When was the last time when you or someone you know shared a bad experience or a complaint about a person in Facebook or Twitter?  A good bet is that a longer time has passed than if this question was asked a year ago.  The reason for this is probably Republic Act No. 10175, also known as the Cybercrime Prevention Act of 2012, which President Noynoy Aquino signed into law on September 12, 2012.

A. Cybercrime Offenses

The Act primarily punishes cybercrime offenses, defining “cyber” broadly as “computer or a computer network, the electronic medium in which online communication takes place.”  These offenses are divided into three main groups, namely, a) offenses against the confidentiality, integrity and availability of computer data systems; b) computer related offenses; and c) content related offenses.

Offenses against the confidentiality, integrity and availability of computer data systems are composed of 1) illegal access; 2) illegal interception (made by technical means); 3) data interference (includes introduction or transmission of viruses); 4) systems interference; 5) misuse of devices (includes the sale and possession  of devices and password for the purpose of committing a cybercrime; and 6) cyber-squatting.

Computer related offenses are 1) forgery; 2) fraud; and 3) identity theft.

Finally, content related offenses are 1) cybersex (for favor or consideration); 2) child pornography (penalty imposed is one degree higher than that provided for in the Anti-Child Pornography Act of 2009); and 3) unsolicited commercial operation–unless (i) there is prior affirmative consent from the recipient; or (ii) primary intent of the communication is for service and/or administrative announcements from the sender; or (iii) the following conditions are present: (aa) it contains a simple, valid and reliable way for the recipient to reject receipt of further commercial electronic messages from the same source; (bb) it does not purposely disguise the source of the electronic message; and (cc)   it does not purposely include misleading information in any part of the message in order to induce the recipients to read the message; and 3) libel (as defined under Article 355 of the Revised Penal Code).

The Act also punishes aiding or abetting and attempting to commit a cybercrime.    If the punishable offenses are knowingly committed on behalf of or for the benefit of a juridical person, by a natural person who has a leading position within the structure of the juridical person, the juridical person may be held liable along with the natural person.

B. Online Libel

A very strong opposition arose against the implementation of the Act primarily because of the inclusion of “online” libel as among the offenses punishable.  Oppositionists have harped on the recent trend in other nations to decriminalize libel, to free citizens from the chilling effect that any penal statute may have on the exercise of the freedom of expression.   While new legislation and international treaties have been passed and ratified to internationally recognize and locally protect the right of persons to freely share and receive information and demand transparency, the Act is being criticized for moving a step backward to the dark days of state censorship.

Moreover, the Act is also criticized by academicians, human rights advocates, bloggers, and journalists for imposing a heavier penalty for the commission of online libel than what the Revised Penal Code proscribes.  Section 6 of the Act provides that all crimes defined and penalized under the Revised Penal Code and special laws, if committed by, through and with the use of information and communication technologies, shall be penalized by one degree higher than that provided for by the Revised Penal Code and special laws, as the case may be. The use of the cyber medium appears to be considered as an aggravating circumstance in the commission of any crime.

C. Enforcement and Implementation

The National Bureau of Investigation (NBI) and the Philippine National Police (PNP) have been tasked with the enforcement of the Act.  Both agencies have been authorized to organize a cybercrime unit to exclusively handle cases involving violations of the Act and been given the authority to conduct the following:

1)      Real time collection of traffic data (excluding the content and identities) – In this connection, if with due cause, traffic data may be collected or recorded by technical or electronic means in real time.   However, all other data to be collected, seized or disclosed, will require a court warrant.  The court warrant shall only be issued upon written application and the examination under oath or affirmation of the applicant and the witnesses he/she may produce and the showing that (i) there are reasonable grounds to believe that a cybercrime has been committed, or is being committed, or is about to be committed; (ii) there are reasonable grounds to believe that evidence that will be obtained is essential  to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes; and (iii) there are no other means readily available for obtaining such evidence (Section 12).

2)      Order the preservation of content data for a period of six months from the date of the receipt of their order by the service provider.  The NBI and the PNP may order a one-time extension of another six months (Section 13).

3)      Order the disclosure of computer data (upon securing a court warrant) – In this connection, the NBI and the PNP may require any person or service provider to disclose or submit subscriber’s information, traffic data or relevant data in one’s possession or control within 72 hours from the receipt of the order in relation to a valid complaint officially docketed and assigned for investigation and the disclosure is necessary and relevant for the purposed of investigation (Section 14).

4)      Search, seizure and examination of computer data (where a search and seizure warrant is properly issued) – In this connection, the NBI and the PNP may conduct interception, and (i) secure a computer system or a computer data storage medium; (ii) make and retain a copy of those computer data secured; (iii) maintain the integrity of the relevant stored computer data; (iv) conduct forensic analysis or examination of the computer data storage medium; and (v) render inaccessible or remove those computer data in the accessed computer or computer and communications network.

Law enforcement authorities may order any person who has knowledge about the functioning of the computer system and the measures to protect and preserve the computer data therein to provide the necessary information to enable the undertaking of the search, seizure and examination.   They may also request an extension of time to complete the examination of the computer data storage medium and to make a return thereon for a period no longer than 30 days from date of approval by the court (Section 15).

In order to ensure its integrity and non-violability, all examined computer data, shall within 48 hours after the expiration of the period fixed, be deposited with the court in a sealed package, accompanied by the affidavit of the law enforcement authority stating the dates and times covered by the examination, and the law enforcement authority who may access the deposit.  They shall also certify that no duplicates or copies of the whole or any part thereof have been made, or if made, that all such duplicates or copies are included in the package deposited with the court.  The package shall not be opened, or the recordings replayed, or used in evidence, or their contents revealed, except upon order of the court, with due notice and opportunity to be heard to the person/s whose communications have been recorded (Section 16).

Upon the expiration of the periods provided in Section 13 and 15 of the Act, service providers and law enforcement authorities shall immediately and completely destroy the computer data subject of a preservation and examination (Section 17).

The Department of Justice is also authorized to exercise its exclusionary or take-down powers when a computer data is prima facie found to be in violation of the provisions of the Act (Section 18).  This new precautionary measure, which is reported to have not been included in the earlier versions of the Act but was later inserted during the amendments of the Senate plenary,  now allows the government to speedily restrict or block access to computer data sans a court order.

D. Universal Jurisdiction

The Regional Trial Court shall have jurisdiction over any violation of the Act including any violation by a Filipino national regardless of the place of commission.  It is sufficient that any of the elements of the cybercrime was committed within the Philippines or committed with the use of any computer system wholly or partly situated in the country, or when by such commission any damage is caused to a natural or juridical person who, at the time the cybercrime was committed, was in the Philippines.

On October 9, 2012, the Supreme Court issued a temporary restraining order, stopping implementation of the Act for 120 days.  We should soon know the fate of the Cybercrime Prevention Act of 2012.

(Ricky Ongkiko and Ronald P. de Vera co-authored this post.)