Data privacy and protection in Pakistan

Sahar Iqbal

Akhund Forbes, Karachi

Introduction

The dynamic adoption of technology has made the transfer and storage of private and personal data convenient, as the majority of transactions are now generated electronically. The exchange of data through such means has globally pushed for regulation of the collection, handling and processing of personal data and information in order to ensure its privacy and protection.

Article 14 of the Constitution of Pakistan holds the privacy of a person as a fundamental right, with any infringement of such right being considered an outright violation of the Constitution. Article 14 reads as ‘dignity of man, and subject to law, the privacy of home, shall be inviolable’.[1]

However, the regulatory regime surrounding data privacy and protection in Pakistan has been torpid, with no specific statute in place to regulate the processing and transmitting of personal data. The relevant laws are, instead, scattered throughout various statutes, rules and regulations.

Current regulations governing data protection

The current laws related to data protection can be found in fragments under different legislations, including certain provisions of the:

• Prevention of Electronic Crimes Act 2016 (PECA);
• Customs Act 1969;
• Electronic Transactions Ordinance 2002 (ETO);
• Pakistan Telecommunications Re-organisation Act 1996 (PTA Act);
• the Pakistan Telecommunication Authority’s (PTA) Protection from SPAM;
• Unsolicited Fraudulent and Obnoxious Communication Regulations 2009;
• and in a number of State Bank of Pakistan’s (the SBP) circulars.

The PECA serves as the current primary legislation on data protection and contains provisions pertaining to unauthorised access to personal data and confidentiality of information. Section 38 of the PECA stipulates that if any person, including a service provider, having access to any personal or sensitive data of another person, except when required by law, transfers such data or information without the consent of the person concerned, they shall be punished with imprisonment which may extend to three years or a fine which may extend to PKR 1m, or both. The Federal Investigative Agency (FIA) has been appointed by the Pakistani government to investigate any complaints pertaining to any offences under PECA.[2]

The Ministry of Information and Technology, under Section 37 of PECA, has enacted the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules 2021, which empower the PTA to block or remove any content of unlawful nature under PECA.[3]

The ETO primarily provides for the legal recognition of electronic records and transactions and the validity of digital signatures. The ETO also provides for the prohibition of unauthorised access to data; however, these provisions were omitted after the promulgation of PECA.[4]

In addition to the above, the PTA lays down certain provisions prohibiting unauthorised transmission, through a telecommunication system or a telecommunication service, of any intelligence known to be false, fabricated and obscene.[5]

The Ministry of IT and Telecom of the Federal Government of Pakistan has also issued Pakistan’s first 'Cloud Policy'.[6] If and when the Cloud Policy is implemented by the federal and provincial governments, cloud service providers will be required to comply with confidentiality obligations contained therein.

The Mental Health Ordinance 2001[7] provides for the confidentiality of the information of patients with mental health disorders and restricts publicising or disclosing their identity to the public by any means unless a person chooses to publicise their own condition. This law is addressed to mental health facilities providing care and treatment for mental health patients.

Under the Child Protection Laws, any report made by a Child Protection Officer is confidential.

Personal Data Protection Bill 2021

The Personal Data Protection Bill 2021 (‘PDP Bill’) was put before the Parliament in 2021 and is still in consultation stages and yet to be promulgated into official legislation by the Parliament. The PDP Bill governs the processing, obtaining, holding, use and disclosure of personal data while respecting the rights, freedoms and dignity of natural persons, with special regard to their right to privacy, secrecy and personal identity.

The PDP Bill defines a natural person whose personal data is used or processed in any manner as a ‘data subject’, while ‘personal data’ means any information directly or indirectly connected to the data subject, including any sensitive data. In addition, any natural person, company or government who has the authority to collect personal data of a natural person is described as a ‘data controller’ and whoever processes the data on behalf of the data controller is defined as the ‘data processor’.

The PDP Bill provides protection and rights to the data subject and confers certain obligations on the data controller.

The collection, transfer and processing of personal data without consent is prohibited under the PDP Bill. It further provides the data subject with the right to withdraw consent, right to erasure and right to prevent processing in the event that it might cause damage or distress.

Personal data and its variations have been defined under the Bill in the following manner:

1. ‘Critical personal data’ means and includes data relating to public service providers, unregulated e-commerce transactions and any data related to international obligations.
2. ‘Personal data’ means any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller and/or data processor, including any sensitive personal data.
3. ‘Sensitive personal data’ means and includes data relating to access control (username and/or password), financial information such as bank account, credit card, debit card, or other payment instruments, computerised national identity card, passports, biometric data, and physical, behavioural, psychological, and mental health conditions, medical records, and any detail pertaining to an individual’s ethnicity, religious beliefs, political affiliation, physical identifiable location, travelling details, pictorial or graphical still and motion forms, IP address and online identifier.

The processing of personal data is only permitted for any lawful purpose and can be used only in a form that is sufficient or adequate, not in excess.

In addition, the data controller is obligated to ensure all reasonable steps are taken to prevent any damage caused to the data and that it is permanently deleted in case no longer required for the purpose it was obtained.

The PDP Bill mandates that the National Commission for Personal Data Protection (the ‘Commission’) be established by the Federal Government within six months of the PDP Bill’s entry into force. The Commission is tasked with safeguarding the interests of the data subject, upholding the protection of personal data, preventing its misuse, raising awareness of data protection, and handling complaints. The Commission is also tasked with creating a framework for compliance, to which the data controller and data processor must adhere.

The PDP Bill also contains provisions governing the cross-border transfer of personal data. Transferring data beyond the territories of Pakistan or to systems not under the direct control of the Government of Pakistan shall be permitted if the jurisdiction where the data is being transferred to offers a personal data protection legal regime at least equivalent to the protection provided under the PDP Bill, and the data so transferred shall be processed in accordance with the PDP Bill. Critical personal data shall only be transferred in a server or data centre located in Pakistan. The PFP Bill further provides that the Commission may formulate a framework and conditions for the transfer of personal data (other than sensitive personal data) outside Pakistan. The Commission shall also devise a mechanism for keeping in Pakistan some components of sensitive personal data to which the PDP Bill applies, provided that related to public order or national security.

Under the terms of the PDP Bill, appeals from the Commission’s decisions may be made to a High Court or, in the manner specified by a High Court, to any other tribunal formed by the federal government for said purpose.[8]

Conclusion

The development of data protection and data privacy regulations has been sluggish in Pakistan. Despite the existence of several regulations aimed at protecting personal data, there has always remained an uncertainty since there is no separate comprehensive law solely governing the storage and transfer of data.

However, the introduction of the PDP Bill is an important milestone, as there was a genuine requirement for a comprehensive and independent data privacy and protection law in Pakistan, providing a clear direction for the legal framework aimed at regulating data protection and providing rights preventing the misuse of people’s data in the data processing and storage process.

Once the PDP Bill becomes law, it will be the primary legislation governing data privacy and protection and, as a result, will provide a greater sense of security in business transactions, playing a key part in promoting cross-border transactions, especially in the field of e‑commerce.