The draft Personal Data Protection Bill was introduced last month on the website of the Ministry of IT and Telecom for consultation. The bill lays out the requirement of a citizen's consent for their data to be processed, notices to them when their data is processed, non-disclosure of personal data for purposes other than those specified, security standards for the protection of held data, (undefined) time limits on data retention, and data breach notifications. Additionally, the draft makes some exemptions for the purposes of this law, including for journalistic, literary or artistic purposes, which is a welcome step. However, it makes “processing of personal data in the interest of security of the state” subject to authorisation by the federal government under a procedure that remains undefined. Also not explicitly defined is the data protection liability of government and public bodies, which is a critical component of any such law, considering that the state and government hold the highest amount of sensitive personal data of citizens.
A major contentious feature of the bill is the data protection authority that is “to carry out purposes of this act”, which under this bill functions under the federal government rather than being independent and autonomous.
The current bill attempts to localize data under Sections 14 and 15 by requiring data of citizens to be stored within the borders of Pakistan, which presumably would apply to social media companies. This seems to be linked to the Protection (Against Online Harms) Rules, 2020, where the government proposed that social media companies register locally and set up servers.
Lastly, this bill should include time-sensitive sunset clauses for health-related data and surveillance during a pandemic. We have seen broad-based tracking of citizens for Covid-19, a process that has lacked transparency, legality and a procedure that respects the rights of citizens while safeguarding the right to life threatened by the pandemic, such as using only aggregated and anonymized data rather than personally identifiable data. Further, the government should already be vigilant about Covid-19-related privacy violations, such as the leaking of patients' health records, and stigma linked to the virus.
A deadline of 35 days is provided for feedback, after which there is every chance that this bill may take the shape of a long-awaited law on data protection. The timing of the deadline is quite questionable, though, with a lot of consultative work suspended locally and internationally on account of Covid-19.