The introduction of a draft law on data protection and privacy by the IT and telecom ministry is a welcome step. In the absence of such a law, Pakistani citizens have had their privacy breached and personal data leaked and used without their consent a number of times by individuals, companies, and the state.
It is of utmost importance that in this day and age of technological advancement and reliance on information and communication technologies, there be a strong law that protects the privacy of citizens who trust several companies and the state with their personal data for ease in services, and have the guarantee under law that such personal information will not be misused.
The clauses related to journalist protection, whereby the act does not apply to “processing of personal data exclusively for journalistic, literary or artistic material”, are a very welcome step in the face of Pakistan’s dismal performance in press freedom rankings because of several attacks.
Chapter two of the bill relates to the data controller respecting the consent of users, and making it mandatory for companies to notify customers regarding the processing of their personal data. This is necessary especially in the face of a plethora of text messages being sent to mobile phone users owing to their personal data including mobile phone numbers being shared by different marketing agencies with other companies without the consent of or notice to consumers. With this law, consumers will have a legal recourse in case of such breaches, and the law will also serve as a deterrent to companies that violate data privacy because of there being a penalty for misuse of data and its sharing without consent or notice.
Security requirements for companies that process data have also been overdue, considering how many times the data of users has been breached. Several of the companies did not even have security arrangements in place to protect the personal data of their users. Making this mandatory under clause eight of chapter two will result in penalties for companies that do not have sufficient security arrangements for data protection, and hence offer greater trust to users. This is especially important in the face of data hacks — and also deliberate data leaks by companies. For instance, it is common knowledge that data on mobile phone users can be acquired by anyone either with a contact in a telecom company or with the means to bribe someone who works there. There need to be strict consequences for employees of companies involved in such shady practices.
Further, some companies purposely sell user data to other companies for profit in order to tailor advertisements to increase their consumer base. This is especially of concern when it comes to foreign companies such as social media giants Facebook and Google. Although after the Cambridge Analytica leaks and introduction by the European Union of the General Data Protection Regulation (GDPR), several measures have been taken by technology companies to protect the privacy of users, there have been instances of hacks and privacy violations by the platforms.
The third chapter deals with the rights of the data subject, modelled on the GDPR, whereby users have the right of access to personal data, the right to correct personal data, and the right to erasure of personal data, all finally giving users rightful control over their personal data.
The definition of ‘sensitive personal data’ is expansive. The law describes it to mean “personal data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, organisations and associations with a religious, philosophical, political or trade union, or provide information as to the health or sexual life of an individual, or the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, or the disposal of such proceedings or the sentence of any court in such proceedings or financial, or proprietary confidential personal data”. This is also important, and one hopes will protect Ahmadi citizens in Pakistan who have been asked to register in a separate registry based on their faith.
These are very welcome steps, especially in the face of campaigns against citizens deemed to be dissidents or critics whose personal information is used against them by state and non-state actors to vilify them in an attempt to silence them. We have seen such campaigns, rooted both in truth and fiction, on TV, social media and in print. One hopes that these clauses will put an end to ad hominem campaigns against persons of interest by those who wish to silence challengers of the status quo.
Another concern regarding the draft data protection law is its conflict with other laws. For instance, the data retention clauses under section 9, which require data controllers to delete data once it is no longer required for its purpose, potentially clash with the data retention clauses in the Prevention of Electronic Crimes Act, section 32 of which mandates service providers to retain user data for a minimum period of one year.
The two laws stand in contrast to each other when it comes to rights protection, and one hopes the evidently newer rights-based approach will prevail in the new parliament, which is more than overdue in setting up a standing committee for IT and telecom in the National Assembly.
What this law misses is clauses relating to data processing by government and state institutions. Breaches of the Nadra database have been frequent in the past few years, and recently the Punjab IT board was also embroiled in a data leak controversy. With biometric and personal information available, and linked to SIM cards and bank accounts, there is a high risk of privacy breaches at an institutional level, as well as by employees of the state. Further, there need to be remedies available against state surveillance. With spy systems such as FinFisher having been detected on Pakistani servers, citizens need to have legal avenues against undue state surveillance.