The cabinet this week gave its final approval to the draft of the Cyber Security Act 2023, which will replace the controversial Digital Security Act, making offences under all but four sections bailable. Illegal access to critical information and computer infrastructure, cyber terrorism offences, hacking-related offences and desecration of the national flag and the Liberation War will not be bailable under the proposed law, Cabinet Secretary Mahbub Hossain told reporters.

The cabinet had initially approved the draft Cyber Security Act 2023 in principle in a meeting chaired by Prime Minister Sheikh Hasina on August 7. Two days later, the draft of the act was published on the website of the Information and Communication Technology (ICT) Department, seeking the views of stakeholders within 14 days. It received around 500 responses. There is no indication however that any of these responses have been incorporated in the bill.

The final approval came from the cabinet meeting chaired by Prime Minister Sheikh Hasina at her office on Monday (Aug. 28).

"In the draft law, the offences under four sections are non-bailable, the offences under the remaining sections are bailable," said Cabinet Secretary Md Mahbub Hossain while briefing reporters after the meeting.

"The intrusion into important information infrastructures and others are in section-17, while damaging computers and computer systems are in section-19, cyber terrorist acts and committing such crimes are in section-27, and hacking related crimes are in section-33," he said.

The cabinet secretary said the already filed cases will run under the existing law- Digital Security Act as a provision was incorporated in the proposed law. However, the government is thinking of applying lesser punishment as outlined in the new law to the previous cases, according to Law Minister Anisul Haque, who spoke on the bill the day after its approval by the cabinet.

"The thing is that Article 35 of our constitution clearly states that the first thing is that the trial will be done under the law that was in force at the time of committing the crime, and the punishment mentioned in that law will be given," Haque said.

"There is a point in Article 35 that if the sentence is more than what is stipulated in the new law, then that sentence cannot be given. In the old law, that is, the law under which the crime is committed or the law that was in force at the time of committing the crime, the punishment in that law should be the same. The second is that there can be no other sentence. We've put a lot of thought into it here," the law minister also said.

"If we take Section 21 of the Digital Security Act, the section carries a 10-year jail term. Here today, the new law, i.e., the Cyber Security Act, says five years. Then, the learned Court, before the passing of this Act, if a crime has been committed while the Digital Security Act is in force, the court can give this 10-year sentence. We want to make a system there that does not conflict with the Constitution," he tried to explain.

What we could gather from his effort to explain is that in the old cases filed under the DSA where the stipulated punishment may have been more stringent, the punishments handed down by the court will be in line with the new law, in line with the provision in Section 35 of the constitution.

"Reducing the sentence should not be in conflict with the constitution," the law minister said.

He also indicated there is still a window for stakeholder views to be incorporated in the new law, although rights advocates and defenders might scoff at the suggestion, given their experience with the DSA.

"We will put together the statements of these objects within the 10-day period given by the ICT (Information and Communication Technology) Department and present everything to the Standing Committee. We will give an opportunity to those who want to make their point here to speak before the Standing Committee as they did last time," he said.

Stakeholders remain sceptical

Transparency International Bangladesh, in its reaction to the cabinet-approved draft of the Cyber Security Act, said freedom of expression and independent journalism would still be at risk.

The draft of the Cyber Security Act-2023 includes controversial sections of the controversial "Digital Security Act-2018", although some changes have been made in terms of punishment and non-bailable clauses, TIB experts said during a presentation on Wednesday (Aug. 30).

If the draft becomes a law, a person will face legal harassment if he publishes opinions and information through digital media, they said.

TIB Executive Director Dr Iftekharuzzaman, Advisor and Executive Management Professor Dr Sumaiya Khair were present at the press conference titled "Digital Security Act and Draft Cyber Security Law: A Comparative Review" at TIB Dhanmondi office.

TIB's Outreach and Communication Department Director Sheikh Manzur-e-Alam and Data Protection Officer Dr Md Tariqul Islam conducted the comparative review.

According to sections 8, 9, 10, and 11 of the proposed law, if cybersecurity is threatened, the concerned authority will ask the BTRC to remove both the data and information and 8(2) states that if the law enforcement agencies believe that any information violates the economic activities, security, defence, religious values or public order of the country or incites racial hatred or hatred. If so, law enforcement agencies can take action.

There is no specific definition of these things in this law, so there is ample scope for interpretation and misinterpretation here. In this case, we have to rely on the explanation of law enforcement, which is very dangerous.

"After all, only the name of the Digital Security Act is being changed to the Cyber Security Act. We need to be able to monitor the crimes and frauds that are taking place in cyberspace without curtailing our freedom of expression," the presentation said.

"According to the cyber security policy, security in cyberspace was talked about by 2021, but the cybercrime that has happened in the country so far shows that our technical skills have not increased and we have failed to ensure cyber security," it added.

While the proposed law has provided some hope for cyber security, after the draft was published, it appeared that the title had changed, but no changes had been made to the areas of concern, which is very disappointing.

TIB Executive Director Dr Iftekharuzzaman said, "If the draft cyber security law is passed in the Parliament, there will be a huge risk of it becoming a black law like the Digital Security Act and thereby violating the fundamental rights of the people guaranteed by the Constitution.

"The elements of the draft law, such as the right to freedom of expression, freedom of speech, conscience, thought and media, remain in effect similar to the Digital Security Act. So it's not unreasonable to think that this, like its predecessor, is going to become a restrictive law," he said.

"The situation shows that we are moving to the point of criminalising the rights to freedom of expression, speech and media clearly enshrined in the Constitution. Therefore, the level at which the law is in place cannot be acceptable," he added.

He suggested reviewing the draft law in the light of international experience involving all stakeholders, including experts from the relevant sectors, civil society and the media.

It's true that many of the clauses that made a United States government spokesman brand the Digital Security Act as 'the most draconian law against journalists in the world' are retained in similar form in the new Cyber Security Act. The decrease in non-bailable offences is a positive. The replacement of some prison sentences with only fines is also a positive. But as TIB as well as PEN Bangladesh, the local chapter of the worldwide free speech advocacy group, have pointed out, the definition of the crimes remains such that they can still lead to false or motivated accusations.

"In the proposed law, the punishment for defamatory acts using cyber platforms is set at a fine of Tk25 lakh while the prison sentence is removed. While seemingly positive, the fine amount is large enough for it to be leveraged as a silencing tool against most Bangladeshi journalists and even smaller media outlets," PEN Bangladesh mentioned in a statement prior to the cabinet's final approval.

"Furthermore, if the punishment mentioned in the Panel Code of 1860 for defamation is not amended, the new law is bound to fail. Secondly, the person concerned will have to serve in jail if he or she cannot pay the fine of Tk25 lakh. Sentences could be set as per CrPC for criminal offences and sentences related to journalism," said PEN.

PEN Bangladesh also pointed out that Section 43 of the Digital Security Act, which gives police authority to enter people's homes, search offices, frisk people, and seize their computers, computer networks, servers and everything related to digital platforms, has been retained as is. "This allows the police to arrest anyone out of suspicion without any warrant. This is tantamount to granting the police 'magisterial powers'. Retaining this clause as it is renders many of the other positive changes moot," it said.

"The reduction of sentences and increase of bailable sections is positive but reducing, increasing, or changing the sentences will not protect fundamental human rights. It is meaningless if there is no difference between the character of the DSA and the Cyber Security Act other than a change in name," PEN said.

UN recommendation brushed aside

According to the law minister, the government had been in consultation with the UN and had taken its views into account in the process of drafting the proposed CSA. But this view has been refuted by Irene Khan, UN Special Rapporteur on Freedom of Opinion and Expression, who has come out and said that the recommendations of the UN rights organisations were not reflected in the draft cyber security law.

Among the UN recommendations was the repeal of Sections 21 and 28 of the Digital Security Act. Section 28 of the Digital Security Act states, "If any person or group deliberately or knowingly publishes or disseminates on a website or any other electronic medium anything that is offensive to religious sentiments or religious values with the intention of inciting or hurting religious values or sentiments, the act shall be an offence."

"Such a provision in the law risks encouraging human rights abuses in the name of religion and is inconsistent with the requirement to provide legal guarantees under international law," Khan wrote. Therefore, she believes that Article 28 should be repealed.

"International human rights law protects individuals from intolerance, violence and discrimination based on their religion or belief, but it does not allow restriction of criticism of religious belief or sentiment, or lack of respect for religion," said Khan in a letter sent to the government on August 28, under the mandate of the special rapporteur.

Section 21 criminalises "any kind of propaganda or campaign against the liberation war, spirit of liberation war, father of the nation, national anthem or national flag." According to Section 2(u), the "spirit of liberation war" refers to "the high ideals of nationalism, socialism, democracy and secularism which inspired our heroic people to dedicate themselves to, and our brave martyrs to sacrifice their lives in, the national liberation struggle".

"While appreciating the Government's desire to protect the distinct national historical legacy of Bangladesh, the vague and broadly framed nature of this provision could lead to unlawful restriction of political expression and is not consistent with international law," said Khan in her letter.

"I encourage the government to promote respect for the liberation struggle, the martyrs, and national symbols and values through enhanced public education, awareness programmes and community based activities, instead of pursuing criminalisation," she added.

Irene Khan said, "Criticism of state authorities, including the head of state, and the right to express dissenting opinions about the state's flag, national symbols or historical events are protected by international law."

Khan also recommended that the government replace criminal defamation in the Cyber Security Act and in the Penal Code with a clear, narrowly defined provision on civil defamation, to limit the claim only to those who are directly affected, and to include public interest in the subject matter and truth as valid defences.

"While international law permits the restriction of speech to protect the reputation of others, it should be done through civil litigation by individuals, and not through prosecution by the state under criminal law," she wrote.

Section 29 on criminal defamation and Section 25 on "offensive, false or threatening data-information" of the DSA have been used frequently to detain those criticising the government, she pointed out.

Section 31 again states, "If any person intentionally publishes or broadcasts on the website or digital format anything which creates enmity, hatred or enmity between the various classes or communities concerned or destroys communal harmony or creates unrest or disorder, or causes or is likely to cause deterioration of law and order, such act by such person shall be an offence."

Khan said, "As this provision is formulated vaguely, the government's desire to protect Bangladesh's unique national historical heritage may create restrictions on political expression, which is not consistent with international law."

She also said criminalising the provision of "offensive or false information" is inconsistent with international standards of law and is not effective in combating misinformation and disinformation. The right to free expression applies to all information and ideas, including information or ideas that may offend people, according to the UN Special Rapporteur.

"Open access to a variety of sources of information, including independent and diverse media, and public awareness of digital media and media have proven to be more effective in preventing disinformation," she concluded.