Intervention by the Provedor for Human Rights and Good Governance (PDHJ)
Public Seminar: “Building Bridges to Digital Rights and Addressing Legislative Gaps”
15 January 2026 | Suai Room, Timor Plaza Hotel
Topic: Legislative Gaps (Lakuna Lejislativa) – Protecting People, Not Just Systems
1. The Court Decision on the Absence of a “Data Protection Law”: A Constitutional Mandate
Last year, in 2025, the PDHJ took a historic and necessary legal action. We submitted a Petition for Omission to the Court of Appeal. Our argument was straightforward and rooted in the Constitution: the state’s prolonged and unjustified failure to enact a comprehensive data protection law represents an omission of its duty to uphold the fundamental right to privacy enshrined in our law.
The Court agreed with our position.
This judicial ruling is far more than a symbolic victory. It is a binding legal mandate. It establishes a clear precedent: every single day that Timor-Leste operates without a robust Data Protection Law and a carefully balanced Cybercrime Law, our nation exists in a state of official legal failure. This judicial directive places a clear responsibility on the legislature to act with both urgency and profound wisdom to correct this constitutional omission. The time for discussion is over; the time for deliberate, informed action is now.
- Clarifying the Core Laws: Understanding the Foundation
To build effectively, we must first understand the materials. Let us be absolutely clear on the purpose and nature of the two critical laws we are crafting.
- What is a Data Protection Law?
In essence, a data protection law is legislation that formally recognizes that your personal information is an extension of your personhood and belongs to you. It is not an asset for companies or government databases to exploit without limit. This law establishes a clear set of rules, responsibilities, and rights governing the entire lifecycle of personal data from the moment it is collected, through how it is used and stored, to when it is shared or deleted. Its core purpose is to safeguard individual privacy, autonomy, and dignity in an increasingly digital society, giving you control over your digital identity.
- What is a Cybercrime Law?
A cybercrime law is legislation that defines, criminalizes, and provides procedures for prosecuting illegal acts that are committed using computers, networks, and information systems as either the tool or the target. This includes crimes like hacking into private networks, committing fraud through online platforms, stealing vast digital datasets, and serious online harms such as systemic harassment or the distribution of child sexual abuse material. Its fundamental goal is to provide security and safety, to protect individuals, businesses, and our national infrastructure from digital threats and violence, ensuring the online space is not a lawless frontier.
These two laws are deeply interconnected. One, data protection, is primarily defensive, protecting your digital self. The other, cybercrime, is primarily responsive, protecting you from digital harm. They are two essential and complementary shields for our citizens in the 21st century.
- Learning from Global Experience: A Guide to Success and a Warning Against Failure
As a young nation, we have the unique advantage of learning from the decades of experience, both good and bad, of other countries. We must study this history carefully to avoid their pitfalls and adopt their best practices.
On Data Protection Law:
- The Positive Example – The EU’s GDPR: The General Data Protection Regulation (GDPR) is considered the global benchmark because it places power directly in the hands of the individual. It mandates that organizations must be transparent about what data they collect, must obtain clear and informed consent, and must respect a suite of individual rights, including the right to access your data, correct it, and even have it deleted. This strong framework does not stifle innovation; rather, it builds public trust, which is the single most important foundation for a thriving and sustainable digital economy. People are more willing to engage online when they feel in control.
- The Negative Examples – Laws That Fail in Practice: We must be wary of two dangerous failures. First, there are data protection laws that are strong on paper but weak in practice, featuring underfunded enforcement bodies with no real power to investigate or sanction violators. This creates a dangerous illusion of protection. Second, and more sinister, are laws that use the language of “data sovereignty” or “national security” as a pretext for legitimizing mass state surveillance of citizens, turning data protection into its opposite: a tool for control. Our law must explicitly guard against this by ensuring the supervisory authority is fiercely independent from political influence.
On Cybercrime Law:
- The Positive Example – The Budapest Convention: This international treaty provides a proven, balanced blueprint. It effectively criminalizes tangible harms like network intrusion, fraud, and child exploitation, while its procedural chapters enable vital international cooperation. Crucially, it is designed with safeguards for human rights, requiring that domestic implementations respect principles of proportionality and freedom of expression. It focuses on criminalizing specific, harmful actions, not criminalizing unpopular speech.
- The Negative Example – The Weaponization of Law: We have a solemn duty to learn from the tragic examples in other nations where poorly drafted cybercrime laws have become the primary instrument for authoritarian overreach. Vague provisions criminalizing “false news,” “online insult,” or “causing public alarm” are routinely used to arrest journalists, imprison activists, and criminalize political dissent. This transforms a law meant to ensure security into a law that strangles democracy itself. Our drafting process must be meticulous to ensure our cybercrime law is a precise tool for justice, not a blunt weapon for repression.
- Three Critical Pillars to Guide Our Legislation
Drawing from our mandate and these global lessons, the PDHJ asserts that any credible digital legislation must be constructed upon three foundational pillars. These are non-negotiable for laws that will stand the test of time and protect our democracy.
Pillar 1: Precision, Not Vagueness – The Foundation of Legal Certainty.
Every single article, every defined crime, every granted authority must be drafted with crystal-clear legal precision. What, exactly, constitutes “illegal access” to a system? How is “personal data” specifically defined? What precise actions cross the line into “criminal defamation” as opposed to protected political criticism? Legal ambiguity is the enemy of justice; it creates a chilling effect where citizens and journalists self-censor for fear of crossing an invisible line. It also grants excessive, dangerous discretion to those in power. Our laws must be so clear that a university student, a small business owner, and a police officer can all understand where the legal boundaries lie.
Pillar 2: For Every Power, a Check and Balance – The Core of Good Governance.
These laws will necessarily grant new powers to state authorities, powers to investigate, to request data, to intercept communications. This is necessary for enforcement. However, each and every one of these powers must be immediately counterbalanced by a robust, independent oversight mechanism. If the police can request user data from a telecom company, that request must, by law, require prior authorization from an independent judge based on demonstrated probable cause. If content can be taken down, there must be a swift, transparent, and accessible appeals process for the affected party. Checks and balances are not bureaucratic obstacles; they are the essential architecture that prevents state power from curdling into state abuse. This is the very essence of good governance.
Pillar 3: An Independent Guardian – The Sanctuary for Citizens.
A Data Protection Commission cannot be a symbolic office buried within a government ministry. It must be established by law as a truly independent institution, independent in its leadership appointment, its budget, and its operational decisions. It must be staffed by experts and empowered with real “teeth”: the authority to conduct unannounced audits, to compel testimony, to issue binding decisions, and to levy meaningful fines for violations. It must be a visible, trusted, and accessible sanctuary where any citizen can turn for help when they feel their digital rights have been trampled. This independent guardian is the ultimate guarantee that the law will function in practice.
(Note: While the PNTL, PSIK, PDHJ, ANC, and TIC Timor-Leste are indispensable institutions, they lack the singular focus and authority to enforce data protection law across all of society. The police target criminal acts, not systemic corporate negligence. The Ombudsman investigates government maladministration but does not regulate private entities. The ANC oversees telecom services, not data governance in health, finance, or public administration. What is critically missing is an independent watchdog with the power to oversee everyone—including the government itself. A dedicated Data Protection Commission is that guardian: empowered to audit ministries, fine corporations, and hold both public and private sectors accountable to the same privacy standards. Without such a body, there is no credible mechanism to prevent the state from misusing citizen data or to ensure businesses respect personal information. It is the essential, independent check that transforms legal principles into tangible protection for every Timorese citizen in the digital age.)
- Beyond the Text: The Law is a Bridge, But We Must Build the Road to It
We must confront an uncomfortable truth: a perfectly drafted law in a wholly unprepared country is merely a bridge to nowhere. If we lack the capacity to implement and enforce it, the “legislative gap” we close today will immediately reopen as a wider, more damaging “implementation gap.” The citizen will see a law on the books but experience no change in their vulnerability. We must therefore address our national unpreparedness with the same seriousness as we address the legal text.
- The Institutional & Technical Capacity Gap: We Lack the “Who” and the “How”.
Let us ask ourselves honestly: How many of our judges are trained to evaluate digital evidence? How many police investigators are certified in digital forensics? Do our courts have secure, reliable systems to store and process this evidence without corruption? The realistic answer is that we are starting from near zero.
- The Dire Risk: Without this capacity, a cybercrime law becomes a dead letter: crimes are reported but cannot be investigated or prosecuted. A Data Protection Commission becomes a “paper tiger,” unable to conduct technical audits or understand complex data breaches.
- The Integrated Solution: Therefore, the laws themselves must mandate and fund a National Digital Capacity Building Plan. This is not a separate project; it is part of the law. The legislation must include provisions and budget lines for the systematic, ongoing training of a core cadre of specialists: cyber-investigators, digital forensics experts, data protection auditors, and judges. It must also fund the necessary secure IT infrastructure for the judiciary and the new Commission.
- The Public & Professional Literacy Gap: We Lack the “Understanding”.
A right that is unknown is a right that cannot be claimed. A responsibility that is misunderstood is a trap for well-meaning people.
- The Dire Risk: If our citizens do not know what data privacy is, they cannot demand it. If our small business owners do not understand basic data protection rules, they will unintentionally violate the law and face penalties, stifling entrepreneurship. This breeds public mistrust and widespread non-compliance.
- The Integrated Solution: Consequently, these laws must mandate a sustained National Digital Literacy and Awareness Campaign. The Data Protection Commission should have a statutory duty for public education. We must translate the core principles of these laws into simple, accessible Tetum and Portuguese for radio programs, school modules, and community workshops. We must proactively train journalists, civil servants, and local entrepreneurs on their new digital rights and duties.
- The Procedural & Coordination Gap: We Lack the “Cooperation”.
Cybersecurity and data protection are not the domain of a single ministry. They involve the Ministry of Justice, the Ministry of Transport & Communications, the Ministry of the Interior, the proposed Data Protection Commission, and telecom regulators. Without pre-established rules, these bodies will operate in confusing silos or, worse, in conflict.
- The Dire Risk: When a major data breach occurs at a bank, who investigates? The police? The data commission? The telecom regulator? Confusion leads to delay, and delay allows harm to spread. Critical evidence can be lost in bureaucratic turf wars.
- The Integrated Solution: Thus, the primary laws must require the creation of detailed Implementation Protocols. They should mandate the drafting of Memoranda of Understanding (MoUs) between all relevant agencies, clarifying roles and data-sharing protocols. They should require the establishment of Standard Operating Procedures (SOPs) for incident response, evidence handling, and cross-agency collaboration. This framework for cooperation must be built by law.
Conclusion: Let Us Build Both the Bridge and the Road
We are gathered here to launch more than a legislative process; we are launching a national project for digital maturity and democratic resilience.
Let us not repeat the classic mistake of passing elegant laws that immediately collapse under the weight of our own systemic unpreparedness. The Cybercrime Law and the Data Protection Law are the essential bridge to a secure and rights-respecting digital future. But we must, with equal determination and resources, build the road that leads to that bridge, the road paved with institutional capacity, public understanding, and seamless inter-agency coordination.
The Court has issued its instruction. The Constitution provides our compass. The people await our protection.
Let this seminar be the moment we commit not only to passing laws but to building a functional system. Let us commit to laws that work not only in the halls of Parliament but in the police stations of Bobonaro, the markets of Dili, and the daily online lives of every Timorese citizen.
Thank you. The Provedoria for Human Rights and Good Governance stands ready to collaborate deeply with all of you—government, civil society, the private sector, and our international partners—to build this bridge and this road, together. Muito Obrigado.
ANNEX: EXPANDED INTERNATIONAL & REGIONAL FRAMEWORKS FOR DIGITAL GOVERNANCE
1. United Nations Instruments & Resolutions
- UN General Assembly Resolution on the Right to Privacy in the Digital Age (A/RES/76/211 and predecessors)
- Core Principle: Affirms that the same rights people have offline must also be protected online, particularly the right to privacy.
- Key Relevance for Timor-Leste: It condemns unlawful or arbitrary surveillance and collection of personal data, and calls for states to review their procedures and laws to ensure transparency and oversight. This resolution is a direct UN mandate for Timor-Leste to establish its data protection framework with strong safeguards against state overreach.
- UN Human Rights Council Resolution on Freedom of Opinion and Expression (A/HRC/RES/49/21)
- Core Principle: Emphasizes that freedom of expression is essential in the digital age and a driver for all other rights.
- Key Relevance for Timor-Leste: It specifically calls on states to refrain from using criminal defamation laws to stifle criticism and to ensure any restrictions on online content comply with the strict three-part test of international law: they must be (1) provided by law, (2) necessary for a legitimate aim (like national security or public order), and (3) proportionate. This is a crucial test for any content-related provision in a cybercrime law.
- UN Guidelines for the Regulation of Computerized Personal Data Files (1990)
- Core Principle: An early but foundational UN document outlining principles of lawfulness, accuracy, purpose-specification, and individual participation in data processing.
- Key Relevance for Timor-Leste: While superseded by more modern frameworks, it provides a basic, universally-agreed ethical foundation for why data protection is a global concern, supporting the argument that Timor-Leste is not creating a new right but implementing an established international norm.
2. Regional Frameworks (Asia-Pacific & ASEAN)
- ASEAN Framework on Personal Data Protection (2016)
- Core Aim: To promote harmonization of data protection laws across ASEAN member states to facilitate regional economic integration while protecting personal data.
- Key Principles: Includes core principles similar to GDPR: Consent, Notification, Purpose Limitation, Access & Correction, Accuracy, Security, and Accountability.
- Key Relevance for Timor-Leste: As an ASEAN member, aligning with this framework ensures Timor-Leste’s law is regionally interoperable, easing data flows with neighboring countries and supporting digital trade. It demonstrates that high standards are consistent with ASEAN membership.
- Asia-Pacific Economic Cooperation (APEC) Privacy Framework (2005, updated 2015)
- Core Aim: To promote a flexible, cross-border approach to data privacy protection that fosters economic growth and trade in the APEC region.
- Key Mechanism: The APEC Cross-Border Privacy Rules (CBPR) System is a voluntary certification system for companies to demonstrate compliance with regionally agreed privacy standards, facilitating trusted data transfers.
- Key Relevance for Timor-Leste: Offers an alternative, business-enabling model for cross-border data governance. Understanding this framework helps drafters consider provisions for international data transfers that are practical for economic development while maintaining safeguards.
3. Standards from Other Relevant Jurisdictions
- Nigeria’s Data Protection Act (2023) – A Recent Global South Example
- Notable Feature: Created a full-fledged, independent Data Protection Commission with broad powers. It blends GDPR-style principles with context-specific provisions.
- Key Relevance for Timor-Leste: Provides a concrete example of a comprehensive data protection law drafted and implemented in a similar socio-economic context. It shows the feasibility of establishing a strong, independent authority outside of Europe.
- Philippines’ Cybercrime Prevention Act (2012) – A Cautionary Tale
- Notable Feature: Included a highly controversial “cyber-libel” provision (libel under the Revised Penal Code applied online with a higher penalty). This has been widely criticized and used extensively to prosecute journalists and critics.
- Key Relevance for Timor-Leste: Serves as a direct regional warning of what to avoid. It highlights the dangers of simply transplanting offline criminal provisions into cyber law without considering proportionality and the chilling effect on free speech.
4. Technical & Implementation Guidelines
- International Organization for Standardization (ISO) Standards:
- ISO/IEC 27001: The international standard for Information Security Management Systems (ISMS). It provides a framework for organizations to manage the security of assets like financial information, intellectual property, and employee data.
- Key Relevance for Timor-Leste: The Data Protection Law can reference or encourage alignment with such internationally recognized security standards. This gives companies a clear, global benchmark for the “security measures” they are legally required to implement.
- Global Forum on Cyber Expertise (GFCE)
- Core Function: A global platform for countries, international organizations, and private companies to share best practices, expertise, and assistance on cyber capacity building.
- Key Relevance for Timor-Leste: A direct resource for addressing the “national unpreparedness” gap. Timor-Leste can leverage GFCE initiatives and partners to access the technical assistance, training programs, and expertise needed to implement the cybercrime law and build a functional Data Protection Commission.
- Summary: Budapest Convention on Cybercrime
What it is: The first international treaty to combat cybercrime, created by the Council of Europe in 2001. It serves as a global blueprint for national cybercrime laws.
Core Purpose: To harmonize laws, improve investigative methods, and boost international cooperation against crimes committed via the internet and computer systems.
Key Elements:
- Criminalizes Specific Acts: Requires countries to outlaw core cybercrimes: illegal access (hacking), data interference, system interference, computer-related fraud/forgery, and child sexual abuse material online.
- Provides Investigative Powers: Grants law enforcement tools like preserving data, real-time interception, and search/seizure of digital evidence.
- Mandates International Cooperation: Establishes a 24/7 network for urgent assistance and streamlines cross-border investigations.
- Safeguards Human Rights: Article 15 requires all measures to respect human rights—including privacy and freedom of expression—and to be proportionate.
Why it matters for Timor-Leste: It offers a ready-made, balanced framework. Adopting its principles ensures a law focused on prosecutable actions (like hacking) rather than criminalizing speech, and it facilitates vital global police cooperation.
- Summary: European General Data Protection Regulation (GDPR)
What it is: A comprehensive data protection regulation that became EU law in 2018. It is the global gold standard for privacy, establishing that personal data protection is a fundamental right.
Core Philosophy: Puts individuals in control of their personal data. The regulation is based on principles of lawfulness, fairness, transparency, and accountability.
Key Elements:
- Individual Rights: Grants powerful rights to citizens, including access, rectification, erasure (“right to be forgotten”), data portability, and the right to object to processing.
- Organizational Obligations: Requires any organization processing data to have a lawful basis (e.g., consent), implement “data protection by design,” conduct impact assessments for high-risk activities, and report data breaches within 72 hours.
- Strong Enforcement: Establishes independent national Data Protection Authorities (DPAs) with power to investigate and impose severe fines (up to 4% of global annual turnover or €20 million).
- Extraterritorial Scope: Applies to any organization worldwide that processes the data of individuals in the EU.
Why it matters for Timor-Leste: It demonstrates that strong privacy rules build public trust, which is the foundation of a digital economy. It provides a model for a citizen-centric law enforced by an independent watchdog, ensuring the law has real power.