A security guard asks for your ID card. You hand it over and enter the premises. You leave the premises a few days later, only to find out that the guard has misused your ID card by making photocopies of it or, worse, has lost it. You receive messages and calls from real estate agents, builders, insurance companies and investors the day your bank balance increases. All this confidential information is leaked by your banks without any fear. Another example is spam advertising sent from random numbers to your mobile devices. When someone notes down an individual’s phone number, that number and other sensitive data may be sold to advertising companies, who then rely on it for their work. These are all possible scenarios here in Pakistan; due to the lack of data privacy, citizens are forced to hand over confidential documents to third parties. Such misuse of information in Pakistan should thus be appropriately barred under the Pakistan Data Protection Bill 2020 (PDPB).
Let’s take the example of an ID card. Apart from its own personalised ID number, the card itself holds more private data than meets the eye: a father’s or husband’s name, address, blood type, thumbprint, and signature. Misuse of such confidential details can easily defame an individual or ruin their reputation. Thus, entry to guarded premises should be granted on the basis of the card number alone. Digitisation via apps or scanning machines would allow guards to easily authenticate someone’s identity, all without the need to snoop around other confidential data. But that can only happen if Pakistan can protect its laws in the first place and if NADRA regulates and monitors it.
The first law for data protection was passed in 1998 in the UK, the world’s toughest data protection regime and the foundation of data privacy laws throughout the world. Pakistan isn’t far behind in data privacy laws. In fact, the first step Pakistan took in protecting private data was encapsulating data privacy in Article 14(1) of the 1973 Constitution of Pakistan, which stressed the ‘privacy of the home’ to be inviolable, while the first Act regarding data protection came in 1996 under the Pakistan Telecommunication (Re-organisation) Act. Fast forward to 2021, and the primary legislation currently used to combat data privacy breaches is the Prevention of Electronic Crimes Act 2016 (PECA 2016). Despite this recent Act, there has been a failure to control future damages, with the most recent attack on the Federal Board of Revenue’s (FBR) system being the biggest of its kind in the history of Pakistan.
The most current update to data protection in Pakistan is the introduction of the Personal Data Protection Bill 2020, which aims to encapsulate regulation and accountability of data processors and controllers in Pakistan. Once enacted, it will overtake PECA 2016 as the leading legislation for data protection matters.
The definitions of “data controller” and “data processor” only link to “a natural or legal person or the government”. A bare interpretation shows that anyone in the government bears the brunt of regulating private data. But this legal loophole allows other bodies which also regulate and store the personal data of their clients or citizens, such as NADRA, the FBR, or PTA, to be unaccountable for their actions. Thus, other bodies should also be encompassed in this definition. These could include autonomous bodies, attached departments and public bodies including banks.
Clause 3 of the PDPB extends the scope and application of the Bill to any natural or legal person (local or foreign) located in Pakistan, “who processes or has control over or authorises the processing of any personal data.” Data controllers and processors who aren’t registered or established in Pakistan are additionally required to nominate a representative in the said country. Yet, it doesn’t specify whether this requirement applies indiscriminately to all data controllers or processors dealing with private data of Pakistani subjects outside the territory, or just social media companies. This poses a risk of the PDPB being misused to pressurise social media outlets to conform to the government’s policies, as is the case with Rule 9(5) of the Pakistan Telecommunication Authority (2020). This would not only limit online freedom, but also hinder Pakistan’s digital economy from progressing further. Meanwhile, Article 3 of the EU’s GDPR extends its protection of data of EU members within and beyond its states. Rather than requiring data to be localised, which is what the PDPB hopes to achieve, it bars the transfer of data to organisations or countries that cannot guarantee sufficient data protection.
In essence, the PDPB must emulate other privacy laws in the world in order to guarantee adequate data protection to Pakistani data subjects, in addition to a secure digital economy for local and international businesses. By creating a transparent process that grants illiterate and literate citizens alike the right to know the procedural methods applied to their sensitive data, trust is built within society. But only time will tell whether the Bill will be construed as protecting the privacy of each citizen in Pakistan, or merely used as an excuse by authorities to exercise their power over vulnerable citizens.