The Ministry of Information Technology and Telecommunication has drafted the “Personal Data Protection Bill 2018”, proposing a maximum punishment of up to two years’ imprisonment and a fine of Rs 5 million for the unlawful processing of personal data.
According to the “Personal Data Protection Bill 2018”, the Constitution of the Islamic Republic of Pakistan guarantees privacy of home alongside dignity of every man and woman as their fundamental right under its Article 14. The Ministry has sought recommendations from all stakeholders on the proposed legislation.
The objectives of the bill state that the digitization of businesses and various public services using modern computing technologies involves the processing of personal data. Technological advancement has not only made it easier to collect personal data but has also enabled the processing of personal data in many ways that were not possible in the past.
It further states that in today’s digital age personal data has become an extremely valuable commodity, and for many businesses the personal data of their users is the sole source of their income. Personal data is often collected, processed and even sold without the knowledge of the person concerned.
In some cases such personal information is used for relatively less troublesome commercial purposes, e.g. targeted advertising. However, the data so captured or generated can be misused in many ways, e.g. blackmail, behavior modification and phishing scams. In order to realize the goal of full-scale adoption of e-government and delivery of services to people at their doorsteps, and to increase users’ confidence in the confidentiality and integrity of government databases, it is essential that users’ data is fully protected from any unauthorized access or usage and that remedies are provided against any misuse of their personal data.
Additionally, the accelerated increase in the use of broadband with the advent of 3G/4G in Pakistan has led to a growing reliance on technology, calling for the protection of people’s data against any misuse so that their confidence in the use of new technologies is maintained without fear.
While sectoral arrangements and frameworks exist in Pakistan that provide for data protection, and the Prevention of Electronic Crimes Act 2016 (Act No. XL of 2016) deals with crimes relating to unauthorized access to data, there is a need to put in place a comprehensive legal framework, in line with the Constitution and international best practices, for personal data protection.
Protecting personal data is also necessary to provide legal certainty to businesses and public functionaries with regard to the processing of personal data in their activities. The desired legal framework, as set out in the Bill, would clearly spell out the responsibilities of data collectors and processors as well as the rights and privileges of data subjects, along with institutional provisions for the regulation of activities relating to the collection, storage, processing and usage of personal data.
Unlawful processing of personal data: – Anyone who processes or causes to be processed, disseminates or discloses personal data in violation of any of the provisions of the proposed legislation shall be punished with a fine of up to three million rupees and, in case of a subsequent unlawful processing of personal data, imprisonment for a term not exceeding one year may also be awarded with or without fine.
(2) In case the offence committed under sub-section (1) relates to sensitive data the offender may be punished with fine up to five million rupees.
Failure to adopt appropriate data security measures: – Anyone who fails to adopt the security measures that are necessary to ensure data security, when he is required to do so, in violation of the provisions laid down in this Act and the rules made thereunder shall be punished with a fine of up to one million rupees.
Failure to comply with orders: – Anyone who fails to comply with the orders of the Commission or the court when he is required to do so shall be punished with a fine of up to five hundred thousand rupees.
Corporate liability: – A person shall be held liable for a criminal offence committed on his instructions or for his benefit, or through a lack of required supervision, by any individual, acting either individually or as part of a group of persons, who has a leading position within it, based on a power of representation of the person, an authority to take decisions on behalf of the person, or an authority to exercise control within it. The person shall be punished with a fine not exceeding five million rupees, provided that such punishment shall not absolve the criminal liability of the individual who has committed the offence.
This proposed legislation applies to (a) any person who processes; and (b) any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.
Further, a data controller shall not (a) in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or (b) in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with section.
Notwithstanding paragraph (1)(a), a data controller may process personal data about a data subject if the processing is necessary:
(a) for the performance of a contract to which the data subject is a party;
(b) for the taking of steps at the request of the data subject with a view to entering into a contract;
(c) for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract;
(d) in order to protect the vital interests of the data subject;
(e) for the administration of justice; or
(f) for the exercise of any functions conferred on any person by or under any law.
Personal data shall not be processed unless—
(a) the personal data is processed for a lawful purpose directly related to an activity of the data controller;
(b) the processing of the personal data is necessary for or directly related to that purpose; and
(c) the personal data is adequate but not excessive in relation to that purpose.
A data controller shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
Right of access to personal data:
(1) An individual is entitled to be informed by a data controller whether personal data of which that individual is the data subject is being processed by or on behalf of the data controller.
(2) A requestor may, upon payment of a prescribed fee, make a data access request in writing to the data controller— (a) for information of the data subject’s personal data that is being processed by or on behalf of the data controller; and (b) to have communicated to him a copy of the personal data in an intelligible form.
(3) A data access request for any information under sub-section (2) shall be treated as a single request, and a data access request for information under clause (a) of sub-section (2) shall, in the absence of any indication to the contrary, be treated as extending also to such request under clause (b) of sub-section (2).
(4) In the case of a data controller having separate entries in respect of personal data held for different purposes, a separate data access request shall be made for each separate entry.
(5) Where a data controller does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data controller who holds the personal data from complying, whether in whole or in part, with the data access request under sub-section (2) which relates to the personal data, the first-mentioned data controller shall be deemed to hold the personal data and the provisions of this Act shall be construed accordingly.
Within six months of the coming into force of this proposed bill, the Federal Government shall establish a Commission for Personal Data Protection (CPDP). The Commission shall be a corporate body, having perpetual succession, which can sue and be sued in its own name, and shall enjoy operational and administrative autonomy, except as specifically provided for under this proposed legislation.
The Commission shall comprise three Commissioners, to be appointed by the Prime Minister as follows:
(a) One Commissioner shall be a person who has been, or is qualified to be, a judge of a High Court;
(b) One Commissioner shall be a person having a master’s degree in computer sciences or telecommunications and fifteen years of experience in the field of information technology, telecommunications or computer sciences; and
(c) One Commissioner shall be a person from civil society having a degree based on sixteen years of education from a recognized institution and fifteen years of experience in the field of mass communication, academics and civil rights.
The Commission shall be headed by a Chairman, who shall be nominated by the Federal Government from amongst the three Commissioners. The Commissioners, including the Commissioner nominated as Chairman, shall hold office for a term of four years from the date on which they assume office and shall not be eligible for re-appointment.