Originally published in Dawn on October 24, 2021
ISLAMABAD: The Asia Internet Coalition (AIC) has termed the draft Pakistan personal data protection bill 2021 vague in many respect and made suggestions to make it of world standards.
In a letter to minister for IT and telecom Syed Aminul Haq, the Asia Internet Coalition submitted recommendations to improve the draft Pakistan Personal Data Protection Bill 2021.
“We are concerned that the Draft Bill’s extraterritorial application is based on provisions that are too wide and vague, which would even bring within scope foreign companies that neither operate in Pakistan nor process data collected in Pakistan,” the letter written by Jeff Paine, AIC Managing Director said.
“We continue to have concerns, particularly on cross-border transfer of “critical” and “sensitive” personal data,” Mr Paine said.
At the same time AIC has suggested that properly constituted data protection legislation has the potential to provide reliable standards for businesses and consumers and ensure the secure and responsible handling of personal data.
The AIC has said that as Pakistan’s digital economy continues to grow, it was important that the country’s privacy laws take into consideration three key goals including the value of data protection in enabling a dynamic digital economy that protects consumers and facilitates Pakistani enterprise.
The other two suggestions are the need to promote data-driven innovation in Pakistan and consistency with global standards for data protection.
The AIC has also said that the mandatory data localisation requirements may be removed from the draft bill.
It said that the draft bill includes an extremely broad data localisation requirement that will impose significant burdens on all businesses operating in Pakistan.
“We note with concern that the categories of “critical personal data” and “some sensitive data” remain broad, which makes it difficult for companies to plan their business,” the AIC said.
It added that data localisation will result in increased data storage costs which will eventually be passed on to Pakistani consumers.
The AIC has also pointed out that the requirement in the draft to obtain consent from users for each separate purpose of data processing will result in a flood of consent notices to users.
“This will neither increase transparency nor result in better data protection outcomes, instead, it will create ‘consent fatigue’ among users and also overburden companies with a bureaucratic requirement that will disrupt the smooth functioning of Pakistan’s digital economy,’ the AIC has said.
The AIC has also said that the draft bill’s monetary fines and criminal liability were excessive and will deter companies from doing business in Pakistan.
The AIC has also asked for the clarity on the requirements regarding the obligations pertaining to the appointment and functioning of data protection officers, as pointed out in the bill.
It has also been added that the uncertainty surrounding over the powers of the Data Protection Commission (Commission) should be removed, and recommended to remove the commission’s powers to register and license data controllers, which would be a resource-intensive and time-consuming exercise without much gains.
Established in 2010 the AIC was an industry association that promotes the understanding and resolution of internet policy issues in the Asia Pacific region, its members are Amazon, AirBnb, Apple, Booking.com, Expedia Group, Facebook, Grab, Google, LinkedIn, LINE, Rakuten, Twitter and Yahoo.