Data protection is one of the most concerning issues pertaining to the navigation of digital spaces in modern times. In the light of countless and constant data breaches, governments around the world have started to prioritise protection of the unlimited data that is being collected every second by public and private entities. Currently, over 80 countries have laws in place that specifically ensure user privacy and protection of their digital information, but Pakistan is not one of them.
Pakistani citizens’ identification data collected and stored by NADRA was once the world’s largest biometric database, a position now taken over by India’s Aadhaar since its launch in 2016. However, despite storing a large amount of sensitive information on over 200 million individuals, the NADRA database has been breached and leaked multiple times, and while one would expect that amends would be made and individuals and authorities would be held accountable, there was no recourse.
This lack of accountability isn’t restricted to breaches of government-owned databases. There have been countless instances where data collected and stored by private institutions was leaked and the legal remedies to protect individuals at risk were unavailable.
Incidents like images captured by Punjab Safe Cities cameras under the guise of protection surfacing on the internet, the data leak of 14 million consumers of ride-hailing app Careem in April 2018, CCTV footage leak from a Lahore-based cinema in August 2019, and countless such events all point towards the need for strong and comprehensive data protection legislation that prioritises citizens’ privacy and safety above all interests in the digital spaces.
While there is no protection for citizens of Pakistan against these data vulnerabilities, various laws infringe their fundamental right to privacy enshrined and protected under Article 14 of the Constitution of Pakistan.
From today, we will be looking at laws that protect citizens’ privacy and assess their implementation. Follow this space, and watch out for our video series on this issue, titled “Privacy-in-Law: Legal framework of digital privacy laws in Pakistan.”
NADRA Ordinance, 2000:
The ordinance was passed to set up and ensure safeguards for “a new, improved and modernised registration and database system” that is currently being operated by NADRA. Under section 5: Purpose, objects, functions and powers of the Authority, sub-section (4)(d) of the ordinance, the authority – NADRA – is directed to “ensure and provide by regulations for the due security, secrecy and necessary safeguards for protection and confidentiality of data and information contained in the registration and database systems”.
This means that under this order, NADRA is obligated to frame data security regulations for the data that they collect and store on citizens. However, this database has been compromised multiple times, and there has been no accountability. The data of citizens continues to be vulnerable to multiple risks that further put their safety in peril.
Watch a short video on this topic, further explaining why the national database needs stricter data protection laws:
Investigation For Fair Trial Act, 2013
This act was passed with the intention to regulate law enforcement and intelligence agencies’ power to investigate criminal cases. This act is particularly interesting in the context of data protection as it empowers law enforcement agencies to violate citizens’ right to privacy in the ambit of investigation on the basis of suspicion. Section 9: Judge to issue warrant in Chambers, permits secret warrants to be issued for the purpose of surveillance and interception.
Pakistan Telecommunication (Re-Organisation) Act, 1996
This act was passed to establish, among others, the Pakistan Telecommunications Authority (PTA), and outlined the guidelines for its responsibilities. While the act is mostly about the duties of the authorities founded as per the order, section 54: National Security – subsection (1) empowers the Federal Government to authorise interception and tracing of calls and messages through any telecommunication system.
Watch the short explainer on these laws here:
Prevention of Electronic Crimes Act 2016 (PECA)
This act was passed to counter constantly increasing crimes originating from digital spaces. However, soon after the passage of the act in August 2016, it became a tool to stifle many civil liberties of citizens. The law, although it remains one of the most challenged acts pertaining to online spaces, continues to target users on the internet in various ways.
- In the context of data protection, the PECA orders the service providers to retain traffic data for up to one year under Section 32: Retention of Traffic Data of the act. As the act doesn’t specify data protection protocols under which collected information will be stored, it puts citizens’ data at risk of being breached.
- Section 39: Real-Time Collection and Recording of Data allows the authorised investigations agency or officer to collect and record data in real-time.
- Section 41: Confidentiality of information criminalises the unauthorised access and further dissemination of information by service providers and authorised persons without the consent of the person that information relates to, with the intent to cause harm to them.
Here is a short video, discussing PECA 2016 and its implementations since it was put into effect 3 years ago:
Data protection legislation:
The Personal Data Protection Bill was proposed by the Ministry of Information Technology and Telecommunication (MoITT) in 2018 and opened for public consultation. But since then, the process hasn’t moved forward. Owing to the need for legislation that unconditionally protects citizens’ data collected and stored in any information system, and in the light of constant data breaches, the urgency to pass the bill into an act is now greater than ever.
However, while the efforts of the ministry to consult the public are commendable, there are some significant reservations with how the bill has been drafted. Among others, the bill only talks about the data held by private entities while implying immunity for government-owned data, like the NADRA biometric database or Safe Cities data, which is as vulnerable to breach, leak and theft as the data controlled and stored by private institutions.
Moreover, the bill in its current form fails to hold private companies accountable for the risks they can pose or are posing to citizens’ safety. The act should address the issue of third-party data breaches, like breaches through or inside international corporations like Facebook, etc. These companies hold an extensive amount of sensitive information on their users, which has historically been misused not only in harming individuals’ safety but also in disrupting democratic processes. Given the sensitivity of these data sets, the Personal Data Protection Legislation should be mindful of instances in which they can be manipulated, and propose a mechanism of legal recourse for Pakistanis.
In the light of these laws and regulations, it’s evident that while there are some laws that are intended to protect people’s right to privacy, which is protected under Article 14 of the Constitution of Pakistan, there are more laws that stifle this right and put their safety and their data’s protection at risk. For a data protection legislation to actually do what it intends to do, i.e. to protect people’s data, we assume a set of key principles on the basis of which we are evaluating the proposed data protection bill. These principles are:
- Limitation of collection and purpose: A good data protection legislation should specify that data will be collected for specified and legitimate purposes.
- Use limitation: A good data protection legislation should further ensure that the data collected for whatever purpose is not used beyond the scope of those purposes.
- Security and confidentiality: A good data protection legislation should outline the necessary steps to be taken to ensure the security and confidentiality of the information that is being collected.
- Data minimization: A good data protection legislation should ensure that the services collecting data only collect the data they need in order to offer the service to the user.
- Openness: A good data protection legislation should ensure that transparency is exercised at every step of the way during the collection, processing and use of the data of consumers/users.
- Accountability: A good data protection legislation should ensure there is accountability for data collectors and processors in the event of any noncompliance or breach of user privacy.
Watch a video for a quick understanding of the Personal Data Protection Bill, 2018 and where it falls short of being a comprehensive data protection legislation.