Article 14 of the Constitution of Pakistan recognises ‘the dignity of man and, subject to law, the privacy of home’ as a fundamental right – violation of this right would therefore be extra-constitutional.
We are living in an ‘information’ and ‘technology’ age where not only business transactions but also many personal transactions are made electronically. This phenomenon, further, is not bound by any geographical boundaries – businesses/people are engaged in cross-border transactions electronically.
The exchange of information electronically, for the above purposes, has necessitated the privacy and protection of any personal data that is collected and processed during the course of any transactions. Therefore, the collection and processing of personal information/data needs to be regulated in order to have privacy and data protection.
The Constitutional guarantee, contemporary requirements and global developments altogether necessitated the introduction of a legal framework regarding personal data protection in Pakistan. Against this background, the Ministry of Information Technology & Telecommunication (the IT Ministry) has developed a draft bill titled the Personal Data Protection Bill, 2021 (the Bill). After the IT Ministry consulted on the Bill, it has now been approved by the Federal Cabinet. The Bill is now to be tabled before the legislature for promulgation as a law.
The Bill is aimed at providing for the processing, obtaining, holding, usage and disclosure of personal data while respecting the rights, freedoms and dignity of natural persons with special regard to their right to privacy, secrecy and personal identity.
The nucleus of the Bill is ‘data subject’ and ‘personal data’. ‘Data subject’ means a natural person who is the subject of the personal data. While, personal data means any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymised, encrypted or pseudonymised data which is incapable of identifying an individual is not personal data.
The Bill has three other significant concepts, in addition to data subject and personal data, which are ‘data controller’, ‘data processor’ and ‘processing’. In simple terms these concepts can be understood as:
- Data controller is a person (natural person, company or government) who has the authority to collect personal data of a natural person.
- Data processor is a person (natural person, company or government) who process the data on behalf of a data controller.
- Processing is performance of any operation on personal data (like collection, recording, organisation, structuring storage etc).
The Bill defines the respective rights/protection of the data subject and obligations of the data controller and data processor.
The Bill confers significant rights/protection on the data subject (the natural persons), including right of access, right to correct personal data, right to withdraw consent, right to prevent processing likely to cause damage or distress, right to erasure.
On the other side, the Bill places certain obligations on the data controller, the utmost being the lawful purpose for which a data controller can process the personal data. The obligation of lawful purpose must have a nexus with a necessity directly related to that lawful purpose. Further, the extent of processing of personal data must be adequate and not excessive, meaning that only personal data which is sufficient for that lawful purpose can be used.
In addition, the data controller can only process the personal data with consent of the data subject (certain exceptions apply). The data controller is further required to inform the data subject about collection and use of their personal data.
The Bill also provides that personal data may not be disclosed without the consent of the data subject. The data controller and data processor, under the Bill, are required to take security measures to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction in accordance with the standards to be prescribed by the National Commission for Personal Data Protection of Pakistan (the Commission) – to be established under the Bill.
The Bill provides that the federal government, within six months of the coming into force of the Bill, is to establish the Commission. The Commission shall be responsible to protect the interest of the data subject and enforce protection of personal data, prevent misuse of personal data, promote awareness of data protection and shall entertain complaints. The Commission shall also formulate compliance framework for adherence by the data controller and data processor.
Appeals against the decisions of the Commission, under the Bill, shall lie before the High Court or to any other Tribunal established by the federal government for the purpose in the manner prescribed by the High Court.
The Bill also provides for fines and imprisonment in case of violation of provisions of the Bill. The fines may be up to PKR25m. In case of legal persons, the fine is not to exceed 1% of its annual gross revenue in Pakistan or PKR30m, whichever is higher.
The Bill provides that the proposed law shall come into force with in a period of two years from the date of its promulgation. The federal government, in this regard, is to determine such a date through a notification in the official Gazette providing at least three months’ advance notice of the effective date.
Given the growth rate of e-commerce, and cross-border e-commerce in particular, governments across the globe are framing the laws and regulations for personal data protection. The development of the law on this subject in Pakistan is timely for various reasons, including the law becoming compatible with best practices which enable our entrepreneurs to compete globally and to fetch a sizeable share of global trade. This is the time to embrace change and all those likely to be affected by the Bill and in particular the natural persons (data subject) need to carefully understand their respective rights and obligations under the Bill to become fully compliant and for the natural persons to fully reap the protection provided therein.