The government has decided to constitute a ‘Data Protection Authority’ that will work to curb the misuse of data and protect the personal information of citizens.
The Ministry of Information Technology and Telecommunication has drafted the ‘Personal Data Protection Bill 2020’ and sought feedback from all stakeholders by June 15. The draft proposes a fine of up to Rs. 25 million for those who process or cause to be processed, disseminate or disclose personal and sensitive data in violation of any of the provisions of the proposed legislation.
The legislation was drafted back in 2018, but was delayed for various reasons.
The proposed legislation will govern the collection, processing, use, and disclosure of personal data, and will establish and make provisions about offenses relating to violation of the right to data privacy of individuals through the collecting, obtaining, or processing of personal data by any means.
According to the draft, it is expedient to provide for the processing, obtaining, holding, usage and disclosure of data while respecting the rights, freedoms, and dignity of natural persons, with special regard to their right to privacy, secrecy and personal identity, and for matters connected therewith and ancillary thereto.
A data controller will not process personal data including sensitive personal data of a data subject unless the data subject has given their consent to its processing.
Where personal data is required to be transferred to any system located beyond the territories of Pakistan, or to a system that is not under the direct control of any of the governments in Pakistan, it will be ensured that the country to which the data is being transferred offers personal data protection at least equivalent to the protections provided under this Act, that the data so transferred will be processed in accordance with this Act and, where applicable, that consent is given by the data subject.
Critical personal data will only be processed in a server or data center located in Pakistan.
The proposed legislation states that the digitization of businesses and various public services employing modern computing technologies involves the processing of personal data. Technological advancement has not only made it easier to collect personal data but also enabled the processing of personal data in several ways that were not possible in the past.
Personal data is often collected, processed, and even sold without the knowledge of the person concerned. In some cases, such personal information is used for relatively less troublesome commercial purposes, such as targeted advertising. However, the data can be misused in many ways, such as blackmail, behavior modification, and phishing scams.
In order to realize the goal of full-scale adoption of e-government and delivery of services to the people on their doorsteps, and increase users’ confidence in the confidentiality and integrity of government databases, it is essential that the users’ data is fully protected from any unauthorized access or usage and remedies are provided to them against any misuse of their personal data.
Additionally, the accelerated increase in the use of broadband with the advent of 3G/4G in Pakistan has led to greater reliance on technology, calling for the protection of people’s data against any misuse so that they can maintain their confidence in using new technologies without fear.
Whereas sectoral arrangements and frameworks that provide for data protection exist in Pakistan, and the Prevention of Electronic Crimes Act 2016 deals with crimes relating to unauthorized access to data, there is a need to put in place a comprehensive legal framework for personal data protection in line with the Constitution and international best practices. Protecting personal data is also necessary to provide legal certainty to businesses and public functionaries with regard to the processing of personal data in their activities.
The desired legal framework will clearly spell out the responsibilities of data collectors and processors as well as the rights and privileges of data subjects, along with institutional provisions for regulating activities relating to the collection, storage, processing and usage of personal data.
Within six months of the coming into force of this Act, the federal government will, by notification in the Official Gazette, establish an Authority to be known as the Personal Data Protection Authority of Pakistan, to carry out the purposes of this Act.
The Authority will be a statutory corporate body having perpetual succession and a common seal, and may sue and be sued in its own name. Subject to and for the purposes of this Act, it may enter into contracts and may acquire, purchase, take and hold moveable and immovable property of every description, and may convey, assign, surrender, charge, mortgage, reassign, transfer or otherwise dispose of or deal with any moveable or immovable property or any interest vested in it. It will enjoy operational and administrative autonomy, except as specifically provided for under this Act.
The Authority will be an autonomous body under the administrative control of the federal government with its headquarters at Islamabad.
The Authority will be responsible for protecting the interests of data subjects, enforcing the protection of personal data, preventing any misuse of personal data, and promoting awareness of data protection, and it will entertain complaints under this Act.