By: Anamika G
With the advent of the Information Revolution and the dawn of the Artificial Intelligence driven world of the Internet of things, the Global Internet community has witnessed a sporadic expansion of the virtual space. From Business to education to travel and recreation, the Cyber world is today’s generation’s first and last resort. Unsettlingly, however, users’ extreme dependence on the internet for day-to-day activities without being chary of the potential caveats it harbours has been a matter of concern. While the internet has indeed unleashed hitherto impossible possibilities to fuel human efficiency, the vastness of the World Wide Web has also spawned concerns around ‘security’ in the Cyber Space.
Consequently, sovereign nations of the world have presented a modest attempt to chart frameworks regarding their part of the borderless cyberspace in order to ensure that their citizens’ rights and national security and sovereignty is protected, as in the physical world. To that end, the recent decades have seen the formulation of numerous Cyber laws that enumerate the regulatory guidelines and the limits and protections in the virtual world. These laws include protection of intellectual property rights, freedom of speech, and public access to information, among others[1]. Among the existing Cyber laws and policies across the world, there are similarities as well as differences.
Of these, United States of America has the oldest and arguably the most robust cyber laws and cyber security frameworks. In Germany, there is a fast advancing cyber security technology and legal architecture, whereas the United Arab Emirates is an emerging arena for cyber security practices. Cybercrimes and frauds cause huge financial losses and security threats to the internet and economic ecosystems in these countries, to combat which the existing laws, although useful, are insufficient. Also, while each of these countries have delineated legal frameworks that lend themselves to national contexts, attention should also be given to voicing the need for a comprehensive and universally recognised international cyber law framework. Through a comparative study of the Cyber laws in the aforementioned three countries, this paper shall attempt to provide a critical analysis of the cyber security practices of three powers in the virtual arena.
Learn more about Cyber Laws with Enhelion’s Law Firm certified Diploma course!
CYBER LAWS – THE U.S SCENARIO
The U.S views cyberspace as an integral component of all facets of American life, including their economy and defence[2]. Being the cradle of the Internet and a superpower in the cyber domain, U.S was also among the first to discover the lethal threats that lay entwined in World Wide Web. Hence, the country has time and again returned to the question of legal regulations on the seemingly ‘un-governable’ cyberspace. As a product of continuing deliberations, the country now has a robust cyber la infrastructure.
In the U.S cyber-security concerns are tackled at the federal level through sector-specific statutes and regulations. The main cyber-security regulations include the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the Federal Information Security Management Act (FISMA). While the HIPAA addresses concerns in the health sector, The FISMA maintains cyber-security standards for federal government agencies and their contractors. Some other statutes are specific to a single subject matter like the Veterans Affairs Information Security Enhancement Act[3], passed in 2006 and they focus closely on a single government agency, which, in this case is the Department of Veterans Affairs (VA). Besides, populous states like Massachusetts, New York and California already have diverse individual cyber laws.
Some laws, however, have been subject to criticism for being too regulatory and invasive. For instance, Computer Fraud and Abuse Act (CFAA) enacted by Congress in 1986, which makes it a crime to access and subsequently share protected information, have been widely criticized for being too restrictive and dis-incentivising legitimate security research[4]. The Electronic Communications Privacy Act was passed in 1986 allows the U.S. government to access electronic communications such as email, social media messages, and more with a subpoena[5].
Furthermore, given that challenges in the cyberspace are becoming complex and multi-sectoral by the day, an acute need as felt for a uniformly defined national cyber security framework. The existence of cyber regulations at multiple levels and sectors has affected compliance, as companies must wade through different federal and state laws. Thus, in 2018, US President Donald Trump signed into law the Cyber security and Infrastructure Security Agency Act of 2018[6]. In addition to this, U.S has actively pushed the case for international cooperation and some uniformity in regulations in order to face the growing challenges in the cyberspace today.
Learn more about Cyber Laws with Enhelion’s Law Firm certified Diploma course!
GERMAN LAW IN THE CYBERSPACE
Germany has a long history and well implemented tradition of data privacy and the right to personal freedom. German data protection laws are strict and governmental rights to observe people in the cyberspace are limited. However, as cyber-attacks on companies and individuals are becoming much more prevalent, legal developments and deliberations show the necessary, but difficult balancing act between safety and freedom in cyberspace.
Cyber security is governed by several acts in Germany. Sec. 202a and 303a of the Strafgesetzbuch [German penal code] protects data and communication against misuse, hacking and sabotage. Section 303b of the same Code directs punitive action against computer sabotage[7]. The main legal act relating to cyber security is the German IT Security act of 2015. Under the act, Critical infrastructure operators are required to adhere to a minimum level of IT security as well as to report any IT security incidents to the Federal Office for Information Security [BSI], which is Germany’s national Cyber security agency. Also, every company in Germany which processes personal data is subject to the surveillance of either the federal or one of the 16 local data protection authorities
In 2017, Germany passed its new Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU, the Act). The Act implements the European General Data Protection Regulation (GDPR) and entered into force on 25 May 2018[8] It replaced the former German Data Protection Act (BDSG). Although the Act is only a supplement to the GDPR, it includes various additional provisions that need to be followed: the appointment of Data Protection Officers (DPOs), sensitive personal data, the rights of data subjects; the change of the purpose of processing; video surveillance; fines and sanctions; creditworthiness and scoring etc.
So far, the German legal system has been able to put a good fight against the pressing problems of cybercrime. However, as the German data privacy regime is one of the strictest worldwide[9], the trade-off between security and freedom in cyberspace is a nuanced arena. Nevertheless, Germany has put in a robust cyber law regime to defend it digital sovereignty and data security.
UNITED ARAB EMIRATES AND CYBER-LAWS
The UAE, though an emerging economy, has increasingly been targeted by cybercriminals in the recent past[10] owing to its high levels of economic activity, booming oil industry and fast-paced technological advancements. For instance, one of the major threats during the recent COVID-19 pandemic was sinister cyber-attacks launched by hackers on the servers of the companies thereby causing fear and financial insecurities[11]. Catching up with the time, UAE also has one of the most comprehensive cyber law structures in the Arabian-Middle east region.
The UAE-Law No. 5 of 2012, better known as the Cyber Crimes Law 2012, deals with the Combating of Information Technology Crimes. This law replaced the earlier Cyber Crimes Law 2006.
The UAE CERT (Computer Emergency Response Teams) was established under the supervision of Telecom Regulatory Authority of UAE to help the Government for cyber security information sharing and improving the overall Cyber Security condition in the country. They collaborate with different law enforcement agencies to design policies and methodologies to counter the Cyber Threats. aeCERT collaborates and shares data with other countries CERTS around the globe, which provides opportunities for researchers to improve the posture of information security. UAE’s National Electronic Security Authority (NESA) is the federal body set up to oversee the country’s cyberspace.
The National Cyber Security Strategy 2019 of UAE aims to ‘create a safe and strong cyber infrastructure in the UAE that enables citizens to fulfil their aspirations and empower businesses to thrive.’[12] . The legal framework will cover data privacy and protection, artificial intelligence, block chain, cloud services, and digital signatures etc.
CONCLUSION
From an analysis of the Cyber security legislations and practicing the three countries – USA, UAE, and Germany – Cyber safety is an actively discussed domain in the develop world as well as emerging economies. While all three nations have certain fundamental regulations in common, there are areas of differences as well. Germany, for instance, has a relatively strict policy on protection of citizens’ privacy which puts limits on states surveillance practices.
Considering the rapid advances in technology, cyber-security is still an evolving realm, which requires nation states to be constantly vigilant about emerging threats while concomitantly correcting the existing ambiguities in the Cyber laws.
At the same time, because Internet is a ‘Borderless’ ecosystem, mere national legislations will not solve the issue of cross border cyber terrorism, fraud or conflicts in determining jurisdictions. Hence, there is a need for international basic law that creates a basic uniform cyber law practice across the nations. Therefore, an effort by the three countries that are cognisant of the importance of cyber safety to make allowance for international cooperation in their cyber-security legislations should be forthcoming.
Learn more about Cyber Laws with Enhelion’s Law Firm certified Diploma course!
[1] US Legal, I. (n.d.). Find a legal form in minutes. Retrieved November 13, 2020, from https://definitions.uslegal.com/c/cyber-law/
[2] The White House, 2018, National Cyber Strategy for USA. Retrieved November 8,2020 from https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf [pg.3]
[3] Craig, L. (2006, December 22). S.3421 – 109th Congress (2005-2006): Veterans Benefits, Health Care, and Information Technology Act of 2006. Retrieved November 8, 2020, from https://www.congress.gov/bill/109th-congress/senate-bill/3421
[4] Reforming the Computer Fraud and Abuse Act. (2018, July 30). Retrieved November 09, 2020, from https://www.charleskochinstitute.org/blog/is-the-computer-fraud-and-abuse-act-ripe-for-reform/
[5] Electronic Communications Privacy Act of 1986. (n.d.). Retrieved November 09, 2020, from https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285
[6] McCaul, M. (2018, November 16). H.R.3359 – 115th Congress (2017-2018): Cybersecurity and Infrastructure Security Agency Act of 2018. Retrieved November 12, 2020, from https://www.congress.gov/bill/115th-congress/house-bill/3359
[7] Cyber Crime Law. (n.d.). Retrieved November 10, 2020, from https://www.cybercrimelaw.net/Germany.html
[8] Federal Data Protection Act of 30 June 2017 (Federal Law Gazette I p. 2097), as last amended by Article 12 of the Act of 20 November 2019 (Federal Law Gazette I, p. 1626). (n.d.). Retrieved November 10, 2020, fromhttps://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0014
[9]Germany: Land of Data Protection and Security – But Why? (2018, December 05). Retrieved November 11, 2020, from https://www.dotmagazine.online/issues/security/germany-land-of-data-protection-and-security-but-why
[10] Freelance, M. (2020, May 19). Four of five organisations in UAE faced at least one ‘cyber-attack’ in 2019-study. Retrieved November 11, 2020, from
[11] Sanderson, D. (2020, April 26). Coronavirus: Cyber criminals launch Covid-19 attack barrage. Retrieved November 11, 2020, from https://www.thenationalnews.com/uae/coronavirus-cyber-criminals-launch-covid-19-attack-barrage-1.1009181
[12] National Cyber Security Strategy. (2019). Retrieved November 11, 2020, from https://u.ae/en/about-the-uae/strategies-initiatives-and-awards/federal-governments-strategies-and-plans/national-cybersecurity-strategy-2019