The new data protection law is a farce aimed at violating citizens’ privacy

Progressive developments in data protection can only be made through inclusive policy-making processes that seek input from privacy experts, tech companies, and, most importantly, citizens.
Published August 1, 2023

Over the last few weeks, Pakistan has aggressively pushed for increased control over cyberspace, with the federal cabinet hastily granting approval to two new bills and another reportedly in the works.

One of the primary objectives of the new legislation is to realise the long-standing ambition of data localisation. Among these bills, one proposes amendments to the Pakistan Electronic Crimes Act (Peca) — a law notorious for enabling state-led political censorship.

As for the second bill, called the E-Safety bill, there is neither a published draft nor have any consultations been held, leaving citizens uninformed about its potential implications.

The third bill in question is the draft of the Personal Data Protection Bill, 2023 (PDPB), which was circulated in June and has drawn flak from rights activists for various reasons, including its provision for data localisation.

Section 31(2) of the PDPB requires organisations and businesses that handle “critical personal data” to process and store such information within servers located in the country. However, the responsibility of defining what constitutes “critical personal data” has been entrusted to the National Commission for Personal Data Protection, which is expected to be established under the law. Concerns have also been raised regarding the independence of this Commission.

Although the government received feedback and recommendations on the bill, it remains uncertain whether the draft, recently approved by the federal cabinet, addresses any of the concerns raised or incorporates the feedback received.

Why the govt wants data localisation

Pakistan’s pursuit of data localisation is driven by two primary motivations. First, the challenges it faces when dealing with social media platforms, particularly in obtaining access to user data that it wants censored or removed. These demands are often justified under vague terms such as “national security” and “national interests.” Social media platforms push back against this proposition, citing data privacy concerns as the main reason for their reluctance to share certain data with the government.

Second, the government aims to adapt to the new political landscape by asserting ownership over user data of its voters. In recent years, the impact of user data on shaping political landscapes has become increasingly evident. Political entities use personal data to create detailed psychological profiles of voters, categorising them based on personality traits, values, attitudes, interests, and behaviour. These intricate psychological profiles provide insights into the preferences and inclinations of different voter segments. Equipped with this wealth of information, political actors strategically tailor content to manipulate and sway public opinion in their favour, thus advancing specific political agendas.

This use of personal data raises significant concerns about its potential impact on human agency and autonomy. When personal data is exploited to target and manipulate individuals without their awareness, it undermines their capacity to make independent and informed decisions, thereby posing a threat to the essence of democratic participation.

Consequently, the push for data localisation, which essentially means transferring the ownership of critical personal data to the state, has triggered apprehension among rights activists and privacy advocates, who are worried that such measures could jeopardise user privacy and provide the government with greater control over online content and communications.

While the PDPB does mandate user consent for data collection, the reality presents a different picture. In many instances, this consent is either uninformed, as users are not provided with sufficient information about how their data will be used, or it is coerced, meaning that users may find themselves compelled to consent to almost any form of data processing if they wish to access essential digital services. The alternative would be to forgo access to these services entirely, which is not viable in a world where people have transitioned to the digital world for their daily-needs.

Genuine data protection does not come from adding provisions for superficial consent or data localisation. The real emphasis must be on curbing extensive data collection and restricting it to what is genuinely necessary for specific purposes, such as advancements in education or healthcare sectors.

Unfortunately, the reality today is quite different with user data stockpiled in surplus, left dormant within archives for future possibilities of exploitation. Moreover, promoting community participation in data collection processes is essential to empower people to take ownership of their own data and gain actual control over what information is collected, for what purpose, and how it is shared.

However, such progressive developments in data protection can only be made through inclusive policy-making processes that actively seek input from privacy experts, tech companies, and, most importantly, citizens.

For Pakistan to progress towards data protection, it must prioritise transparency from the outset. Holding public discussions and debates about proposed laws is crucial to address concerns and foster trust in the government’s efforts. Unfortunately, the current approach of secrecy and haste to policymaking stands in stark contrast to these principles.

Header image: Shutterstock