The Road Ahead for Data Protection and Privacy Laws in Pakistan
With rapid advancement in technology and digitalization all over the world, the need for data protection laws is becoming even more urgent. Over the years, many positive developments have taken place internationally with respect to the introduction of effective laws meant to safeguard the personal data of individuals. However, with respect to the situation in Pakistan, the question remains as to why no formal and binding data protection law has been officially approved and adopted by Parliament yet. There is also not much awareness among citizens about what actually constitutes personal data and why it needs to be protected.
It is of extreme significance in today’s digital age that a law exists to fundamentally protect the privacy of citizens who place their trust in not only private corporations but also the government by giving up their personal information in exchange for better service delivery, and to assure them that their information will not be abused in any manner. The Constitution of the Islamic Republic of Pakistan lists the right to privacy as a fundamental right under Article 14(1), stating that the dignity of a person and the privacy of home shall be inviolable.
In simple terms, personal data includes the name, birth date, national identity number, home address and other such private details of an individual. Moreover, as per the research conducted by Privacy International, any information that can be used to identify a person directly or indirectly can be described as personal data. A more comprehensive definition has also been provided by the European Union’s General Data Protection Regulation (GDPR), which came into force in 2018.
Pakistan’s Prevention of Electronic Crimes Act 2016 appears to have several sections relating to data privacy. But these sections seem to grant law enforcement agencies and government entities access to the private data of citizens while restricting citizens from gaining access to the government’s records of their data. The Electronic Transactions Ordinance 2002 does not regulate data protection directly, though it criminalizes any sort of unlawful or unauthorized access to information under Section 36.
Ride-hailing company Careem admitted in January 2018 that the personal data of many of its users had been stolen by professional hackers. Unfortunately, ordinary citizens had no direct legal recourse against Careem or several other companies for failing to take effective and precautionary measures to protect the users’ personal data. As data becomes more and more valuable, small and large companies keep looking for the personal and private details of consumers in order to target potential customers with marketing campaigns.
Later in the year 2018, the Ministry of Information Technology and Telecommunication (MoITT) invited comments on a draft law pertaining to personal data protection. The Bill interestingly contained a number of significant shortcomings which had been highlighted by various civil society organizations. With respect to the draft law on data protection, it would be prudent to consider whether the standards are similar to the standards of the European Union’s General Data Protection Regulation (GDPR). For example, the draft is only applicable to commercial entities, meaning that public institutions are exempt from its jurisdiction. So if these government institutions abuse their power and leak personal information, ordinary citizens will have no claim against them under the existing draft law.
Additionally, the draft also exempts the processing of personal data that is exclusively meant for literary, journalistic or artistic purposes. Though this promotes media freedom, any sort of potential misuse of sensitive personal data by the press of this country is still a dangerous possibility. Moreover, the federal government alone has been granted a broad range of powers under the draft Bill and if it feels that it is reasonable to share the personal data of citizens, it will certainly have the right to do so. This can eventually lead to an unjustified abuse of power by the government.
Pakistani citizens on multiple occasions have had their privacy violated and personal data disclosed and used repeatedly without consent by other individuals, businesses and the state. Companies have also been deliberately selling user data to other businesses for profit in order to tailor advertisements to increase their consumer-base, which is of particular concern when it comes to foreign corporations like Facebook, Google and other social media giants.
Another concern regarding the draft data protection Bill is its conflict with other laws. For instance, the data retention clauses under Section 9, which oblige data controllers to delete data that is no longer needed for its original purpose, may conflict with the data retention clauses in the Prevention of Electronic Crimes Act, where Section 32 obliges service providers to keep user data and relevant information for at least one year.
What is missing from this law is a clause relating to data processing by government and state institutions, especially since the NADRA database has been frequently breached in recent years and institutions such as the Punjab IT Board have also faced controversies over data leaks. There must be remedies against state supervision, and since spy systems such as FinFisher have been detected on Pakistani servers, citizens must have legal channels against undue government surveillance.
Authorities should strictly enforce the provisions of cyber-crime law criminalizing the unauthorized use of identity information. Given that there is always a risk of data theft, the least we can do is not make things easier for the thieves. Violation seems to be more of a human issue than a technical one. So it is hoped that the more recent rights-based approach will prevail in Parliament as soon as possible.
The views expressed in this article are those of the author and do not necessarily represent the views of CourtingTheLaw.com or any other organization with which she might be associated.