Peru: Congress Passes “Practically Secret” Version of IT Crimes Act

Congressman Alberto Beingolea Delgado. Photo by the Peruvian Congress via Flickr (CC BY 2.0)

On September 12, Peru's Congress approved [es] the IT Crimes Act, a bill that has raised serious questions since the release of its Pre Dictamen [es]. The criticism rests not only on the assumption that a good part of the text was copied from various sources, but also on the likely threat it poses to privacy and freedom of expression on the Internet [es].

Despite criticisms [es], the bill, known informally as the Beingolea Act [es] (named after Alberto Beingolea, original proponent of the bill), continued along its course and was approved with 79 votes in favor and none against. Congress reached a final text and voted in what many felt was a quick and questionable process.

The text of the law [es] (leaked) states that its objective is “to prevent and sanction illicit practices that affect computer systems and data, and other legal rights of criminal relevance, committed through the use of information or communication technologies, in order to ensure the effective fight against cyber crimes.” The law establishes sentences of up to ten years in prison for those who commit the offenses, which include crimes against data and computer systems, cyber crimes against sexual indemnity and freedom, and cyber crimes against the privacy and secrecy of communications, among others.

The penalties vary by offense. For example, someone who commits a crime against data and computer systems, an offense worded so vaguely that it could cover various perfectly legal activities, could receive a prison sentence of three to six years. In general, it is easy to see how the police or lawmakers could interpret the law in a way that restricts the exercise of fundamental rights online.

Despite the dangers that this legislation carries, there have not been as many reactions on the Internet as expected. Twitter user BlackHand (@yonsy) commented on some of the legal text's shortcomings:

#CyberCrimeLaw if I built a database of people with information freely available, am I committing a crime, @CongresoPeru?

— BlackHand (@yonsy) September 16, 2013

The user also said it would be impossible to download tools for “ethical hacking,” noting that it is already “a crime to even have them.”

Internet law experts at Hiperderecho recounted the back-and-forth process that the bill went through at different moments, the presentation of a similar bill [es] on behalf of the executive branch, and the turn of events that took place on September 12, when the bill was approved:

A few hours after the debate, Congressman Eguren came back to submit a new text of the Beingolea Act for debate, which only the parliamentarians knew about and was “fully agreed upon with the representatives of the Executive Branch, since they had introduced a bill that sought to legislate the same topics.” The new text of the bill incorporated almost all of the [previously] introduced bills, although it had not been reviewed nor voted on in the Commission before. Nonetheless, the new text was barely afforded a few minor interventions and it was immediately approved…

As such, without further debate and with a practically secret text, the Congress approved a bill that, despite eliminating some of the problems of the Beingolea Act, incorporated new ones. Miguel Morachimo of Hiperderecho expressed [es] his opinion:

The approval of the Beingolea Act is a perfect example of how a legislative process should not be carried out. First of all, they have a heavily criticized text hibernating for over a year on the agenda. Then they submit it for debate and in a matter of hours completely change the text, incorporating new proposals that have not passed through any filters in the Commission, such as grooming or discrimination on the Internet. This new text is known only to Congress members while the rest of the citizens have to watch it being approved unanimously on television without knowing what it says. Did they not think that if the first version had received so many criticisms, it would be necessary to submit the second one to civil society for comments?

On the blog V de Verguenza, author Chillinfart focuses on one of the Modifying Supplementary Provisions, specifically the one amending the Criminal Procedure Code: “The licensees of telecommunications public services must immediately provide the geolocation of mobile telephones and records of interception, recordings, or registration of communications that has been ordered by the court, uninterrupted and in real time, 24 hours a day, 365 days a year…” Chillinfart comments:

[this explains] a mandatory storage of all localization data generated by telecommunications users, regardless of whether you are a criminal or not; but of course, thinking that this information would be touched only in the instance of an injunction. The problem with this intrusion of privacy is that it can be the focus of other crimes once this personal data is in very questionable hands, like the case of Claro in Chile [es], the Dominican Republic [es] and Peru (the Rosendo Arias case [es]).

Erick Iriarte of IALAW published a copy [es] of some of the Comments on the Signing of the IT Crimes Bill, which he has forwarded to Congress. The article is extensive and detailed, commenting and making suggestions article by article, and closes with final comments in which the following is proposed:

the signing cannot continue as is, it must return to the Commission in a best case scenario, or be filed and re-sent as a proposal from Peru in support of the [Budapest] Cyber Crime Convention within a framework of unrestricted respect for constitutionally protected rights and liberties, and to propose legislation on the topic of cyber crimes in said framework, analyze what to do with cyber crimes and afford forensic cyber tools to the police.

Following approval, the bill requires a signature from the President of the Republic to officially become law. Given that the bill incorporates parts of the proposal made by the executive branch itself, there is a good chance that the bill will be pushed through without much further delay.

Original post published on Globalizado [es] by Juan Arellano.