Digital and data-driven crimes have increased in Pakistan in recent years. The country has had numerous cases of ATM and skimming fraud, but there has also been an unregulated increase in personal data theft, leaks, and other online crimes against people.
This occurs because businesses, hospitals, retail establishments, and even government agencies gather and compile customers' personal information without putting proper information security safeguards in place, and when their haphazard security is breached, that personal information is exposed.
Pakistan has been slow to address this issue at the legislative level. Only three acts have been passed by the legislature since 2009, the most recent of which is the Electronic Crimes Act of 2016.
Additionally, no specific regulation for the protection of personal data has been passed. The bill that the Ministry of Information Technology and Telecommunication (MoITT) developed in October 2018 and updated and reintroduced in April 2020 is the closest we have come.
In summary, the bill does a reasonable job of protecting consumers against data privacy breaches by private actors such as companies. However, it falls short in certain areas, including storage of data, cross-border transfer of critical data, and the requirement of keeping certain data components within Pakistan.
In the past, consumer data was collected through surveys, focus groups, casual observation, and other scenarios where explicit consent is typically requested. In modern times, however, groups or businesses that acquire data frequently employ covert techniques. Automatic data processing (ADP) tools are one such method: when data is entered, these tools automatically capture and process it. Because data is viewed as a “currency” and is frequently hoarded, businesses also often require customers to provide their personal information in order to complete transactions.
Under the bill, data is information that is collected by means of equipment that operates automatically (such as ADP equipment), or that is requested in response to instructions. Providing data for an application, a newsletter, a product or service purchase, or a subscription all fall under this.
To this end, the bill tries to define “Personal Data.” The most important feature of personal data is that a person is recognisable through it, for example by their name or phone number. The bill deals with this kind of personal data when it is collected as part of transactional exchanges, or when it is provided “in response to instructions given for the purpose of the transaction.”
Measured against established international standards, this legislation is riddled with loopholes and inconsistencies.
For an Islamic country with a rapidly expanding digital industry, it is unsettling to see how little attention is given to safeguarding the privacy and information of its residents. Our right to privacy, a fundamental element of our religion, does not deserve the carelessness with which it is treated. What’s even more concerning is that our citizens are unaware of the potential dangers associated with the information they so readily provide online. We therefore take a two-pronged approach to data protection: first, we enact and enforce strict information privacy laws to reduce unauthorised data transfers and uses; second, we educate our citizens about the rights they must demand and expect when disclosing their CNIC, home address, mobile phone number, banking information, or credit card details online.