The government has decided to constitute ‘Data Protection Authority’ that will work to curb the misuse of data and protect the personal information of the citizens. The Ministry of Information Technology and Telecommunication has drafted ‘Personal Data Protection Bill 2020’ and sought feedback from all stakeholders by June 15, proposing up to twenty five million rupees fine for those who processes or cause to be processed, disseminates or discloses personal data and sensitive data in violation of any of the provisions of the proposed legislation. The proposed legislation was drafted back in 2018, but delayed due to one or the other reason.
GOP to Constitute Personal Data Protection Bill 2020
The proposed legislation will govern the collection, processing, use and disclosure of personal data and to establish and making provisions about offenses relating to violation of the right to data privacy of individuals by collecting, obtaining or processing of personal data by any means. Whereas it is expedient to provide for the processing, obtaining, holding, usage and disclosure of data while respecting the rights, freedoms and dignity of natural persons with special regard to their right to privacy, secrecy and personal identity and for matters connected therewith and ancillary thereto.
A data controller would not process personal data including sensitive personal data of a data subject unless the data subject has given his consent to the processing of the personal data.
Provided that if personal data is required to be transferred to any system located beyond territories of Pakistan or system that is not under the direct control of any of the governments in Pakistan, it will be ensured that the country where the data is being transferred offers personal data protection at least equivalent to the protection provided under this Act and the data so transferred will be processed in accordance with this Act and, where applicable, the consent given by the data subject. Critical personal data will only be processed in a server or data centre located in Pakistan.
The proposed legislation states that digitization of businesses and various public services employing modern computing technologies involve processing of personal data. The growth of technological advancements have not only made it easier to collect personal data but also enabled processing of personal data in so many ways that were not possible in the past.
The personal data is often being collected, processed and even sold without knowledge a person. In some cases, such personal information is used for relatively less troublesome commercial purposes e.g. targeted advertising etc. However, the data so captured or generated can be misused in many ways e.g. blackmail, behavior modification, phishing scams etc.
In order to realize the goal of full scale adoption of e-government and delivery of services to the people on their doorsteps, and increase users’ confidence in the confidentiality and integrity of government databases, it is essential that the users’ data is fully protected from any unauthorized access or usage and remedies are provided to them against any misuse of their personal data.
Additionally, accelerated increase in the use of broadband with the advent of 3G/4G in Pakistan led to an increasingly enhanced reliance on technology calling for protection of people’s data against any misuse, thus maintaining their confidence in the use of new technologies without any fear.
Whereas sectoral arrangements/frameworks exist in Pakistan that provide for data protection and Prevention of Electronic Crimes Act 2016 deals with the crimes relating to unauthorized access to data, there is a need for putting in place a comprehensive legal framework in line with Constitution and international best practices for personal data protection. Protecting personal data is also necessary to provide legal certainty to the businesses and public functionaries with regard to processing of personal data in their activities.
The desired legal framework would clearly spell out the responsibilities of the data collectors and processors as well as rights and privileges of the data subjects along with institutional provisions for regulation of activities relating to the collections, storing, processing and usage of personal data.
Within six months of coming into force of this Act, the federal government will, by notification in the official Gazette, establish an Authority to be known as the Personal Data Protection Authority of Pakistan, to carry out the purposes of this Act. The Authority will be a statutory corporate body having perpetual succession and a common seal, and may sue and be sued in its own name and, subject to and for the purposes of this Act, may enter into contracts and may acquire, purchase, take and hold moveable and immovable property of every description and may convey, assign, surrender, charge, mortgage, reassign, transfer or otherwise dispose of or deal with, any moveable or immovable property or any interest vested in it and , will enjoy operational and administrative autonomy, except as specifically provided for under this Act. The Authority will be an autonomous body under the administrative control of the federal government with its headquarters at Islamabad.
The Authority will be responsible to protect the interest of the data subject and enforce protection of personal data, prevent any misuse of personal data, promote awareness of data protection and will entertain complaints under this Act.