Cybercrime Law in Pakistan: PECA 2016 Offences, Penalties, and How to File a Complaint with the FIA
Pakistan passed the Prevention of Electronic Crimes Act (PECA) in August 2016, creating the country's first dedicated statutory framework for cybercrime. Before PECA, prosecutors had to stretch provisions of the Pakistan Penal Code 1860 and the Electronic Transactions Ordinance 2002 to fit conduct that those older laws were never designed to address. PECA filled that gap by defining specific electronic offences, prescribing penalties, establishing investigation procedures, and designating the Federal Investigation Agency (FIA) as the primary enforcement body.
Since its enactment, PECA has been invoked in thousands of cases ranging from hacking and online fraud to harassment, defamation, and the non-consensual sharing of intimate images. It has also attracted criticism, particularly over Section 20 (offences against the dignity of a natural person), which civil liberties organisations have argued is too broadly drafted and has been misused to suppress legitimate speech. The Islamabad High Court struck down parts of Section 20 in 2022, and the debate over the proper scope of the Act continues.
This article provides a section-by-section guide to the principal offences under PECA, the penalties they carry, the procedure for filing a complaint with the FIA, and practical considerations for both complainants and persons accused.
Offences Against Information Systems (Sections 3 to 8)
The first category of offences under PECA deals with unauthorised access to, and interference with, computer systems and data. These are the "hacking" offences, though the Act does not use that word.
Section 3: Unauthorised access to information system or data. Any person who intentionally gains unauthorised access to an information system or data is liable to imprisonment of up to three months, a fine of up to Rs. 50,000, or both. This is the baseline offence and covers any form of access without permission, including guessing passwords, exploiting vulnerabilities, or using stolen credentials.
Section 4: Unauthorised copying or transmission of data. If the person who gains unauthorised access goes further and copies or transmits the data, the penalty increases to imprisonment of up to six months, a fine of up to Rs. 100,000, or both. This section is commonly invoked in cases of corporate espionage, employee data theft, and the unauthorised extraction of customer databases.
Section 5: Interference with information system or data. Anyone who intentionally interferes with or damages an information system or data is liable to imprisonment of up to two years, a fine of up to Rs. 500,000, or both. "Interference" includes introducing viruses, ransomware, or other malicious code, as well as denial-of-service attacks that render a system unusable.
Section 6: Unauthorised access to critical infrastructure. When the target is a "critical infrastructure information system" (defined to include systems related to defence, banking, public health, transport, energy, and communications), the penalties increase sharply. Unauthorised access alone carries imprisonment of up to three years, a fine of up to Rs. 1 million, or both.
Section 7: Unauthorised copying of critical infrastructure data. Copying or transmitting data from a critical infrastructure system is punishable with imprisonment of up to five years, a fine of up to Rs. 5 million, or both.
Section 8: Interference with critical infrastructure. Interfering with or damaging a critical infrastructure system carries imprisonment of up to seven years, a fine of up to Rs. 10 million, or both. This is one of the most serious offences under PECA, short of cyber terrorism.
Cyber Terrorism and Glorification (Sections 9 and 10)
Section 9: Glorification of an offence. Any person who prepares, displays, distributes, or makes available information that glorifies an offence relating to terrorism, or that is intended to advance religious, ethnic, or sectarian hatred, is liable to imprisonment of up to five years, a fine of up to Rs. 10 million, or both.
Section 10: Cyber terrorism. This is the most severely punished offence under PECA. If any of the acts described in Sections 6 through 9 are committed with the intent to coerce or intimidate the government or the public, advance inter-faith or sectarian hatred, or advance the objectives of proscribed organisations, the offender faces imprisonment of up to fourteen years, a fine of up to Rs. 50 million, or both. The broad language of this section gives prosecutors significant discretion, and it has been invoked in cases ranging from actual attacks on government IT systems to the online dissemination of propaganda by banned groups.
Electronic Fraud and Forgery (Sections 13 to 16)
Section 13: Electronic forgery. Creating, altering, or using a false electronic document with dishonest intent is punishable with imprisonment of up to three years, a fine of up to Rs. 250,000, or both. This covers fabricated emails, doctored screenshots, forged digital certificates, and manipulated electronic records.
Section 14: Electronic fraud. Any person who, by means of any information system, device, or the internet, interferes with or uses any data, programme, or system with dishonest intent to cause damage or injury to the public or any person, or to make or obtain any financial gain, is liable to imprisonment of up to two years, a fine of up to Rs. 10 million, or both. This is the principal provision used to prosecute online scams, phishing attacks, and e-commerce fraud.
Section 15: Unauthorised issuance of SIM cards. Issuing, obtaining, or selling a SIM card in contravention of the applicable regulations carries imprisonment of up to three years, a fine of up to Rs. 500,000, or both. This section was included because anonymous SIM cards were being used extensively in criminal operations, from extortion to terrorist coordination.
Section 16: Tampering with communication equipment. Changing, altering, or reprogramming the unique device identifier of a communication device (such as an IMEI number) without authorisation is punishable with imprisonment of up to three years, a fine of up to Rs. 1 million, or both.
Offences Against Persons (Sections 20 to 24)
Section 20: Offences against the dignity of a natural person. This is by far the most frequently invoked and most controversial section of PECA. It criminalises the preparation or display, through any information system, of information that is "false and intimidating, or immoral," and that harms the "reputation or privacy of a natural person." The penalty is imprisonment of up to three years, a fine of up to Rs. 1 million, or both. In February 2022, the Islamabad High Court struck down parts of Section 20 as unconstitutional, holding that the section's vague language violated the fundamental right to free speech under Article 19 of the Constitution. The government subsequently introduced amendments, and the section remains operational in modified form, though its precise scope continues to be litigated.
Section 21: Offences against modesty of a natural person and minor. Intentionally sharing or transmitting a person's photographs or videos in a sexual context, without that person's consent, is punishable with imprisonment of up to five years, a fine of up to Rs. 5 million, or both. Where the victim is a minor, the penalty increases to imprisonment of up to seven years, a fine of up to Rs. 5 million, or both. This section is the primary tool against the non-consensual sharing of intimate images, commonly referred to as "revenge pornography."
Section 22: Child pornography. The production, distribution, or possession of child pornography through an information system carries imprisonment of up to seven years, a fine of up to Rs. 5 million, or both.
Section 24: Cyberstalking. Any person who, with the intent to coerce, intimidate, or harass another person, uses an information system, the internet, or any other electronic means to engage in conduct directed at that other person, is liable to imprisonment of up to three years, a fine of up to Rs. 1 million, or both. This includes repeated unwanted contact, monitoring, surveillance, and threats communicated electronically.
Spamming and Spoofing (Sections 25 and 26)
Section 25: Spamming. Transmitting harmful, fraudulent, misleading, illegal, or unsolicited information to any person without permission is punishable with a fine of up to Rs. 50,000 for a first offence and imprisonment of up to three months for subsequent offences.
Section 26: Spoofing. Establishing a website, or sending an email or message, with a false source address or origin information with the intent to harm or deceive, carries imprisonment of up to three years, a fine of up to Rs. 500,000, or both.
How to File a Cybercrime Complaint with the FIA
The FIA's Cyber Crime Wing is the designated investigation agency for PECA offences. It operates through the National Response Centre for Cyber Crime (NR3C). There are several ways to file a complaint.
Online portal. The FIA maintains an online complaint registration system at complaint.fia.gov.pk. The complainant must create an account, fill out the complaint form with details of the offence, and upload supporting evidence (screenshots, URLs, copies of messages, transaction records). The system generates a complaint number that can be used to track progress.
Helpline. The FIA's cybercrime helpline number is 1991. Callers can report offences and receive initial guidance on the complaint process.
In person. Complaints can also be filed in person at any FIA regional office. The NR3C has offices in Islamabad, Lahore, Karachi, Peshawar, Quetta, Rawalpindi, Faisalabad, Multan, and several other cities.
What to include. A well-prepared complaint significantly improves the chances of effective investigation. The complaint should include: a clear description of the offence; the date(s) and time(s) the offence occurred; screenshots or recordings of the offending content (preserved before the perpetrator can delete them); the URL, social media profile, email address, or phone number involved; any identifying information about the suspect; and copies of any financial transactions if the complaint involves fraud.
What happens after filing. The FIA will assign an investigation officer, who may contact the complainant for further details or to take a formal statement. The investigation may involve obtaining data from internet service providers, social media platforms, or banks. If sufficient evidence is gathered, the FIA will register an FIR under the relevant sections of PECA and refer the case for prosecution in the designated Cyber Crime Court (which, in practice, is the Sessions Court exercising special jurisdiction).
Bail and Anticipatory Bail in PECA Cases
Most PECA offences are bailable, meaning the accused has a right to bail as a matter of course if arrested. The exceptions are the more serious offences: cyber terrorism under Section 10, offences against the modesty of minors under Section 21 (where the victim is a minor), and child pornography under Section 22. For these offences, bail is at the discretion of the court.
Pre-arrest (anticipatory) bail is available under Section 498 of the Code of Criminal Procedure 1898. It is common for persons accused under Section 20 (dignity offences) or Section 24 (cyberstalking) to seek pre-arrest bail from the Sessions Court or the High Court before surrender. The courts have generally been willing to grant anticipatory bail in PECA cases where the accusation appears to be motivated by personal enmity or commercial rivalry, particularly given the well-documented pattern of Section 20 being used as a tool of harassment.
Practical Considerations for Accused Persons
Being named in a PECA complaint does not mean arrest is imminent. The FIA's investigation process can take weeks or months. An accused person who learns of a complaint should immediately consult a lawyer, preserve any evidence that supports their defence (such as evidence that the complainant consented to the communication, or that the allegedly defamatory statement was true), and consider filing for anticipatory bail if arrest appears likely.
It is also worth noting that PECA provides for compounding of offences. Under Section 41, many PECA offences can be settled between the parties with the permission of the court. If the complainant and accused reach a settlement (often involving an apology, deletion of offending content, and a financial payment), the court may dismiss the case. This is particularly common in Section 20 and Section 24 cases arising from personal disputes.
