Context:

On 16 December, 2024, the Minister of State for IT Shaza Fatima tabled^[1] the Digital Nation Pakistan Bill 2024^[2] (“Bill”) in the National Assembly (NA). The proposed Bill aims to facilitate the formation of digital identity for citizens and centralize social, economic, and governance data. The digital identity is expected to include data about a citizen’s health, assets, and other social indicators. Furthermore, the Bill proposes to create three bodies^[3] including a high-powered National Digital Commission (NDC), to be chaired by the Prime Minister, a Strategic Oversight Committee (SOC), and a Pakistan Digital Authority (PDA). Reportedly, NDC will “set the strategic vision and policy framework for the country's digital transformation.” Furthermore, PDA will “implement these policies by coordinating and harmonizing digital initiatives across all levels of government.” Lastly, SOC will provide oversight on the work on PDA. Reportedly, the Bill has been prepared under the World Bank’s US$78 million Digital Economy Enhancement Project (DEEP)^[4]. It will likely enable the creation of a centralized digital infrastructure by 14 August, 2025 and all existing databases would be linked to it.

The bill has received widespread criticism from digital rights advocates, industry and parliamentarians, with some urging the government to consult all stakeholders before rushing through the legislation. On the other hand, IT Minister Shaza has defended the bill, terming it a “historic initiative” that would “eliminate red tape”.

The bill has been referred to the National Assembly’s Standing Committee on IT for further consultation. In terms of the next steps, it has to be tabled in the National Assembly again if new changes are incorporated into the existing draft. Once approved by the NA, it will then have to be tabled and approved by the Senate, before it is sent to the President for formal assent and becomes an Act. It is unclear how soon the government will move it through the parliament.

Concerns pertaining to the Bill:

1. No Prior consultation with civil society: The proposed initiative will transform the way citizens interact with the state and will have huge implications for human rights as well as the digital economy. Civil society organisations were not given a chance to provide inputs during the drafting of the bill or share any solutions to address any human rights concerns pertaining to the proposed Digital ID framework. Furthermore, the World Bank did not initiate such a consultation while providing input to the government. It is also unclear what advice was sent to the government by the World Bank on the proposed framework. Global civil society organisations had long urged the Bank to consult human rights groups while facilitating the launch of such ID systems globally. An open letter^[5] in this regard was also issued in 2022 that called for human rights impact assessments of digital ID systems. Additionally, in the governance bodies, there is no representation of ordinary citizens or civil society.
2. Overlapping Agenda: The proposed authorities in the bill seem to share many of the ambitions on digital development for which there already exist autonomous bodies such as the National Information and Technology Board^[6] and provincial technology boards. It is unclear why a new set of authorities are needed to design and implement a “National Digital Masterplan”, as per Sections 11 and 12 of the Bill,  given the presence of existing bodies with similar mandates and areas of focus. The Act also contains broad definitions for terms like "digital economy," "digital governance," and "emerging technologies," which may lead to overlapping responsibilities across agencies or entities, causing inefficiencies.
3. Austerity Vs Efficiency: The new Bill proposes the creation of a new authority called the Pakistan Digital Authority (PDA). The PDA will monitor implementation, assess compliance, and report progress to the NDC (Section 12(2)). However, there are no timelines for these processes, which will pose a risk of delays and ineffective implementation. Further, the current draft of the Bill proposes that the PM will appoint the three members of the authority and they may be eligible to open new offices. The creation of new authority with overlapping agenda may not be a good use of government resources at a time when the Prime Minister and the Finance Minister Muhammad Aurangzeb are spearheading an austerity drive that will likely lead to abolishing at least 82 government departments^[7] at the federal level and also include a few in the IT Ministry. Finance Minister Aurangzeb in particular criticised^[8] the need for creating the NDC and PDA, urging instead for the use of current technological infrastructure.
4. Data Protection Bill Vs Digital Nation Pakistan Bill: The proposal of a centralised digital infrastructure amid multiple incidents of massive data breaches and the absence of a data protection framework raise serious concerns around the government's capability to effectively manage data security of a centralised infrastructure. In various jurisdictions across the globe, a clearly laid out data protection framework and an autonomous data protection authority is essential to providing clarity around safety of the citizens’ data. Without a strong legal framework , a digital ID system runs the risk of highly sensitive data breaches with no mechanism for redressal and accountability, as has already been noted extensively in the case of data breaches in Aadhaar (India’s digital ID system) by CSOs such as Privacy International^[9]. Given the proposed masterplan under this Bill is likely to increase data processing of citizens’ data from various government departments, the next step towards enhanced digitalization is a Data Protection law, not a DNPB at this stage. Unless citizens have clarity on the accountability mechanisms pertaining to their data, creating additional authorities with powers to handle citizen data would create uncertainty among citizens. Numerous jurisdictions have adopted universally acclaimed data protection frameworks such as GDPR^[10] in the EU, Sri Lanka’s Registration of Persons Act^[11] in South Asia, and the Philippines’ Data Privacy Act of 2012^[12].  It is positive to note that the IT Ministry is already working on the bill and has been provided with feedback from all the stakeholders, especially from the digital economy and the human rights lens.
5. Internet connectivity challenges: Additionally, the effectiveness of the digital identity system relies heavily on reliable internet connectivity, which remains inaccessible to more than half of the population. Even those with access have complained of poor internet quality and intermittent disruptions with no clear explanation from the government on how soon the internet connectivity would improve. Reportedly, Pakistan’s internet speeds were rated among the lowest 12% of the countries.^[13] In such a situation, a centralized digital ID framework is likely to exacerbate the digital divide and deprive half of the population from the services it aims to offer.
6. Sweeping powers, Lack of Accountability and Judicial Oversight: Sections 28 and 29 of the Bill raise serious concerns by giving unchecked power to the authorities enforcing it. By stipulating under Section 29 that “no decision or action taken under this Act or rules" or regulations made thereunder shall be questioned by any agency or challenged in any court or tribunal, nor shall any injunction be granted against such decisions or actions”, the law shuts the door for accountability, removes judicial scrutiny, and violates the principle of checks and balances.  This prohibition further conflicts with constitutional guarantees, such as the right to due process, as it bars seeking legal remedies against potential abuses of power. The lack of oversight and barring injunctions will risk arbitrary decision-making and misuse of powers. It could also discourage foreign businesses and investors who prefer strong legal safeguards. Moreover, section 28 giving this Bill an overriding power over other laws will threaten existing or future right-based protections, like those for privacy or data protections. Concerningly, the Strategic Oversight Committee (SOC), established under Section 9 of the Bill, which claims to be an independent body, will be chaired by the IT Minister, effectively rendering its independence and autonomy compromised. For instance, Cambodia set up a monitoring body called the National Steering Committee on CRVS and Identification (NSCI) under its National Strategic Plan of Identification (2017-2026) that includes civil society representation apart from members of multiple government ministries^[14].
7. Concerns around the Bureaucratic Composition of Proposed Authorities:  The establishment of three governance bodies in the Bill raises concerns regarding power concentration, accountability, and operational effectiveness. Firstly, the NDC, chaired by the Prime Minister and made up of political leaders, centralizes decision-making, which could lead to politicized decisions. NDA is composed of 17 members, including the Prime Minister, key federal ministers, and all four provincial chief ministers. This composition raises concerns about the practicality and functionality of the commission. For instance, holding meetings could be challenging with this centralized structure of the high-level membership, resulting in delays in decision-making, and difficulties in coordinating across various levels of government. The sustainability of such a structure over time may be questioned, given the complexities of aligning federal and provincial interests within a single body. Secondly, though the PDA does have administrative and financial powers, it does not appear to have true autonomy, as any appointments will be made by the Prime Minister, who also has the authority to remove persons “for reasons to be recorded” (Section 7(6)), in the absence of voluntary resignation. Lastly, the SOC, according to the Bill, will promote accountability through monitoring the PDA’s performance and providing independent reviews. Its purview for thorough external oversight could be limited, however, given that it will be answering to the NDC. The language of the Bill does not indicate or address any clear mechanism for conflict resolution between these bodies or the federal and provincial stakeholders involved.
8. Unclear Funding Mechanism: There are many vague sources of the "Digital Nation Fund," like government allocations, grants, and loans, but no mechanism for securing and sustaining these funds. Getting an annual allocation from the Finance Ministry will be a challenge.

Recommendations:

1. Human Rights Risk Audit: Prior to and during the implementation of a digital ID system under the Digital Nation Pakistan Bill (2024), a human rights risk audit conducted by independent experts is necessary. This audit will comprise contextual and baseline analyses, independent rights-focused evaluations, and cost-benefit audits that take into account political, social, and economic dynamics. Funding and resources must be allocated to such an audit . The audit team should be independent from the World Bank or government to avoid conflict of interests.
2. Create opportunities for sustained, high-level engagement with civil society and other experts: In the review stage of the Bill, the government must facilitate inclusive multistakeholder fora by holding open and transparent dialogue with civil society, experts, and other stakeholders. These fora should enable the evaluation of current systems and potential implementations across various sectors, including trade, healthcare, and migration management.
3. Enact a Human Rights compliant data protection bill: The government should prioritize the passage of a rights-respecting data protection law instead of the proposed Bill, with clear guidelines on how data will be collected, stored, and used, alongside strict protocols for consent mechanisms, data security, and accountability. In parallel, given the centralization of data, there must be proper implementation of cybersecurity measures, including checks on access controls and regular assessments.
4. Cyber Security of Centralized Data Systems: Refrain from establishing digital ID systems as a centralized repository that government officials or private actors can easily access without limitations, particularly if the digital ID system includes biometric data. Access to the data should be strictly limited, and law enforcement access should be predicated on a warrant issued by an independent judicial authority. All data collection, processing, and storage must instead be decentralised, and distributed across multiple locations or systems instead of relying on a single, centralized database. Capacity building in cybersecurity infrastructure is possible for Pakistan through collaboration with international organisations and experts, enhanced public funding, and public-private partnerships.
5. Develop a legal framework with robust transparency and oversight mechanisms: The government must develop robust legal frameworks to govern the operation, use, and access of digital ID systems. These frameworks must classify citizen data by sensitivity—particularly protecting biometric, financial, and medical data under strict guidelines inspired by international standards such as the European Union General Data Protection Regulation (EU GDPR), United Kingdom Digital Identity and Attributes Trust Framework (UK DIATF), United States Health Insurance Portability and Accountability Act (US HIPAA), and Gramm-Leach-Bliley Act (GLBA).

   Section 29 of the Digital Nation Pakistan Bill 2024 which provides blanket immunity provisions that undermine transparency and accountability, must be amended to allow for limited judicial review. Any oversight mechanisms must be independent, and must include accessible grievance processes to address rights violations, gain public trust, and protect against potential abuses of power.

6. Ensure Digital ID systems are inclusive: The proposed Bill risks excluding marginalized communities due to limited internet access in rural and underdeveloped areas such as Gilgit-Baltistan and Balochistan. The framework does not address how these regions will be accommodated. The government should make significant investments to expand broadband and 5G infrastructure, leveraging public-private partnerships and government subsidies. A good model to follow can be India’s BharatNet^[15], which aims to provide broadband access to 250,000 villages for e-health, e-education, and e-governance. Policies should be designed to incentivize ISPs to reduce service costs in underserved areas alongside launching digital literacy campaigns to empower citizens.
   Further, the framework must delink digital IDs from legal status, following examples like the World Bank-funded Nigeria Digital Identification for Development Project. This allows refugees, migrant workers, and stateless persons to access essential services without barriers.
   The Bill should include periodic appraisals pertaining to digital inclusivity, annual progress reports to Parliament, and a clear timeline for infrastructure development with robust accountability mechanisms.
7. Ensure Strategic Oversight Committee (SOC) is fully independent: As highlighted in the concerns above, the proposed establishment of the Strategic Oversight Committee (SOC) as an independent and autonomous body consisting of private sectoral representation with the aim of legally enabled input is hindered by the fact that it will be chaired by the IT Minister. In order to ensure the independence of this body, there must be no involvement of government officials in the Committee.

^[1] https://www.dawn.com/news/1879138

^[2] https://www.na.gov.pk/uploads/documents/6760344aeafac_156.pdf

^[3] https://www.geo.tv/latest/579958-digital-nation-pakistan-bill-tabled-in-na-to-establish-unified-identity-for-citizens

^[4] https://www.brecorder.com/news/40338210/talks-on-digital-nation-bill-inconclusive

^[5] https://www.accessnow.org/press-release/open-letter-to-the-world-bank-digital-id-systems/

^[6] https://www.nitb.gov.pk/

^[7] https://www.dawn.com/news/1855153

^[8] https://tribune.com.pk/story/2495476/ministers-object-to-creation-of-more-authorities

^[9] https://privacyinternational.org/long-read/2299/initial-analysis-indian-supreme-court-decision-aadhaar#:~:text=The%20court%20has%20demanded%20that,for%20government%20grants%2C%20and%20schools

^[10] https://gdpr.eu/

^[11] https://www.srilankalaw.lk/r/1018-registration-of-persons-act.html

^[12] https://privacy.gov.ph/data-privacy-act/

^[13] https://www.google.com/url?q=https://www.dawn.com/news/1882236/the-year-they-came-for-the-internet&sa=D&source=docs&ust=1736247757914673&usg=AOvVaw0DwtDZoKi3rpzmLbVr9jIZ

^[14] https://greaterinternetfreedom.org/wp-content/uploads/2023/09/Regional-Report_South-and-Southeast-Asia.pdf

^[15] https://www.akalinfo.com/blog/bharatnet/