August 8, 2018

The Ministry of Information Technology and Telecommunications (MOIT) has put forth it’s draft Personal Data Protection Bill, 2018. Digital Rights Foundation (DRF) welcomed the move to invite comments and feedback from experts, civil society and the general public. Pursuant to the invitation for feedback, Digital Rights Foundation and Privacy International have submitted their joint comments regarding the Personal Data Protection Bill 2018.

The Bill put forward by the MOIT envisions a data protection regime that takes a comprehensive, federal approach to data privacy. The Bill consists of 43 sections and the preamble states its purpose as “to provide for the processing, obtaining, holding, usage and disclosure of data relating to individuals while respecting the rights, freedoms and dignity of natural persons with special regard to their right to privacy, secrecy and personal identity and for matters connected therewith and ancillary thereto”.

The Bill protects two types of data: 1) personal data and 2) sensitive personal data. The processing of personal data can only be done where there is consent of the data subject and notice has been given. In the case of sensitive personal data, explicit consent and along the requirement of necessity are required to collect, process, store and share sensitive personal data. We posit, however, that the definitions of personal data and sensitive personal data are limited in their scope as the former is confined to commercial transactions, whereas the latter does not include within its ambit biometric and genetic data. These definitional limitations essentially mean that government bodies and data held for non-commercial purposes are not governed by the Bill. Given the vast amount of citizens’ data held by the government and its various bodies, this limitations leaves the Bill inadequate in its goal of protecting the privacy of Pakistani citizens.

The Bill confers several rights on citizens, termed as “data subjects”, including the right of notice, access, correction, updation and erasure. It also compels data controllers to put in place security measures to guard against loss, misuse and unauthorized disclosure of personal data; and failure to do so can result in a fine of upto one million rupees. While these are welcome steps, we would urge the Ministry to review some of exceptions to these rights as they are vaguely worded and cast the net of exceptions wide enough to render some of these rights ineffective. We also request the government to define consent widely to ensure that it is explicit, free, informed, proactive, specific and withdrawable.

The Bill also creates a National Commission for Personal Data Protection (NCPDP) which consists of three members belonging to the judiciary, the field of computer science/telecommunications and civil society each.

Generally the Bill does not guarantee protection of personal data of local data subjects when it is held or processed outside the country. This jurisdictional confusion can effectively result in an inability of Pakistani users to control their data once it leaves the borders of Pakistan. Furthermore, the Bill vests wide powers in the Federal Government to make exceptions to the Act and draft Rules, without any effective limits on its delegated powers.

We appreciate that civil society and the general public were given the opportunity to provide their feedback on the Bill and we look forward to engaging in the next steps of the legislative process. Digital Rights Foundation hopes that an inclusive, transparent and well-defined consultative process is laid out by the in-coming government that takes into account meaningful engagement with civil society which is important to ensure that the subsequent Act safeguards the rights of citizens and results in the actualisation of the fundamental right to privacy as enshrined in Article 14 of the Constitution.

The Ministry’s draft Bill can be found here.

Digital Rights Foundation and Privacy International’s submission can be found here [PDF].

---

This statement is written by Shmyla Khan for the Digital Rights Foundation. For comments or information, email her at [email protected] or tweet at @shmyla