***This article was originally published in June 2015 via The Trinidad Guardian & TechnewsTT. It is being republished given the reading of the Cybercrime Bill, 2017, into Parliament on 5th May 2017.***
I previously presented a partial analysis on the Trinidad & Tobago Cybercrime Bill 2014, entitled “T&T Cybercrime bill demands multi-stakeholder input” which can also be found on my website www.pinaka.co.tt/publications. Within this analysis, some light was shone on perceived problems with outputs of the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) and Electronic Government for Regional Integration Project (EGRIP) model law exercises. Several Caribbean nations have subsequently used the HIPCAR and EGRIP model laws to develop their proposed cybercrime legislation.
A subsequent December 2014, Council of Europe discussion paper, entitled “Cybercrime Model Laws“, has come to light which examines the various cybercrime outputs from model law exercises in the context of the Budapest Convention. This Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security.
In this discussion paper, the importance of having proper model law upon which to base legislation development is explained by the author, Zahid Jamil, Barrister-at law. The paper goes further to explain problems of developing legislation based on poor model law by describing the possible situation which states may find themselves in, when seeking international cooperation:
Thus, poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries (especially many members to the Convention) from whom they may seek cooperation would never view as cybercrime.
The paper is also very critical of the methodology adopted in carrying out some model law exercises. For example, in summarizing the methodology employed in the ITU run @CP-ICT Programme which resulted in three model law exercises including HIPCAR, the paper states:
The Models largely appear to have been prepared through input from participants at workshops rather than representatives or experts with an official mandate from State parties and have not received any official assent from the general body of the ITU.
Of interest to the Caribbean, the paper includes analysis and discussion of the HIPCAR and EGRIP model law exercises and highlight significant problems with not only the methodology but also the eventual outcome of these exercises. For example, specific to the HIPCAR model law output, the paper highlights various deficiencies, continuing:
Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.
The question which comes to my mind at this point is: are there any instances of problematic model law clauses which have been subsequently incorporated into actual Caribbean cybercrime legislation? In performing analysis on the HIPCAR model law, the paper cites several instances of ‘invention of offences’. Among these is one item in particular concerning illegally remaining on a system:
It attempts to invent an offence of “Illegal Remaining” which relates to conduct after the initial illegal access of the computer system. The offence considers the conduct of remaining logged in by the offender without any further action or consequence to be an aggravated offence of illegal remaining.
Subsequent analysis of Trinidad and Tobago Cybercrime Bill, 2015, reveals clause 6 which speaks to an offence of illegally remaining on a system as described above. Hence, is Trinidad and Tobago considering the creation of an offence which is inconsistent with international best practice? There are some other instances of problems with the HIPCAR cybercrime model law, as cited within the paper, which seems to have been subsequently integrated into our cybercrime legislation; however, I leave this up to others to explore and comment.
Is this kind of deviation from international norms a legitimate concern? There may very well be legitimate reasons for these deviations, but it is incumbent upon the Government to explain same. The question also arises as to which other Caribbean states may have issues with their proposed cybercrime legislations based on HIPCAR and EGRIP exercises? The paper cites that the EGRIP model law is even more divergent and problematic than the HIPCAR model law and highlights the case of Grenada which needed to remove certain EGRIP derived clauses from its cybercrime legislation.
In my previous July 2014 article I commended the efforts of Dominica to go beyond the HIPCAR and EGRIP model law efforts in seeking out assistance from the Council of Europe, OAS and Commonwealth Secretariat to review their proposed cybercrime legislation and ensure compliance with the Budapest Convention. Is this the solution which other Caribbean states should be exploring?
At this juncture when we debate the future of own cybercrime bill, I again make the call for better stakeholder engagement in the development of this legislation and maybe even a review in light of the findings of this paper.
Additional food for thought…
What about the other laws within Trinidad & Tobago’s e-Legislative agenda which were derived from the HIPCAR exercise?
Do the methodology problems found in the HIPCAR cybercrime model law exercise extend to these other model laws as well?
How sufficiently differentiated is our e-Legislative agenda from the HIPCAR model laws?