Protecting personal data

Published April 25, 2018

ON Monday, ride-hailing company Careem, which has been operating in Pakistan since 2015, announced a massive security breach had occurred in January, potentially compromising the personal data, collected through its app and stored on its computer systems, of over 14m users (riders and drivers alike) across 13 countries. Such a major cyberattack has once again exposed vulnerabilities in protecting individuals’ digital identities, particularly in Pakistan where, despite a burgeoning internet user base, there is as yet no legal framework for data protection. Such protection places limits on what, how, and for what purpose data is harvested by private and state entities. Although one of the stated objectives of the flawed Prevention of Electronic Crimes Act, 2016, is to “afford protection to citizens”, the law addresses cyber security from a distinctly national security, not digital privacy, perspective. And despite the IT ministry’s repeated claims last year that it would introduce a data protection bill, the bill has yet to materialise.

Pakistan is not an island; our digital footprints extend to, and are affected by attacks on, international databases. While enacting data protection legislation will not, ipso facto, protect the country from such breaches, it is nonetheless essential for ensuring transparency, legitimacy and accountability for all stakeholders. Consider how, here at home, we have experienced a major ATM skimming scandal in recent months, Punjab’s land holdings records were hacked last year, and Nadra’s database has reportedly been compromised on several occasions in recent years. Yet our government continues to fail to recognise the magnitude of this emergent threat and, consequently, has failed to guarantee its citizens’ fundamental right to privacy. The realm of privacy has rapidly expanded with increased ICT use, and the lack of legal safeguards can hurt consumer and investor confidence in the country, especially in our nascent e-commerce and online banking regimes. A law that prioritises protecting citizens’ personal information, places effective limits on corporate interests and state security imperatives for data mining, and adopts safeguards against unauthorised data collection and use, is crucial in this day and age. Unlike the case with Peca, where recommendations made by digital advocacy experts, civil society and private companies were ultimately ignored, the government might hopefully engage more meaningfully with such consultations, improve the national discourse on digital privacy, and introduce a bill that reflects the best interests of its citizens.

Published in Dawn, April 25th, 2018
