Data Protection in Pakistan

Legal Advice on Data Protection Laws in Pakistan

by Josh and Mak International

As a leading law firm in Pakistan, Josh and Mak International offers expert legal advice on data protection laws to individuals, businesses, and organizations operating in the country. This advice aims to ensure compliance with data protection regulations and protect the rights and privacy of data subjects.

Data Protection Compliance:

Our legal experts can assist your organization in understanding the requirements envisaged by the latest Personal Data Protection Bill, 2023, as well as the legislation currently in force. We will review your data processing practices to ensure they align with the provisions of the law. This includes examining data collection processes, consent mechanisms, data retention policies, and international data transfers.

Drafting Privacy Policies and Consent Forms:

Once the Personal Data Protection Bill, 2023, becomes law, organizations will be required to obtain explicit consent from data subjects for processing their personal data. Our team can draft comprehensive privacy policies and consent forms tailored to your specific business activities, ensuring that they are in line with the legal requirements and provide clear and transparent information to data subjects.

Data Breach Response:

In the event of a data breach, swift action is essential to minimize potential damages. Our experienced lawyers will guide you through the process of assessing the breach, notifying the relevant authorities and affected data subjects within the required time frame, and implementing remedial measures to prevent future breaches.

Data Subject Rights:

Once the Personal Data Protection Bill, 2023, becomes law, it will grant various rights to data subjects, including the right to access, correct, and erase their personal data. We will advise you on how to handle data subject requests efficiently, ensuring compliance with the law and protecting individuals’ rights.

Data Transfer Mechanisms:

International data transfers require careful consideration if you are working with companies or clients registered in foreign jurisdictions. Our legal experts will guide you on the appropriate mechanisms to transfer personal data outside Pakistan, such as NCPDP adequacy decisions, binding contracts, or explicit consent from data subjects.

Employee Training and Awareness:

Ensuring your employees understand data protection laws and their responsibilities is crucial to maintaining compliance. We can conduct training sessions and raise awareness among your staff to minimize the risk of data breaches and promote a culture of data protection within your organization.

Legal Representation:

In the event of legal disputes or enforcement actions related to data protection, our skilled litigators can provide strong legal representation in courts or before relevant regulatory bodies.

Data protection compliance is a vital aspect of modern business operations, and non-compliance can lead to severe consequences. With Josh and Mak International’s expert legal advice, you can navigate the complexities of data protection laws in Pakistan and establish robust data protection practices, ensuring the privacy and security of personal data while maintaining your organization’s reputation and trustworthiness.

Contact us now at [email protected] 

___________________________________________________________________

Below is a discussion of the legal aspects of and applicable laws pertaining to Data Protection in Pakistan, as well as recent developments in the law.

The Absence of a Consolidated Data Protection Law in Pakistan

In Pakistan, there is no single comprehensive law that addresses data privacy and protection across all sectors. Instead, various sector-specific laws and guidelines impose limited restrictions on the collection and handling of data. This fragmented approach creates uncertainties and gaps in safeguarding personal information.

Under the Constitution of Pakistan, 1973, the right to privacy is considered a fundamental right. Article 14(1) of the Constitution declares that the “dignity of man, and subject to law, the privacy of home, shall be inviolable.” Over time, the courts have interpreted this provision expansively, extending its protection to communications and data. However, despite recognizing the importance of privacy, Pakistan lacks a consolidated statute that comprehensively regulates the collection, retention, handling, processing, transfer, and transmission of data, including personal data. In this legal note, we explore the current state of data privacy laws in Pakistan, highlighting the limited scope of existing regulations and the need for a dedicated data protection law.

The Prevention of Electronic Crimes Act, 2016 (PECA) is the principal legislation in Pakistan that establishes a legal framework to address various forms of electronic crimes. Additionally, PECA extends its purview to encompass unauthorized access to personal data. This comprehensive legal note examines the powers vested in Authorised Officers under PECA, focusing on their ability to investigate offences and conduct searches and seizures related to electronic crimes.

Application and Jurisdiction:

PECA applies to all citizens of Pakistan, regardless of their location, and to any person present in Pakistan at the time of the offence. Furthermore, the act extends to acts committed outside Pakistan by any person if the act constitutes an offence under PECA and affects any person, property, information system, or data located in Pakistan.

Investigatory Powers of Authorised Officers:

Under Section 30 of PECA, officers designated as Authorised Officers have the authority to investigate offences defined by the act. Section 31 empowers these officers to take specific actions if they believe that certain data stored in an information system is necessary for a criminal investigation and there is a risk of data alteration, loss, destruction, or inaccessibility. The Authorised Officer can issue a written notice to the person in control of the information system, requiring them to provide the data or preserve it for up to 90 days, with the option to seek an extension from the court.

Search and Seizure:

Section 33 of PECA allows an Authorised Officer to apply to the court for a search or seizure warrant. If reasonable grounds exist to believe that an information system, data, device, or other articles are essential for a criminal investigation, the officer may enter specified premises with the warrant to search and seize relevant evidence. In cases of Section 10 offences, where the apprehension of data destruction or alteration exists, an Authorised Officer can conduct a search and seizure without a warrant, but they must inform the court within 24 hours.

Access to Data:

Section 34 of PECA enables an Authorised Officer to seek the court’s permission to access data stored in an information system if it is deemed necessary for a criminal investigation. The court may grant access after recording reasons for the decision.

Powers of Authorised Officers under Section 35:

Section 35 of PECA confers several powers on Authorised Officers:

  1. Access and inspection of specified information systems.
  2. Use of information systems to search for specified data.
  3. Obtaining and copying relevant data from information systems.
  4. Access to information in a readable and comprehensible format.
  5. Requiring access to data within the control of a person using an information system.
  6. Seeking technical assistance for the investigation from individuals responsible for operating an information system.
  7. Obtaining decryption information for accessing encrypted data.

Scope of Powers and Conduct of Authorised Officers:

Section 35(2) of PECA specifies guidelines for the exercise of powers by Authorised Officers:

  1. Exercise powers with proportionality.
  2. Maintain integrity and secrecy of information systems and data during search and seizure.
  3. Avoid interference with legitimate business operations and unrelated information systems.
  4. Minimize disruption to premises and data not subject to investigation.

PECA Reporting Requirements:

Section 53 of PECA mandates the Federal Investigation Agency (FIA) to submit bi-annual reports to the National Assembly and Senate, providing an overview of its activities without disclosing identity information.

PECA empowers Authorised Officers to effectively investigate electronic crimes and protect sensitive data while adhering to strict procedural guidelines. These powers are essential for combating cybercrimes and ensuring the integrity and security of information systems in Pakistan. However, it is crucial to strike a balance between law enforcement measures and individual privacy to ensure the effective implementation of PECA’s provisions.

Limited Redressal Options for Unauthorized Use of Personal Data: Data collected by entities, including retail businesses, for the provision of goods and services, is often protected under contractual arrangements. While such agreements may offer some level of data protection, they often do not provide sufficient recourse in case of unauthorized use of personal data. Consequently, individuals may find it challenging to seek remedies for data breaches or misuse.

Sector-Specific Laws and Policies: Certain laws and policies in Pakistan focus on specific data protection issues within particular sectors or industries. For instance, the Prevention of Electronic Crimes Act, 2016 (PECA) includes provisions related to data and information systems protection. PECA criminalizes unauthorized access to data or information systems, electronic forgery, unauthorized interception or use of identity information, and confidentiality breaches.

In specific sectors such as banking and telecommunications, there are special regimes and regulations in place to protect consumer data and ensure confidentiality. Some notable examples include:

Banking:

  • Section 70 of the Payment Systems and Electronic Fund Transfers Act, 2007 prohibits financial institutions and authorized parties from disclosing any information related to electronic fund transfers, consumer affairs, or accounts of their customers.
  • Regulation 4.2(i) of the State Bank of Pakistan’s Regulations for Payment Card Security mandates card service providers to maintain the confidentiality of consumer data during storage, transmission, and processing.
  • Regulation 2.2.3(c) of the State Bank of Pakistan’s Regulations for the Security of Internet Banking requires that customer information should not be transferred to an unauthorized storage or access medium.

Telecommunications:

  • Regulation 16 of the Telecom Consumers Protection Regulations, 2009 obliges telecommunications service operators and their employees to uphold the confidentiality of consumer information.
  • Regulation 5(2)(xxi) of the Regulations for Technical Implementation of Mobile Banking, 2016 requires that service-level agreements between third-party service providers, telecommunications operators, and authorized financial institutions include provisions for online privacy, ensuring that consumer information obtained through mobile banking is collected, used, disclosed, and retained only as agreed upon.

These regulations are put in place to safeguard sensitive data, including financial and personal information, in the banking and telecommunications sectors, and to ensure that customer privacy is respected and protected. Additionally, other specific sectors like insurance, healthcare, and advertising may also have their own set of regulations to safeguard specific types of data, such as biometric data or medical records.

Penalties under PECA: PECA outlines penalties for offences related to data and information systems. For instance, Section 4 of PECA prescribes imprisonment and fines for unauthorized copying or transmission of data with dishonest intent. Violators may face imprisonment for up to six months, a fine up to PKR 100,000, or both.

Investigating Agency and Authorization Requirements under Pakistan’s Data Protection Laws

The Federal Investigation Agency (FIA) has been assigned the role of investigating agency under the Prevention of Electronic Crimes Act, 2016 (PECA). For complaints related to unauthorized access or transmission of data in violation of PECA, citizens can approach the FIA’s Cyber Crime Wing. However, it is crucial to obtain prior authorization from the data subject to avoid infringing on PECA provisions.

Authorization Requirement under PECA and the Electronic Transactions Ordinance, 2002 (ETO): Obtaining the data subject’s authorization is a critical step to ensure compliance with PECA. This requirement is consistent with provisions in the Electronic Transactions Ordinance, 2002 (ETO), which governs the recognition of electronic records, communications, and transactions and accredits service providers.

Previously, the ETO included penalties for unauthorized access to any information system, regardless of the intent behind the access. It also prohibited unauthorized acts intending to alter, modify, delete, remove, generate, or transmit information through an information system. However, these offences were later incorporated into PECA, leading to their omission from the ETO.

Prohibitions under the Pakistan Telecommunication (Re-organisation) Act, 1996 (PTRA): The Pakistan Telecommunication (Re-organisation) Act, 1996 (PTRA) also sets forth prohibitions on unauthorized transmission through a telecommunication system or service of false, fabricated, indecent, or obscene intelligence.

Role of the FIA’s Cyber Crime Wing: As the designated investigating agency under PECA, the FIA’s Cyber Crime Wing handles complaints related to unauthorized data access or transmission. To protect individuals’ privacy and data rights, it is essential to engage the Cyber Crime Wing in cases where such unauthorized activities are suspected or detected.

The Unlawful Online Content Rules (Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules 2021) were enacted under Section 37(2) in conjunction with Section 51 of the Prevention of Electronic Crimes Act (PECA) and were immediately enforced. Section 37 of PECA deals with unlawful online content, granting authority to the Pakistan Telecommunication Authority (PTA) to remove, block, or issue directions for such content’s removal or blocking if it is deemed necessary in relation to the commission of or incitement to an offence under PECA. These rules primarily pertain to the removal and blocking of unlawful online content.

It is noteworthy that neither PECA nor the rules provide a specific definition for ‘unlawful online content.’ However, it can be inferred from Section 37 of PECA that any online content accessed or shared in violation of PECA’s provisions falls within the scope of ‘unlawful online content.’

The Unlawful Online Content Rules also impose certain obligations on service providers, social media companies, and significant social media companies. They are required to publish community guidelines for accessing or using any online information system. These guidelines should be easily accessible and inform users not to host, display, upload, modify, publish, transmit, update, or share any online content that violates local laws.

It is important to note that the Unlawful Online Content Rules only apply to licensees providing social media or social network services. These terms are defined in the rules.

Rule 4 of the Unlawful Online Content Rules obligates the PTA to entertain complaints regarding online content. The PTA may seek further information or clarification from the complainant to make an appropriate decision. Upon registering the complaint, the PTA allocates a unique complaint number to be communicated to the complainant. The PTA must maintain the confidentiality of the online content and the complainant’s identity if sharing such information may lead to the proliferation of the content or cause harm, harassment, defamation, invasion of privacy, or relates to the complainant’s modesty.

Additionally, the PTA, subject to the provisions of the Unlawful Online Content Rules, can initiate action on its own motion by taking cognizance of any online content and exercising its powers under PECA to remove or block such content.

Implications of the Official Secrets Act, 1923 on Data Handling and Transfer

While obtaining necessary authorization under the Prevention of Electronic Crimes Act, 2016 (PECA) and the Pakistan Telecommunication (Re-organisation) Act, 1996 (PTRA) is essential, it is equally crucial to consider the implications of the colonial-era Official Secrets Act, 1923 (OSA) on the handling and transfer of data.

Prohibitions under the Official Secrets Act, 1923: The Official Secrets Act, 1923, a colonial-era law that is still in force, prohibits the communication of any State secret, official code, password, document, prohibited location data, or information that could be useful to an enemy of Pakistan, potentially compromising Pakistan’s safety or security.

Data Handling and Transfer Implications: Despite obtaining authorization under PECA and PTRA, organizations and individuals must be mindful of the sensitive nature of certain information and data. If any data, particularly classified or confidential information that falls within the ambit of the Official Secrets Act, is communicated, transmitted, or mishandled, it could lead to severe legal consequences.

Ensuring Compliance: To ensure compliance with the Official Secrets Act, organizations should implement robust data classification and handling procedures. It is crucial to distinguish between public information and sensitive data that requires protection under the OSA. Employees must be trained and made aware of the specific requirements for handling, storing, and transferring classified or sensitive data.

Importance of Due Diligence: Organizations dealing with sensitive information or collaborating with the government must exercise due diligence to avoid unintentional breaches of the Official Secrets Act. Implementing strong security measures, conducting regular audits, and establishing clear protocols for data handling will help mitigate potential risks.

While obtaining authorization under PECA and PTRA is crucial for data handling and transfer, compliance with the Official Secrets Act, 1923, is equally significant. Organizations must take necessary precautions to safeguard sensitive information and prevent any inadvertent violations of the OSA. By being diligent and proactive in data handling, organizations can maintain data security and integrity while respecting the laws and regulations governing the protection of classified information in Pakistan.

Industry-Specific Frameworks and the Need for Comprehensive Data Protection Law

Industry-specific frameworks and regulations play a crucial role in governing the handling of specific kinds of data. Regulators like the State Bank of Pakistan (SBP) and public sector entities have issued frameworks to guide banks, financial institutions, and government-owned entities in their data handling practices. However, these frameworks are limited to specific industries, leaving a gap in data protection for other entities. This emphasizes the necessity for a comprehensive data protection law in Pakistan.

State Bank of Pakistan’s Frameworks: The SBP has issued the Enterprise Technology Governance and Risk Management Framework for Financial Institutions (2017) and the Framework for Risk Management in Outsourcing Arrangements by Financial Institutions (2019). These frameworks apply to banks, financial institutions, and licensees under SBP regulation. They outline compliance guidelines, information technology usage, approval requirements, and obligations for data handling and transmission in the financial sector.

Public Sector Entities and the Cloud Policy: Public sector entities, wholly or partially owned by the Government of Pakistan, must comply with additional restrictions related to cloud computing services as stipulated in the Pakistan First Cloud Policy, 2022. The Cloud Policy aims to prevent unauthorized data transmission outside the country and mandates that certain cloud infrastructure exclusive to public sector entities should not be hosted outside Pakistan.

Inadequacy of Existing Frameworks: While the mentioned frameworks are essential for their respective industries, they do not cover data handling practices of many other entities. There is a lack of comprehensive regulation for data obtained, retained, and transferred by entities outside the scope of these specific frameworks. The existing frameworks, along with the Prevention of Electronic Crimes Act (PECA), Pakistan Telecommunication (Re-organisation) Act (PTRA), and Official Secrets Act (OSA), underscore the need for a comprehensive data protection law in Pakistan. Such a law should protect the right to privacy granted by the Constitution and align with international data protection best practices.

Industry-specific frameworks are valuable in guiding data handling practices within their sectors. However, a comprehensive data protection law is imperative to cover data protection for all entities, ensuring that the right to privacy is safeguarded across industries and in accordance with global standards. By establishing a robust data protection framework, Pakistan can enhance data security, foster public trust, and promote responsible data management practices.

Recent Developments

The Personal Data Protection Bill, 2021 has been replaced by the Personal Data Protection Bill, 2023 (see below). The draft Personal Data Protection Bill (2021) had been in the pipeline since 2021. In contrast to the then limited industry-specific protections of data, the draft Bill was notably wide in its application. It was intended to be applicable to any entity/individual who had control over personal data, any entity operating in Pakistan that controlled or processed data, and any data subject in Pakistan. The draft Bill aimed to provide individuals with more control over their personal data by, for example, requiring data controllers to inform data subjects, through a written notice, of the collection of their personal data and the source, purposes, duration, further processing of such data, and information about the class of third parties who would have access to the data. Furthermore, the draft Bill placed an obligation on data controllers to take all reasonable steps to ensure that all personal data was destroyed or permanently deleted if it was no longer required for the purpose for which it was to be processed.

The Draft Data Protection Bill (2021) also envisaged that to build public trust, the law should establish a regulatory authority responsible for overseeing data protection compliance and enforcing penalties for violations. This authority should be equipped with the necessary resources and expertise to effectively monitor and address data protection concerns.

The Draft Data Protection Bill 2021 has been revised as of 2023.

Legal Update: Personal Data Protection Bill, 2023 – Key Highlights (May 2023)

The Pakistan Ministry of Information Technology and Telecommunication (MITT) has introduced a new draft of the Personal Data Protection Bill, 2023 (PDPB) on 19th May 2023. The primary objective of the PDPB is to regulate the collection, processing, use, disclosure, and transfer of personal data, while also imposing penalties for violations of data privacy rights.

The PDPB has a broad scope that extends beyond Pakistan’s borders and applies to data controllers or processors falling under the following categories:

  1. Entities processing personal data within Pakistan’s territory.
  2. Entities incorporated in other jurisdictions but operating digitally or non-digitally within Pakistan, processing personal data related to commercial or non-commercial activities, including profiling of data subjects within Pakistan.
  3. Entities processing personal data in territories where Pakistani law applies under public or private international law, despite having no physical presence within Pakistan.
  4. Entities collecting personal data of data subjects within Pakistan, including foreign individuals present in Pakistan during data collection and data processing.

All data controllers and processors are required to register with the National Commission for Personal Data Protection (NCPDP) within six months of the PDPB’s commencement.

In case of a personal data breach, data controllers must notify the NCPDP and the data subject within 72 hours of becoming aware of the breach, unless the breach poses no significant risks to the data subject’s rights and freedoms. Data processors must follow a similar notification process but need only inform the data controller and the NCPDP. Additionally, data controllers are obligated to maintain a data breach register.

The PDPB places specific emphasis on the protection of children’s personal data (under 18 years). Controllers and processors must consider the rights and interests of children and obtain parental consent before processing their personal data. Tracking or behavioral monitoring of children, as well as targeted advertising directed at them, is strictly prohibited.

Similar to the GDPR, the PDPB lays down legitimate grounds for data processing, including consent, contract, legal obligations, protection of vital interests, court orders, legitimate interests of data controllers, public health, research in medical emergencies, and exercising functions conferred by law.

Sensitive and critical personal data require explicit consent from data subjects, except in specific circumstances such as compliance with employment obligations, protection of vital interests, medical purposes by healthcare professionals, legal proceedings, and obtaining legal advice.

“Sensitive data” encompasses financial information, health data, digital national identity cards or passports, biometric and genetic data, data related to religious beliefs, criminal records, political affiliations, ethnicity, or caste. “Critical personal data” refers to data retained by public service providers, data related to international obligations, or data identified as critical by sector regulators or the NCPDP. Enhanced safeguards apply to sensitive and critical personal data, and critical personal data must be processed within servers or digital infrastructures located within Pakistan’s territory.

The PDPB grants various rights to data subjects, including the right to access, correct, and erase their personal data, the right to prevent processing likely to cause harm, the right to redress grievances with controllers and the NCPDP, data portability, and the right not to be subject to solely automated decision-making, including profiling.

International data transfers (excluding critical personal data) can be conducted based on NCPDP adequacy decisions, binding contracts, explicit consent of data subjects (not conflicting with Pakistan’s national security or public interest), international agreements, or other conditions specified by the NCPDP.

The Personal Data Protection Bill, 2023, if enacted, will significantly impact data protection practices in Pakistan, aiming to enhance privacy rights and data security for individuals. Businesses and organizations must familiarize themselves with the provisions of the PDPB and ensure compliance with its requirements.

Additionally, promoting awareness and educating individuals and organizations about data protection practices is crucial. Training programs and campaigns can empower citizens to understand their rights, make informed decisions, and exercise greater control over their personal data.

In conclusion, as Pakistan continues its journey towards technological advancement and digital transformation, a well-crafted and comprehensive data protection law is essential to uphold citizens’ privacy rights and foster a secure digital ecosystem. The Government, in collaboration with relevant stakeholders, must prioritize the development and implementation of such a law to create a safer and more transparent digital environment for all.

While the Constitution of Pakistan recognizes the right to privacy as a fundamental right, the country lacks a comprehensive data protection law to safeguard individuals’ personal data adequately. The absence of a consolidated statute hinders the establishment of a robust framework for data privacy and protection across all sectors. Consequently, individuals may face challenges in seeking redressal for unauthorized data use or breaches. The existing sector-specific laws and policies, such as PECA, offer some protection, but a dedicated data protection law is essential to address the complexities and concerns associated with the collection, handling, and transfer of personal data in Pakistan. As data privacy becomes an increasingly critical issue in the digital age, it is crucial for policymakers to prioritize and enact comprehensive data protection legislation to protect the rights of individuals and foster trust in the digital economy.

A Critical Overview of the Personal Data Protection Bill 2023

The Personal Data Protection Bill (PDPB) 2023, presented by the Ministry of Information and Technology and Telecommunications in June 2023, marks a significant advancement in Pakistan’s digital privacy landscape. Despite this progress, the draft Bill still requires substantial revisions to align with international human rights standards.

Key Areas of Concern

  1. Data Localization: Section 31(2) of the Bill mandates that critical personal data be processed within Pakistan. This data localization requirement could adversely affect business viability, especially for small businesses reliant on cloud servers. The lack of infrastructure to securely host large-scale data locally further exacerbates these concerns.
  2. Commission’s Independence: The National Commission for Personal Data Protection (NCPDP) is designed to function under the administrative control of the Federal Government, as per section 35(2). This arrangement raises questions about the Commission’s autonomy, potentially affecting its effectiveness in safeguarding personal data privacy.
  3. Vague Definitions and Broad Exemptions: The Bill contains ambiguously defined terms such as ‘national interest’, ‘legitimate interest’, and ‘public interest’, which could lead to subjective interpretations and misuse. The definition of ‘critical personal data’ also lacks specificity, relying heavily on the NCPDP for clarification.

Progress and Recommendations

The draft has incorporated notable improvements, such as enhanced protections for minors’ personal data in section 14. However, it requires more precise guidelines on age verification and consent processes, and a revision of exemptions that are too broad.

Concerning cross-border data transfer and the allocation of powers, the government’s extensive control and the potential for introducing self-serving policies may undermine the citizens’ interests in data privacy. Furthermore, the Federal Government’s role in determining the composition and functioning of the NCPDP, as stated in section 35(1), could exert undue influence over the Commission.

Historical Context and Evolution

The progression of data protection legislation in Pakistan from 2018 to 2021 highlights a growing awareness and response to digital rights. Each iteration of the Bill has brought forward improvements and identified new areas of concern, ranging from the inclusion of public bodies under data controllers/processors to refining definitions and limiting broad governmental powers. The journey reflects an evolving understanding of data protection needs in the country, albeit with ongoing challenges in aligning with global standards.

As the Bill moves towards becoming law, it is crucial to address these lingering concerns to ensure a robust and effective data protection regime. Clarifying vague definitions, ensuring the independence of the NCPDP, and reconsidering data localization requirements are essential steps. These revisions will not only strengthen the Bill but also enhance Pakistan’s position in the global digital economy by fostering trust and compliance with international data protection norms.

An analysis of the key sections

In the revised analysis of the 2023 Bill, we delve into the nuances of its provisions to ensure clarity and effective implementation.

Chapter I: Preliminary

Regarding Section 2(oo), which defines ‘vital interests’, it is recommended that a temporal limitation be introduced. This pertains specifically to contexts such as humanitarian emergencies, natural and man-made disasters, and the management of epidemics. The current breadth of this definition raises concerns about potential misuse in the collection and storage of personal and sensitive data. By introducing a time frame, the Bill can mitigate risks associated with the overextension of this term.

Section 3: Scope and Applicability

  • Territorial Scope: The territorial scope, as stated in Section 1.2, remains consistent with the 2018 version, extending to the entirety of Pakistan. However, this fails to address the unique status of regions like Gilgit-Baltistan, ex-FATA territories, and Azad Jammu and Kashmir, which often lie outside the ambit of standard legislative reach. It is imperative to review and clarify this aspect to ensure the law’s unambiguous applicability across all regions within Pakistan’s boundaries.
  • Definition of ‘Government’: The term ‘government’ as used in Section 2(o) requires more precise language. It should explicitly include a range of governmental institutions, such as attached departments and other public bodies. This clarification will ensure these entities fall squarely within the law’s scope, aligning with the legislation’s intent to protect personal data held by all government institutions.
  • Categories of Data Controllers: The Bill distinguishes between data controllers established within Pakistan and those operating within the country but established elsewhere. This distinction, while necessary, raises questions about the accessibility of data for foreign data subjects. There is ambiguity surrounding whether data controllers must adhere to different data protection standards based on the data subject’s location. If this is the case, it could result in differential treatment, both within the group of foreign data subjects and between them and Pakistan-based data subjects. This potential for discriminatory treatment necessitates a closer examination to align with the principle of equal treatment under the law.

In conclusion, while the 2023 Bill marks significant progress in data protection, these specific areas require further clarification and adjustment to ensure the legislation is both comprehensive and effective in its application.

Chapter II: Processing of Personal Data and Obligations of Data Controllers and Processors

In the second chapter, we address crucial aspects of data handling and the responsibilities of data controllers and processors.

Section 6: Consent for Personal Data Processing

This section commendably mandates data controllers to secure consent from data subjects for processing personal data and places the onus of proving such consent on them. However, it is noteworthy that the revocation of consent necessitates immediate action from the data controller, barring exceptional and impracticable circumstances. The law could be enhanced by establishing more specific standards for these exceptions, and any delays should be justifiable to both the Commission and the data subject.

Furthermore, the exceptions to consent requirements, as outlined in sections 6(6)(g) and 6(6)(h), are overly broad and pose risks to data subjects’ interests. The concept of ‘legitimate interests’ is particularly vague and open to misuse. To mitigate this, a balance between legitimate interests and data protection rights is recommended, with a more precise definition of these exceptions in line with international human rights standards.

Section 7: Notice to the Data Subject

Section 7’s requirement for data controllers to notify data subjects within a ‘reasonably possible’ time is too ambiguous and could be exploited. A more concrete timeframe and written notice before data processing would enhance this provision. Additionally, penalties for non-compliance with notice requirements could be introduced to ensure adherence to the law.

The section could also benefit from including: the intention of cross-border data transfer, profiling for targeted purposes, and automated decision-making processes. Moreover, the disclosure of third-party names should be the default, with exceptions justified only when necessary.

Further, subsections 7(2)(a), (b), and (c) should be applied conjunctively, not alternatively, replacing ‘or’ with ‘and’. Also, accommodations for illiterate individuals or those with disabilities are crucial for inclusivity, suggesting the need for alternative methods like audio notices or visual aids.

Section 9: Security Requirements

The term ‘national interest’ as a criterion for data security is overly broad and subject to misuse, potentially prioritizing state interests over citizens’ rights. The reference to ‘best international standards’ is vague and leaves too much discretion to the Commission. It is imperative to establish clear guidelines for data security, especially in Pakistan, where instances of data misuse are prevalent.

The section would be strengthened by making data controllers’ security measures public, enabling data subjects to make informed decisions. Additionally, allowing other laws to override these provisions could undermine the section’s effectiveness.

Lastly, the integration of policies like the ‘National Cyber Security Policy’ and the establishment of CERTs should be harmonized with the data protection law to ensure a comprehensive and rights-centric approach to data privacy.

These enhancements will significantly strengthen the Bill, ensuring robust data protection and clarity in the responsibilities of those handling personal data.

Chapter III: Processing Children’s Personal Data

In the third chapter of the Bill, Section 14 focuses on establishing a legal framework dedicated to safeguarding children’s data rights and addressing the risks associated with the misuse of their personal information.

Section 14: Processing Personal Data of Children

This section rightly emphasizes the importance of protecting children’s personal data. However, it includes a clause stating that “such other factors as may be prescribed” should be considered for age verification and parental consent. It is crucial that these factors be clearly and explicitly defined to prevent any potential ambiguity or misuse of the law. A transparent and accountable process for age verification is essential, and it should avoid being privacy-intrusive or leading to unnecessary data collection about the child or their parent.

Moreover, considering Pakistan’s unique socio-cultural context, the requirement for parental consent raises concerns. It could inadvertently lead to increased monitoring of children, particularly young women, and potentially lead to harmful consequences based on their online activities. Instances of violence linked to online presence underscore the need for a careful approach in this regard, acknowledging that parents might not always be the best arbiters of their children’s safety in the online world.

The exception provided under subsection 6 of this section appears overly broad and could result in ambiguous legal interpretations or misuse. It would be prudent to rephrase and limit the scope of this exception to ensure clarity and prevent exploitation.

The Bill also needs to address the prevalent international business practice of allowing children over the age of 13 to access and use digital services. Since many social media platforms permit 13-year-olds to create accounts, this aspect could pose challenges for digital platforms operating in Pakistan. Therefore, it is necessary to provide clear guidelines on how these child protection measures will be implemented in the context of digital businesses.

In summary, while Section 14 of the Bill takes significant steps towards protecting children’s data rights, it requires further refinement to address specific socio-cultural factors in Pakistan, ensure clarity in its provisions, and align with international standards for digital services accessed by children.

Chapter IV: Additional Requirements for Processing Sensitive and Critical Personal Data

Section 15: Processing of Sensitive and Critical Personal Data

Section 15(a)(viii) of the Bill, which provides an exception for the administration of justice under court orders, should be explicitly subject to fundamental rights, particularly the right to privacy as enshrined in Article 14 of the Pakistan Constitution. This ensures a balanced approach between legal proceedings and the protection of individual privacy.

There appears to be a typographical error in Section 15(b), which references non-existent subclauses in clause (b) of subsection (1). These clauses actually pertain to clause (a) of subsection (1). It is imperative that this error is corrected to avoid any confusion or misinterpretation in the final draft of the Bill.

Chapter V: Rights of Data Subjects

Section 16: Right to Access

The provision allowing data subjects to access their data is commendable. However, the imposition of a fee for this access, as stipulated in Section 16(3), is problematic. Access to personal data should not be conditional on the ability to pay a fee. Ideally, such access should be free, with any administrative costs borne by the data controller.

Section 17: Compliance with Data Access Requests

A response timeframe for data access requests is defined, but the Bill provides no penalty for a data controller that fails to comply within it and does not give reasons for refusal as required under Section 18. Implementing penalties would ensure greater accountability and compliance.

Section 18: Circumstances of Refusal to Comply with Data Access Request

It is advised that if a data access request is refused under the criteria of Section 18, the data controller should provide the data subject with written reasons for the refusal within the defined timeframe.

Section 26: Right to Erasure

The current 14-day timeframe for data erasure is excessively lenient. To uphold the rights of data subjects effectively, this period should be reduced to a maximum of 5 days, with any delay beyond this period requiring explicit justification to both the data subject and the Commission.

Section 27: Right to Nominate

The wording of Section 27, pertaining to the nomination of an individual to exercise rights over a deceased or disabled data subject’s data, needs revision. A clearer phrasing could be: “In the event of the death or disability of the data subject, any individual as may be prescribed or previously nominated by the data subject, may exercise the rights of the data subject under this Act.”

Section 28: Right to Redressal of Grievance

While the addition of a grievance redressal right is a positive development, the section lacks detail on how this system will function. It should specify that data controllers address complaints in writing within five working days of receipt, with any delay requiring a written explanation to the complainant.

These suggestions aim to enhance the clarity and enforceability of the Bill, ensuring robust protection for sensitive and critical personal data, as well as clearly defining the rights and mechanisms available to data subjects.

Chapter IV: Right to Data Portability and Automated Processing

Section 29: Right to Data Portability and Automated Processing

Section 29(6) introduces the ‘public interest’ exception in the context of data portability and automated processing. However, this exception lacks the nuanced safeguards present in the General Data Protection Regulation (GDPR) of the European Union, particularly in Article 9(2)(g), which emphasizes the importance of balancing substantial public interest with the essence of the right to data protection. The Bill would benefit from incorporating similar parameters to ensure a harmonious balance between public mandates and individual rights. Moreover, any automated decision-making should be accompanied by explicit anti-discriminatory policies, communicated to data subjects and aligned with the constitutional guarantee of equality under Article 25 of the Constitution.

Section 31: Condition for Cross-Border Transfer

Subsection 2 of Section 31 proposes that ‘Critical Personal Data’ be processed only within servers or digital infrastructure located in Pakistan. This data localisation requirement contradicts the principles of an open internet and may compromise data security. Pakistan currently lacks the infrastructure for such localized cloud storage, and the requirement overlooks practical challenges, including energy constraints. With data centers contributing significantly to energy-related greenhouse gas emissions, this requirement could exacerbate Pakistan’s existing energy crisis. Additionally, data localisation imposes burdens on small businesses and conflicts with the interests of larger international corporations, potentially hindering service delivery and increasing operational costs in Pakistan.

Section 32: Framework on Conditions for Cross-Border Transfer

The addition of sub-sections (a), (c), and (d) in the revised draft undermines the previously established explicit consent requirement for data transfer. These subsections allow for data transfer in certain situations without the explicit consent of the data subject, thus diluting the importance of consent. The conditions to be considered by the Commission for data transfer should be transparent and accessible to data subjects for informed decision-making.

Furthermore, the use of terms like “national interest” and “public order” in this section introduces vague and subjective criteria, granting excessive discretion to the Commission and potentially leading to misuse. A more defined and constrained approach would be beneficial to ensure fairness and prevent the arbitrary application of these terms.

In conclusion, while these sections aim to protect data rights and regulate data transfer, they require refinements to address ambiguities, safeguard individual rights effectively, and ensure practical feasibility in the Pakistani context.

Chapter IV: Exemptions and the Establishment of the Commission

Section 34: Exemption

Section 34(2)(c) exempts research and statistics collection from the consent requirement, which could potentially lead to misuse for profit, reminiscent of the Cambridge Analytica scandal. It is advisable to narrow this provision to prevent such misuse. Additionally, including non-governmental organizations working in the public interest within this research exemption would be beneficial.

Sub-section 4, with its reference to “specific situations/use cases” for Federal Government exemptions, is overly vague and broad, granting too much discretion to the Commission. A more precise definition of these terms or additional conditions for exemptions would enhance clarity and prevent potential misuse.

Section 34(2)(f) provides a broad exemption for journalistic purposes. This exemption covers critical and sensitive personal data and overlooks the significant risks posed by data breaches, especially those affecting women and gender minorities. To safeguard against such risks, it is essential that the National Commission for Personal Data Protection (NCPDP) establish explicit Standard Operating Procedures (SOPs), to be enforced within six months of the law’s enactment.

Section 35(2): Establishment of the Commission

There is a notable contradiction in Section 35(2), which describes the Commission as autonomous but places it under the administrative control of the Federal Government. To truly ensure its autonomy, the Commission should be independent of governmental control, in line with international best practices like the Paris Principles.

Section 37: Special Provisions Concerning Members

The terms “misconduct” and “misappropriation” in Section 37(2) are vaguely defined, providing excessive discretion to the Commission. These terms should be explicitly defined to prevent arbitrary interpretations and ensure accountability.

Section 43: Powers to Issue Policy Directives

The power granted to the Federal Government to issue policy directives to the Commission severely undermines the Commission’s independence. Such directives could potentially lead to external influences impacting the Commission’s decision-making.

Section 47: Cooperation with International Organizations

The requirement for government approval before the Commission cooperates with international organizations unnecessarily restricts the Commission’s autonomy. This condition could lead to delays and procedural hurdles, hindering the Commission’s effectiveness and its ability to engage in global data protection initiatives.

In summary, while the Bill aims to establish a robust data protection framework, certain sections require refinement to ensure precise definitions, prevent misuse, and maintain the independence and effectiveness of the Commission. The Bill would benefit from clearer guidelines and an autonomous, empowered Commission, capable of upholding data protection standards and cooperating effectively with international bodies.

Chapter IX: Complaint and Offenses; Chapter X: Miscellaneous Provisions

Section 51: Complaint

In Section 51, the Bill stipulates a “reasonable fee” for filing complaints before the Commission. It is advised that this fee be abolished, as even a nominal charge could deter individuals, particularly those from economically disadvantaged backgrounds, from exercising their right to file a complaint.

Section 54: Power to Make Rules; Section 59: Dissolution

The Bill grants the Commission the authority to make rules for implementing the Act, subject to the approval of the Federal Government. However, Section 54 appears to confer absolute rule-making power to the Federal Government. This centralization of power could potentially undermine the Commission’s autonomy and effectiveness.

Additionally, Section 59 permits the dissolution of the Commission by the Federal Government’s order. This contrasts with earlier drafts, where the Parliament held the power to wind up the Commission. Such a shift in power from the legislative to the executive branch disrupts the fundamental principle of separation of powers. It raises concerns about the potential for executive overreach and the implications for the independence and impartial functioning of the Commission.

In conclusion, while the Bill seeks to establish a comprehensive data protection regime, certain provisions in these chapters could hinder the accessibility of the complaint mechanism and compromise the independence of the Commission. It is essential to revisit these sections to ensure that they align with democratic principles and facilitate the effective protection of data rights without imposing undue barriers or centralizing excessive power in the executive branch.

The 2023 Bill, focusing on data protection and privacy, presents several key takeaways:

  1. Enhanced Data Protection Framework: The Bill introduces a comprehensive framework for the protection of personal data, emphasizing the rights of data subjects and imposing obligations on data controllers and processors.
  2. Consent and Rights of Data Subjects: It underscores the importance of obtaining consent from data subjects for processing their personal data and grants various rights such as access to personal data, right to erasure, and data portability.
  3. Protection of Children’s Data: The Bill pays special attention to the processing of children’s personal data, recognizing the need for additional safeguards in this area.
  4. Regulations for Sensitive and Critical Data: It delineates specific provisions for handling sensitive and critical personal data, highlighting the need for heightened security and caution.
  5. Exemptions and Governmental Control: The Bill includes exemptions for research, statistics collection, and journalistic purposes. However, it grants significant power to the Federal Government in terms of rule-making and the potential dissolution of the Commission, raising concerns about the balance of power and the autonomy of the Commission.
  6. Data Localization Requirements: The Bill proposes data localization for critical personal data, which could have implications for international business practices and local infrastructure capabilities.
  7. Commission’s Autonomy and Governance: The Bill establishes a Commission for data protection but places it under the administrative control of the Federal Government, which might affect its independence.
  8. Concerns Over Vague Definitions: Various sections of the Bill have been noted for their vague definitions (such as ‘public interest’ and ‘misconduct’), which could lead to subjective interpretations and potential misuse.
  9. International Alignment: While the Bill reflects an effort to align with international data protection standards, such as the GDPR, there are areas where it diverges or lacks clarity, indicating a need for further refinement.
  10. Fees and Accessibility Issues: The Bill’s provisions for fees for filing complaints or accessing personal data reports could potentially hinder the accessibility of these rights for all individuals, regardless of their financial situation.

In summary, the 2023 Bill represents a significant step towards establishing a robust data protection regime in Pakistan. However, it also presents challenges and areas for improvement, particularly in ensuring the independence of the regulatory body, refining vague definitions, and balancing the rights of individuals with the interests of the state and businesses.

By The Josh and Mak Team

Josh and Mak International is a distinguished law firm with a rich legacy that sets us apart in the legal profession. With years of experience and expertise, we have earned a reputation as a trusted and reputable name in the field. Our firm is built on the pillars of professionalism, integrity, and an unwavering commitment to providing excellent legal services. We have a profound understanding of the law and its complexities, enabling us to deliver tailored legal solutions to meet the unique needs of each client. As a virtual law firm, we offer affordable, high-quality legal advice delivered with the same dedication and work ethic as traditional firms. Choose Josh and Mak International as your legal partner and gain an unfair strategic advantage over your competitors.
