South Asia: how trends in ICT law and policy are impacting digital rights

The Indian government is currently considering a report that argues for tougher laws to criminalise online hate speech through amending existing penal provisions. This report comes two years after the Supreme Court of India struck down a provision of the Information Technology Act (S.66A) as vague, arbitrary, and a violation of the fundamental right to freedom of speech and expression. We are now concerned that the amendments proposed in the report use the same kind of vague phrases, and in effect reanimate S.66A since they would be just as prone to misuse as the ones the Supreme Court struck down.

This recent development is just one of many that are important for the future of free expression in the South Asian nations of India, Pakistan, and Bangladesh — collectively home to about 418 million internet users. There are key trends in information and communication technology (ICT) law and policy in the last two decades in South Asia that hold lessons for those fighting for digital rights:

  • ICT laws created in earlier contexts are sometimes expanded and misapplied: What started out as legislation to provide legal recognition for electronic transactions, documents and signatures — and to stop some forms of computer-related offences — today are used to cover a wide range of cyber crimes, including hate speech.
  • Expansion and updates to the legislation has in some cases led to human rights abuse: Lawmakers have often made amendments and updates to the law to cover new crimes in response to increasing concern over terrorism and restoring public order, particularly in the wake of terror incidents. These changes have opened the law to abuse, triggering protest from rights groups, including challenges in constitutional courts.
  • Instead of protecting citizens, these laws often work to undermine digital security and chill speech: Even though updates to the law are intended to provide a safe virtual space for people in South Asia, enforcement has either led — or is likely to lead — to poor digital security, and to have a chilling effect on the freedom of expression.

So what do we do about it? Today we launch a three-part series to decode the development and application of laws across these South Asian nations with reference to two inter-related concepts — digital security and freedom of expression. Our hope is that we can help stakeholders, policymakers, and the public understand the context for current developments and map out a pathway for legislation and policymaking that protects fundamental rights and the future of the free and open internet in South Asia and across the globe.

Below, we begin with an examination of the context, examining the laws that lay the foundation for the expansion and/or misapplication of information technology statutes that endanger fundamental rights.

Context: laws on computer-related offences and online content in India, Pakistan, and Bangladesh

In the year 2000, India enacted the Information Technology Act (IT Act). Pakistan followed suit in 2002, promulgating the Electronic Transactions Ordinance. Then, in 2006, Bangladesh enacted the Information and Communication Technology Act (ICT Act). As we note above, these laws were primarily aimed at providing legal recognition for electronic transactions. However, they also covered offences that can be classified in two categories: computer-related and content-related.

Laws for computer-related offences — missing the crucial element of intent

Here’s a look at relevant provisions and the major issues for digital rights.


IT Act
S.43 – computer-related offences – Providing for damages for a person so affected, for a number of acts if done without the permission of the owner or person in charge of computer, system, or network

S.66 – hacking – Punishable with imprisonment and fine

– Wide range of acts with varying degrees of harm clubbed together – copying of data stands at par with introducing a computer virus.

– No requirement of intent to cause damage in S.43, though there is a requirement of intent in S.66

S.54 – computer-related offences

S.56 – hacking

Both punishable with imprisonment and fine

– It appears that the Indian IT Act provisions have been reproduced, but with more severe punishments and fines (instead of damages)
Electronic Transactions Ordinance
S.36 – Criminalises and severely penalises unauthorised access to an information system

S.37 – Criminalises and penalises several unauthorised but intentional acts and attempts with respect to any information

– No requirement of intent to gain information or even knowledge of nature of content in S.36

– General acts with varying degrees of harm, all grouped together (alter, modify, delete, transmit, store, hinder access)


With catch-all provisions and in the absence of text for specific criminal intent, there is always the danger that the law will criminalise innocuous acts. Such has been the unfortunate experience with the Computer Fraud and Abuse Act in the US. An Expert Committee conducting a review of the Indian IT Act in 2005 also partly identified this an issue of concern, and recommended that Section 66 be amended to say that only when the acts mentioned in Section 43 are done dishonestly or fraudulently should there be a criminal penalty. The rationale was to provide for gradation of offences based on severity, so that acts done unintentionally, for lack of knowledge or out of curiosity, are not criminalised, especially in the early years of internet adoption and integration in daily life.

When the law does not require specific criminal intent, it can also adversely impact people’s capacity to undertake actions that are legitimate and useful for ensuring their own digital security. We will explain how and why in the second post in this series.

Laws for content-related offences — vague and sweeping

In India and Bangladesh, information technology laws also dealt with content-related offences. Here are the relevant provisions and major concerns for digital rights:


IT Act
S.67 – Criminalising obscene content

– Obscene content could be anything which is “lascivious,” appeals to “prurient interest,” or which tends to be “depraved or corrupt”

– Subjective terms that are not explicitly defined in the law

– Provision is evidently reproduced from penal code without the exemptions or protections incorporated in the penal code

S.57 – Criminalising in electronic form content which is:
– fake
– obscene
– hurts religious sentiments
– which could deteriorate law and order
– which could instigate another person
– which could prejudice image of state
– Subjective terms; no definition of any of the terms provided


Using undefined terms in a law that not only censors but also criminalises speech in electronic form is problematic on two counts: (1) there is no framework for citizens to regulate their own conduct, and (2) it places undue and unreasonable restrictions on speech and expression. The right to free expression is a constitutionally protected freedom in India, Bangladesh, and Pakistan. It is also a cherished human right under international human rights law (see Article 19 of the International Convention on Civil and Political Rights, which has been ratified by all the three countries).

In our third post in this series, we will explore how vague, broad provisions make online speech vulnerable to motivated attacks or misapplication of the law, making cyberspace less secure while also chilling free expression.

Expansion: amendments to national ICT laws widen the net of cyber crimes

In 2006, lawmakers in India introduced a Bill in Parliament to amend the Indian IT Act, proposing big changes. Some changes were recommended by the Expert Committee and some were completely novel, like the infamous S.66A which criminalised publishing offensive content (and which seems to have been inspired by the enactment of Section 57 of the Bangladesh ICT Act in October 2006). But before the bill would become law in 2008, there were major developments, most notably the November 2008 Mumbai terror attacks. As an immediate response, lawmakers included additional sections to recognise a wide gamut of new crimes. India intended to supplement this with the National CyberSecurity Policy in 2013, unfortunately without even adequately defining “cybersecurity.”

In 2015, Pakistan introduced the Prevention of Electronic Crimes Act acknowledging that existing laws are not sufficient to deal with newer cyber crimes and criminals. Through the Act, which was enacted in 2016, lawmakers replaced Sections 36 and 37 of the Ordinance and provided for a wide range of offences, again in the context of a number of major terrorist incidents and the spreading influence of international terrorist groups. It is noteworthy that as soon as the law was enacted, it was challenged in the Lahore High Court on the grounds that it violates fundamental rights.

Bangladesh is currently in the process of reviewing the draft Digital Security Act, approved by the Cabinet in 2016. The draft of the Act does not expressly replace any existing provisions of the ICT Act, and therefore, is likely to be read together, creating the possibility of overlapping laws. However, some newspapers have reported that the Law Minister has said that the Act would replace Section 57 of the ICT Act, which has come under heavy criticism for gross misuse (as we mention above, Section 66A of Indian IT Act, loosely based on Section 57, has been declared unconstitutional by the Indian Supreme Court). However, from the draft version, it appears that instead of replacing section 57, it might be reinvigorated.

Issues moving forward: digital security and free expression

The laws have expanded, but what activities do they cover? Here’s are the common types of activities designated as cyber crimes in laws or proposed legislation in India, Bangladesh, and Pakistan:

Computer-related offences:

  • Identity theft or unauthorised use of identity
  • Violation of privacy
  • Cyber-terrorism

Content-related offences:

  • Child-pornography
  • Obscenity
  • Hate speech

Notably, apart from this, the laws provide for procedural powers to state authorities to access, intercept, monitor, and collect data, as well as to demand decryption.

As we have shown, the three countries seem to have responded to changing realities in somewhat similar ways, exhibiting a broader South Asian regional trend. This trend, unfortunately, also triggers consequences for digital rights — specifically, undermining digital security and imposing a chilling effect on freedom of expression. We will explore both of these themes in the posts to follow.