Pakistan: Revised draft Personal Data Protection Bill v. GDPR
On 6 July 2018, the Ministry of Information Technology and Telecommunication ('MOITT') introduced the draft Personal Data Protection Bill 2018 ('the Draft Bill'). After receiving feedback on the Draft Bill, MOITT released a revised draft Personal Data Protection Bill 2018 ('the Revised Bill'), on 19 February 2019. Mustafa Munir Ahmed and Saira Khalid Khan, of RIAA Barker Gillette, provide insight into how the Revised Bill will work within data protection in Pakistan, and compare the key provisions of the Revised Bill to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In 2005, the MOITT circulated the Electronic Data Protection Act 2005 ('the Act'); however, it was never tabled in Parliament. According to expert critiques, there were major loopholes and grey areas in the Act, suggesting that if it were implemented it would fail to provide personal data protection.
On 23 May 2018, the Cabinet of Pakistan approved the Digital Pakistan Policy 2017, of which one of the key components is the proposal, inter alia, for legislation on the protection of personal data and online privacy for improved transparency, and security of sensitive and confidential information through an appropriate data protection law.
Whilst there is a majority consensus that the Revised Bill is an improvement on the Draft Bill, there are still certain key aspects which the Revised Bill has failed to address.
The Revised Bill
A national data protection law, which provides a solid structure for data protection, is a need of the hour for Pakistan. At the outset, it is noted that the language of the Revised Bill has been improved to focus on the processing of data relating to the data subject. Definitions and provisions of the Draft Bill have been amended to provide better clarity. There is also an improvement in the processes involved vis-à-vis the collection and processing of personal data.
Information that advertisers and websites use to track online activity, such as cookies, device identifiers, and IP addresses, should also be entitled to the same level of protection as other personal data. Such information can be highly revealing about online searches and activity, especially when combined with other data that companies may hold. All data processors must be required to explain how a person's personal data is used, shared and stored, even if they obtained that data from another company, such as a data broker or social media company. Even with strong enforcement, there are still many structural challenges to achieving the same vision of data privacy and control. For one, while the Revised Bill requires consent before companies can collect or process data, meaningful informed consent is difficult to achieve without choice.
Additionally, there is also concern regarding conflict with other laws. The Revised Bill requires data controllers to take all reasonable steps to ensure that all personal data is destroyed, or permanently deleted, if it is no longer required. This potentially clashes with data retention requirements under the Prevention of Electronic Crimes Act 2016, which mandates that service providers retain user data for a minimum period of one year.
While the Revised Bill provides that it will not apply to the processing of personal data by a government entity, solely for the purposes and to the extent provided under the relevant law, there is an added requirement to ensure security and secrecy for the protection and confidentiality of personal data.
Major highlights of the Revised Bill
Empowerment of the Commission
The National Commission for Personal Data Protection ('the Commission') has been given broader powers, including powers of enforcement, which were previously held by the Court of Session.
Complaint and judicial recourse
Complaints shall now be filed with the Commission. Any person dissatisfied with the processing of his or her complaint at the Commission may seek directions from the High Court in whose territorial jurisdiction the aggrieved person is permanently or temporarily residing.
The definition of the term 'personal data' has been widened to include any information that relates directly or indirectly to a data subject, as opposed to the older definition, which was restricted to information relating to commercial transactions. A data controller is now also required to provide to the data subject, in a written notice, the legal basis for the processing of personal data, and the duration for which the data is likely to be processed and retained thereafter.
Security requirements - standards to protect personal data
Standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction, shall be prescribed by the Commission. Previously, a data controller was required to take 'reasonable steps' in this regard.
Transfer of data outside Pakistan
Personal data of any data subject shall not be transferred to any person or system located beyond the territories of Pakistan unless the data subject has consented, or the data controller has ensured that the country to which the data is being transferred offers equivalent data protections to the data subject, and that the data transferred shall be processed in accordance with the Revised Bill.
Notification of personal data breach
A data controller is now required to notify the Commission of any personal data breach within 72 hours of becoming aware of it. However, in circumstances where such a breach is unlikely to result in a risk to the rights and freedoms of natural persons, the same is not required to be notified to the Commission. Such an arbitrary exemption can create potential legal problems.
Comparison with the GDPR
In the digital age, personal data is intrinsically linked to people's private lives and their human rights. Everything a person does leaves digital traces that can reveal intimate details of their thoughts, beliefs, movements, associates, and activities. The GDPR seeks to limit abusive intrusions into people's private lives through their data, which in turn protects a range of other human rights. While it appears that the structure of the Revised Bill is thematically in line with the GDPR, there are certain areas which still require improvement, specifically in terms of the current position of the digital economy of Pakistan, as it is still in its developing phase.
Pakistan doesn't enjoy the kind of economic muscle and policing capacity that the European Union has. The GDPR is common-sense regulation which can be implemented through a dedicated, serious-minded data protection agency. In view thereof, the third chapter of the Revised Bill does deal with rights of the data subject, modelled on the GDPR, whereby users have the right of access to personal data, the right to correct personal data, and the right to the erasure of personal data, all finally giving users rightful control over their personal data.
The MOITT has tried to capture and reflect the broad concepts of enhanced protections against unnecessary data collection and use of data in unanticipated ways, as provided for under the GDPR, however, certain potential problems have also been imported with this. Similar to the GDPR, the Revised Bill allows entities to obtain and process a person's data without consent if the entity's 'legitimate interests' outweigh a person's rights and freedoms. Some of the legitimate interests that entities can rely on include fraud prevention, internal administration, information security, and reporting possible criminal acts. However, direct marketing is also a legitimate interest, raising a potentially much broader category against which the individual's rights would be weighed. Depending on how the 'legitimate interests' provision is interpreted, it could create a major loophole, allowing data collectors to avoid seeking consent.
Like the GDPR, the Revised Bill also envisages only the concept of an express consent for the processing of personal data. No concept of implied consent has been envisaged.
As technology develops at such a fast pace, Pakistan needs data protection legislation that is fit for purpose.
Even as the Government pushes to put in place a new regulatory framework around how data is managed and shared, there does not yet appear to be a high-level consensus around how to do this in practice. With issues ranging from cross-border data flows and what constitutes important data, to how to balance the development of emerging technologies, such as artificial intelligence, there are growing demands by Pakistani users for data privacy. Therefore, there remains an unresolved internal debate in Pakistan about what all of this should look like. These debates will persist, even as new laws, measures and standards related to data protection are issued, leading to inconsistent enforcement and interpretation by authorities and entities. As such, the intent behind the Revised Bill is a key component for gauging what it will mean in practice. However, it is not the entire picture. It is essential for the law to define the scope of the Revised Bill clearly, and it is vital for the law to clearly define its material and territorial scope to ensure that the rights of data subjects are protected, regardless of where their data is processed or held.