful as to how their online content may be interpreted, investigated, and potentially prosecuted. This undermines the right to freedom of expression and fosters a climate of self-censorship.

Secondly, there are more content-based offences outlined in the cybercrime laws of Saudi Arabia, Jordan, Libya, and others than “cyber-dependent” crimes — i.e. crimes made possible by technology. This shows how the governments in question are more interested in cracking down on dissent and in controlling online speech than in tackling genuine cybercrimes. This is why we have repeatedly warned against content-based offenses being included in either national or international cybercrime legislation. 

Thirdly, many forms of online expression are already prohibited under press laws or penal codes, which might levy fines for libel or privacy violations; yet “rebranding” them as forms of cybercrime allows for harsher criminal penalties and sanctions. For instance, Tunisia’s Cybercrime Decree-Law criminalizes defamation and libel with a penalty of up to 10 years in prison — even though these offenses are already covered under Decree-Law No. 115 on the Freedom of the Press and are punishable with a fine of USD $700. Similarly, Oman’s Cybercrime Law criminalizes defamation and slander with up to three years imprisonment, despite these offenses being addressed in the country’s Penal Code (where the maximum penalty outlined is six months). This is yet another violation of the ICCPR’s call for principles of legality, legitimacy, necessity, and proportionality to be applied when restricting the right to freedom of expression. 

In the Arab region, cybercrime laws allow governments to seize devices or deploy surveillance with little to no safeguards, imposing a kind of “state of emergency” that crushes freedom of expression under the pretext of fighting crime or preserving national security.

Privacy under threat

The human rights safeguards mentioned in the UN cybercrime convention are wholly inadequate. These fail to reflect the reality of Arab countries’ laws, which  prioritize neither human rights nor the guarantee of a fair trial and the presumption of innocence. 

Cybercrime laws in Tunisia, Mauritania, Libya, and Palestine allow for surveillance and for communications to be intercepted, without sufficient safeguards. A detailed analysis of these provisions demonstrates a complete lack of adequate safeguards for protecting the right to privacy. For example, in none of these countries are authorities required to notify individuals subjected to surveillance that an investigation has concluded, depriving them of any right to redress if the laws were violated.

Meanwhile, in Algeria, Lebanon, Palestine, Tunisia, and Egypt, cybercrime laws require telecommunications service providers to preemptively and systematically collect large amounts of user data, without the need for judicial authorization. Companies are then obliged to store this data for years, on the pretext it might be needed for future criminal investigations targeting specific individuals.  

This kind of mass data collection and processing allows for precise conclusions to be inferred about people’s daily habits and movements, their usual place of residence, their social connections, and other details. As such, this practice is excessive and disproportionate, breaching people’s rights to privacy and data protection. The Court of Justice of the European Union (CJEU) ruled as much when it found that forcing telecommunications service providers to preemptively and automatically store traffic data for all users, without any suspicion of someone having committed a specific crime, constituted an infringement of the right to the protection of personal data and private life.

Time to think twice on the UN cybercrime convention

Access Now has been actively working to help ensure that the first legally binding, UN-led cybercrime convention upholds, rather than undermines, human rights. However, we are deeply concerned that, in its current draft, the treaty’s lack of sufficient human rights safeguards will facilitate violations of international human rights law. In particular, the treaty’s broad scope means it encompasses activities that should be protected under international human rights law or that are unrelated to cybercrime.  

For instance, it will allow governments to cooperate with each other in collecting electronic evidence for “serious crimes,” defined as any offense punishable by a sentence of at least four years’ imprisonment. But this vague definition could encompass national offenses such as defamation of officials (e.g.Tunisia’s Cybercrime Decree), blasphemy (e.g. Saudi Arabia’s Cybercrime Law), or other protected activities, including online expressions of sexual orientation or LGBTQ+ identity, which, as outlined above, all carry severe penalties in their respective countries. Consequently, such provisions could activate sweeping surveillance powers and enable data sharing between countries with poor track records of protecting human rights.

In addition, the UN cybercrime convention stipulates that countries must ensure that criminal offenses outlined in other UN conventions are also considered offenses under this convention, when the former are committed using technology. For instance, inciting hatred against certain racial or religious groups, which is already prohibited by the ICCPR, would also be a crime under the UN cybercrime convention when expressed online. This could open the door to even greater cooperation on content-based offenses, further undermining freedom of expression in the Arab region in particular.

Finally, it’s important to note that the cybercrime convention does not prevent countries from sharing or using electronic evidence obtained in violation of human rights, leaving this decision for individual countries to make based on their respective, and varying, human rights commitments. But if governments can exchange and use all electronic evidence for criminal investigations, no matter how it was obtained and who from, this could create a digital equivalent of the Guantanamo Bay detention center, whereby evidence collected with minimal regard for the rule of law is used to undermine established national legal frameworks. This would set a troubling precedent, eroding trust in judicial integrity and threatening the founding principles of democracy. 

Our recommendations

In light of the above, we strongly urge UN member states reconsider their support for this treaty, and to:

  • Call a vote, and vote against or, at the very least, abstain from voting on the adoption of the convention at next month’s UNGA meeting; 
  • Resist its ratification at a national level, and ensure robust deliberation on its human rights impacts; 
  • Decline to participate in the signing ceremony held in Vietnam; and 
  • Emphasize the need for further improvements to the convention’s human rights, procedural law, and other safeguards during upcoming negotiations that will elaborate and potentially expand its definition of “serious crimes” (the Optional Protocol negotiations).

We also call on UN member states from the Arab region to revise their respective cybercrime laws to align with international human rights standards, and to do so by engaging with various stakeholders, including civil society. This would demonstrate a commitment to implementing the UN’s cybercrime convention in good faith.You can read our more detailed, Arabic-language analysis of cybercrime laws in the Arab region here.