We had mentioned in earlier posts that the fourth draft bill of the proposed Data Protection Act in Pakistan has been submitted for public consultation. Various laws in Pakistan such as the Electronic Crimes Ordinance 2002, the Prevention of the Electronic Crimes Act 2016, the National Data Base Authorization and Registration Authority Ordinance 2000 already contain sections of law which criminalize the unauthorized dissemination and usage of personal data. Specific Data Protection law drafts have been circulated by the legislature but the same were never enacted. This is the first time that any government in Pakistan has gone this far on the Data Protection Legislation. It appears that this law will in fact be enacted soon although many rights organization in Pakistan have criticized the provisions of this law.
It appears that the enactment of the law may be part of the larger recommendations which have been made to Pakistan by the FATF. Section 14 of the draft Act provides that data may be transferred out of Pakistan to a country where equal or better data protection law exists. Better data protection exists in European Countries and the United States.
The Data Controller within the law is defined as a person who has the authority to collect and use the data and is a natural legal person or the government. The Data Controller apparently has unfettered powers albeit subject to consent of the Data Subject to collect and use the data. Terms such as Sensitive Data and Critical Data have been provided within the law but not defined. The Data Controller is to provide the Data Subject a notice that his data may be used if the same is required for certain purposes such as performance of contract, obtaining of legal advice, legal purposes, medicinal purposes.
This all becomes tricky if the Data Subject is a not well to do normal citizen of Pakistan and the Data Controller is the security apparatus of the Government and to whom such Data Subject cannot deny permission for Data usage. Does not then the usage of legal advice or performance of contract which would normally contain confidentiality provisions fall the risk of being exposed to the Government where the Government too is party to such contracts and where the Government is the Data Controller?
In our opinion (which might appear to be different from the majority opinion on the subject is that) sufficient legislation exists for protection of Data in Pakistan in the various laws provided earlier. Enacting a separate Data Protection law will not protect Data in fact it will allow Data to be legally processed and distributed and the Data Subject theoretically though has rights but in reality he will be exploited.
