Since the executive regulations of the Anti-Cyber and Information Technology Crimes Law (Cybercrime Law) were issued, the General Prosecution has expanded in referring cases of digital nature to the Economic Court, being the competent court for hearing this type of crimes.1 During the period following the issue of the executive regulations – more than 18 months – the problems related to the lack of accuracy and clarity of law texts began reflecting obviously in the judicial practices, especially the text of Article 27 as it is considered one of the most used articles by the General Prosecution to charge social media users. It can be said that there is a great expansion in using Article 27 for charges in the General Prosecution orders of referral and registration/description of cases of digital nature. This caused anybody who committed a crime through a website, an account, an email, or even through instant messaging apps like WhatsApp, to be considered an administrator of a website or an account. This proves that there is a mistaken understanding by the General Prosecution of the legislative objectives meant for the Article’s text, which will be explained later, thus forcing the courts to interpret it and remove it from the list of charges. The danger of clarity absence of the text creates a situation that contributes in one way or another to legal instability and fears that clearly impact a set of rights and freedoms, which questions the constitutionality of the article.
The concept of the crime of administering and using a website or an account with the purpose of committing a crime punishable by law
In other cases, not specified by this law, whoever established, administered, or used a website or a private account on an information network aiming to commit, or facilitate committing a crime punishable by law, is punished by no less than two years in prison and a fine of no less than a hundred thousand bounds and no more than three hundred thousand bounds, or by either of these two punishments.
Article (27), Law 175/2018, concerning Anti-Cyber and Information Technology Crimes “Crimes Committed by Website Administrator”
Article 27 is among the articles of Chapter 4 of the Cybercrime Law under the title “Crimes Committed by Website Administrator.” It is understood in this legislative context that the common link in the articles of this chapter of the law – Articles 27, 28, and 29 – is that the legislator doesn’t imagine the crimes specified to be committed by anybody who doesn’t have the job of a website administrator. The subject of this text then is whoever the description is applicable to him/her and nobody else, as per the definition of this description at the beginning of the law which is “every person responsible for organizing, administering, monitoring, or preserving one or more websites on the information network, including the rights of access to all the users, design, creating and organizing pages or content, or being responsible for the website.”
Article 11 of the executive regulations of that law has explained the responsibilities of the website administrator, as it stipulated that “everyone responsible for administering a website, a private account or email, or an information system, whether a natural or a legal person as per Article 29 of this law, is responsible for taking the technical security measure and procedures required as per the responsibilities specified by Article 2 of these regulations concerning administrators of information technology service providers websites. Administrators of websites of information technology service providers, which own, administer, or operate critical infrastructure are responsible for the obligations specified by Article 3 of these regulations. The legal representative and actual manager of information technology service providers are responsible for proving that the facilities enable website administrators of taking the measure and security precautions required for his/her/its job. In all cases, the legal representative, the actual manager, and the website administrator of any service provider are responsible for making available the encryption codes of it to the competent court, or investigative entities in case of an investigation of any complaints, filed claims, or lawsuits when officially demanded by these entities.”
It is clear by the above that the legislator has formulated a specific definition of the website administration job, setting a specific number of technical and technological responsibilities, and obligations for it, and has set criminal penalties aiming to punish the website administrator for misconducting or neglecting any of them, or abusing his/her/its job competencies. Holding a person accountable for any of the crimes specified by articles 27, 28, and 29, is conditioned by the proof of legal or factual status before committing the crime, which is being a website administrator. This status is subject to the rules and provisions stipulated in this law and its executive regulations.
Problems related to the wording of Article 27 of the Cybercrime Law
A – Expansion of assigning the concept of websites and account administrator
The direct reading of Article 27 text and the definitions related to the concept of website administrator clear that applying the text of the article is conditioned by the status of website administrator, as it is a pre-assumed element for the materialization of the crime. This also is applicable to the crimes specified by articles 28 and 29 of the law. However, by reading the texts of these three articles; the legislator has explicitly specified this pre-assumed element. Article 28 stipulates that “anyone responsible for administering a website, a private account or email, or an information system, is punishable by no less than six months in prison, and a fine of 20,000 – 200,000 EGPs, or either of the two punishments if he/she hid or tampered with digital evidence.”
Also, in the first paragraph of Article 29, which stipulates that “anyone responsible for administering a website, a private account or email, or an information system, is punishable by no less than a year in prison, and a fine of 20,000 – 200,000 EGPs, or either of the two punishments, if he/she exposes any of them to any of the crimes specified in this law.” Also, in the second paragraph of the same article “anyone responsible for administering a website, a private account or email, or an information system, is punishable by no less than six months in prison, and a fine of 10,000 – 100,000 EGPs, or either of the two punishments, if he/she by negligence, has caused any of them to be exposed to any of the crimes specified in this law.”
While the text of Article 27 came absolute and addressed everybody without limiting itself to website administrators exclusively, as it stated that “In other cases, not specified by this law, whoever established, administered, or used a website or a private account on an information network aiming to commit or facilitate committing a crime punishable by law, is punished by no less than two years in prison and a fine of no less than a hundred thousand bounds and no more than three hundred thousand bounds, or by either of these two punishments.” By this exception the article’s text has sunk into great ambivalence, so its content became unspecified, hidden, and unclear, thus the truth of its aim became absent, and its application became relative to personal dispositions and interpretation stemming from a special understanding of those applying it.
B – The contradicting judicial applications and interpretations due to the vagueness of Article 27
Judiciary rulings and interpretations of Article 27 of the Cybercrime Law have been contradictive due to this vagueness and unclarity. This appeared in the criminal courts’ rulings issued by the Economic Court, and the charging orders issued by the General Prosecution. Some see that the content of this text addresses everybody, and others see that it addresses only website administrators exclusively – as per the law and its executive regulations – thus excluding out of criminalization and punishment whoever didn’t have the status of website administrator, with criminal responsibility limited to them and not expanding to others except as associates to the crime. The second interpretation was supported by some judiciary ruling; so a ruling by Cairo Economic Court (CEC) states “the legislator as per the text of Article 27 has meant by website administrator those concerned with managing and operating websites used by regular users, and the legislator didn’t address the matter of regular users using their personal private accounts, thus both the material and ethical pillars of this crime are absent, and the use of the defendant of his own personal private account on social media application WhatsApp is not criminalized by Article 27 of law 175/2018 as he is a user of his personal account.”2
By the ruling of the same court, “the court should, before investigating the material and ethical pillars of this crime, make sure that the pre-assumed condition is established, which is the pre-assumed and basic condition of this crime to be established, as assigned to its perpetrator, as it is a crime of those with specific status for whose establishment the law has set the condition that its perpetrator should have a special status which is being the website administrator, and which is not the case of the defendant being no more than a regular user of an account on a social media site (Facebook, WhatsApp, …) and not an administrator of these websites which are managed by its in charge managers responsible for the policy and security of the website, and other responsibilities specified by the executive regulations of the law. Accordingly, this pillar has collapsed, which is a pre-supposed condition for establishing this crime. By its collapse, the act committed by the defendant is excluded from the criminalization domain specified by article 27 of law 175/2018, as the defendant is not addressed by it, and is not subject to the provisions of this chapter, and its origin is absent form the documents, by which the court finds the defendant unguilty of this charge as per what will be stated in the wording of this ruling.”3
The court also added “as it became evident for the court by reading the lawsuit documents and what the defendant has committed as a criminal act out of the applicability domain of Article 27of law 275/2018 concerning Anti-Cyber and Information Technology Crimes as the mentioned law has clarified in it’s general provisions chapter that it has set the terminology of the mentioned law by defining the user to be any normal or legal person who used information technology services or benefits from them by any means; the website to be a virtual domain or place with a specific address on an information network, aiming to make available data and information for the public or for specific group; website administrator to be: every person responsible for organizing, administering, monitoring, or preserving one or more websites on the information network, including the rights of access to all the users, design, creating and organizing pages or content, or being responsible of the website; private account to be: a set of information of a natural or a legal person, authorizing him only to enter to the service available or using them through a website or an information system. This was confirmed by the executive regulations of the law issued by the Prime Minister order 1699/2020 concerning the procedures that website administrators and service providers must follow and enact, which are specified in articles 2 and 3 of the regulations. The defendant, as evident by lawsuit documents, is a user of a private account on social media sites Facebook and YouTube, whose status as per the terminology specified by the mentioned law is a user of a private account within social media sites Facebook and YouTube, his crimes are not categorized under those of a website administrator which were specified by Article 27 of the mentioned law, as this Article has addressed website administrator with his identifying description pre-specified and whose competencies and obligatory procedures that he must follow and implement were confirmed by the executive regulations of the law in articles 2, 3 and 11. Especially as the defendant in this lawsuit as a user of an account on social media site Facebook or any natural person who has a private account on social media sites doesn’t have the competency to implement what articles 2 and 3 of the above mentioned executive regulations require, and by which the court concludes as per the preset rules that those concerned with applying the provision of Article 27 of the mentioned law are Internet website administrators, and managers of CIT service providers which own, manage or operate the critical information infrastructure, as for the crimes they commit in person or by their supervisory status specified by the mentioned article and the executive regulations, while the crimes committed by the defendant of this lawsuit are punished under the provisions of the Egyptian Criminal Law, and law 10/2003 concerning telecommunications regulation, thus the provision of Article 27 of the mentioned law which was assigned to him by the General Prosecution is not applicable, and hence the court finds him not guilty for this charge as per what will be stipulated by the ruling text.”4
Not everybody has agreed to this interpretation of Article 27 text as others think that it addresses everybody as per its appearance and as per what came in the statement “whoever established, administered, or used a website or a private account on an information network.” And because of failing to specify explicitly the status of those who are addressed by the article, as was the case in articles 28 and 29 in the statement “whoever is responsible for administering a website, a private account or email, of an information system,” which was part of both.
C – Equaling different forms of crime as per Article 27
Website administrators and users are generally subject to the same rules of accountability that were specified by the Cybercrime Law. The legislator however adds to these rules another dimension applicable to website administrators. The law offers texts criminalizing any act related to website administration if its aim was to commit one of the crimes punished by law. What is meant by crimes punished by law is committing a crime specified by any of the Egyptian penal laws like the ones specified by the Penal Code for instance.
The law has distinguished between the provisions addressing website administrators and the legislator tried to enumerate forms of criminalization to include three forms which are:
- The crime of establishing a website with the purpose of committing a crime punishable by law.
- The crime of administering a website with the purpose of committing a crime punishable by law.
- The crime of using a website with the purpose of committing a crime punishable by law.
It is a violation of legislative wording rules that the legislator makes equal the acts of establishment, administration, and use of websites for many reasons, of them, are:
- The different motives related to committing the crime and how provable they are.
- Lack of proportionality among the forms of criminalization and the consequent punishments, as those who establish a website and those who used it face the same punishment of imprisonment for no less than two years and a fine of no less than 100,000 EGPs.
In addition, the crime of website administration with the purpose of committing one of the crimes punishable by law is considered a complex crime whose establishment needs several elements and conditions. Some of these conditions are in the texts that criminalize a specific act other than website administration, which makes this crime more complicated, as the legislator has used in the beginning the statement “whoever established, administered, or used a website or a private account on an information network with the purpose of committing a crime punishable by law.” The semantic context related to the words “with the purpose of” is different from other wordings of crime establishment and materializations. Purposing is a preliminary act that doesn’t imply the materialization of the crime, which is difficult to prove in general as it needs a continuous legal status constituted of more than one act so that the purpose is proved. Additionally, the materialization of a crime is not conditioned by a proven purpose. The criminal act may occur accidentally for once with no purpose of repetition.
A website that publishes content insulting an official entity, the Shura Council, or the Parliament, will be proven to commit the crime of insulting an official entity if its pillars were available. This, however, doesn’t necessarily mean that the website that published the statements constituting the insult was established or administered basically for the purpose of committing the act of insult, as there is a difference between the two acts.
Aspects of unconstitutionality of Article 27 of the Cybercrime Law
First Aspect: Vagueness of the articles criminalizing text as for the description of the perpetrator, violating the principle of criminalization and punishment.
Unconstitutionality of Article 27 is suspected in a major element representing a pillar that the crime – criminalized by its text – can’t be established without it. With the absence of this pillar, the crime is void and the act is excluded from the domain of incrimination to the domain of permissibility being the general mode; this element is the description of the crime perpetrator.
As explained above, articles 27, 28, and 29 have been included in a chapter with the title “Crimes Committed by Website Administrator.” However, contradicting both articles 28 and 29, directly addressing website administration officials, Article 27 doesn’t address anybody by his/her description. This vagueness of the article’s wording led to contradictions in understanding and determining the description of the crime perpetrator causing the article to be suspected of unconstitutionality.
Second Aspect: Article 27’s text violates the criminalization and punishment principle
When setting penal provisions, criminalized acts should be specified narrowly and tightly. The specification shouldn’t be loose in describing the prohibited act. It also shouldn’t be vague, general, loose, or overlapping legal acts forms. The penal provisions should be formulated with the highest degree of professionality and accuracy to guarantee they are clear, specific, and decisive, so that those addressed by them may be aware of the acts they criminalize with no need for using personal assessment and allowing the judge to come out with the pillars of the committed crime.5
It is prescribed and settled in the Supreme Constitutional Court’s judgment that constraints set by penal laws on personal freedom require their provisions to be formulated so that no argument is raised as for the truth of their content reaching a degree of certainty beyond arguing, and preventing public authority official from selectively applying them, as per personal criteria, adulterated with dispositions, and damaging innocents for lack of objective basis required for their rigor.6
Third Aspect: Violation of the principle of proportionality between the crime and punishment
The text of Article 27 contradicts the principle of proportionality between the punishment and the crime, as the punishments specified by it were irrational. As per the Article, the legislator has set a criminal penalty in consequence of the acts criminalized by this text which are establishing, administering, or using a website or a private account on an information network with the purpose of committing or facilitating a crime punishable by law. The legislator joined freedom deprivation to financial fine as options for the case judge if he/she found the defendant guilty. This part however came violating the provisions and text of the Constitution on one side and is unproportional with the crime it is specified for on the other side. The text of Article 27 joined the freedom deprivation and financial punishments as preliminary options for the court judge if he/she found the defendant guilty and set a minimum for both punishments; punishing the perpetrator of any of these acts with imprisonment – as a freedom deprivation punishment – for no less than two years, as well as with a fine that is no less the 100,000 EGPs.
The basic rule of incrimination and punishment policy states that there can be no punishment for preparatory acts. This is confirmed by Article 45 of the Penal Code, which states that “It is not considered an initiation of a felony or a misdemeanor the mere intention to commit it, nor are the preparatory acts for this.” If the legislator thinks some preparatory acts are posing special dangers, they should be criminalized, which are known as the danger crimes.7 This leads us to see that the legislator has ended up in Article 27 with punishing a mere means that might be used for committing a crime punishable by law or not. He made using it a crime on its own, and not a preparatory act, or just a form of criminal association.
As per this text there becomes two types of crimes; the first is the original crime punishable by law in cases other than the ones specified by this law, and the other is the crime criminalized by this text, which is a subsidiary of the original crime, and can’t be imagined materializing if the original crime wasn’t committed.
It is inconceivable that the punishment set for a subsidiary crime is more strict and harsher than the punishment set for the original crime as it is unacceptable that the one administering the website or the private account is punished by imprisonment for two years and a fine no less than 100,000 EGPs, or either of them, as a minimum punishment set for this crime, while this who intentionally abused the website or the private account with the purpose of disturbing or harassing others is punished by imprisonment for 24 hours and a fine of no less than 500 EGPs or either of them, as a minimum punishment set for this crime.
Fourth Aspect: The article’s text contradicts the right to use means of communications
The liberty deprivation punishment set as a criminal penalty in Article 27’s text contradicts the right to free expression guaranteed by the running Constitution as well as previous ones and international agreements. It also contradicts the right of publishing which is one of the rights stemming from the right to free expression as it is one of the means of expressing opinions.
Article 65 of the Constitution states that “The freedom of thought and opinion is guaranteed. Every person has the right to express their opinion by speech, writing, painting, or any other means of expression of publicity.” The second paragraph of Article 71 of the Constitution states that “No liberty deprivation penalty is applied to crimes committed by means of publishing or publicity. As for the crimes related to incitement of violence or discrimination among citizens or libel, their penalties are set by the law.” The second paragraph of Article 57 of the Constitution states that “The state is committed to protecting citizens’ right to use public means of communications of all sorts. They are not to be obstructed or suspended, or citizens deprived of using them with no reason and all this to be regulated by law.”
It is clear from the above that the Constitution has set constitutional protection for the right to express opinions as one of the most important and sacred human rights. The Constitution has enumerated several forms of practicing this right including the rights to publishing, writing, painting, and else. The Constitution has also set another protection for the right to free expression as it constrained the principle of incrimination and punishment and prohibited the liberty deprivation punishments of all forms and kinds for crimes of publishing and publicity as a general base, excluding only three forms of these crimes exclusively which are the crimes related to incitement of violence and discrimination between citizens or libel. It has also set constitutional protection of the right to use public means of communication of all sorts and prohibited depriving citizens of their use.
The aim of prohibiting applying liberty deprivation punishments for crimes of publishing and publicity as a general rule is to protect individuals addressed by the Constitution provisions from any terrorization or threats against their personal freedoms that they might be exposed to by the executive or legislative authorities as a result of expressing their opinions.
1 Prime minister order 1699/2020 issuing the executive regulations of law 175/2016 concerning combating information technology crime, the official gazette, issue 35-C, 2020-08-27.
2 Cairo Economic Court, January 29, 2022, hearing, lawsuit 2084/2021, economic misdemeanors.
3 Cairo Economic Court ruling, January 24, 2022, hearing, lawsuit 2262/2021, economic misdemeanors, and March 29, 2022, hearing, lawsuit 199/2022 economic misdemeanors.
4 Cairo Economic Court ruling, November 29, 2021, hearing, lawsuit 1592/2021 economic misdemeanors.
5 Egyptian Ministry of Justice, ARE Guide for Preparation and Formulation of Law Drafts, First Edition, July 2018, p. 51.
6 Supreme Constitutional Court ruling, November 4, 2012, hearing, lawsuit 183 for the 29th judicial constitutional year.
7 Mostafa Fahmy El-Gohary, Penal Law Explanation, General Section, General Crime Theory, 2017, Arab Nahda House, p. 148.