History of Data Protection Legislation in Pakistan

According to the UN, 107 countries across the world have enacted data protection and privacy legislation. In order to ensure the fundamental rights of its citizens and compliance with international human rights standards, Pakistan has also taken steps to enact a personal data protection law in Pakistan. Article 14 of the Constitution of Pakistan guarantees the Right to Privacy, however serious efforts to introduce a law were first taken in 2018 (though a draft Bill was put forward in 2005 but was deemed too weak) when the Ministry of Information Technology and Telecommunication (MOITT) introduced a draft Personal Data Protection Bill in July 2018 and invited comments from the public. The Bill was lauded as a good first step, however suffered from serious issues in terms of scope as it restricted the definition of personal data to “commercial transactions”, limiting its applicability to government-held data, and the proposed Data Protection Commission was not sufficiently independent in its functions and composition. 

A second iteration of the Bill was shared by the Ministry in October 2018, with slight improvements in terms of definitions but many of the same concerns remained especially when compared to international best practices such as the General Data Protection Regulation (GDPR). There was little headway by the MOIT since despite appeals from civil society and being taken up by bodies such as the Senate Standing Committee on Human Rights. The third draft of the Personal Data Protection Bill (referred henceforth as the “Bill”), was put forward by Ministry in April 2020.

Executive Summary

We appreciate the efforts by the MOITT in making data protection and privacy of citizens a priority. Furthermore, we welcome the consultative process adopted by the Ministry. However we hope that during a time when the entire world, including Pakistan, is under lockdown and reeling from the economic, social and public health implications of the COVID-19 pandemic, that such important legislation will not be passed hastily and without the opportunity for an inclusive and open consultative process.

The new 2020 Personal Data Protection Bill, while a better version in comparison to the drafts issued in 2018, still does not fully capture the data protection needs of people in Pakistan. The most prominent issue we see with the draft is the exemption-making and wide-ranging powers given to the Federal Government, in particular under Sections 31 and 38 which risk undermining the protections afforded under the Act. Government bodies collect and process vast amounts of personal data and the obligations in the Act must extend to them and the Government should not be able to introduce further exemptions without proper scrutiny and safeguards. Additionally, the independence of the Personal Data Protection Authority of Pakistan needs to be ensured, by limiting the powers of the Federal Government to appoint members and approve rules made by the Authority (Section 48).

The need for and reliance on technology has and will drastically increase during the COVID-19 pandemic and in a post-Coronavirus world where we will see a predominantly offline world transform into an online world. Access to online platforms of communication, healthcare, education and business is no longer a luxury. In the midst of all this, the need for protection of our personal data is essential more than ever.

Our primary recommendations to the Ministry are:

1. Definitions of terms such as “Public Interest” and “Critical Personal Data” should be explicitly defined under the Act;
2. The definition of “Sensitive Personal Data” should be expanded to include categories such as “membership of a trade union” and “philosophical and/or religion beliefs”;
3. Implementation of the Act should be on a progressive basis to ensure a balance between rights protection and a grace period for data controllers to ensure compliance;
   
4. Clearer language regarding scope and jurisdiction of the Act;
   
5. Mandatory requirements for obtaining consent should be expanded to include information on intention to transfer of personal data to a third country and the level of protection provided, the existence profiling for targeted purpose, and the existence of automated decision-making;
   
6. The Act should develop a higher consent standard for personal data of children and young adults below the age of majority;
   
7. Clearer and minimum requirements for security measures for data controllers should be laid down in the Act;
   
8. Data localisation measures introduced for cross-border personal data flows should be seriously revised in light of international best practices;
   
9. Procedure for withdrawal of consent should be simplified to ensure that it is as easy for the data subject to withdraw consent as it is to give it;
   
10. Rights of data subjects such as the right to data portability, right to information related to profiling and automated decision-making, and right to compensation should be explicitly included in the Act;
    
11. Powers of the Federal Government to make exemptions under Section 31 be removed;
    
12. Safeguards should be included to ensure independence of the Data Protection Authority;
    
13. Powers of the Federal Government to issue policy directives under Section 38 should be removed.Find DRF’s detailed, section-by-section analysis of the Personal Data Protection Bill 2020 here.