Pakistan’s nascent data protection legislation

By Yousaf Amanat

Data protection is an area of law that has been ignored in Pakistan. The right to privacy of the average Pakistani citizen is enshrined within the Constitution of Pakistan, which provides that “the dignity of man and the privacy of his home shall be inviolable”. Unfortunately, the same has, to date, not been translated into legislation and, therefore, no specific law for data protection exists in Pakistan.

Therefore, it was perhaps a small relief that in 2016 the Prevention of Electronic Crimes Act 2016 (PECA) was enacted, which contains a smattering of data protection law.

Although PECA was proposed to counter issues such as cyberstalking, online harassment, cyber terrorism, spamming and hacking of information systems, it also contains data protection provisions. PECA provides that, in addition to its application to the whole of Pakistan and Pakistani citizens, it also applies to acts committed by persons outside of Pakistan if the action constitutes an offence under the legislation and affects any person, property, information system, or data located in Pakistan.

PECA provides that the identifying information of a person shall not be obtained, sold, or transmitted without authorisation. Authorisation has been defined under the legislation as being authorised by law or a person empowered under the law to make such authorisation. Any person whose information is obtained without their authorisation can apply to the Pakistan Telecommunication Authority to secure, block, destroy or prevent the transmission of such information.

Pakistan’s Ministry of Information Technology and Telecommunication recently introduced a new draft of Pakistan’s Personal Data Protection Bill 2020 and launched a public consultation. The public consultation period ended on 15 May 2020; however, the bill has yet to be promulgated.

The bill, which applies to “any person who processes” or “has control over or authorises the processing of” any personal data, if the data subject, the controller, or processor are located in Pakistan, would establish certain requirements and restrictions related to the processing of personal data, as well as penalties for violating the law. Also, under the bill, the federal government will, within six months of it coming into force, establish a Personal Data Protection Authority of Pakistan with rule-making authority to enforce the new law.

The draft bill provides that data subjects must be given a written notice containing certain prescribed content when their personal data is collected by or on behalf of the data controller. This notice must be provided when the data subject is first asked to provide the data or when the data controller first collects the personal data, and in any case before the personal data is used for a purpose other than the one for which it was collected or is disclosed to a third party.

In addition, data controllers may not, without the consent of the data subject, disclose personal data for any purpose other than the purpose disclosed at the time of collection (or a purpose directly related to it), or to any third party outside the class of third parties identified in the controller's notice. Also, personal data may not be transferred to any unauthorised person or system.

Where necessary, data may be transferred to a country that offers at least the same amount of protection of personal data, as long as the data subject provides consent where required and the data continues to be processed under the bill’s requirements. Critical personal data may only be processed in servers and data centres located in Pakistan.

Data controllers must take “practical steps to protect personal data” when collecting or processing personal data including, among other factors, taking into consideration the nature of the personal data and the harm that would result from the loss, misuse, modification, or unauthorised or accidental access, disclosure, alteration or destruction. The data protection authority will prescribe standards that the data controller must comply with.

Data controllers must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up-to-date. Additional limitations apply to the processing of sensitive personal data.

The bill provides data subjects with the right to: be informed about whether a controller has processed their personal data; for a fee, make a data access request for the information being processed and have a copy of their personal data provided to them in an intelligible form; request correction of their personal data where it is inaccurate, incomplete, misleading or not up to date; withdraw consent to the processing of their personal data; prevent processing that is likely to cause damage or distress; and request erasure of their personal data when certain conditions are met.

Data controllers must notify the data protection authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of relevant data subjects.

Moreover, data controllers must keep and maintain a record of any application, notice, request, or any other information relating to personal data that has been or is being processed. The controller also must maintain a record of personal data breaches.

Finally, data controllers may not keep personal data for longer than is necessary to fulfil the purposes of the collection. The data controller must destroy or permanently delete the data when no longer needed.

Yousaf Amanat is the managing partner of Yousaf Amanat & Associates