The state of data protection law in Pakistan

The effect and influence of Europe's General Data Protection Regulation (GDPR) upon the data privacy laws of swathes of countries around the world cannot be overstated. While GDPR is definitely not perfect, the laws have undoubtedly set the gold standard internationally when it comes to designating protections over personal data, whilst remaining relatively effective in holding organisations to account for any wrongdoings.

As a result, many nations - from Brazil to the United States to India - have sought to enact their own all-encompassing privacy/data protection laws, with varying degrees of success. However, there are still many countries around the world that have not successfully implemented any GDPR-like regulation and are thus falling behind on the issue of data protection when compared to many of their international counterparts.

Falling into this category is Pakistan, which despite drafting a set of data governance laws in 2018 that were clearly inspired by Europe's in many ways, has not yet managed to ratify the regulation. In assessing the state of Pakistan's data protection law as it stands right now, we look back at what the country has had up until this point and what privacy experts are saying about the latest draft of its Personal Data Protection Bill (PDPB).


Pakistan's existing regulation

Up until a couple of years ago, Pakistan had taken only a few minor steps towards bringing in official regulation to protect the privacy of its citizens. In a basic form, article 14 of the country's constitution guarantees privacy as a fundamental constitutional right, taking precedence over any other provisions of domestic law, although this had little significance in the realm of data privacy. A bill was also drafted in 2005 by the Ministry of Information Technology and Telecommunication (MOITT) that looked to specifically address data protection, although it wasn't expressly written with individual privacy issues in mind and was never actually tabled in parliament.

So essentially, Pakistan had really been lacking any kind of comprehensive or substantial regulation that governed data privacy for a considerable period. However, in July of 2018, the country signalled that it would be getting serious about data privacy when MOITT introduced a draft Personal Data Protection Bill (PDPB), which was welcomed as a positive first step by privacy advocates. PDPB was envisioned as a comprehensive, federally mandated set of regulations governing the "processing, obtaining, holding, usage and disclosure of data relating to individuals."

Many of the bill's elements were similar to those found in GDPR, introducing designations of ‘sensitive personal data’, consent-based processing requirements (albeit without defining what it meant by consent), and stipulations outlining the rights of citizens or ‘data subjects’. These rights included things like the right of access to personal data, the right to correct personal data, the right to withdraw consent, and the right to erasure. It also compelled organisations, or ‘data controllers’, to put security measures in place to defend against data loss or breaches, with fines of up to one million rupees (about $6000 USD) for non-compliance.

One of the issues raised by privacy experts was the restriction of the definition of ‘personal data’ to data pertaining only to "commercial transactions", meaning the swathes of personal data held by government organisations would not be included. Issues were also raised in relation to the proposed ‘Data Protection Commission’, which did not seem to be independent from government control in regard to its functions and composition.

While a second iteration of PDPB was issued by MOITT in October of 2018, with minor improvements on definitional aspects, many of the same issues that plagued the first version remained. All in all, privacy experts noted significant shortcomings of the proposed legislation, especially when compared to other privacy regulations such as GDPR.


Update: 2020 data protection bill

The second draft of the PDPB came in October of 2018, but it wasn't until April of this year that the third iteration was shared by the MOITT. Many of the amendments in the third version have been deemed improvements by some privacy advocates, but many of the earlier issues remain, and civil society organisations are concerned that certain changes go a step further towards facilitating government control in some key areas.

The scope of the bill has been expanded in the latest amendment and is actually now wider than most other privacy laws. As stated, the laws would apply to both local and foreign entities (whether established within or outside Pakistan) that process, control or authorise the processing of personal data, as long as any party in the processing chain (i.e. the controller, the processor, or the data subject) is located in Pakistan. Essentially, if any of the applicable parties are located in Pakistan, including the individual data subject, the laws apply.

The third iteration also updates the definitions of personal and sensitive personal data, with the former comprising any information relating directly or indirectly to a data subject and the latter defined non-exhaustively but including an individual's access credentials, financial information, health and medical records, passports and biometric data, ethnicity, and religion. Crucially, the third iteration has also outlined a definition of consent, which is stated as any freely given, specific, informed and unambiguous indication of the data subject's wishes. Consent must be given through "clear affirmative action" to signify agreement to the collecting, obtaining, and processing of the relevant personal data.

The new draft also significantly bumps up the fines for non-compliance, with penalties of up to 5 million rupees (just under US$30,000) for processing personal data without consent and up to 25 million (just under $150,000) for the unlawful processing of personal data. In addition, the bill now outlines that a legal entity held liable for non-compliance may be fined 30 million rupees (just under US$180,000) or 1% of its annual gross revenue in Pakistan, whichever is higher. While this represents a healthy increase over the previously mentioned fines, they still pale in comparison to those of the GDPR, which has maximum fines of €20 million, or 4% of an organisation's total worldwide annual turnover, whichever is higher.


Potentially authoritative nature

While the bill seeks to address some of the criticisms it faced over the last two iterations, many of the previous recommendations from privacy groups have seemingly been ignored. One of the major issues that privacy groups have with the set of provisions as they stand is to do with the degree of overarching government control and the apparent freedom that public institutions have in being exempt from the rules.

As per the latest iteration of the Personal Data Protection Bill, the commission for personal data protection has been replaced with a seven-member Authority, which has the power to call for information from any data controller or processor for the effective discharge of its functions. However, the authority is described as an autonomous body under the administrative control of the federal government.

The bill indicates that the government will appoint the members of the authority (including the chairman), while also stipulating that several government representatives from existing ministries will take positions on the board, allowing these members to be part of the decision-making process. These members could also almost exclusively govern certain decisions, considering the bill only requires three members to attend meetings. This arrangement potentially cuts deep into the legitimacy of the PDPB, as the authority is obviously a central aspect of the overall effectiveness of any set of data privacy regulations.

The Freedom of Expression Exchange (IFEX) outlines its issues with the government's power over the authority, expressing concern that, with how the bill is worded, the government "has attempted to consolidate all powers, including the power of (delegated) legislation, investigation and the judiciary."

"This disregard of the constitutional principle of the separation of powers demonstrates an attempt to centralise power, which will enable unlimited access to, and exercise of strict controls over citizens' data. The existing Authority or commission should be independent from the involvement of existing government ministries," IFEX wrote in a review statement.

The bill gives further powers to the government of Pakistan through its stipulation that the government is allowed to grant exemptions to the law for certain controllers or processors essentially whenever it wants. The vague nature of this stipulation seems to indicate that the government would have the power to waive the law when it applies to their own conduct, again undermining the nature of the PDPB itself.


Further issues

Another point of contention amongst privacy professionals has been the bill's move towards localisation policies. While the bill outlines that personal data may be transmitted outside of Pakistan's borders (as long as the destination countries are deemed to have at least an equivalent policy to the PDPB), it makes an exception for "Critical personal data", which it neglects to define. Instead, critical personal data - which will be classified by the authority with the approval of the federal government - will need to remain within Pakistan. Localisation is widely condemned as an unnecessary measure and is often used to ensure government control of certain data, a motive feared by privacy experts.

Further discrepancies between GDPR and the PDPB emerge when looking deeper into the bill. These include the lack of a data portability option, which is often a staple of comprehensive privacy laws. Portability has been highlighted as a point of improvement by a few privacy groups, including the Digital Rights Foundation and Access Now. Furthermore, while there is a mandate for breach notifications, these only need to be given to the data authority and not to the affected individuals themselves.

Some pundits have also expressed concern that the newest revision of the PDPB is being pushed now - in the midst of the coronavirus pandemic - not as a means to ensure citizens' data remains safe during outbreak measures, but to quicken the approval process.


What's next?

In terms of applicability, the government of Pakistan has said that, if passed, the bill would come into effect after at least one year, and no longer than two years, from the date of promulgation. This measure would be employed in order to allow businesses time to get up to speed with the new rules and to determine what category they fit within (i.e. data processor or controller).

It must be reiterated that the latest revision of the PDPB makes a lot of headway and clears some of the major problems present within the last iteration. However, from the perspective of privacy advocates, the bill still has a long way to go if it wants to be positioned on par with international counterparts, and especially GDPR. Multiple issues with vague definitions and overly authoritative alignments seem to plague the bill, to the point where it is often unclear how parts of it would actually work. It also takes a step backwards in parts when compared to international best practices, such as where it pushes for partial data localisation.

While the government might be keen to push the legislation through on the back of the COVID-19 outbreak, and the public consultation period is now over, these significant issues look set to hold the PDPB back to the point where it could be extensively revised. Multiple recommendations, many of them shared between several privacy organisations, have now been submitted to the government of Pakistan, providing guidance on how to rectify these issues. However, in regard to any adherence, amendments and revisions, the ball is now firmly in the government's court.