DAWN.COM Logo

Today's Paper | May 04, 2024

Data protection law

Usama Khilji Published January 7, 2019
The writer is director of Bolo Bhi, an advocacy forum for digital rights.
The writer is director of Bolo Bhi, an advocacy forum for digital rights.

THE introduction of a draft law on data protection and privacy by the IT and telecom ministry is a welcome step. In the absence of such a law, Pakistani citizens have had their privacy breached and personal data leaked and used without their consent a number of times by individuals, companies, and the state.

It is of utmost importance that in this day and age of technological advancement and reliance on information and communication technologies, there be a strong law that protects the privacy of citizens who trust several companies and the state with their personal data for ease in services, and have the guarantee under law that such personal information will not be misused.

The clauses related to journalist protection whereby the act does not apply to “processing of personal data exclusively for journalistic, literary or artistic material”, are a very welcome step in the face of Pakistan’s dismal performance in press freedom rankings because of several attacks.

The draft law contains some welcome steps to protect personal information.

Chapter two of the bill relates to the data controller respecting the consent of users, and making it mandatory for companies to notify customers regarding the processing of their personal data. This is necessary especially in the face of a plethora of text messages being sent to mobile phone users owing to their personal data including mobile phone numbers being shared by different marketing agencies with other companies without the consent of or notice to consumers. With this law, consumers will have a legal recourse in case of such breaches, and the law will also serve as a deterrent to companies that violate data privacy because of there being a penalty for misuse of data and its sharing without consent or notice.

Security requirements for companies that process data have also been overdue, considering how many times the data of users has been breached. Several of the companies did not even have security arrangements in place to protect the personal data of their users. Making this mandatory under clause eight of chapter two will result in penalties for companies that do not have sufficient security arrangements for data protection, and hence offer greater trust to users. This is especially important in the face of data hacks — and also deliberate data leaks by companies. For instance, it is common knowledge that data on mobile phone users can be acquired by anyone either with a contact in a telecom company or with the means to bribe someone who works there. There need to be strict consequences for employees of companies involved in such shady practices.

Further, some companies purposely sell user data to other companies for profit in order to tailor advertisements to increase their consumer base. This is especially of concern when it comes to foreign companies such as social media giants Facebook and Google. Although after the Cambridge Analytica leaks and introduction by the European Union of the General Data Protection Regulation (GDPR), several measures have been taken by technology companies to protect the privacy of users, there have been instances of hacks and privacy violations by the platforms.

The third chapter deals with rights of data subject, modelled on the GDPR, whereby users have the right of access to personal data, right to correct personal data, and the right to erasure of personal data; all finally giving users rightful control over their personal data.

The definition of ‘sensitive personal data’ is expansive. The law describes it to mean “personal data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, organisations and associations with a religious, philosophical, political or trade union, or provide information as to the health or sexual life of an individual, or the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, or the disposal of such proceedings or the sentence of any court in such proceedings or financial, or proprietary confidential personal data”. This is also important, and one hopes will protect Ahmadi citizens in Pakistan who have been asked to register in a separate registry based on their faith.

These are very welcome steps, especially in the face of campaigns against citizens deemed to be dissidents or critics whose personal information is used against them by state and non-state actors to vilify them in an attempt to silence them. We have seen such campaigns, rooted both in truth and fiction, on TV, social media and in print. One hopes that these clauses will put an end to ad hominem campaigns against persons of interest by those who wish to silence challengers of the status quo.

Another concern regarding the draft data protection law is its conflict with other laws. For instance, the clauses related to data retention under section 9 which requires data controllers to delete data not required for longer than its purpose, potentially clash with data retention clauses in the Prevention of Electronic Crimes, in which section 32 mandates service providers to retain user data for a minimum period of one year.

The two laws read in juxtaposition to each other when it comes to rights protection, and one hopes the evidently newer rights-based approach will prevail in the new parliament which is more than overdue in setting up a standing committee for IT and telecom in the National Assembly.

What this law misses is clauses relating to data processing by government and state institutions. Breaches of the Nadra database have been frequent in the past few years, and recently the Punjab IT board was also embroiled in a data leak controversy. With biometric and personal information available, and linked to Sim cards and bank accounts, there is high risk of privacy breach at an institutional level, as well as by employees of the state. Further, there need to be remedies available against state surveillance. With spy systems such as FinFisher having been detected on Pakistani servers, citizens need to have legal avenues against undue state surveillance.

The writer is director of Bolo Bhi, an advocacy forum for digital rights.
usama@bolobhi.org
Twitter: @UsamaKhilji

Published in Dawn, January 7th, 2019

Read more

On DawnNews
Dawn News English
Comments (1) Closed
Ali Kazmi
Jan 08, 2019 03:35am
The drafting of the law is great, but it's implementation isn't that simple. Even GDPR has not been able to successfully punish the breaches till now, even after coming into effect since May 2018. The problem across EU has been related to limited resources in order to catch and fine companies. So, this law is a step in the right direction, but much needs to be done before it can become fruutful at all. Otherwise, it's another well written document and nothing more than that.
Recommend 0

Latest Stories

dawn images site

Most Popular

01
02
03
04
05
06
07
08
09

Must Read

Opinion

Editorial

Rigging claims
Updated 04 May, 2024

Rigging claims

The PTI’s allegations are not new; most elections in Pakistan have been controversial, and it is almost a given that results will be challenged by the losing side.
Gaza’s wasteland
04 May, 2024

Gaza’s wasteland

SINCE the start of hostilities on Oct 7, Israel has put in ceaseless efforts to depopulate Gaza, and make the Strip...
Housing scams
04 May, 2024

Housing scams

THE story of illegal housing schemes in Punjab is the story of greed, corruption and plunder. Major players in these...
Under siege
Updated 03 May, 2024

Under siege

Whether through direct censorship, withholding advertising, harassment or violence, the press in Pakistan navigates a hazardous terrain.
Meddlesome ways
03 May, 2024

Meddlesome ways

AFTER this week’s proceedings in the so-called ‘meddling case’, it appears that the majority of judges...
Mass transit mess
03 May, 2024

Mass transit mess

THAT Karachi — one of the world’s largest megacities — does not have a mass transit system worth the name is ...