Punishments:
Imprisonment from 91 days to two years, or cash fine of 5 million to 40 million rials, or both
Article 18: Any person who uses computer and telecommunication systems to publish, or share publically by other means, lies and libellous material, with the intention of harming another person, or agitating and upsetting the minds of people or the state officials; or anyone, who – with the same intentions as the above mentioned ones – attributes some statements and conducts falsely and in a manner contrary to the actual events, either independently or indirectly and by quoting third parties – regardless of whether or not these actions inflict material losses on others, or damage their reputation and character, then in addition to the damages they have to pay to restore someone’s loss of reputation (if needed), they will be sentenced to prison term, ranging from 91 days to two years, or to cash fine of 5 million to 40 million rials, or both.
The crime the above Article refers to consists of two different criminal dimensions:
A) Spreading lies and libellous material
B) Falsely attributing some actions and deeds to another person
In both these dimensions, however, the purpose and reason behind committing that crime must be one of these two:
I) Causing harm and loss to someone else; or
II) Agitating the minds of the public or the state authorities.
In view of the content of Article 18 of the Cyber Crimes Law, the actions and conducts which constitute the means for the occurrence of the crime the Article refers to consist of the following:
A) With the intention of causing someone else to suffer from harms and losses, or agitating and disturbing the minds of the public or the state authorities, the perpetrator: A1) Publishes some lies and libellous material; or A2) Provides people with some false and libellous material; or B1) Falsely attributes some statements or actions to someone else, either directly, or indirectly and through citing a third party.
* It does not make any difference whether the party about whom false information is published is a private individual or a corporate entity.
* If the above-mentioned actions take place through computer and telecommunication systems, then the provisions of Article 18 of the Cyber Crime Law will apply to the crime which has taken place; otherwise the crime will come under the provisions of Article 698 of the Islamic Penal Law.
* The question about the actual occurrence of the crime is not affected by whether or not the perpetrator’s action has caused any harm or losses to the person about whom lies have been published and spread across society.
It is very important to pay attention to this point that providing a correct or incorrect account of something and sharing it with the rest of the public should revolve around news and information, rather than theoretical and analytical material. In other words, if someone makes a comment about social, historical and political issues through the channel of computer and telecommunication systems, he will not be committing any kind of criminal activity, no matter how incorrect and flawed his comment and analyses may be.
Point: Considering as a criminal activity the publication or sharing of incorrect information, or the false attribution of actions and statements to someone – when there is a clear intention to damage and harm that person (regardless of whether or not any damage or harm has been caused) is in contravention of the principle of freedom of expression. The only benefit and positive result that it produces is to pave the way for censorship, and provides a legal basis and justification for the government to impose greater control over computer and telecommunication systems. In addition, the channels and opportunities for any kind of criticism and analysis are closed off, and the Judiciary will be able to confront Internet users and in general the political, security and judicial authorities will be able to easily restrict the freedom of expression for people using computer and telecommunication systems.
* This crime is one which is centred on intent, and for its actual materialization, the following need to be proven:
First: The perpetrator must be aware in advance about the falseness of the material he is publishing about someone else.
Secondly: The perpetrator should be fully aware of the unlawfulness of his action – that is to say the publication and spread of lies about someone through computer and telecommunication systems.
Thirdly: The defendant has perpetrated the crime with full intent
Fourthly: The defendant has intended to cause harm and damage to others, or to agitate and disturb the public, or the state officials.
Punishments:
A) Obligation to restore the reputation and character of the plaintiff (that is if the court orders him to do so)
B) Imprisonment from 91 days to two years; or
C) Payment of cash fine of 5 million to 40 million rials, or both
Article 19: If cyber crimes are perpetrated under the name and auspice of a corporate entity and in pursuit of its interests, the corporate entity involved will bear criminal liability in the following circumstances:
A) When the head of the corporation has personally committed the cyber crime
B) When the head of the corporate entity has directly issued the orders for the perpetration of the cyber crime, which they is actually materialized
C) When one of the employees of the corporate entity perpetrates the crime either with the full information and knowledge of the head of the corporation, or as a result of the top man’s failure to exercise supervision and scrutiny
D) When all or at least a part of the activities of the corporate entity is concentrated on perpetration of cyber crimes.
Note 1: By the term “head”, the Article is referring to a person who has the authority and responsibility for decision making and supervision over the staff and management of the corporation
Note 2: The criminal liability of the corporate entity will not save the actual perpetrator from punishment. When there are no grounds to blame the corporate entity for the crime which has taken place, then punishments will be applied only to the individuals working within that corporation, rather than to the corporate entity as a whole.
Question: Who is a “corporate entity”?
Answer: All private, governmental, non-profit making companies and corporations, when they are registered officially as companies, rather than individuals, based on the procedures clarified by the law. Each of these companies and organizations consist of a number of share-holders and stake-holders, who have a private, individual legal status, which is separate and independent from the corporate legal status of the companies and organizations they are affiliated with.
According to this law, a corporate entity is deemed to deserve punishment when the following criteria are met:
A) When the cyber crime in question has been committed in the name and on behalf of a corporate entity
B) When the cyber crime is committed in pursuit of the interests of the corporate entity
Question: What is the criteria for determining if the cyber crime has been committed in the name, and on behalf of a corporate entity?
Answer: These criteria have been specified by this law. Whenever cyber crimes are committed under conditions which the law mentions, they should be considered as crimes perpetrated by the corporation in pursuit of its organizational interests. The conditions that the law describes are the following:
1. The top manager of the corporate entity personally perpetrates a cyber crime under the corporation’s name and auspice and in pursuit of its interests. In other word, if Mr A, who also happens to be the boss of Company B at the same time, copies some data and information from the computer terminals of a third party and then shares them with others, one can apply the provisions of Article 19 to his actions when:
Mr A has committed this action under the name of Company B and in his capacity as its manager, and his purpose and intention has been to facilitate the advancement and growth of Company B and its interests.
However, when Mr A acts as a private individual and person, rather than as the manager of Company B, to commit the crime of unlawfully copying data and information from someone else’s computer terminal and then sharing the information with others through the means of computer and telecommunication systems, and if he does so in pursuit of personal objectives rather than for safeguarding the interests of Company B, then the provisions of Article 19 will not apply to this case.
Moreover, if the manager of Company B commits a cyber crime under the name of his corporation, but his action is not aimed at ensuring the corporation’s interests, once again the provisions of Article 19 will not be applicable here, and Company B will not carry any legal responsibilities as a corporate entity.
2. A case when the manager of Company B issues an order to make copies from data available in the computer terminals of another company, let us say Company C, or the computer system of an individual, for example Mr D, and if these data are then shared with others through the means of computer and telecommunication systems, two scenarios are possible here:
A) The computer data of Company C or Mr D are copied and distributed among others on the basis of orders by the manager of Company B. In this case, if the crime was committed in pursuit of the Company B’s interests, then it would be covered by Article 19, and the corporate entity would be the subject of the legal punishments. However, if some actions occur as a result of orders issued by the manager and these actions constitute cyber crimes, the provisions of Article 19 will not apply to them if they are not in pursuit of the corporation’s interests, and as such, Company B will not harbour any criminal liability.
B) No crime can be said to have occurred when computer data belonging to others are copied on the orders from the manager of the corporation, but the copied information is not shared with others, or nothing is done following the order by the manager.
3.1. If an employee of Company B embarks on copying the computer data of others and shares them with others with the knowledge of his company’s manager, then Article 19 will applicable and Company B will carry criminal liability.
3.2. If an employee of a company commits a cyber crime as a result of lack of supervision by that company’s manager, and this crime serves the interests of that company and is committed under its name and authority, then the provisions of Article 19 will apply to the case.
4. If some of the activities of a corporate entity, such as Company B for instance, concentrate on copying the computer data of others, or to committing any other cyber crime, then that corporate entity will be criminally culpable.
Point: In Note 1 of this Article, a manager has been defined as someone who has the authority to represent a corporate legal entity, exercise supervision over it, and make decisions on its behalf.
Question: Normally, will one person hold the responsibility for representing a corporate legal entity, and making decisions on its behalf?
Answer: No, because: First, managing, representing and supervising a corporate legal entity is usually the responsibility of a board, who are elected by the share-holders and owners of the company. As such, usually one person does not hold all the key responsibilities. Secondly, corporate legal entities can also legally become members of the management board and leadership team of a corporate legal entity. For example, Company A can be selected as the top director, or a member of the management board, of Company B.
Therefore, the management board can be made up by a collective of individuals, or by a mixture of individuals and corporate legal entities. In this manner, if in a given corporation, one of the members of the management board orders an employee of the company to perpetrate a cyber crime, and this order is not a part of collective decisions adapted by the company’s management board, even though the employee perpetrates it believing that it was an order by the management of the company, then in the case of this criminal activity, only the person who has issued the order will be culpable from a legal point of view, and the corporate legal entity running the company will not carry any criminal liabilities.
Note 2: This note emphasizes that the criminal liabilities of a corporate entity do not excuse private individuals who are among the management board of a company from their own criminal liabilities. In this case, if the company’s top manager is a corporate entity, it seems that the applicable punishments will be handed out to the individuals who have attended the meetings of the management board and adapted positions and decisions there as representatives and on behalf of the said corporate entity.