Opinion: What you need to know about Papua New Guinea’s new Cybercrime Act


This month, Papua New Guinea’s Parliament passed the Cybercrime Code Act, which applies to defamation, cybersecurity, spam, hacking, forgery and computer fraud. Zinnia Dawidi, a lawyer specialising in IT & Telecommunications law, outlines the implications for businesses and individuals.

ICT lawyer Zinnia Dawidi

ICT lawyer Zinnia Dawidi

The formulation and drafting of Papua New Guinea’s law on Cybercrime was commenced in 2011 as part of a general drive within the Pacific region to reform and develop the region’s ICT laws. The aim was to achieve enhanced uniformity and harmonisation with the global community.

Papua New Guinea is one of the last countries in the region to legislate and is many, many years behind the wider international community.

‘In terms of Cybersecurity … the most important provisions relate to cyber attack … This criminalises attacks on critical infrastructure’

The Cybercrime Code Act 2016 criminalises many activities:

  • hacking;
  • cyber bullying;
  • child online grooming;
  • unlawful advertising;
  • cyber harassment (which includes, cyber stalking and the use of profanities);
  • electronic fraud (covering bank fraud);
  • forgery;
  • gambling by children;
  • identity theft;
  • unlawful disclosure (the unlawful publication of private and confidential data and sensitive personal data alike);
  • infringement of intellectual property rights such as trademarks, copyright, patents and industrial designs;
  • the production, possession and publication of child pornography and animal pornography;
  • the production and publication of (adult) pornography;
  • the design and distribution of illegal devices and many other technical offences.

In terms of Cybersecurity (which over arches Cybercrime), the most important provisions relate to cyber attack (known in some jurisdictions as ‘cyber warfare’). This criminalises attacks on critical infrastructure such as our national power grid, water supply, LNG plant, air services and health systems.

Defamation criminalised

Member countries were left to decide whether or not to criminalise defamation. Under PNG’s existing Defamation Act, the only provisions criminalizing defamatory publications related to members of Parliament.

Story continues after advertisment...

Every other citizen had to resort to a claim for damages under the civil jurisdiction of the court.

In the interests of justice, and in light of the exorbitant costs one must inevitably incur when bringing a civil claim for defamation, it was decided that the criminal provisions should be made available to everyone—member of parliament and ordinary citizen alike.

‘The legal principles governing defamation are maintained: the defences of truth, fair comment, good faith and public interest benefit are available.’

Defamatory publications are now also criminalised. Previously, one could only be charged criminally for defaming a member of Parliament. Every other citizen had to resort to the civil jurisdiction of the court. This meant that there was no point in taking any action for redress against a penniless person for defaming you.

Under the new Act you will now be able to file a criminal complaint for defamation against a poor person for some redress—and you don’t have to be a member of parliament to do that.

The legal principles governing defamation are maintained. The defences of truth, fair comment, good faith and public interest benefit are available to anyone who finds himself on the wrong end of the new Act.

Service providers’ liability

ICT service providers such as Web masters or administrators may be held criminally responsible for a defamatory publication by a user if they are found to have negligently allowed, or enabled, the publication complained of.

Under the Act, ICT service providers (ISPs, telcos, etc) would attract criminal liability if they actively monitor the use of their services by subscribers in the absence of a court order; or where, due to their negligence, such unauthorised monitoring is conducted by an employee.

Monitoring is only to be authorized by the court through a specifically termed court order under strictly prescribed guidelines and supervision by the court.

‘It is now possible to admit into court evidence derived from mobile phones.’

The Act also prescribes certain procedural tools to enable law enforcement to obtain, preserve and protect electronic evidence from being manipulated or tampered with. Procedures for search and the provision of assistance to law enforcement are also provided for.


The new law necessitated some amendments, perhaps the most notable of which relates to the Evidence Act. These were primarily to enable the admissibility of electronic evidence which was previously not possible.

It is now possible to admit into court evidence derived from mobile phones, which was previously restricted by the narrow definition accorded to “computer” and “computerised information”.

‘We cannot legally complain of a wrongdoing, for instance, online (bank) fraud if it’s not an offence in our country!’

Cybercrime knows no jurisdictional boundaries and is capable of being committed over multiple jurisdictions. Accordingly, the investigation and prosecution of Cybercrime hinges on the doctrine of dual criminality.

This means that in order for our police, or courts, to deal with a foreign offender, both our jurisdiction and the jurisdiction in which the offender is domiciled or resident must have similar criminal provisions.

Without dual criminality other mechanisms such as extradition for the purpose of prosecution, would be futile. And of course, we cannot legally complain of a wrongdoing of, for instance, online (bank) fraud if it’s not an offence in our country!


The penalties and imprisonment terms may be regarded  at face value as rather extreme, but it must be appreciated that in the formulation of these penalties the following concerns needed to be taken into account –

  1. the level of anonymity one is able to enjoy in cyberspace;
  2. the far reaching, often unpredictable damage or loss that can result from the commission of an offence (the losses may range from nothing to millions of kina); and
  3. more often than not, the inherent level of sophistication of the perpetrator.

The cited maximum penalty is not mandatory. A maximum penalty is set to accord the court sufficient discretion when considering the penalties that ought to be imposed in a given set of circumstances.

Monetary penalties can range from zero to the maximum amount prescribed. For custodial sentences, the term of imprisonment can only be imposed up to, and not exceeding, the maximum term prescribed. Such elasticity was necessary.

Not sinister

The Cybercrime Code Act 2016 is not the result of some sinister ploy by the Government to shut out our right to freedom of speech (which in any case, is a qualified Constitutional right) or opinions on corruption.

It is a law that has been a long time coming and should have been enacted years ago.

It is highly technical because it deals with sophisticated technology. If in doubt, therefore, it would be advisable to seek legal advice or guidance prior to engaging in public commentary regarding the new Act.

Zinnia Dawidi is a board member of the National Information and Communications Technology Authority’s (NICTA) Universal Access and Service Secretariat (UAS).



  1. Alva Akia Arua says:

    Do we have law that deals with GPL license of some software or constant on line? General Public Lincense has given legalised for Australia and other Commonwealth Regime.

  2. Emily Papa says:

    Facebook is a a giant social media with a lot of cyber crimes, especially cyber bullying, pornographic materials being posted, identity theft and many others. If I was bullied in either one of the crimes above, will I be able to sue that person based on the Cyber crime code Act? Will my case be legally justifiable?

  3. Ladong Belari says:

    Where or whom can I get help from if I am a victim of Cyber Crime?

  4. Is cyber crime act in PNG effective?

  5. Bruce Monuo says:

    We need to carry more awareness on cybercrime issues!! People in the rural areas are also using mobile phones but are not really aware on such issues! We need to minimise the penalties to bring a balance on the society! Look at USA and other countries who are more developed and advanced! Their penalties are much lesser than us! What are we trying to prove here! Can we minimise the penalties

  6. Richard says:

    Where/who do I file a formal complaint to if I’m a victim of cyber crime?

    • Richard says:

      What are the formal procedures in place for filing a formal complaint for being a victim of cyber crime.

  7. Barry Sinemaue says:

    very informative……..

  8. David Ealedona says:

    Excellent. The people on social sites have forced this on themselves. It will also develop and build the capacity of people to respect others right to live in peace as a private or public figure.

  9. Thresca Kivori says:

    I have been harassed recently on FB. Is there a law that deals with this kind of people?

  10. Kimberly Kanimba Buka says:

    Excellent job Nicta and Zinnia!

  11. Nicolas Bulu Jnr says:

    Would like to know more on this topic “The Cyber crime Code Act 2016”

Leave a Reply