Originally published in Dawn on March 6, 2021
KARACHI: The Sindh High Court on Friday directed the federal authorities to inform it about the progress of proposed legislation regarding personal data protection of citizens till April 20.
A two-judge bench headed by Justice Mohammad Ali Mazhar also expressed displeasure over the law and justice and information technology and telecom ministries for not filing comments on a petition seeking a probe into reports regarding data breach of 115 million mobile phone users from Pakistan and its sale on the darknet.
An assistant attorney general submitted that the draft Personal Data Protection Bill had been sent to the ministry of law and justice for vetting and requested more time.
The bench observed that it was a very serious and important issue and directed the secretaries of both the ministries to file a progress report about the proposed legislation on the next date.
Petitioner Tariq Mansoor contended that there was also no mechanism for protection of cross-border data transfer while such laws were in place in many other countries.
Earlier, the bench had also directed the Pakistan Telecommunication Authority (PTA) to take all necessary preventive steps to save the mobile users’ data, while a cybersecurity researcher of the PTA said an investigation was being conducted and the report was going to be concluded soon.
The ministry of interior, in its comments, had submitted that an inquiry board on the purported data leakage said in its report that the report of M/s Rewterz, a specialised cybersecurity services firm in Pakistan, itself confirmed that the data shared was related to Pakistan mobile users and not to the National Database and Registration Authority (Nadra), while a detailed forensic analysis through various tests also reconfirmed that there was no data leakage on the part of Nadra.
The petitioner had submitted that there were reports of Rewterz about personal data breach of 115m Pakistani mobile phone users allegedly by telecom service providers and the same was being shown on the darknet by some cybercriminals, who were demanding 300 BTC [bitcoins] for the sale of the data.
He further argued that the data, including full names, complete addresses and CNICs of cellular users, was reportedly put up for online sale, and that this was very alarming and affected the privacy of citizens.