INTRODUCTION:

The swift progression of technology and the extensive use of the internet have transformed
communication, business, and government, facilitating unparalleled chances for development
and innovation. Nonetheless, this digital shift has introduced considerable obstacles, notably the
increase in cybercrimes. Crimes include hacking, identity theft, online harassment, cyber fraud,
and unauthorised access to sensitive information jeopardise individual privacy and financial
security, while also threatening organisational operations and national stability. In response to
these threats, Pakistan enacted the Prevention of Electronic Crimes Act (PECA) 2016, a
thorough legislative framework designed to tackle the intricacies of cyber offences while
conforming to international best practices. PECA aims to deter and punish actions that jeopardise
the integrity of information systems, impair essential infrastructure, or violate individual rights in
cyberspace. The Act aims to safeguard individuals, enterprises, and the state from the escalating
threats of the digital realm by instituting comprehensive regulations for the investigation,
prosecution, and adjudication of cybercrimes. It also enables law enforcement authorities to
execute prompt and effective measures while preserving a balance between technical
enforcement and the safeguarding of constitutional rights, including privacy and due process.

The law designated the Federal Investigation Agency (FIA) as the principal investigative
authority under Section 26 of PECA for the successful implementation of these provisions. The
FIA Cybercrime Wing was tasked with tackling violations delineated by the Act, including
unauthorised access to information systems, data breaches, and electronic fraud. “In light of the
growing complexity and frequency of cybercrimes, a notification from the information ministry
in The Gazette of Pakistan states that the National Cyber Crimes Investigation Agency (NCCIA)
was established under Section 51 of the Prevention of Electronic Crimes Act 2016 (Peca), and
the FIA will no longer serve as the designated investigative agency under this act.”

The NCCIA is conceived as a dedicated organisation designed to address the complexities of

contemporary cybercrime investigations, emphasizing efficacy and global collaboration. The
transfer of responsibility from the FIA Cybercrime Wing to the NCCIA is in progress, however
the operational status of this new organisation remains ambiguous. “The federal government
rescinded the regulations overseeing the National Cyber Crime & Investigation Authority
(NCCIA), an entity established earlier this year to address cybercrime, internet-related offences,
and data protection, as reported by Dawn, thus complicating the enforcement framework.”
Currently, the FIA (Cybercrime Wing) retains the ability to examine such situations until further
notice. The comprehensive method for investigation is outlined in the PECA Rules, 2018.

In addition to inquiry, data retention is a crucial element of PECA's enforcement, with relevant
parts elucidating the rapid preservation and acquisition of data, the management of seized data or
information, and the secrecy of such information. The data retention policy has ignited
discussions on its effects on personal privacy, data security, and the compliance obligations of
service providers. The conflict between national security and the protection of people' digital
rights highlights the necessity for meticulously designed laws and regulations.

This assignment rigorously analyses the stipulations of the Prevention of Electronic Crimes Act
(PECA) 2016 concerning the investigation of cyber offences and the principle of data
preservation. This analysis examines the procedural framework established by PECA and its
implementing regulations, emphasizing the functions of investigative bodies like the Federal
Investigation Agency (FIA) and the developing role of the National Cyber Crimes Investigation
Agency (NCCIA). The report examines critical elements such search and seizure techniques,
judicial monitoring, international collaboration, and the data retention obligations placed on
service providers. The paper assesses the legal, ethical, and practical ramifications of these laws,
evaluating the equilibrium PECA maintains between combatting cybercrime and protecting
constitutional rights.

PROCEDURE OF INVESTIGATION OF OFFENCES UNDER PECA:

Section 26 of PECA 2016 enabled the federal government to establish an agency known as the
FIA. Rule 3(1) of the PECA Rules, 2018 designates the Federal Investigation Agency as the
investigative body for offences under the act, tasked with executing its functions in accordance
with the act and the rules through the Cybercrime Wing, under the supervision of the Director
General. Section 27 of Peca stipulates that only an authorised officer of the agency may
investigate the matter, while rules 3(2) and 3(3) of the Peca rules further clarify that the circle in
charge shall serve as the authorised officer for the purposes of registering a complaint and
conducting an investigation. The additional director general may delegate matters to any
appropriate person within the Cybercrime wing for investigation under the statute. Rule 4 of
these Regulations pertains to the overall operations of the Cybercrime Wing, with sub-rule (4)
assigning the investigation division of the wing the responsibility for conducting enquiries into
complaints under the act.

The investigative procedure commences with the lodging of a complaint. As per Rule 6(3), a
complaint may be submitted online or in person at cybercrime reporting centers. “The Criminal
Laws (Amendment) Act of 2023 broadened this jurisdiction in response to the pervasive
existence of digital evidence across many offences. Now, provincial police can also register
cases related to these offences under PECA.”

Upon the filing of a complaint, the circle in-charge (the general supervisor of each cybercrime
reporting center within the cybercrime wing) may authorise the registration of a case based on
the complaint and designate an Investigation Officer as stipulated under Rule 7 of the Peca
Rules, 2018. The Investigating Officer (I.O.) will subsequently execute the investigation
according to a well-defined work plan, which must receive approval from the circle in-charge as
outlined in Schedule IV of the Rules. “This requires that, as part of the Work Plan Steps &
Timelines, the I.O. identifies interviewees, their contact information, and a provisional schedule.
Additionally, as part of the Evidence/Records Preservation and Collective program, an
Investigating Officer must first identify known and potential sources of evidence and delineate
the methods for protecting those sources and collecting records, such as files and electronic
data, and ensure their retention. Upon the conclusion of investigations, the Schedule mandates
the submission of an Investigation Report Structure as outlined in Annex-B within sixty days
from the case registration date. The I.O. will encompass the case history, individuals involved,
pertinent legal provisions, investigative procedures, results, and ultimately, the conclusion.”

If a cognizable offence has occurred under the Act, the circle in-charge, upon obtaining legal
counsel, shall direct the registration of the case, contingent upon the previous permission of the
Additional Director in the zone. In the event of a non-cognizable offence, the circle in-charge
must get authorization from the appropriate Court to conduct an inquiry under to section 155 of
the Code. Finally, despite the obligation to submit an interim challan, the Additional Director in
a zone shall permit the filing of the final challan pursuant to section 173 of the Code.

Search and Seizure:

Rule 5 authorizes these authorized officers for the purpose of an investigation under the act, in
their area of jurisdiction, have such powers, including powers relating to search and seizure of
property, arrests of persons and such duties and responsibilities as the officers of a police station
have in relation to the investigation of offences under the Code. For the purpose of search and
seizure, Rule 8 of the PECA Rules 2018 mandates that the investigating officer execute searches
and seizures in strict compliance with the Act's requirements, obtaining a previous warrant from
the Court where necessary. The officer must ensure that only data or equipment critical to the
inquiry is confiscated and must uphold the chain of custody and integrity of the seized materials,
adhering to the protocol outlined in Schedule V. Comprehensive documentation, encompassing a
crime scene sketch, video recordings, and pictures, is essential to maintain the integrity of the
crime scene and ensure appropriate evidence management. Infringements of these regulations
lead to misbehavior and disciplinary measures against the officer. Section 30 of the PECA Act
2016 delineates the procedure for acquiring a warrant. An authorized official may get a warrant
from the Court by presenting sufficient justification to access and confiscate information
systems, data, devices, or other items pertinent to a criminal investigation or legal procedures. In
urgent situations, such as those specified in Section 10, when acquiring a warrant might
jeopardise the preservation of evidence, a Gazetted officer from the investigative agency is
authorised to execute a search and seizure without a warrant. This action must be notified to the
Court within 24 hours, allowing the Court to examine and issue suitable orders. The Additional
Director of the Cybercrime Wing may propose the transfer of an investigation to another zone,
contingent upon the permission of the Additional Director General, who is required to document
the rationale in writing. Any party unsatisfied with the transfer order may appeal to the superior
officer of the investigating agency, who has the authority to sustain, alter, or rescind the decision
depending on the case's specifics. Nonetheless, an inquiry may not be reassigned more than
twice under this regulation.

Rule 9 of the Peca Rules mandates that during investigations of offences against the modesty
and dignity of individuals, the investigating officer must uphold confidentiality and avoid
revealing the identities of both the victim and the accused, except when required by law or
essential for the advancement of the investigation. Any unauthorised revelation of sensitive
information or alteration of digital evidence constitutes misconduct, rendering the accountable
officials liable to disciplinary measures in line with the regulations of the investigative agency.
The investigating officer must aid the affected persons in petitioning the Authority to eliminate,
erase, or restrict access to information that violates their dignity or modesty.

Finally, Rule 20 mandates that the Cybercrime Wing must adhere to fundamental concepts and
values throughout investigations, guaranteeing natural justice, due process, and equity while
protecting the rights of all parties concerned. Investigators must exhibit honesty, professional
competence, impartiality, and secrecy, especially in safeguarding witnesses and preserving
objective. The investigative method must concentrate on revealing facts, with conclusions drawn
from substantiated evidence and comprehensive analysis, eschewing preconceptions or bias.
Conclusions must succinctly encapsulate the verified facts, correlating them with the accusations
and the legislation.

DATA RETENTION PRINCIPLES UNDER PECA 2016:

The Prevention of Electronic Crimes Act (PECA) 2016 creates a thorough framework for data
preservation, retention, and management in criminal investigations, guaranteeing procedural
integrity and adherence to legal standards. The Act delineates the obligations of authorised
officials, service providers, and information system proprietors in the preservation, acquisition,
and retention of data to facilitate investigations, while ensuring the protection of privacy and
equity.

Accelerated Preservation and Acquisition of Data:

According to Section 28, authorised officials may mandate the retention of certain data if it is
deemed reasonably relevant for a criminal investigation and is at danger of being lost, destroyed,
or changed. A formal notification is issued to the individual or institution overseeing the
information system, mandating the retention of data for a maximum duration of 90 days. The
officer is required to notify the Court of the acquisition within 24 hours, enabling the Court to
assess the situation and issue suitable orders, including the potential extension of the preservation
period if warranted. This system guarantees prompt action while preserving court supervision.
Preservation of Traffic Data:
Section 29 requires service providers to preserve traffic data for a minimum of one year or as
otherwise directed by the Authority. Such data shall be retained in accordance with the data
preservation and authenticity criteria specified in the Electronic Transactions Ordinance, 2002.
Service providers are obligated to give the kept data to investigators upon the issuance of a court
demand. Non-compliance by unlicensed individuals is subject to penalties of up to 10 million
rupees for initial offences, with imprisonment or further fines for subsequent infractions.
Violations by licensees are regarded as infringements of licensing conditions pursuant to the
Pakistan Telecommunication (Re-organization) Act, 1996.

Revelation of Content Data:

Section 31 permits authorised personnel to get a judicial warrant to obtain content data kept in an
information system when essential for a criminal investigation. The warrant may be first issued
for seven days and thereafter extended upon additional application, so assuring court oversight of
the disclosure process.

Managing Seized Data or Information Systems:

Section 33 delineates the protocols for managing confiscated data or systems subsequent to a
search or seizure. Authorised personnel are required to record and furnish a list of confiscated
objects to the appropriate parties in the presence of witnesses. Forensic photographs of the
confiscated data or systems may be supplied to the owner upon request and payment of the
required fees, unless such provision would compromise the investigation, ongoing proceedings,
or another criminal case. In such instances, the officer must get a court order within seven days
to limit access. The Court, upon evaluating the circumstances, may issue suitable orders that
reconcile investigative requirements with the rights of the parties concerned. The asking party
incurs the costs for these processes. Another significant element is addressed in Section 39 of
PECA 2016 and Rule 18 of the PECA Rules, which stipulates that the Federal Government, via
the FIA, promotes international collaboration in cybercrime matters. This includes the exchange
or acquisition of electronic evidence, the preservation of data, or the facilitation of investigations
with foreign governments or international entities. The FIA may partner with organizations like
as INTERPOL while maintaining secrecy and compliance with Pakistani legislation. Requests
may be denied if they infringe upon sovereignty, public interest, or constitutional rights.

Critical Examination of Investigative and Data Retention Provisions within PECA:

The Prevention of Electronic Crimes Act (PECA) 2016 establishes a thorough legislative
framework to address cybercrimes in Pakistan. The Act establishes essential tools for
investigating cyber offences and data retention for law enforcement, although several aspects
offer considerable issues regarding procedural clarity, privacy rights, and the risk of misuse.
Investigation Pursuant to PECA: Deficiencies and Issues:
PECA designated the Federal Investigation Agency (FIA) as the principal authority for
investigating offences under its provisions. Nonetheless, procedural inconsistencies about its
position and authority provide problems to enforcement. The FIA frequently references the FIA
Act of 1974 during investigations, even though PECA offences are not enumerated in the
Schedule of the FIA Act. The Supreme Court's ruling in Director General FIA vs. Kamran Iqbal
elucidated that the FIA is required to function only under PECA and adhere to the Code of
Criminal Procedure (CrPC) just in instances when PECA is silent.

The commencement of enquiries into non-cognizable offences is notably challenging, since Rule
7(5) of the PECA Investigation Rules 2018 and Section 155 of the CrPC mandate that the FIA
get authorisation from a court. This guarantees judicial review; nonetheless, delays in approvals
and uneven application of court scrutiny undermine the process. Magistrates sometimes face
criticism for inadequate due diligence, as evidenced by case law when orders lacked sufficient
logic and judicial consideration.

Search and seizure protocols under Section 33 of PECA necessitate warrants, therefore
guaranteeing legal protections. Section 31, which allows for rapid data gathering without
previous judicial authorisation, confers extensive discretionary authority to investigators. The
absence of explicit criteria for assessing "reasonable requirement" facilitates abuse, potentially
infringing against the right to privacy as stipulated in Article 14(1) of the Constitution. Such
measures undermine public trust and threaten basic rights. The stipulation for international
collaboration under Section 42 elicits further apprehensions. This clause permits free data
sharing with foreign companies without judicial review, so exposing sensitive information to
potential misuse. The lack of accountability measures compromises openness and endangers both
individual and national security.
Data-Retention:
Section 32 of PECA mandates that ISPs retain customer data for a minimum
duration of one year. This assists law enforcement in safeguarding essential
evidence, although it also prompts ethical and legal dilemmas. The
prolonged retention term facilitates mass monitoring, violating international
privacy rules, including those established by the European Union’s General
Data Protection Regulation (GDPR).
The lack of a strong data protection framework intensifies these problems.
Pakistan now does not possess a specialised data protection authority, and
the provisions of PECA offer minimal assurance for responsibility over data
breaches or abuse. These loopholes render persons susceptible to
infringements of their private rights as stipulated in Article 14(1) and Article
17 of the ICCPR, which forbids arbitrary interference with personal data.
Moreover, Section 42(2) permits unilateral data exchange with foreign
businesses without the necessity of court authorization. This clause, along
with insufficient controls, facilitates intrusive data activities that can be used
for political or commercial purposes. The inadequately formulated language
of this provision exacerbates its implementation, underscoring the necessity
for legislative revisions to guarantee openness and accountability.

Recommendations:

1. Optimizing Investigative Procedures:

 Revise the FIA Act of 1974 to incorporate PECA crimes in its Schedule for enhanced
procedural clarity.
 Explicitly delineate the FIA's jurisdiction under PECA to prevent inconsistent
dependence on alternative statutes.
 Deliver specialised training for magistrates to guarantee judicial examination of FIA
requests and mitigate delays.

2. Augmenting Protections Against Search and Seizure:

 Mandate judicial monitoring for data gathering pursuant to Section 31 to avert the misuse
of discretionary authority.
 Define explicit criteria for evaluating "reasonable requirement" to prevent subjective
interpretation. Enhance procedural protections in foreign collaboration (Section 42) to
guarantee court authorisation for data exchange.

3. Enhancing Data Retention Protocols:

 Decrease the one-year data retention duration (Section 32) to conform with international
privacy regulations, including the GDPR.
 Establish a specialised Data Protection Authority to oversee data retention, mitigate
abuse, and guarantee responsibility for violations.
 Impose stringent penalties for unauthorised access or abuse of preserved data to
safeguard people' privacy rights.

4. Mitigating Privacy Issues in Data Dissemination:

 Obtain judicial approval for all data exchanges with foreign companies to improve
openness and accountability.
 Establish explicit protocols and protections for overseas data transfers to secure sensitive
information from exploitation.

5. Amendments to Legislation and Transparency Initiatives:

  Revise unclear sections, especially Section 42, to guarantee exact phrasing and enforced
execution.
 Implement regular audits and public reporting systems to oversee the use of investigative
authorities under PECA.

By implementing these steps, PECA may achieve a balance between addressing cybercrime and
preserving constitutional rights, so maintaining openness and public confidence in its
enforcement.

CONCLUSION:

The Prevention of Electronic Crimes Act (PECA) 2016 constitutes a crucial legislative measure
aimed at combating the escalating menace of cybercrimes in Pakistan. Nonetheless, its
stipulations for inquiry and data preservation provoke significant apprehensions about procedural
transparency, privacy rights, and accountability. Extensive discretionary authority, particularly
regarding data collection and worldwide data exchange, jeopardises individual privacy and
erodes public confidence in law enforcement. The absence of a comprehensive data protection
framework and judicial monitoring intensifies these weaknesses, rendering specific provisions
prone to exploitation. To guarantee that PECA fulfils its aims without infringing upon basic
rights, certain amendments are required. These encompass enhancing judicial control,
delineating the parameters of discretionary powers, harmonising data retention policies with
international norms, and establishing a specialised data protection body. By confronting these
problems, PECA may transform into a framework that not only successfully combats cybercrime
but also maintains constitutional protections, promoting a safe and rights-respecting digital
landscape.

References:

1. https://www.dawn.com/news/1517355
2. https://www.pakistanpressfoundation.org/government-repeals-
cybercrime-authority-rules-sparking-confusion-over-future-of-online-
crime-regulation/
3. https://rsilpak.org/2024/use-of-digital-forensics-and-criminal-
investigations-in-pakistan/
4. Order Sheet (2023). Bail Application No. 1614 of 2023. High Court
Karachi.
Available at:
https://caselaw.shc.gov.pk/caselaw/view-file/MjAxMDI0Y2Ztcy1kYzgz
5. https://sahsol.lums.edu.pk/node/12862
6. Dr. Shaukat Hussain Bhatti, Dr. Sheikh Muhammad Adnan & Abdul
Khaliq. (2021) Volume 2, Number 1, Pages 79 – 89 “Cybercrimes and
Role of Law Enforcement Agencies a Critical Analysis” Available at:
file:///C:/Users/user/OneDrive/Desktop/7.7+Cybercrimes+and+role+of
+law+enforcement+agencies+a+Critical+analysis.pdf
7. https://digitalrightsfoundation.pk/wp-content/uploads/2023/10/Chapter-
2-%E2%80%93-Interpreting-PECA-with-Authorities_-Comprehending-
Cyber-Offenses.pdf
8. Pakistan Electronic Crimes Act, 2016.
9. Pakistan Electronic Crimes Act Rules, 2018.
10. Nizamani, A. (2019). What the court and FIA ought to do in cyber
crime cases. Courting the Law. Available at:
https://courtingthelaw.com/2019/10/18/commentary/what-the-
courtand-fia-ought-to-do-in-cyber-crime-cases/
11. The Nation. (2020). Amending PECA 2016. Available at:
https://www.nation.com.pk/21-Jun-2020/amending-peca-2016