Pakistan: E-commerce policy "identifies means to protect data generated in Pakistan"
The Ministry of Commerce ('MOC') published, on 13 November 2019, the first e-Commerce Policy of Pakistan ('the Policy'). In particular, the Policy focuses on nine key areas, including, financial inclusion and digitisation through payment infrastructure development, the ICT and telecommunications sector, data protection and investment, and consumer protection in the digital environment.
In addition, the Policy seeks to augment e-commerce in Pakistan, provide an efficient e-payment infrastructure for local and cross-border transactions, create an e-commerce ecosystem, and ensure transparency and accountability in the digital industry.
Mustafa Ahmed and Saira Khalid Khan, Partner and Associate respectively at RIAA Barker Gillette, told OneTrust DataGuidance, "The Policy aims to trigger the introduction of new legislation and amend the current legislative framework to allow for regulatory oversight to enable the growth of e-commerce in Pakistan. The same, inter alia, aims to create a centralised registry for e-commerce businesses, introduce mandatory requirements for efficient customer support and dispute resolution mechanisms, a one-window facilitation entry, and improvements to the existing consumer protection framework. Additionally, the Policy acknowledges the importance of data as an asset and identifies the means to protect data generated in Pakistan, enhance data security, prevent violation of privacy, and create domestic standards for devices which are used to store, process, and access data."
Furthermore, the MOC emphasised the need for Pakistan to have data protection laws to allow the local digital industry to effectively use data, as well as enable local entrepreneurs to offer goods and services to other countries, specifically to the EU member states who require an adequate level of data protection for cross-border personal data transfer. In addition, the Policy recommends investment in the complete chain of e-commerce, including logistics, payment gateways, and marketplaces, to meet the challenges of the digital economy. Moreover, the Policy states that, apart from the banking sector, currently there is no legal framework for data localisation, however, the Ministry of Information Technology and Telecommunications ('MOITT') is formulating Pakistan's first Cloud Policy and the Data Protection Bill is at an advanced stage of consultation, both of which will address e-commerce issues.
Success of an e-commerce model depends on consumers' confidence, and this is what businesses should focus on
Ahmed and Khalid Khan continued, "Businesses should operate in a transparent manner. E-commerce entities should be mandated to make a full disclosure to the consumer regarding the purpose and use of data collection upfront, in a simplified and an easily understandable form on their websites/application interfaces. The success of an e-commerce model depends on consumers' confidence, and this is what businesses should focus on. [Furthermore], MOITT’s Cloud Policy shall provide protection to the general public regarding data privacy, transparency, ownership, and security to their end consumers, providing secure e-commerce services."
In addition, the Policy highlights that an efficient e-payment infrastructure will allow for smooth and quick, local and cross-border transactions. The MOC noted that, although 23 banks offer mobile banking to their customers, and that measures such as biometric verification of SIMs have enabled secure digital services and increased financial digital inclusion, digital merchant on-boarding is not currently offered by any bank in Pakistan. In addition, the Policy specifies that the State Bank of Pakistan ('SBP') will shortly issue guidelines for improving banking services for merchants, and that the MOITT and the SBP will approach PayPal and other similar services to ensure the availability of international payment gateways in Pakistan.
Ahmed and Khalid Khan further noted, "Issues related to payment processes and other financial transactions which are inherent to e-commerce should be addressed in order to prevent data leaks or theft, protect privacy, and sensitive data to enable secured transactions. [Moreover], a legal and technological framework should be created for imposing restrictions on data flows from data generated by users in Pakistan from e-commerce platforms, social media, and search engines etc. All such stored data should not be made available to a third party for any purpose without the consent of the data owner, sensitive data collected should not be made available to foreign governments or entities without prior permission of Pakistani authorities, and any violations of these conditions should result in consequences prescribed by the Government."
Tooba Kazmi Privacy Analyst