July 11, 2018 - DRF Statement: Ministry of IT and Telecom introduces the Personal Data Protection Bill
Digital Rights Foundation would like to commend the Ministry of Information Technology and Telecommunication (MoITT) for drafting a Personal Data Protection Bill and opening it up for public consultation. We hope that this is the start of a two-way consultation process where suggestions put forward by civil society groups and citizens are taken into account.
Accessing the internet in a country with little to no focus on digital literacy and no guarantee of data protection is a curious thing. You may expect that what you share online of your own will is all that anyone knows about you, and that the rest of your life remains personal. The right to data protection becomes essential when a person, despite having no understanding of how technological servers work, owns a mobile phone with a working telecom network. Everything from his phone number to transmitted data like SMS and call records is being saved somewhere, possibly without any security protocols whatsoever - putting the data of that person at risk of being stolen and misused.
This is not restricted to telecom data; it is true for all kinds of electronically transmitted information, whether stored by the person themselves or by someone else, as in the case of the NADRA database, which holds the most sensitive information on over 200 million Pakistanis. A simple internet search lists all the data breaches that NADRA has experienced in the past couple of years; a government agency that once held the title of being the world’s largest biometric database overlooked the safety of the citizens of Pakistan and allowed external and internal actors to misuse its data through security loopholes. Digital Rights Foundation recorded some of these breaches in 2017 in an infographic [PDF] in the hope of demanding better security protocols from the authorities.
This is just one example of citizens’ data being breached. It is also important to acknowledge the instances where customer data is being sold for as low as 100 PKR (~ $0.82) by customer care representatives of telecom companies, and through WhatsApp groups. Another rather recent incident was that of a ride-hailing app’s servers being breached and the data of millions of customers being copied. The service chose to remain quiet for months while people continued to use their hacked accounts, transmitting more details to the compromised servers. The incident was soon forgotten and no legal measures were taken.
There have been a multitude of instances where customers’ safety was jeopardized and the consequences were overlooked. We at the Digital Rights Foundation have recognised and been advocating for the need for concrete data protection legislation in Pakistan that addresses the issues of security breaches and unwarranted use of users’ personal information by various organisations and institutions, and grants the protection and power of data to its rightful owners - the users.
It is for this reason that we commend the efforts of the MoITT in putting the preliminary bill of the Personal Data Protection Act up for comments. The initial overview of the draft by the DRF team suggests that while the bill is comprehensive in its scope and underscores the importance of data protection and of the user’s consent before their data is used and/or transmitted, it has some loopholes that have the potential to take away people’s agency over their information. Our reservations include the vague language used in the bill, a lack of clarity on certain terms including ‘consent’ and ‘public interest’, some sections overlapping and indeed clashing with the Prevention of Electronic Crimes Act 2016 (PECA), and, most importantly, the broad powers this bill seems to give to the authorities and data controllers over user data.
DRF submitted a policy brief to the ministry, a PDF of which can be found here, and some of our recommendations were made part of this draft. However, we believe that certain sections in the bill should be amended, and DRF is in the process of analysing it in detail to file a submission to the ministry. We hope that the Ministry of Information Technology and Telecommunication will take our recommendations into account in order to address these issues.
Meanwhile, we recommend that everyone review the bill here [PDF]. We would encourage all citizens to send their recommendations to us at email@example.com with the subject line “Recommendations for Personal Data Protection Bill”, or to send feedback directly to MoITT at firstname.lastname@example.org.
Statement drafted by Hija Kamran and Shmyla Khan for the Digital Rights Foundation
Published by: Digital Rights Foundation in Blog