Data pro­tec­tion law

The Financial Daily - - NATIONAL - Usama Khilji

The in­tro­duc­tion of a draft law on data pro­tec­tion and pri­vacy by the IT and tele­com min­istry is a wel­come step. In the ab­sence of such a law, Pak­istani cit­i­zens have had their pri­vacy breached and per­sonal data leaked and used without their con­sent a num­ber of times by in­di­vid­u­als, com­pa­nies, and the state.

It is of ut­most im­por­tance that in this day and age of tech­no­log­i­cal ad­vance­ment and reliance on in­for­ma­tion and com­mu­ni­ca­tion tech­nolo­gies, there be a strong law that pro­tects the pri­vacy of cit­i­zens who trust sev­eral com­pa­nies and the state with their per­sonal data for ease in ser­vices, and have the guar­an­tee un­der law that such per­sonal in­for­ma­tion will not be mis­used.

The clauses re­lated to jour­nal­ist pro­tec­tion whereby the act does not ap­ply to "pro­cess­ing of per­sonal data ex­clu­sively for jour­nal­is­tic, lit­er­ary or artis­tic ma­te­rial", are a very wel­come step in the face of Pak­istan's dis­mal per­for­mance in press free­dom rank­ings be­cause of sev­eral at­tacks.

The draft law con­tains some wel­come steps to pro­tect per­sonal in­for­ma­tion.

Chap­ter two of the bill re­lates to the data con­troller re­spect­ing the con­sent of users, and mak­ing it manda­tory for com­pa­nies to no­tify cus­tomers re­gard­ing the pro­cess­ing of their per­sonal data. This is nec­es­sary es­pe­cially in the face of a plethora of text mes­sages be­ing sent to mo­bile phone users ow­ing to their per­sonal data in­clud­ing mo­bile phone num­bers be­ing shared by dif­fer­ent mar­ket­ing agen­cies with other com­pa­nies without the con­sent of or no­tice to con- sumers. With this law, con­sumers will have a le­gal re­course in case of such breaches, and the law will also serve as a deter­rent to com­pa­nies that vi­o­late data pri­vacy be­cause of there be­ing a penalty for mis­use of data and its shar­ing without con­sent or no­tice.

Se­cu­rity re­quire­ments for com­pa­nies that process data have also been over­due, con­sid­er­ing how many times the data of users has been breached. Sev­eral of the com­pa­nies did not even have se­cu­rity ar­range­ments in place to pro­tect the per­sonal data of their users. Mak­ing this manda­tory un­der clause eight of chap­ter two will re­sult in penal­ties for com­pa­nies that do not have suf­fi­cient se­cu­rity ar­range­ments for data pro­tec­tion, and hence of­fer greater trust to users. This is es­pe­cially im­por­tant in the face of data hacks - and also de­lib­er­ate data leaks by com­pa­nies. For in­stance, it is com­mon knowl­edge that data on mo­bile phone users can be ac­quired by any­one ei­ther with a con­tact in a tele­com com­pany or with the means to bribe some­one who works there. There need to be strict con­se­quences for em­ploy­ees of com­pa­nies in­volved in such shady prac­tices.

Fur­ther, some com­pa­nies pur­posely sell user data to other com­pa­nies for profit in or­der to tai­lor ad­ver­tise­ments to in­crease their con­sumer base. This is es­pe­cially of con­cern when it comes to for­eign com­pa­nies such as so­cial me­dia gi­ants Face­book and Google. Al­though af­ter the Cam­bridge An­a­lyt­ica leaks and in­tro­duc­tion by the Eu­ro­pean Union of the Gen­eral Data Pro­tec­tion Reg­u­la­tion ( GDPR), sev­eral mea­sures have been taken by tech­nol­ogy com­pa­nies to pro­tect the pri­vacy of users, there have been in­stances of hacks and pri­vacy vi­o­la­tions by the plat­forms.

The third chap­ter deals with rights of data sub­ject, mod­elled on the GDPR, whereby users have the right of ac­cess to per­sonal data, right to cor­rect per­sonal data, and the right to era­sure of per­sonal data; all fi­nally giv­ing users right­ful con­trol over their per­sonal data.

The def­i­ni­tion of 'sen­si­tive per­sonal data' is ex­pan­sive. The law de­scribes it to mean "per­sonal data re­veal­ing racial or eth­nic ori­gin, re­li­gious, philo­soph­i­cal or other be­liefs, po­lit­i­cal opin­ions, mem­ber­ship in po­lit­i­cal par­ties, trade unions, or­gan­i­sa­tions and asso­ciations with a re­li­gious, philo­soph­i­cal, po­lit­i­cal or trade union, or pro­vide in­for­ma­tion as to the health or sex­ual life of an in­di­vid­ual, or the com­mis­sion or al­leged com­mis­sion by him of any of­fence, or any pro­ceed­ings for any of­fence com­mit­ted or al­leged to have been com­mit­ted by him, or the dis­posal of such pro­ceed­ings or the sen­tence of any court in such pro­ceed­ings or fi­nan­cial, or pro­pri­etary con­fi­den­tial per­sonal data". This is also im­por­tant, and one hopes will pro­tect Ah­madi cit­i­zens in Pak­istan who have been asked to reg­is­ter in a sep­a­rate reg­istry based on their faith.

Th­ese are very wel­come steps, es­pe­cially in the face of cam­paigns against cit­i­zens deemed to be dis­si­dents or crit­ics whose per­sonal in­for­ma­tion is used against them by state and non-state ac­tors to vil­ify them in an at­tempt to si­lence them. We have seen such cam­paigns, rooted both in truth and fic­tion, on TV, so­cial me­dia and in print. One hopes that th­ese clauses will put an end to ad hominem cam­paigns against per­sons of in­ter­est by those who wish to si­lence chal­lengers of the sta­tus quo.

An­other con­cern re­gard­ing the draft data pro­tec­tion law is its con­flict with other laws. For in­stance, the clauses re­lated to data re­ten­tion un­der sec­tion 9 which re­quires data con­trollers to delete data not re­quired for longer than its pur­pose, po­ten­tially clash with data re­ten­tion clauses in the Pre­ven­tion of Elec­tronic Crimes, in which sec­tion 32 man­dates ser­vice providers to re­tain user data for a min­i­mum pe­riod of one year.

The two laws read in jux­ta­po­si­tion to each other when it comes to rights pro­tec­tion, and one hopes the ev­i­dently newer rights-based ap­proach will pre­vail in the new par­lia­ment which is more than over­due in set­ting up a stand­ing com­mit­tee for IT and tele­com in the Na­tional As­sem­bly.

What this law misses is clauses re­lat­ing to data pro­cess­ing by gov­ern­ment and state in­sti­tu­tions. Breaches of the Nadra data­base have been fre­quent in the past few years, and re­cently the Pun­jab IT board was also em­broiled in a data leak con­tro­versy. With bio­met­ric and per­sonal in­for­ma­tion avail­able, and linked to Sim cards and bank ac­counts, there is high risk of pri­vacy breach at an in­sti­tu­tional level, as well as by em­ploy­ees of the state. Fur­ther, there need to be reme­dies avail­able against state sur­veil­lance. With spy sys­tems such as FinFisher hav­ing been de­tected on Pak­istani servers, cit­i­zens need to have le­gal av­enues against un­due state sur­veil­lance.

Newspapers in English

Newspapers from Pakistan

© PressReader. All rights reserved.