Personal data protection as a rights issue

By Nadeem Iqbal
May 10, 2020

The Ministry of Information Technology and Telecommunication (MoITT) has once again revealed its intention to establish a legal framework to protect personal data privacy and to allow citizens, among others, the right to access their data from the authorities.

But there is scepticism over whether the ministry can establish a Personal Data Protection authority which is compatible with international best practices and satisfies the concerns of all stakeholders.

The scepticism stems from the fact that the ministry made many attempts in the past to install a personal data protection framework, but they failed in the face of severe criticism from different rights groups. The main criticism raised was that the law does not cover data processing by government and state institutions.

This includes NADRA (National Database and Registration Authority), whose law has a provision under which the authority is responsible for "ensuring of due security, secrecy and necessary safeguards for protection and confidentiality of data and information contained in or dealt with by the National Data warehouse at the individual as well as collective level." But it is not clear what measures would be taken in case of a security breach of data.

This issue continues to simmer in the context of a new draft ‘Personal Data Protection Bill’, uploaded on the MoITT website for public opinion. The one-month period to comment on the bill is to end by May 15. The draft provides for the establishment of a Personal Data Protection Authority where complaints can be lodged against any breach of data, indeed against companies.

But instead of following a proactive approach of engaging citizens for feedback through online surveys, and later publishing the results of these interactions along with feedback data segregated by gender, age, education and profession, the MoITT has opted for the most passive approach of eliciting feedback through email only. This is itself a negation of the ministry's tall objectives of introducing e-governance, as outlined in its Digital Pakistan Policy.

The security and protection of personal data is a human rights issue linked with personal privacy, whereas the MoITT domain is limited to the development and improvement of Information Technology and Telecommunications. The reason the ministry is dealing with this is to make the country’s ICT structure compatible with the global data protection framework.

But here, the ministry's treatment of the rights surrounding data protection is very weak and rests on a fragile foundation, without any statistics or human rights-based elaboration.

This is obvious from the “statement of objective” of the draft law: “In today's digital age, personal data has become a precious commodity, and for many businesses, the sole source of their income is the personal data of users they generate. The [sic] personal data is often being collected, processed and even sold without knowledge of a person.

“In some cases, such personal information is used for relatively less troublesome commercial purposes, e.g. targeted advertising etc. However, the data so captured or generated can be misused in many ways, eg blackmail, behaviour modification, phishing scams etc.”

The statement links the draft law with Article 14 of the constitutional fundamental rights, which, while dealing with the inviolability of the dignity of man, says that the dignity of man and, subject to law, the privacy of home, shall be inviolable, and that no person shall be subjected to torture to extract evidence.

Certainly, this right does not directly deal with personal data, and a new article needs to be incorporated on the subject to provide better protection to citizens against data misuse at a time when the Digital Pakistan Policy (DPP) of the government ambitiously wants to integrate the federal government's distributed databases to enable data mining and analysis on big data through establishment of state-of-the-art tier 3/4 national-level data centres.

The policy adds: “Enhance the quality of e-government services through real-time integrated management and data analytics. Discourage the establishment of silo IT infrastructures (small islands) in different government offices to mitigate duplication of efforts, HR requirements and operational expenses. Integrate national and provincial databases to avert duplication and ensure synergy. Remove legal and administrative barriers for exchange of data for citizen-oriented services and pattern analysis. Provision of cloud-based citizen-centric services for public, paving the way for subsequent transformation to e/m-government”.

Given that the law is an instrument of policy implementation, the policy defines the objectives behind the legal instruments, citing different situational analyses. While the Digital Pakistan Policy says that legislation will be done for "the protection of personal data and online privacy for improved transparency and security of sensitive and confidential information through appropriate Data Protection law", it does not provide thematic support for such legislation.

The references quoted at the end of the DPP do not contain anything regarding personal data protection, nor do they indicate from which international best practices the DPP draws inspiration while expressing its intention to draft a new law.

The EU’s General Data Protection Regulation (GDPR) is one of the most talked-about concepts in IT/cybersecurity circles today. The GDPR encompasses 11 chapters and 99 articles that deal with everything from data subject rights and differences in controller and processor responsibilities to reporting, working with data protection authorities, and enforcement actions.

Though not mentioned explicitly, Pakistan's draft law also gets inspiration from the GDPR. But it failed to highlight principles of the GDPR related to human rights such as: “The principles of, and rules on the protection of natural persons concerning the processing of their data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and the well-being of natural persons.”

Giving a human rights treatment to regulation, the GDPR further says: “Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.”

In emerging governance structures, regulatory frameworks promote active consumer participation in policymaking and implementation, but in Pakistan regulatory frameworks tend to empower public-sector bureaucrats with more discretionary powers and reduce the consumer to the role of a complainant only. The proposed personal data protection authority is no different.

The ministry is right in saying that the power of data in the current era and its other aspects like privacy, confidentiality and integrity have become more relevant and important than ever before because of the increasing use of ICT services in the current pandemic (Covid-19).

Therefore, the need is to finalise the bill after engaging consumers in meaningful dialogue and allaying their concerns by incorporating principles such as respecting citizens’ fundamental rights and freedoms, in particular their right to the protection of personal data.

The writer is a freelance contributor.