Illustration by Aniqa Haider
The Right to Privacy and the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules, 2020
Back in 2006, Professor Lawrence Lessig of Harvard Law School, in his book Code and Other Laws of Cyberspace Version 2.0, wrote about how businesses and advertisers can “aggregate endless amounts of data and information about us”. This was before social media and smartphones had pervaded contemporary life as they have in the 2020s. Now, the situation is even more alarming than the surveillance state envisaged by George Orwell in 1984. Lessig writes:
“…it is interesting to note just how inefficient, relative to the current range of technologies, Orwell’s technologies were. The central device was a “telescreen” that both broadcasted content and monitored behavior on the other side. But the great virtue of the telescreen was that you knew what it, in principle, could see. Winston knew where to hide, because the perspective of the telescreen was transparent. It was easy to know what it couldn’t see, and hence easy to know where to do the stuff you didn’t want it to see.
That’s not the world we live in today. You can’t know whether your search on the Internet is being monitored. You don’t know whether a camera is trying to identify who you are. Your telephone doesn’t make funny clicks as the NSA listens in. Your email doesn’t report when some bot has searched it. The technologies of today have none of the integrity of the technologies of 1984. None are decent enough to let you know when your life is being recorded.”
Rather than attempting to counter the clear infringement of the right to privacy by social media through introducing a personal data protection law in accordance with Article 14 of the Constitution of Pakistan, 1973 which guarantees the rights to dignity and privacy, the Government of Pakistan is moving in a direction to co-opt the data available to social media companies, in what seems to be an aspiration to become a surveillance state of sorts. This is clear from the recent promulgation of the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules, 2020, or the Rules, in November 2020.
The Rules were made under the power granted by Parliament to the Pakistan Telecommunication Authority (PTA) and the Federal Government under section 37: Unlawful Online Content of the Prevention of Electronic Crimes Act, 2016 (PECA). Section 37 of PECA empowered PTA to, with the approval of the Federal Government, promulgate rules “for removal of blocking of access to an information system if it considers it necessary in the interest of the glory of Islam or the integrity, security or defence of Pakistan or any part thereof, public order, decency or morality, or in relation to contempt of court or commission of or incitement to an offence…”
The Rules have interesting legislative history, to say the least. A draft of the Rules was shared by PTA on its website in February 2020, but the same were not notified by the Federal Government. The most important change that was made between the February draft and the final version of the Rules was that a position of “National Coordinator” was omitted. The Rules as we have them now present a number of concerns relating to the fundamental rights of the people of Pakistan, particularly the rights to freedom of expression and privacy. It is imperative to consider the privacy concerns and how effective such concerns may be in presenting a legal challenge to the Rules before the High Courts of Pakistan which are empowered under Article 199 of the Constitution to strike down subordinate legislation such as the Rules if they are found to be unconstitutional or outside the scope of their parent legislation i.e. PECA.
Recent developments in the doctrine on the right to privacy in Pakistan
The right to privacy has recently received great attention in the dissenting note of Justice Syed Mansoor Ali Shah of the Supreme Court of Pakistan in Justice Qazi Faez Isa v. The President of Pakistan and others and the judgement of Justice Tariq Saleem Sheikh of the Lahore High Court in Ghulam Mustafa v. Judge Family Court and another. The former case has received copious media attention because it involved the legality of a reference instituted against a Supreme Court Judge. However, the judgement in Ghulam Mustafa’s case has expounded privacy rights doctrine in a manner previously unseen in Pakistani jurisprudence, and must now be taken into account in any discussion on the right to privacy in Pakistan.
In Ghulam Mustafa’s case, a wife had instituted khula proceedings against her husband before a Family Court. The husband in response made an unorthodox argument before the Family Court, that his wife lacked feminine characteristics and that his wife was in fact transgender, therefore, the marriage was void from its inception. To this end, he moved an application that the Family Court compel his wife to undergo a medical examination to prove that she was a woman. The Family Court rejected the application, against which the husband filed a writ petition before the Lahore High Court (LHC). In his judgement, Justice Tariq Saleem Sheikh proceeded to discuss the right to privacy at great length. It is particularly relevant to note when assessing a possible legal challenge to the Rules that the judgement cites with approval the Global Internet Campaign on the facets to the right to privacy:
- Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information and medical records;
- Bodily privacy, which concerns the protection of people’s physical selves against invasive procedures such as drug testing and cavity searches;
- Privacy of communications, which covers the security and privacy of mail, telephones, email and other forms of communication; and
- Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space.
Justice Tariq Saleem Sheikh goes on to cite the a very relevant portion of the dissenting note of Justice Mansoor Ali Shah in Justice Isa’s case:
“Recognising and protecting the zone of privacy is the freedom and liberty our Constitution holds dear. Privacy attaches to the person and not to the place where it is associated. Home under Article 14 of the Constitution is not only the physical house but the entire treasure of personal life of a human being. The intrusion by the State into the sanctum of personal space, other than for a larger public purpose, is violative of the constitutional guarantees. Right to privacy is deeply intertwined with the right to life, right to personal liberty and right to dignity. ‘Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.’ This is a cherished constitutional value, and it is important that human beings be allowed domains of freedom that are free of public scrutiny and protected against ‘unwanted gaze,’ unless they act in an unlawful manner.“
The discussion above shows that the oft-ignored right to privacy, particularly in the digital realm, has been the subject of much greater judicial notice over the past year. It is particularly pertinent to note that both the judgement in Ghulam Mustafa’s case and the dissenting note in Justice Isa’s case make frequent references to the works of the Global Internet Campaign, Edward Snowden, Lawrence Lessig, and the like, which shows that the judiciary has begun to take serious note of concerns relating to privacy and digital rights. It is in the backdrop of these considerations that the Rules shall be analysed.
The Rules – aspiring towards surveillance
The very existence of the Rules as taken from section 37 of PECA raises concerns relating to the rights to freedom of expression and privacy. Through section 37, the Government has set out to enable itself to block access to content it deems unlawful on a wide range of grounds. Not only does this restrict the right to freedom of expression, but it will lead to the government gaining access to any information that is in the hands of any Service Provider or Social Media Company, as laid out in the Rules. PECA defines the term “Service Provider” widely as a person or entity who provides services in sending, receiving, storing, or processing information; owns, possesses, operates, manages a telecommunication network; or possesses or stores data on behalf of a telecommunication service. Whereas, the term ‘Social Media Company’ is defined as “any person that owns or manages Online Systems for provision of Social Media”, and the Rules have specified that they apply to Facebook, Google+, Youtube, Dailymotion, Instagram, Snapchat, LinkedIn, Reddit, and TikTok and any other such application or service.
Interestingly, Whatsapp, which is the world’s third most-used social media platform and is also very popular in Pakistan, is not included by name, but it would seem that Whatsapp would definitely fall within the definition of a service provider or a social media company. The most concerning provision of the Rules with respect to the right to privacy is Rule 9(7) which obligates social media companies and service providers to provide user data “in decrypted, readable and comprehensible format or plain version in accordance with the provision of the Act”.
The major implication of Rule 9(7) is that now, service providers and social media companies such as Facebook, WhatsApp, Instagram, and the like are obliged to share any data and information they hold, including messages containing private conversations, search histories, and any other encrypted user data with the Federal Investigation Agency (FIA), which is the investigation agency notified under section 29, PECA. This is particularly worrying with respect to messaging applications such as WhatsApp, Signal, and Telegram, which claim to be end-to-end encrypted, and to themselves be unable to read or listen to conversations taking place on their applications. Rule 9(7) seems to be expressly attempting to override this privacy safeguard built in the applications as their core feature by making it legally mandatory for them to provide user data or information to the FIA.
In addition to messages regarding private conversations, the FIA will also be empowered to obtain any data pertaining to e-commerce. In this context, it is pertinent to note the growth of e-commerce in Pakistan, particularly during the COVID-19/Coronavirus pandemic. Daraz.pk, which is one of the largest e-commerce sites active in Pakistan, estimates that there has been a nearly 70% increase in e-commerce since the pandemic struck in March 2020, particularly with respect to fast moving consumer goods. Therefore, the Rules would not only affect the privacy of the growing e-commerce industry in Pakistan, it would also affect the ease of doing business and make foreign players in the sector quite wary of coming to Pakistan, especially global e-commerce giants such as Amazon and PayPal which have still not entered the Pakistani market due to the unfavourable regulatory environment.
The FIA will be further empowered to compel social media giants to release their data because Rule 9(5) has made it mandatory for Service Providers or Social Media Companies with more than half a million users to establish offices, and, subject to a data protection law, establish data servers in Pakistan, thereby becoming amenable to the territorial jurisdiction of FIA. It is important to note that despite numerous drafts of Personal Data Protection Bills since 2015, which carry their own share of constitutional and legal issues, Pakistan has yet to promulgate a data protection law.
This means that the data of Pakistani users that is currently still outside the reach of the government will easily be accessible and hence controlled if and when the servers are localised within Pakistan. The implications of whether or not or how big service providers and social media companies will actually submit to the requirements of Rule 9(5) are outside of the scope of this Article, but the Rules make it clear that the Federal Government is aspiring to increase data collection and surveillance of the people of Pakistan under the garb of protecting it.
Will the Rules survive?
The Rules are currently under challenge before the Islamabad and Lahore High Courts. It is submitted that the Rules or certain provisions thereof could be struck down by the High Courts for a number of reasons. Rule 9(5), which requires that large Social Media Companies establish offices in Pakistan, is outside the scope of anything written in PECA, and could also be deemed to amount to excessive delegation of legislative power to the executive, which are both distinct grounds for judicial review of the Rules. In addition to this, a number of provisions of the Rules provide for infringement of the rights to freedom of speech and expression, as well as trade, business and profession with respect to burdens placed on people engaging in e-commerce as well as Youtubers, TikTokers and the like.
However, it will be favourable for the jurisprudence on digital rights in Pakistan if the Courts also take cognizance of the clear breaches of the right to privacy contained in the Rules. The recent trend of the Pakistani judiciary to adjudicate on privacy rights, and take into account case law and jurisprudence of a number of jurisdictions as seen in Ghulam Mustafa’s case and Justice Isa’s case is promising in this regard. Certainly, Rule 9(7) would seem to infringe the rights to privacy of information and communications as delineated by the Global Internet Campaign and cited with approval in Ghulam Mustafa’s case. The judgement in Ghulam Mustafa’s case extensively cited the judgement of the Indian Supreme Court in K.S. Puttaswamy v. Union of India which also greatly stressed the concepts of communicational and informational privacy despite the fact that there is no explicit right to privacy guaranteed in the Indian Constitution unlike the Pakistani Constitution.
Citing another Indian Supreme Court judgement in Gobind v. State of Madhya Pradesh, Justice Tariq Saleem Sheikh held that the right to privacy is not absolute and may be subject to a compelling public interest. Rule 9(7) does not reveal any such compelling public interest. It simply and baldly states that a Service Provider or Social Media Company shall provide any information to the FIA, that too in a decrypted and readable format, thereby violating privacy rights at the hands of not only the FIA but before that, the Service Providers and Social Media Companies.
In light of the recent interest taken by the judiciary in the right to privacy and digital rights, it may be argued that Rule 9(7) is bad for failing to state a compelling public interest against which it is clearly violating the right to privacy under Article 14 of the Constitution. Further, even if the Rules were to be amended to include what in the estimation of the Federal Government amounts to a compelling public interest such as security or for certain criminal investigations, such an amendment would still be subject to judicial review as to whether the supposed compelling interest amounts to a reasonable restriction on the right to privacy.
Social media giants such as Facebook, WhatsApp, Instagram, etc. have already aggregated endless amounts of information about us. It would be more appropriate for the Federal Government to concentrate on promulgating a data protection law to ensure that the data and information of people is protected from huge foreign corporations and advertisers, and from any breach, misuse or abuse.
However, it seems that the Federal Government, rather than attempting to protect the privacy of its citizens, is aiming to control the data in the hands of the social media companies to achieve its aspiration of greater surveillance. Fortunately, there is a recent trend of the superior judiciary in developing jurisprudence on the right to privacy. This developing doctrine on digital and privacy rights will hopefully result in the Rules being improved through litigation and judicial review.