IT and Cyber Security Bill  draft

Some weeks back, the Ministry of Communications and Information Technology made public a draft bill on IT and cyber security in its website and sought feedback on it. Freedom Forum went through the draft bill and made initial observation. Although the bill is relatively progressive for it has included new issues, it has not yet been clear on how it could promote and protect human rights, especially freedom of expression, privacy and citizen’s data online and cyber space.

The bill has been brought to regulate IT and cyber security. As the IT bill tabled in the parliament five years back drew wider criticism, it could not pass. Then development and IT committee under the House of Representatives had proposed comprehensive amendment on it. Similarly, the Ministry had brought Cyber Security Bill last year, which too could not move ahead. As these efforts went abortive, there no option but to formulate new bill on these sector.

With the IT regulation, the present bill covers data protection, cybercrime, cyber security, and privacy. The 47-page bill has 18 chapters, 60 clauses, and a schedule.

In its observation, FF has found vague definitions. Chapter-1 (b) having definitions and later provisions have however unclear words as ‘disrespect of labour’, ‘abetment of untouchability’, ‘indecent content.’

In the definition, guarantee of ‘free, secure and open internet’ is missing in relation to internet freedom. Similarly, ‘access’ is also narrowed. The personal detail is also inconsistent with Privacy Act.

The public agencies are defined in a way they would be understood in a broad manner. The bill must ensure internet freedoms and human rights on cyberspace, but the provisions in it create doubt on it.

Chapter 6 Clause 67 (5,6 and 7) mandates renewal of domain names, and registration of existing domain names within six months of the introduction of this Act are hostile to software freedom. They will curtail citizen’s access to internet.

Section 79 under Chapter 8 is quite problematic. It is challenging in terms of freedom of expression. Value and unclear terminologies including ‘good relations among federal units’, ‘intention to commit illegal act’, ‘dignity’, ‘indecent content’ will brew space for suppression, as these terms can be misused and misinterpreted for lack of clear definition.

Similarly Section 79 (5) mentions ‘other arrangement on it would be as per assigned/delegated’ is highly likely to be misused. It will be misused in the way Section 47 of Electronic Transaction Act is misused.

There are several other points that promote surveillance at the cost of citizen’s privacy and data, investigative journalism and free reporting. Privacy of public agencies/person and individual citizen are different. Public persons/agencies warrant accountability and transparency while common citizen do not need to as equally accountable as public officials are.

It is good point that the Nepal government has been asked to set up a center for excellence for research and development of new technologies such as AI, machine learning, and blockchain. However, it is silent on what would be role and existence of existing mechanism as e-governance commission which is taking ahead digital issues.

Similarly, although the draft bill on IT and cyber security has sought transparent, accountable and safe use of artificial intelligence, machine learning, blockchain, and the internet of things (IoT), it has failed to defining these technical jargons.

As per bill, under data safety, none is allowed to disrupt harmonious relations among federal units, nationality or national unity, dignity, national security, sovereignty, and territorial integrity by the means of the electronic system. It is problematic for having vague and over broader terms ‘dignity’, ‘national unity’, ‘relations among federal units’. There are similar other vague and broader terms that needs to either defined properly or whetted thorough debate accordingly.