October 23rd, 2020 

By Rehan Piracha 



The Federal Ministry of Informational Technology is holding consultations to finalise a draft of the country’s first-ever legislation on personal data protection and safeguarding the privacy rights of online users, but digital rights organisations say the proposed law still gives greater control to government rather than users who should have undisputed control of their online personal data and privacy.

According to the draft of the Personal Data Protection Bill 2020, the bill is to govern the collection, processing, use and disclosure of personal data and to establish and making provisions about offences relating to violation of the right to data privacy of individuals by collecting, obtaining or processing of personal data by any means.

The bill provides for the processing, obtaining, holding, usage and disclosure of data while respecting the rights, freedoms and dignity of natural persons with special regard to their right to privacy, secrecy and personal identity. The protection of personal data and protection of privacy rights online have led to protective legislation around the world as more than 80 countries in European Union, Asia, America and Africa have enacted laws to protect personal data and privacy of their citizens.

Surprisingly, Pakistan has not been able to legislate on data protection despite many reported breaches of citizens’ personal data by NADRA, Safe City Authorities, and leak of CCTV footage from cinemas. The ministry proposed its draft of  Personal Data Protection Bill in 2018. The fifth draft of Personal Data Protection Bill 2020 was unveiled for public consultation on April 9, 2020 and closed for public submissions on June 15, 2020. According to Shoaib Siddiqui, Secretary of Information Technology, the draft is under active finalisation by the ministry, adding that the timeline for submission was short. The ministry was holding consultation with citizens and digital rights organisations that had submitted their suggestions on the draft.

What is in Personal Data Protection Bill 2020?

The bill would establish a Personal Data Protection Authority which would be empowered to formulate a framework for monitoring and enforcing the bill.The Authority shall be responsible to protect the interest of the data subject and enforce protection of personal data, prevent any misuse of personal data,promote awareness of data protection and shall entertain complaints under the Act. The proposed law defines procedures for the collection,processing and disclosure of personal data. It bounds a data controller (platforms,applications) not to process personal data including sensitive personal data of a citizen without his consent. The draft law also lists conditions for cross border transfer of personal data as well as notifying the authority of any breach faced by data controllers.

‘Data Protection Authority not independent’

Nighat Dad, Founder of Digital Rights Foundation (DRF), told Voicepk.net that the DRF representatives held consultations with officials from the Ministry of Information Technology on October 20. The DFR made a submission regarding the draft on May 6, 2020, as part of the ministry’s call for public consultations. “In our meeting with the Ministry on October 20, we raised serious concerns with the lack of independence of the proposed Data Protection Authority, particularly the inclusion of defence and interior ministries in its composition and the administrative control of the federal government,” she said. Furthermore, she said, the DRF posited that the powers of the Federal Government to make exemptions under Section 31 be removed, as it would make the Bill toothless if the government could exempt itself from the obligations under the bill. The DRF strongly recommended that the powers of the Federal Government to issue policy directives under Section 38 should be removed from the draft, she added.

Dad said the DRF also relayed its concerns regarding the data localisation measures introduced for cross-border personal data flows and‘critical personal data’, which has been left undefined, as they endanger the data security of citizens’ data and goes against international best practices.

‘State will have control of citizens data and privacy’

The concerns and objections were shared by other digital rights organisations. The purpose of a data protection law was to ensure that citizen’s data is safe from both state and private actors like technology companies and other service providers, said Sadaf Khan, Co-Founder of Media Matters For Democracy. “However, the draft Personal Data Protection Bill 2020 appears to consider the state as the default authority over data rather than the citizens whose data and information it is,” she said. She said the draft bill also creates an Authority that enjoys all the power over citizens’ data without having any kind of oversight mechanism to stop abuse of power. Global best practices have been completely overlooked, she added. “We have outlined these concerns and submitted our recommendations to the IT ministry and hope that they will take them seriously,”she said.

‘Consultations are an eyewash’

Whereas the world over regulators and governments are most concerned about the handling of user data by internet companies, in Pakistan data protection and privacy seems to be secondary, according to Usama Khilji, Director of Bolo Bhi. The government instead wants greater access to user data, the intent of which is clear in the new social media rules where data localisation is being demanded, said Khilji. “On the other hand, there is little progress on the data protection and privacy law, the consultation is ongoing and slow, and usually the consultations are an eyewash,” he added.