In the ever-growing world of technology, information is in the palm of your hands and unfortunately, so is the abuse of it. The protection of personal data in Pakistan was essentially unheard of, so any idea of protecting their personal data was merely shrugged off, but in this digitally charged world, governments all around the world struggle to strike a balance between utilizing technology’s advantages and protecting its citizens’ privacy. In light of this, the Federal Cabinet has approved the “Personal Data Protection Bill 2023” after realizing the importance of preserving the security and privacy of people’s personal information on the internet. Therefore, it is essential to carefully examine the bill by highlighting the protection afforded to the citizens of Pakistan and their personal data, dissecting the potential pitfalls that may arise due to ambiguities in the statute as well as a look into the future of this ground-breaking legislation and how it can be developed further.
Within six months of the Act’s commencement, the Bill would create the National Commission for Personal Data Protection (NCPDP), which will work to defend an individuals’ rights when engaging in data processing activities. In order to protect an individuals’ personal data, the Bill lays down quite a comprehensive list of remedies in case of any illegality. A fine of up to $125,000/-, or its equivalent amount in Pakistan Rupees, is levied where there is any violation in the process, dissemination or disclosure of personal data of the individual as per Section 48(1) of the Personal Data Protection Act, 2023. Section 48(2) lays down a fine of up to $500,000/-, or its equivalent amount in Pakistani Rupees, in case of personal data offences, whereas Section 48(3) levies a fine of up to $1,000,000/-, or its equivalent amount in Pakistani Rupees, in the instance of critical data violations. Lastly, where adequate security measures for data security are not met, then a fine of up to $50,000/-, or its equivalent amount in Pakistani Rupees, shall be imposed.
The Bill seems to have presented a solid foundation for the adequate protection of one’s personal data with little to no inadequacies, but on a closer inspection, there are a few chinks in the Bill’s armor which need to be addressed to curtail any loopholes that may arise in the future.
First and foremost, it is pivotal to discuss Section 50(4)(ii) of the Act which states that any unlawful disclosure, use or transfer of an individuals’ personal data will result in hefty fines of up to $2,000,000/-, or an equivalent amount in Pakistani Rupees, being imposed whereby the aforesaid section has been reproduced hereunder:
“50. Issue enforcement orders and impose penalties. –
(4) Where anyone fails to: -
(a) respond to the notice referred to in sub-section (2); or
(b) satisfy the Commission about the alleged contravention; or
(c) remedy the contravention within the time allowed by the Commission may by a written order and furnishing reasons for that shall: -
(i) levy fine which may extend to 2,000,000 USD or an equivalent amount in Pakistani Rupees; or
(ii) suspend or terminate the registration and impose additional conditions.”
When perusing the aforementioned section, the language is clear to a certain degree; however, further refinement is required in order to avoid any, and all, inconsistencies whereby Section 50(4)(ii) mentions the imposition of additional conditions without specifying what those additional conditions could be, and without a proper benchmark given to the same will result in arbitrary decisions and potentially unfair treatment.
Delving deeper into the semantics of the Bill, there also seems to be a flagrant confusion when reading Section 51, particularly 51(6), of the Act in which the aforesaid section prescribes the procedure that the complainant must adopt in order to file the complaint to the NCPDP. Section 51(6) states that the NCPDP shall dispose the complaint in an efficient manner – an act, if followed in the letter and spirit of the Bill, would be commended by all citizens – the section, however, also states that when issuing directives to prevent the breach, the data controller and data processor will not be consulted; a step forward taken only for the NCPDP to step back because if the NCPDP truly wishes to dispose the complaints efficiently, the comments of the data controller and the data processor may prove to be fruitful in order for that efficiency to come into effect.
Another concern is the cost of compliance whereby the main beneficiaries will mostly consist of businesses and start-ups. While the Bill has numerous benefits, but if the cost of compliance outweighs the benefits, then the Bill’s implementation will come as a challenge.
Uncertainty regarding the Court of Appeal in cases of disputes or violations is another significant concern with the Bill. According to Section 52(1), Appeals against the decision of the NCPDP shall be referred to the High Court or to any other tribunal established by the Federal Government for this Act which is perfectly fine and the language used is like any other statute in Pakistan. However, Section 52(2), on the other hand, states that if any person is aggrieved by the decision of the NCPDP, the appeal shall lie with the NCPDP itself. This provision not only raises questions about the fairness and impartiality of the appeal process, but also directly contradicts with Section 52(1). The language used in this Bill insinuates the word, “Review” was supposed to be preferred instead of “Appeal”, but the fact that that Appeal was preferred raises eyebrows especially since the Federal Cabinet has also approved the Bill.
A further matter in contention is Section 56 of the Act which pertains to the relationship of the Act with other laws, specifically stating that the sections of this Act will serve as bare minimum provisions and wherever there is any other applicable law on the subject, the provisions that have greater effect will prevail. The term “provisions that have greater effect will prevail” leaves room for interpretation. What constitutes a “greater effect” in terms of data protection is not explicitly defined, leaving it open to subjective judgment and potential inconsistencies in legal interpretations. Moreover, this section may potentially lead to dilution whereby the provision’s emphasis on other applicable laws with “greater effect” prevailing might lead to certain provisions of the Personal Data Protection Bill 2023 being rendered ineffective if they conflict with existing laws with weaker data protection measures.
Despite a few uncertainties here and there, the Bill is quite elaborate. The responsibilities of the data controller and data processor, along with their functions, have been laid down in a coherent manner. The procedure for correcting or removing a data subject’s personal data has been provided with little to no defects as well as cooperating with international organizations in the field of data protection, so altogether, it is a well drafted piece of legislation. When comparing this Bill with the statutes of other countries in the region, it seems Pakistan’s effort to maintain the citizen’s personal data is leaps and bounds ahead.
For instance, India recently approved the ‘Digital Personal Data Protection Bill, 2023’ whereby the personal data rights have been eloquently laid down; however, the offences have not been specified in case of non-compliance. Additionally, Iran’s ‘Personal Data Protection and Safeguarding Draft Act,’ is poorly drafted and incompatible with international law to appropriately secure its citizens’ rights to privacy. The Draft Act violates international data protection norms and jeopardizes the freedom of speech. The independence of the authority charged with monitoring the application of the Draft Act and the absence of effective legal channels for seeking restitution for any harm they may have endured are both grave concerns. Meanwhile, Afghanistan has no legislation on personal data protection.
All in all, the introduction of the Personal Data Protection Bill, 2023 appears to be a giant leap in the right direction representing a significant milestone in Pakistan’s efforts to protect individual privacy and secure personal data. While the Bill offers numerous benefits, it also faces hurdles that need to be vaulted to ensure its successful implementation, but considering the Bill is still at its fledgling stage and shall come into force in a year and a half from the date of its promulgation, there is still room for further development of the Bill. While taking into account the evolving digital landscape, Pakistan can set a precedent for responsible data governance and citizens can be duly informed about its significance by raising public awareness about data privacy rights and best practices will help citizens understand the importance of data protection and make informed decisions about their personal information.
–The Writer is an Advocate