DAWN.COM Logo

Today's Paper | April 23, 2024

Data protection bill

Usama Khilji Published May 10, 2020
The writer is director of Bolo Bhi, an advocacy forum for digital rights.
The writer is director of Bolo Bhi, an advocacy forum for digital rights.

WITH so much of our personal data at the disposal of government authorities and private companies, it was about time that the government listened to citizen demands for a data protection law in Pakistan as Article 14 of the Constitution provides for the dignity of a person and privacy of the home as a fundamental right, both of which are violated when our personal data is not protected.

The draft Personal Data Protection Bill was introduced last month on the website of the Ministry of IT and Telecom for consultation. It is important to explore the strengths of this bill, some major issues with the clauses, some critical provisions that are missing in the current draft, the significance of its timing, and the consultation process the bill must go through.

The strengths of the bill include a strong regime for holding data-processing entities such as private companies accountable on protecting the personal data of consumers. With personal data such as phone numbers, call records, identity information, health records, and addresses of citizens being either sold, hacked, leaked or abused in other ways, it is critical that consequences for such misuse are outlined clearly.

The bill lays out the requirement of consent of a citizen for their data to be processed, notices to them in case of their data being processed, non-disclosure of personal data for purposes other than specified, standards for security for protection of held data, (undefined) time limits on data retention, and data breach notifications.

It is important to explore the strengths of the bill as well as address its shortcomings.

This bill also details in chapter three the rights of a data subject, including right to correction, erasure, compliance with data access request, withdrawal of consent for processing data, extent of disclosure of personal data, and right to prevent processing of data likely to cause damage or distress.

Additionally, the draft makes some exemptions for the purposes of this law, including for journalistic, literary or artistic purposes, which is a welcome step. However, it makes “processing of personal data in the interest of security of the state” subject to authorisation by the federal government under a procedure that remains undefined.

Also not defined explicitly is the liability of data protection on government and public bodies, which is a critical component of any such law considering the state and government hold the highest amount of sensitive personal data of citizens. The Nadra database, which holds the identity information of all citizens, has been subjected to hacking many times in the past, but there has been little transparency on the investigation of these hacks, whether an official was held responsible, and any consequences for those who failed in their responsibility of protecting citizens’ data.

This should also cover protections against leakage of personal data of citizens, including of families of public officials such as judges, ministers and generals, which is abused for political purposes. Such breaches often occur through connivance of officials in public bodies.

The bill also gives broad discretionary powers to the federal government whereby it can grant or revoke exemptions to data controllers, without a specified procedure. This also goes against the spirit of protecting data of citizens fairly.

A major contentious feature of the bill is the data protection authority that is “to carry out purposes of this act”, which under this bill functions under the federal government rather than being independent and autonomous. This is made more contentious by the funding of this body coming directly from the government, and the composition of the authority includes members of ministries, and four members from other industries such as media and civil society, but required to be employed full-time by the authority. This goes against the spirit of independence and autonomy of such a body.

The government would be better off using the already existing information commission, which functions to administer appeals under the right to information law, as is the practice in the UK under the Data Protection Act. This way, the government can utilise an existing body already working on a related matter — information requests — and legislate on its independence to avoid conflict of interest.

Furthermore, the current bill attempts to localise data under Sections 14 and 15 by requiring data of citizens to be stored within the borders of Pakistan, which presumably would apply to social media companies. This seems to be linked to the Protection (Against Online Harms) Rules, 2020, where the government proposed social media companies to register locally and set up servers. There is also the question of practicality of such a requirement as social media companies have already expressed strong opposition to plans of data localisation, especially in times of transnational data servers.

Apart from posing grave data privacy concerns given the state’s requests to social media companies on citizen data as shown by their transparency reports, data localisation also threatens freedom of speech on the internet, as surveillance causes self-censorship and persecution of speech critical of the government.

Lastly, this bill should include time-sensitive sunset clauses for health-related data and surveillance at a time of a pandemic. We have seen broad-based tracking of citizens for Covid-19, a process which has lacked transparency, legality and procedure respectful of the rights of citizens while safeguarding the right to life threatened by the pandemic such as only using aggregated and anonymised data rather than personally identifiable data. Further, the government should already be vigilant of Covid-19-related privacy violations such as leaking of health records of patients and stigma linked to the virus.

As for the timing of the bill, this is not the best time for consultation on a critical law considering the pandemic-related lockdown, and the tight deadline of 35 days for feedback. Hence, this must be treated as the first round of consultation, after which the draft should be amended, based on the feedback, and the ministry must provide justification for not including any suggestions made by those who submit comments. A second round of public consultation should be held on the amended version, followed by public hearings by the National Assembly and Senate committees on IT and telecom.

The writer is director of Bolo Bhi, an advocacy forum for digital rights.

Twitter: @UsamaKhilji

Published in Dawn, May 10th, 2020

Read more

On DawnNews
Dawn News English
Comments (2) Closed
Noor Fatima
May 10, 2020 11:33pm
Regime must take the precautionary measures in order to reserve the public data
Recommend 0
Ahmad
May 11, 2020 04:37am
People do not trust the government.
Recommend 0

Latest Stories

dawn images site

Most Popular

01
02
03
04
05
06
07
08
09

Must Read

Opinion

Editorial

By-election trends
Updated 23 Apr, 2024

By-election trends

Unless the culture of violence and rigging is rooted out, the credibility of the electoral process in Pakistan will continue to remain under a cloud.
Privatising PIA
23 Apr, 2024

Privatising PIA

FINANCE Minister Muhammad Aurangzeb’s reaffirmation that the process of disinvestment of the loss-making national...
Suffering in captivity
23 Apr, 2024

Suffering in captivity

YET another animal — a lioness — is critically ill at the Karachi Zoo. The feline, emaciated and barely able to...
Not without reform
Updated 22 Apr, 2024

Not without reform

The problem with us is that our ruling elite is still trying to find a way around the tough reforms that will hit their privileges.
Raisi’s visit
22 Apr, 2024

Raisi’s visit

IRANIAN President Ebrahim Raisi, who begins his three-day trip to Pakistan today, will be visiting the country ...
Janus-faced
22 Apr, 2024

Janus-faced

THE US has done it again. While officially insisting it is committed to a peaceful resolution to the...