With so much of our personal data at the disposal of government authorities and private companies, it was about time that the government listened to citizen demands for a data protection law in Pakistan. Article 14 of the Constitution provides for the dignity of a person and the privacy of the home as a fundamental right, both of which are violated when our personal data is not protected.
The draft Personal Data Protection Bill was introduced last month on the website of the Ministry of IT and Telecom for consultation. It is important to explore the strengths of this bill, some major issues with the clauses, some critical provisions that are missing in the current draft, the significance of its timing, and the consultation process the bill must go through.
The strengths of the bill include a strong regime for holding data-processing entities such as private companies accountable on protecting the personal data of consumers. With personal data such as phone numbers, call records, identity information, health records, and addresses of citizens being either sold, hacked, leaked or abused in other ways, it is critical that consequences for such misuse are outlined clearly.
The bill lays out the requirement of consent of a citizen for their data to be processed, notices to them in case of their data being processed, non-disclosure of personal data for purposes other than specified, standards for security for protection of held data, (undefined) time limits on data retention, and data breach notifications.
This bill also details in chapter three the rights of a data subject, including the right to correction, erasure, compliance with data access requests, withdrawal of consent for processing data, limits on the extent of disclosure of personal data, and the right to prevent processing of data likely to cause damage or distress.
Additionally, the draft makes some exemptions for the purposes of this law, including for journalistic, literary or artistic purposes, which is a welcome step. However, it makes “processing of personal data in the interest of security of the state” subject to authorisation by the federal government under a procedure that remains undefined.
Also not defined explicitly is the liability of data protection on government and public bodies, which is a critical component of any such law considering the state and government hold the highest amount of sensitive personal data of citizens. The Nadra database, which holds the identity information of all citizens, has been subjected to hacking many times in the past, but there has been little transparency on the investigation of these hacks, whether an official was held responsible, and any consequences for those who failed in their responsibility of protecting citizens’ data.
This should also cover protections against leakage of personal data of citizens, including of families of public officials such as judges, ministers and generals, which is abused for political purposes. Such breaches often occur through connivance of officials in public bodies.
The bill also gives broad discretionary powers to the federal government whereby it can grant or revoke exemptions to data controllers, without a specified procedure. This also goes against the spirit of protecting data of citizens fairly.
A major contentious feature of the bill is the data protection authority that is “to carry out purposes of this act”, which under this bill functions under the federal government rather than being independent and autonomous. This is made more contentious by the funding of this body coming directly from the government, and by the composition of the authority, which includes members of ministries and four members from other sectors such as media and civil society who are nonetheless required to be employed full-time by the authority. This goes against the spirit of independence and autonomy of such a body.
The government would be better off using the already existing information commission, which functions to administer appeals under the right to information law, as is the practice in the UK under the Data Protection Act. This way, the government can utilise an existing body already working on a related matter — information requests — and legislate on its independence to avoid conflict of interest.
Furthermore, the current bill attempts to localise data under Sections 14 and 15 by requiring data of citizens to be stored within the borders of Pakistan, which presumably would apply to social media companies. This seems to be linked to the Protection (Against Online Harms) Rules, 2020, under which the government proposed that social media companies register locally and set up servers. There is also the question of the practicality of such a requirement, as social media companies have already expressed strong opposition to plans for data localisation, especially in an era of transnational data servers.
Apart from posing grave data privacy concerns given the state’s requests to social media companies on citizen data as shown by their transparency reports, data localisation also threatens freedom of speech on the internet, as surveillance causes self-censorship and persecution of speech critical of the government.
Lastly, this bill should include time-sensitive sunset clauses for health-related data and surveillance at a time of a pandemic. We have seen broad-based tracking of citizens for Covid-19, a process which has lacked transparency, legality and a procedure that respects the rights of citizens while safeguarding the right to life threatened by the pandemic, such as using only aggregated and anonymised data rather than personally identifiable data. Further, the government should already be vigilant of Covid-19-related privacy violations such as the leaking of health records of patients and the stigma linked to the virus.
As for the timing of the bill, this is not the best time for consultation on a critical law considering the pandemic-related lockdown, and the tight deadline of 35 days for feedback. Hence, this must be treated as the first round of consultation, after which the draft should be amended, based on the feedback, and the ministry must provide justification for not including any suggestions made by those who submit comments. A second round of public consultation should be held on the amended version, followed by public hearings by the National Assembly and Senate committees on IT and telecom.