It is worrisome to see Pakistan entering the digital age, with a growing share of work being done online, from banking, marketing and management to technology outsourcing, without comprehensive legislation to address data protection and privacy.
In the absence of such laws, some companies are monetizing customer data without due consideration for the sensitivity of their customers' personal, sensitive and traffic data, knowing full well that protecting it is part of the ethical business practice that builds a bond of trust with customers.
There therefore have to be ground rules for the collection, storage and use of customer data, including its monetization, by technology, telecom, OTT and internet companies. A lack of data protection controls can be catastrophic for a company's reputation, goodwill and business relationships.
It is therefore imperative for the government to promulgate a Customer Data Protection law at the earliest, so that all companies and their customers in Pakistan know their rights and obligations regarding customer data protection and the boundaries within which customer data may be monetized.
In this article we recommend what should be included in a Customer Data Protection law.
For the purpose of this article, we reviewed the customer data protection laws of the countries where the parent groups of Pakistan's existing telecom companies operate.
The European Union has very comprehensive data protection laws, followed by China and the UAE respectively. A brief description of the existing laws, with Pakistan shown alongside for comparison, is given below:

| | EU | UAE | China | Pakistan |
|---|---|---|---|---|
| Legal source | The main legal source of data protection in the EU is the Data Protection Act, which protects personal data from processing and use by the public authorities of the member states and by private bodies. | Data Protection Regulations ("DPR"). | There is currently no comprehensive data protection law in the People's Republic of China; rules on personal data protection are spread across various laws and regulations. | There is no comprehensive legislation regulating customer data protection in Pakistan. |
| Definition of personal data | Any information relating to individuals who can be identified, even indirectly. | Any data referring to an identifiable natural person. | Any electronic information which can enable identification of a citizen's individual identity. | |
| Definition of sensitive personal data | Personal data allowing the disclosure of racial or ethnic origin; religious, philosophical or other beliefs; political opinions; membership of parties, trade unions, or associations or organisations of a religious, philosophical, political or trade-unionist character; as well as personal data disclosing health and sex life. | Personal data revealing racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership, and health or sex life. | Personal information whose leakage, illegal provision or abuse may harm personal or property safety, personal reputation or physical or mental health, or result in discrimination against the data subject; this may also include bank account and transaction information. | |
| National data protection authority | | | | |
| Data protection officers | Yes | No | No | No |
| Collection and processing | Consent required | Consent required | Clear consent | No restriction |
| Transfer of data | Personal data may be transferred freely among EU member states; personal or sensitive data may be transferred to countries outside the EU with the customer's written consent; transfer outside the EU is also permitted under a few other conditions. | Personal data may be transferred out of the UAE if the recipient is in a jurisdiction whose laws ensure an adequate level of protection for that data; in the absence of adequate protection, the data subject's consent is required. | Consent is required for transfer of data within China; personal information of Chinese citizens and "important data" collected by operators must be kept within China's borders. | Transfer of data to third parties is not allowed; trans-border transfer of customer data is not allowed. |
| Data breach notification | The Data Protection Authority and the subscriber must be notified without undue delay. | The CDP Authority must be informed of the incident as soon as reasonably practicable. | | |
| Electronic marketing | Allowed only with the prior informed consent (opt-in) of the recipient of the communication. | The subscriber must be clearly informed about electronic marketing. | Explicit consent from the customer to receive such messages is required. | |
| Traffic data | Traffic data may be retained for no longer than 6 months, for billing and interconnection payment purposes; location data may be processed only if anonymised or with the subscriber's prior consent. | The law contains no specific provisions on traffic data, but its broad provisions are likely to apply; UAE criminal law and the privacy principles laid out in it may also apply. | The law contains no specific provisions on traffic data, but its broad provisions are likely to apply. | Law enforcement agencies can obtain traffic data; the retention period is one year. |
Why CDP is Important for Customers and Telcos
There are multiple arguments as to why CDP is a burning issue for companies, specifically for telecom companies and citizens.
- For telecom operators, data privacy and security is not merely a risk management issue but a potential source of competitive advantage that can be a central component of brand building and corporate reputation.
Therefore the cost incurred on customer data protection may be considered an investment in the company's reputation, goodwill and business relationships.
- Telecom companies have access to the broadest and most sensitive customer information: current physical location, most-called numbers, visited websites, sent and received messages (written or voice), social network contacts, the frequency and type of device changes, passwords entered on websites via the mobile device and access codes to company VPNs and servers (where the traffic is not end-to-end encrypted), colleagues' phone numbers and contacts, files stored in device memory, read and unread messages, and cookies.
In the event of a data breach, the following criminal acts become possible:
- Blackmail based on personal relationships, behaviour, belongings or beliefs
- Web theft of confidential information
- Leakage of company secrets
- Direct calls to colleagues' phones with recruitment offers
- Tracking employees' behaviour at and outside work
- Customers' concerns about their own privacy and the handling of their personal data are growing, as shown by the largest-ever survey conducted by Eurobarometer and by recent news of customer data leakage at Facebook and Google. Below is the list of data which customers themselves consider to be personal data:
- A "battlefield" of conflicting interests between governments, consumers and companies:

| Government's interests | Telecom operators' interests | Consumers' interests |
|---|---|---|
| Ensure citizens' privacy | Access own clients' personal data for marketing activities; sale of lists to third parties | Defend the right to privacy |
| Protect the public interest, security and criminal prosecution | Purchase clients' data from third parties for marketing activities | Control the usage of their personal data |
| Set standardized regulatory frameworks | Ensure cost-efficient system compliance | Be contacted only for very relevant issues and offers |
| | | Protect their own sensitive data |
- The growth of cloud and web-based technology applications continuously opens up new scenarios and issues:
  - Large data volumes are moved to third-party servers in the cloud.
  - Lack of control over how, where and by whom data is processed in the cloud, and over which laws apply and who is responsible for data in the cloud.
  - Users' online behaviour is tracked for various purposes, e.g. targeted advertising.
  - Mobile phone and internet users can be located through various technologies, e.g. BTS data, GPS, or manual lookup on the internet.
  - Passwords used online can be stored, and therefore exposed.
Proposed Framework of Customer Data Protection in Pakistan
To take Pakistan safely into the digital era, the first step has to be providing personal data protection and privacy to customers.
In view of this, the framework for Customer Data Protection below is recommended for the consideration of the PTA, the MoIT, the GoP and, above all, the citizens of Pakistan.
1. Scope and Objectives
2. Classification of data and definitions
3. Data Enrichment and Profiling
   - Clear policy on data enrichment and profiling and its monetization
4. Collection & Processing
   - Ground rules and limits for data collection
   - Define a Customer Privacy Code for customer data processing
5. Rights of the data subject
   - Transparency to customers on the modalities of data collection, storage and usage
   - Customers' right to rectify and revoke consent
   - Customers' right to request access to, or updating of, their own personal data
   - Right to object to profiling
6. Specific data processing situations
   - Transfer of data to third parties
   - Trans-border transfer of data by way of appropriate safeguards
   - Rules for sharing traffic data with the customer and with third parties, including LEAs
7. Independent supervisory authorities
   - Duties and powers
   - Audit of the provision of data by the Authority
8. General obligations for companies
   - Deployment of a Customer Data Protection team for data security
   - Impact assessment and prior authorization
   - Awareness sessions for employees on customer data protection
   - Develop and periodically update a Data Processing Operations Map
   - Perform a recurring risk assessment on customer data against the international information security best-practice standards ISO 27001/27002
   - Adopt and formalize an internal procedure for data breach management
   - Data breach notification
   - Ground rules for electronic marketing
9. Cloud and Web-Based Technology Applications
   - Rules for transfer of customer data to a local cloud
   - Approval process for trans-border transfer of data to a cloud, by way of appropriate safeguards, if allowed
   - Recurring risk assessment on customer data held in the cloud
   - Awareness for customers regarding the risks involved in sharing their data and consents online
10. Remedies, liability and sanctions
   - Complaints and judicial remedies
   - Compensation, penalties and administrative sanctions
   - Audit process