GDPR and the Pakistani context

Citizen’s fundamental rights of privacy of home and dignity require immediate action by the government to establish data protection

GDPR and the Pakistani context

The General Data Protection Regulation (GDPR) adopted by the European Union (EU) in 2016 is the single most important piece of legislation governing privacy of data in the world today. This is designed to give the EU citizens (and in certain instances others too) more control over their personal data, recognising that an individual’s personal data is in fact their absolute ownership. Without informed consent the processing of personal data of an EU citizen becomes a legal impossibility and any breach of this can lead to fines as steep as 20 million euros. In addition to name, address, email address, passwords, photos and videos, this regulation classifies biometric data as well as genetic data as personal data. Personal data also includes confidential health records and places it in the exclusive ownership of the user.

Hardly anyone today bothers to read the fine print which comes with using websites and apps on one’s devices. After the enforcement of the GDPR and its official compliance deadline in 2018, many of these user contracts (specifically those from EU) have become void on grounds of public policy, if these are in contravention to lawful-purpose test established by this regulation.

The GDPR establishes a single data protection regime across Europe, including the United Kingdom, which will still implement the regulation despite Brexit. What this means is that organisations within or without Europe, which may be processors or controllers handling data, are under legal obligation to prevent misuse of all personal data. The regulation seems to apply to all data handlers based in Europe with data subjects anywhere in the world and to data handlers outside Europe who may be handling data of EU citizens. In other words, if data of Pakistani data subjects is being handled by a data handler in the EU, it is subject to this law. Similarly a Pakistani data handler controlling or processing the data of an EU citizen is also subject to this law.

According to the law there are two kinds of data handlers - data controllers and data processors. A data controller is any "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data" while a data processor is any "person, public authority, agency or other body which processes personal data on behalf of the controller".  What is data processing?  Data processing involves all classification of data received from the controller. Therefore, the GDPR places specific legal obligations on the processor as it is justifiably assumed that a processor is most likely to be responsible in the event of a breach. A positive legal duty on all organisations dealing with data is to immediately inform the subject that their data may have been breached.

There are other wide-ranging rights such as the right to know how one’s information is being processed and for what purpose. Significantly, there is also the right to data portability. Thus, Article 20 of the GDPR states: "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller". For data storage itself, there is a positive requirement for the data controller to implement "pseudonymisation" which is different from "anonymisation" - the difference being that the former is traceable while the latter is not.  Nevertheless there are artificial identifiers which help protect personal data in storage from being directly identified with the subject.  Another requirement for the controllers is to inform all data subjects how and why their data is being stored, for what purpose and under what law.  There is a further requirement for the data handler to ensure that in the event of data being transferred to an organisation outside the EU, this information is made available to the data subject. The law also gives data subjects the power to request an erasure on grounds of fundamental rights. This is called the right to erasure. The purpose as a whole is to ensure that a person’s data is fully protected. The test is simple - fundamental rights and freedoms of the data subject should out-weigh any legitimate reason or cause for data handling of the controller. The controller itself is under obligation to ensure data protection by design and this obligation begins at the time of initiation of such data handling.

In Pakistan, there is a callous disregard for data protection which is evident in the number of breaches that have been reported in recent years even from the National Database and Registration Authority (NADRA).

The regulation thus acts as a check on overreach by major corporate entities like Facebook, Twitter, Apple and Samsung etc. In short, the GDPR ensures that these companies are held liable for any use of data without informed consent of the data subject.

In our context, it must be said that in Pakistan there is a callous disregard for data protection which is evident in the number of breaches that have been reported in recent years even from the National Database and Registration Authority (NADRA). To start with, Pakistan still does not have a data protection law. A number of bodies - public and private - control and process data of Pakistani citizens with little or no legal protection. Whatever safeguards are there in various laws are conspicuous by their lack of implementation. It is quite unfortunate though because the Pakistani constitution spells out the right of privacy and dignity explicitly. Our neighbour India’s landmark Supreme Court judgment in 2017 established that privacy was a constitutional fundamental right. This now has become the basis of a new data protection legislation which is under works. Pakistan’s fundamental rights of privacy of home and dignity require immediate action by the government to step in and establish data protection.

Also read: Privacy in the digital age

A significant problem is that the Asian behemoths surrounding us, China and India, are also massive surveillance states. The states of China, Russia and India actually mine more data of their citizens than any other country in the world. Thus, despite the fine Supreme Court judgment, India has a completely different understanding of privacy when it comes to national security. It is rumoured that one section of the proposed Indian data protection law describes the data of Indian citizens as a national asset. One should always be circumspect about such "nationalistic" interpretations because it inevitably means that the state has the right to mine the national asset. The Indian approach is more likely to mirror China than Europe. As a result Pakistan - on the one hand, motivated by fear of India and on the other, inspired by its taller-than-Himalayas friend China - is unlikely to take a vastly different view.  An Asian GDPR, therefore, is unlikely.

Having a GDPR-type data protection law is good for innovation. It can help Pakistan establish itself as a data destination. Yet, the powers that be in our country have not even begun thinking in those terms.  Ultimately, someone is going to cut, copy and paste the Indian and possibly the Chinese laws unimaginatively, and we shall be stuck with an unworkable data protection law that will work at cross-purposes to the objective of having a data secure environment.


The writer is an advocate of high courts specialising in internet freedom and data security

GDPR and the Pakistani context