September 23, 2021 — In response to the call for feedback on the Personal Data Protection Bill (PDPB) 2021, civil society organisations have submitted a response to the Ministry of Information Technology and Telecommunications (MoITT) on September 16. The feedback from civil society outlines the gaps in the law and suggests recommendations to make the law more comprehensive and rights respecting.
The advocacy on the current version of the bill has been ongoing since 2018 when the first draft was introduced. The latest draft addresses some of the concerns raised by the stakeholders in the previous rounds of feedback, however, some major concerns remain part of the proposed law. For example, the longstanding concern of centralisation of power through a new authority, now referred to as National Commission for Personal Data Protection (Commission) in the draft, continues to exist. Whereas, the federal government has been granted blanket powers over the appointment and operations of this commission, raising concerns of its autonomy and transparency.
Sadaf Khan, co-founder of Media Matters for Democracy, says, “We appreciate the multi stakeholder feedback process that the ministry has adopted for the passage of the data protection bill, however, we remain concerned about the implications of some of the major sections of the bill once the law is implemented. It will not just continue to keep citizens’ data unsafe on the internet, but will give open access to the authorities to infringe on citizens’ right to privacy and freedom of expression.” She says that online data and activities of citizens have been used multiple times against them to curtail their fundamental rights on the internet. “If passed with the concerns of stakeholders unanswered, the impact on civil liberties in the country will be drastic.”
Zainab Durrani, Project Manager at Digital Rights Foundation (DRF) agrees, and says, “The powers given to the Federal Government through sections 51 and 37, the focus on critical personal data to be processed within Pakistan (which is data localisation by another name) and the compromised position of the National Commission for Personal Data Protection by keeping their administrative control under the Federal Government all point to the gaping flaws in the Bill that will ultimately allow for it to be a bane rather than a boon, for the rights of Pakistani citizens and their personal data.”
Pakistan has seen an unprecedented increase in data breaches and hacks in the past couple of years. With NADRA’s database being targeted with unauthorised access multiple times leading to citizens’ sensitive data being published on the internet for anyone to access, and corporations enjoying complete impunity when data breaches happen putting information of Pakistanis at risk, these instances and many more have gone unanswered and data controllers have faced no accountability. Recently, the Federal Board of Revenue (FBR) experienced a large-scale database hack of its servers, risking the security of millions of people and businesses and billions of rupees of financial information. While FBR was alarmed of the potential attempt of cyber attack days before the hack happened, the agency did not take adequate measures to protect its servers, and subsequently citizens’ data.
Sadaf Khan says, “The recent incidents of digital attacks putting sensitive and personal information of citizens stored on various servers at risk of being abused, it is absolutely crucial to formulate a law that is comprehensive and protects the citizens’ data rather than aims at taking control of their digital information. The current draft of the bill suggests the latter and we hope that the government will take the feedback and suggestions of civil society and other stakeholders constructively and work towards drafting and passing a law that prioritises citizens’ interests.”