Public and private entities storing massive amounts of consumer data have no legal liability to safeguard that same data
"Hello, I am Sadaf Khan speaking. Here’s my number…but I am calling from a friend’s phone. Can you please confirm my address?" said Komal Tariq, a member of a Media Matters for Democracy (MMFD) team, pretending to be Sadaf Khan while on a call with a popular food delivery service.
"Hello, Miss Sadaf. Sure. Your address is …." And just like that, the call-centre representative gave out the address of Sadaf Khan to a potential imposter. It turned out that one only needs a phone number and basic 'social hacking' (social engineering) skills to get a private food delivery service to expose its consumer data.
Thankfully, this was only a social experiment, conducted by the MMFD team in a video podcast to demonstrate the potential risk of consumer data leaks in Pakistan. The experiment took less than two minutes and raised many questions.
Other data leaks have not been so benign. At the beginning of 2019, news that consumers' banking data had been hacked hit the airwaves. Customers of several banks lost millions after their debit/credit card details were stolen and used to make purchases in Pakistan and overseas. In another high-profile case, ride-hailing giant Careem shared news of a data leak around two months after it actually happened. No details were given, and customers never got to know what kind of information was leaked from Careem's database. Commercial websites have been hacked, and even telecom service providers have faced digital attacks. Citizens whose data is compromised have no access to information about these attacks and leaks, and no means of holding anyone accountable.
Simply put, even though many public and private entities store massive amounts of consumer data, they have no legal liability to safeguard the data they are hosting. In addition, the citizens have no means of finding out if private companies, collecting and storing their data are sharing it with anyone.
Research conducted by Media Matters for Democracy to analyse the privacy policies of leading digital companies in Pakistan, including the telecom operators, found that most of these companies are not transparent about the third parties they share their consumer data with. This presents a real challenge in determining the legal liabilities of the entities involved in storing and sharing data when there is a potential leak.
Another key challenge is to address the potential data leaks from government institutions especially the ones collecting and storing citizens’ identity data.
The fact is that there is currently no law in place that allows citizens to seek redress when their personal data is compromised. Surprisingly, the draft Personal Data Protection Bill circulated by the Ministry of Information and Technology in November 2018 clearly exempts government entities from the data protection regime that the law seeks to enact.
According to the draft, as far as public institutions are concerned, the data protection bill would apply only when they engage in some sort of commercial activity. Their actual service to citizens, which is far more likely to involve the collection and storage of data, would remain outside the ambit of the law. With such blanket exemptions, even if the law is enacted it would remain largely ineffective, leaving citizens without any legal remedy if the institutions fail to protect their data.
In effect, then, citizens' private information would remain vulnerable within both public and private databases unless an effective legal instrument that holds both private and public entities liable is enacted and enforced.
The writer is a former journalist and a program manager at Media Matters for Democracy working on issues related to digital rights