Pakistan has seen an upsurge in digital and data driven crimes in recent years. Not only has the country gone through multiple instances of ATM fraud and skimming scams, the proliferation of personal data theft, leakage and other such cybercrimes against individuals has gone unchecked. This happens because companies, hospitals, shops, online retailers,and even government organisations collect and tabulate personal data of their consumers without adequate provisions for information security, and when their hit-and-miss security is breached, that personal data is leaked.
Entire swathes of national databases have been made public by hackers, including the NADRA database, leading to wire fraud, file sharing and piracy, and counterfeiting and forgery. The wide proliferation of personal data crimes has seen a sharp rise in online blackmailing, and data leakage as well.
Now, with a raging pandemic and the new work-from-home regime it has enforced for many white collar workers, the threat against the safety and security of personal data is high. Legislatively, Pakistan has been slow to tackle this problem. Since 2009, the legislature has managed to pass only three acts, the last of which was the Electronics Crimes Act of 2016.
Moreover, there has been no particular legislation passed for the protection of personal data. The closest we have come is a bill drafted by the Ministry of Information Technology and Telecommunication (MoITT) in October 2018, which has been revised and presented again in April 2020 as a result of the increasing reliance on information technology because of the Covid-19 pandemic.
The new draft, if passed, would essentially work as the legislative framework governing the collection, processing, use and disclosure of personal data. It would also establish and make provisions for offenses in the case of violation of the regulations set by the bill. However, IT Secretary Shoaib Siddique has confirmed to the media that there was no deadline for the consultation process at the moment, indicating that the government was in no hurry to make the bill law, despite the urgency of the situation, and is still seeking public comments on the bill.
Profit takes a look at the viability of the bill, and if it does become enforceable law, whether it will give Pakistan’s citizens the protection they deserve, and what the bill still leaves to chance. In summary, the bill does a reasonable job in protecting consumers against data privacy breaches by private actors like companies, but does nothing to prevent surveillance and abuses by the government itself.
Traditionally, consumer data or information might be gathered through surveys or focus groups or simple observation, and other situations where explicit consent is usually given to provide data. However, in these times, those organisations or companies collecting data often do it through more subtle methods. For example, one way to go about this is Automatic Data Processing (ADP) equipment. These are devices that automatically record and process data when it is entered. Companies also tend to make providing personal data part of transactions, since data is considered a ‘currency’ and is often hoarded.
Under the bill, data is information that is collected by means of equipment that is operated automatically (such as ADP equipment), or is requested in response to instructions. Providing data for an application, a newsletter, to buy a product or service, or to get a subscription all falls under this.
To this end, the bill tries to define “Personal Data.” The most important feature of personal data is that a person is recognisable through it, so for example their name or phone number. The bill deals with this kind of personal data when it is collected as part of transactional exchanges, or when it is provided “in response to instructions given for the purpose of the transaction.”
Under this definition, for example, if you were to buy a product and the company selling it to you was to ask for your name, address and phone number, and then file that information somewhere for later use, then only will it fall under the ‘personal data’ category.
This further leads to what the bill calls “Sensitive Personal Data.” This refers to personal data consisting of information that reveals racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, organizations and associations, biometric or genetic data, or the health or sexual life of an individual, criminal record, or any other personal data.
However, this is where the bill makes its first significant lapse. While there is an entire section in the bill relevant to the notifications and consequences of “data breach” in the bill, there is no definition given to what may or may not constitute a data breach in the first place.
What the bill does try to do is set out certain key principles that apply to the processing of personal data. And while some important ones are covered in the bill, a lot of other key principles have been left out.
The bill makes provision relating to the lawful basis for processing, purpose limitation, data minimisation, and retention. These four jargony terms essentially mean that when a company is collecting personal data, it must only be collected for lawful and relevant purposes. So fishing for extra data as part of a transaction would become illegal under this law, and only that data must be collected which is necessary for a transaction. The bill goes so far as to detail that data can only be retained by companies after collection if it is still needed for the relevant purpose for which it was collected, and they would be legally obliged to destroy this data responsibly if this was not the case.
Once again taking the example of a transaction where name, mobile phone number and address is provided by the customer, there must be reasonable cause to ask for this data, such as for delivery. And unless the delivery is a regular one, the company cannot keep the personal data of the customer and are obliged to dispose of it. This would also mean that companies and stores can no longer keep your phone number or address for advertising purposes. Disposing data is also particularly important here, since the entire point is to avoid personal data leakage in case the company is breached.
The bill also places great importance on ‘consent,’ which is to be an essential requirement to process personal data of the data subject under the new bill. It is as simple as this: the company or organisation collecting data cannot disclose it for any purpose without the express permission of the person that owns the data. Not only this, but those collecting data are responsible for the data they control, and are required to take practical steps to protect the personal data from any “loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction,” under the act.
There are certain aspects, however, that the bill ignores which have come to be considered standard practice in the European Union (EU). These principles are defined by the EU as ‘Necessity’, ‘Transparency’ and ‘Proportionality’.
These are also simple concepts which would go a long way to making Pakistan’s bill a much stronger one. Necessity, for example, is simple enough, and is also framed in other words in the current Pakistani bill. It is the idea that a fundamental right such as the right to privacy of information can be restricted when it is a necessary part of the process. Again, a company must collect your address to be able to deliver a product to you. However, in the EU’s data protection conception, it is said in so many words
Similarly, ‘Proportionality’ is defined as a general principle that restricts authorities in the exercise of their powers by requiring them to strike a balance between the means used and the intended aim. So this would essentially mean that the benefits being gained from restricting a fundamental right (right to privacy) are more than the disadvantages. This means safeguards accompanying a measure can support the justification of a measure, and thus promotes better cyber-security.
The final concept is ‘Transparency,’ which is no less important, since the institutions and bodies that adopt legislation like this data protection bill and make decisions based on that affect the lives of all those living in the country. Transparency is termed by the EU’s body as a significant feature of the law ensuring that the decisions affecting the populace must be taken as openly as possible. They should have the right to know why, how and who is involved in making these decisions and laws as well as have the fundamental right of access to the documents prepared in these activities. Given how a bill for protection of personal data may be misused, especially in a data wilderness like Pakistan, transparency is one key concept that the current bill of the MoITT must incorporate at all costs.
Individual rights in the bill
In addition to defining what data is and regulating how it is to be managed by those collecting it, the bill also lists the individual rights that the person who is the ‘subject’ of the data – and thus the original owner of the data – has. Once again, the bill posits these rights in the form of a set of key principles.
The bill guarantees the ‘right of access to data/copies of data,’ which in simple terms means if your data is being considered for some action by the authorities, you will have the right to access it. However, there is another clause that gives the discretion of sharing this data to the controller and also implements a certain fee upon the person in concern, should they wish to access their data.
Another key principle is the ‘right to rectification of errors,’ which insures that if you do manage to get access to your data after possibly paying a fee, and you discover that the data is inaccurate, incomplete, misleading or not up to date, you have a right to get it corrected by making a written request to the data controller.
Corollary to this is the ‘right to deletion/right to be forgotten’ principle, a centerpiece of data protection and laws in Europe and America. Under this principle, the data subject may also request for erasing their personal data, as long as this request is made without undue delay. Other requirements for the ‘right to be forgotten’ include the personal data no longer being necessary to the purposes for which it was collected, and that the data subject withdraws consent on which the processing is based.
Similarly, the data subject also holds the ‘right to complain to the relevant data protection authority(ies).’ The bill has provisions for the formation of a National Commission for Personal Data Protection, which will be a tribunal against any violation of personal data protection rights as granted under the bill, regarding the conduct of any data controller, data processor or any such cases.
While the bill covers most of the provisions that also exist in the EU’s General Data Protection Regulation (GDPR), the one important one that it seems to miss out as far as individual data rights go, is the ‘right to data portability.’
Going back to the EU’s definitions of these rights, data portability is required in the case that one authority fails to provide the desired outcome to the complainant. The definition of this key principle is that “The right to data portability allows data subjects to obtain and reuse personal data about them for their own purposes, and across different services. It allows data subjects to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without affecting its usability. This enables data subjects to take advantage of different applications and services that can use their data to find them a better deal or help them understand their spending habits. The right only applies to information about a data subject provided to a controller.”
Who will watch the watchers?
The merits or demerits of the bill as a legal entity aside, as it stands, it is still the subject of considerable criticism. While Pakistan desperately needs a legal framework for data privacy, many digital and human rights groups believe it does not go nearly far enough in protecting individuals from abuses by the government even as it places restrictions on private actors.
At the front advocating for these digital rights have been two groups, Media Matters for Democracy (MMfD) and Bolo Bhi, which is a civil society organization dealing with policy, and research in the areas of digital rights and civic responsibility.
At a press event in April, Bolo Bhi’s Director, Usman Khilji, told the media that while it was encouraging that the government was thinking about and taking data protection seriously, a month for consultation was very little time. Similar concerns have also been expressed by Nighat Dad of the Digital Rights Foundation and MMfD officials.
Bolo Bhi went on to publish a detailed analysis of the proposed bill, and said that while the protection of citizens’ data is long overdue and legislation seeking to extend safeguards is necessary, “the current draft does not adequately extend safeguards to citizens,” and like the Prevention of Electronic Crimes Act (PECA) 2016 and Citizens Protection (Against Online Harm) Rules 2020, “the bill awards discretionary powers which will lead to weak accountability and likely privacy violations of citizens’ communications and, in turn, a chilling effect on speech. Some of this is explained further in the analysis below, which deals with some of the major concerns.”
In an interview with Dawn, Khilji had explained this saying at a time when the government was mass tracking cell phones without any transparency or accountability, there was a greater need for conversation around protection of privacy rights. “I fear the law could be linked to the controversial online harms rules, especially Section 15 of the consultation draft,” he said in the interview.
Bolo Bhi’s analysis includes the statement that “Pakistan, like the rest of the world, is currently grappling with a pandemic. Around the world and here, governments have deployed technology to trace, track and surveil citizens citing these as Covid-19 measures. However, concerns about such measures going beyond just dealing with Covid-19 exist and are not misplaced. In light of this, any legislation proposed during this time should not be rushed.”
Pointing out the experience from rushing the PECA 2016, the organization states that “The Citizens Protection Against Online Harms Rules 2020 should also be kept separate from this process. The draft Personal Data Protection Bill 2020 merits a discussion while the Citizens’ Protection Against Online Harms Rules 2020 should only be discarded.
Meanwhile, the MMfD had submitted a set of recommendations to parliament back in October 2019, when the bill was originally drafted. They had outlined similar issues as those identified by Bolo Bhi. The recommendations were critical of the loose definitions of terms like “commercial transactions”, “personal data”, and “journalistic activities”.
They also identified that “The bill currently proposes criminal liability under section 21 in the wake of negligence in protecting data of the citizens.” Their analysis indicated that the bill would result in overlaps with other criminal laws such as Sections 3, 4, 5 and 16 of the Prevention of Electronic Crimes Act 2016 (PECA).
Bolo Bhi’s report has, in fact, listed a number of pressing concerns regarding the bill. For starters, they say that the bill provides very vague definitions, with no distinction between individuals, public, and private sector, personal or commercial. Left to interpretation, these vague definitions provide no clarity or certainty in terms of responsibilities, liabilities, or protections. This results in a general absence of clear procedures and guidelines, and a lack of clarity on responsibility and liability. It fails to take into account the scale and nature of operations, and makes no mention of government entities collecting data with the intent to process it.
Bolo Bhi also argues that the bill grants broad, discretionary powers to the federal government, allowing them to grant or revoke exemptions to any data controller “which is completely arbitrary, and should be done through an executive process devoid of any checks and balances. This is also prone to political influence.” In addition to this, there is a lack of independent oversight and accountability since it functions under the federal government administratively.
With the free reign given to the federal government, the bill also allows the government to come up with a mechanism that requires a “copy of personal data” to be kept in Pakistan. Other than the monetary costs attached to doing this, there are grave privacy concerns. To whom will this data be provided to store, process, protect, and access? For what purpose?
On the other hand, MMfD also suggested that “the data collected by government entities i.e. such as the data collected by NADRA [National Database and Registration Authority], is most at risk of being misused as this data falls within the purview of ‘sensitive personal data’. The scope of the bill should be extended to government-controlled, collected and processed data, ensuring protection and legal liabilities for data held by the government entities as much as for commercial entities.”
Why you should be concerned
In February this year, before the Pakistan government could announce the confirmation of Pakistan’s first coronavirus patient, the name, photograph, personal details, as much as his home address were leaked on social media. The person eventually recovered and wrote “My photo was all over social media and I became a pariah”.
Some other examples, mentioned in previous articles published on Profit include the incidence on October 27, 2018, when Bank Islami reported an online breach of their system in which the bank lost Rs2.6 million. In November of the same year, the stolen data went on sale on the black market. On February 22, 2019 Moscow-based threat intelligence firm Group-IB reported spotting the sale of nearly 70,000 Pakistani identity cards on the cybercrime marketplace called Joker’s Stash, worth approximately $3.5 million at the time.
In June 2019, PTA reported the identity theft of nearly 45,000 Pakistani international travelers for the purpose of registering imported mobile phones on the government’s Device Identification Registration and Blocking System (DIRBS) to avoid payment of customs duty. In December 2019, it was reported that biometric machines available with the myriad of retailers for SIM card registrations were faulty and were potentially leaking data.
Now, while we are a step ahead from where we were before, there is still a long way to go. And while this bill is a highly welcome move from the MoITT, the risks that experts from all over the country are highlighting with passing this legislation in a hurry and without taking all due considerations into account, might end up making this bill more damaging than useful.
The ministry was open for comments and suggestions from stakeholders until May 15, 2020. However, IT Secretary Shoaib Siddique spoke to a media house that there was no deadline for the consultation process at the moment and the process was open-ended for now. “We will decide the timeline for implementation depending on the feedback,” he said. One hopes that is the case, because there are still a lot of dents in the bill that need to be beaten out.