Nannying the net

The PDM government has been rather gung-ho about legislation. That would be welcome if only it hadn’t come as a bulldozing of problematic laws rather than legislative work done after consultation and debate. Two new cybersecurity laws – Personal Data Protection Bill 2023 and the E-Safety Bill 2023 – aproved by the government have elicited loud protest from digital rights activists heer at home and even tech companies around the world. The Asia Internet Coalition (AIC), a global association of social media companies, has written a letter to Prime Minister Shehbaz Sharif expressing reservations over the two bills, sharing fears that the country risks becoming a “global outlier”. In its letter, the AIC has pointed out that with such laws, the government will end up isolating and depriving Pakistani businesses of growth in the internet economy and that it is important to foster investor trust in Pakistan.

Why exactly is the AIC concerned about the new laws? Experts say that these laws will directly impact individuals and organizations and undermine their privacy. In its statement of objectives, the Personal Data Protection Bill 2023 says that it “ensures that any personal data shall be collected only by lawful, fair, and consensual means..." While on first read, that sounds fair enough, local digital rights activists say that this bill was passed in haste without any feedback from stakeholders. The bill, say activists, has a lot of red flags and will also impact the tech sector due to localization. Most of this could have been resolved through consultation. The insistence on data localization is an important consideration. Per experts, it is tough to have localized data hosting since our digital environment is not set up for such tasks yet. There is also the not-so-small matter of there being very little transparency on how our government stores data itself. Given that the law prescribes a ‘commission’ to oversee things, digital activists have also asked whether said commission will be autonomous or yet another tool of the government. The law itself says the commission members will be appointed by the federal government, and have the powers of a civil court. All that will end up doing is making consumers and businesses run around in bureaucratic circles. The e-Safety Bill 2023 has a whole other set of issues – given that no one even knew much about it before it was approved.

The government says the laws are aimed at protecting users but it is tough to buy that given how Peca was brought in on the pretext of protecting women but ended up harassing dissident voices, making women more vulnerable and also targeting journalists. In a nanny state such as ours, the lack of transparency and consultation makes many suspicious over the way these two cybersecurity laws have been approved. There is little doubt that Pakistan needs data protection laws; there is also little doubt that Pakistan needs these laws to be made transparently and by taking onboard people who have been at the forefront of working for privacy and protection clauses. In a world where e-commerce is a source of income for many, making an authority on the lines of Pemra and PTA that rights activists say will be merged together, sounds more like a way to police these spaces. Every government in Pakistan has taken a blind approach towards cyber legislation – ironically making laws that are inevitably used against these very political parties and their workers as well as human rights activists and journalists. Instead of protecting the people they vow to serve and represent, our political players are guilty of being complicit in bringing laws that are weaponized to be used against citizens. The problem is not that laws have been made (they are needed); the problem is how the laws have been made – and why.