WHEN British mathematician Clive Humby declared “data is the new oil” in 2006, he did not know that data was going to supersede the then-coined analogy. Today, the bit-bytes of 1 and 0 are the magical numbers to unlock or lock the fortunes. Nevertheless, our fellow countrymen show no regard for data’s sanctimony. We see copies of personal credentials being shared, even publicly posted sans thinking an iota about ramifications. We happily relinquish our data protection rights to sign up for digital services or relish meagre online loans offered by shark apps. It seems we have nothing to lose digitally.
Why are we so careless about data? The answer lies with the social construct in which we are living. At the national level, there is no law sensitizing masses and nudging data holders to take care of the data. Without a comprehensive legal framework, data possessors operate on whims and wishes, causing data breaches, online fraud and risking privacy. According to the Global Cyber Security Index, Pakistan stands at an abysmal 79. In comparison, India leapt to 10 from its previous ranking of 47.
A Personal Data Protection Bill 2023 drafted by Ministry of Information Technology and Telecommunications (MoITT) missed sight of outgoing legislatures amid eleventh-hour historic clearance of other bills owing to reasons unbeknownst. The Data Protection Bill had already been approved by the Federal Cabinet but was yet to be presented before the Lower House.
The protection of data is a fundamental right envisaged under Article 14 (1) of the Constitution of Pakistan that states ‘dignity of man and subject to law, the privacy of home shall be inviolable’. In addition, Pakistan is a ratified party to the International Covenant on Civil and Political Rights which states, “No one shall be subject to arbitrary or unlawful interference with his privacy, family or correspondence.” Large-scale public databases have their own obligations as an instance mentioned in section 4 (j) of the National Database and Registration Authority Ordinance, 2000.
Internationally, data protection is always on the priority list. Nations know the path to prosperity is peppered with effective governance frameworks. The European Union’s General Data Protection Regulation 2016 (GDPR) covers all the EU nations as a touchstone document. The Swedish Data Act of 1973 is the pioneer data protection legislation. The US follows its Privacy Act which dates back to 1974. China has its version of data protection epitomized in the Personal Information Protection Law 2020. Other countries like Australia, Canada and India have already crafted their data protection laws.
At home, the somewhat protective semblance of data is provided by a fragmented long list of legislations. The major portion is derived from the Prevention of Electronic Crimes Act 2016 which itself is a cybercrime law rather than a data protection watchdog. Likewise, data handling in different situations elicits scrolling down specific portions of varying laws ranging from the Electronic Transactions Ordinance 2002 to the Pakistan Telecommunications Reorganization Act 1996. Sometimes the search for the right data protection guideline pushed us as far as to scavenge the Mental Health Ordinance 2001 for protection of medical records and the Customs Act 1969 for handling information of commodities. In the same vein, data on cloud servers need to be handled by the Cloud Policy issued by MoITT. Delving deep, the cobweb gets intricate; the retention of data of electronic transactions is managed by the Payment Systems and Electronic Fund Transfers Act 2007; banking data by Banking Companies Ordinance 1962; critical telecom data by Critical Telecom Data and Infrastructure Security Regulations 2020 under Pakistan Telecommunication (Re-organization) Act 1996; Wi-Fi data by Data Retention of Internet Extended to Public Wi-Fi-Hotspots Regulations 2018.
It is important that once the legislative business is restored, Personal Data Protection Bill 2023 should be presented for enactment at the earliest. Once enacted, the proposed law will regulate all personal data collection, control, processing, disclosure, usage and cross-border transfer affairs. Effective redressals such as the removal of wrongfully posted data and fines of as much as US$1,000,000 are also mentioned in the bill. The right to object to the processing and hiring of data controllers and processors is stipulated in the proposed law.
The bill also mandates the establishment of an overseeing body proposed as “The National Commission for Personal Data Protection” within six months after the promulgation of the Bill. The Commission will also recommend requirements and international best practices regarding personal data protection to the government. It may also exercise the powers of a Civil Court against complaints. The Commission will craft a mechanism to share personal data with government entities. It is also proposed to conduct a data protection impact assessment and receive information about data breaches within the stipulated time (72 hours) after taking cognizance.
The proposed bill can further be debated in Parliament before approval. Necessary amendments can also be made accordingly. Subjects like real-time data monitoring by Monitoring and Reconciliation of Telephony Traffic Regulations 2010 and data access by the Fair Trial Act 2013 can also be included in the bill to make it an exhaustive one. Previously, MoIT had drafted a similar bill for data protection, the Electronic Data Protection Bill 2005. Had that bill not gone into oblivion, we would have moved on to this quagmire. To fully embrace the fruits of the digital revolution, the rules of the game must be set before riding the digital gravy train. This time, we can’t afford languor.
—The writer is a security professional and contributing columnist.
Email: [email protected]
views expressed are writer’s own.