How to leap forward in data protection

January 30, 2022

The media and civil society can play an important role in creating digital rights awareness among the masses

All data stored by a business that relates to an identifiable individual, from financial information and payment details to contact information, needs to be properly protected to prevent it from being misused for fraud, such as phishing scams and identity theft.

Pakistan does not have any far-reaching data protection legislation in place that specifically controls matters in connection with the processing of personal data.

The first step Pakistan took in protecting private data was to include data privacy in Article 14(1) of the 1973 constitution, which stressed the ‘privacy of the home’ to be inviolable. The first Act regarding data protection came in 1996 under the Pakistan Telecommunication (Re-organisation) Act.

In 2002, the Electronic Transactions Ordinance (ETO) was introduced, after which Pakistani telephone service providers are required to retain communications data as a condition of their operating licences. The Ordinance does not regulate data protection directly, but it criminalises unlawful or unauthorised access to information.

In 2005, the Ministry of Information Technology circulated a draft law on data protection. However, for unclear reasons, it was never tabled in the parliament.

The federal cabinet approved the adoption of the Prevention of Electronic Crimes Bill 2007 on January 17, 2007. The proposed law prescribes penalties ranging from six months' imprisonment to capital punishment for 17 types of cyber crimes, including cyber terrorism, criminal access, criminal data access, data damage, electronic fraud, electronic forgery, misuse of electronic system or electronic device, unauthorised access to code, misuse of encryption, misuse of code and cyber stalking, and suggests stringent punishment for offences involving electronic crimes.

The Prevention of Electronic Crimes Act 2016 (PECA) is currently the primary legislation with respect to data protection in Pakistan. It was promulgated on August 18, 2016. The Act contains a number of sections related to data privacy. These are intended to grant law enforcement and other government entities access to private data of citizens and to restrict citizens from gaining access to government data.

Since data is treated like an economic asset, it faces threats and risks. To mitigate the IT security vulnerabilities, a comprehensive cyber security policy was introduced and approved by the federal cabinet. The policy framework envisaged securing the entire cyberspace of Pakistan, including all digital assets of Pakistan, data processed, managed, stored, transmitted or any other activity carried out in public and private sectors, and the information and communication systems used by the citizens of Pakistan.

The policy document mentions the risk of data colonisation whereby data is managed, controlled and processed out of the legal jurisdiction of the country and there is limited or no bilateral agreement among the stakeholders in this regard. Threat actors are liable to pollute the information domain and citizen data may be sold to third parties without due consent or validation.

Such proliferation and abuse of data can lead to the exploitation of some segments of the society. Weak governance of data, poor data quality and absence of data stewardship generate unreliable information resources and pose a threat to cyber security. A Cyber Governance Policy Committee (CGPC) has been constituted to formulate, guide, and recommend actions for the approval of the National Cyber Security Policy and Cyber Security Act.

Currently, the Ministry of IT and Telecom is in the process of finalising rules under a Personal Data Protection Act. The proposed legislation will oversee the collection, processing, use and disclosure of personal data and establish and make provisions about offences relating to violation of the right to data privacy by collecting, obtaining, or processing of personal data by any means.

According to the draft, no personal data shall, without the consent of the data subject, be disclosed for any purpose other than for which the personal data was to be disclosed at the time of collection of the data.

There is currently no national data protection authority. The draft law provides for the creation of a commission. Key functions of the commission include: receiving and deciding complaints with regard to an infringement of personal data protection; examining various laws, rules, policies, by-laws, regulations or instructions in relation to the protection of personal data and suggesting amendments to bring them into conformity with the provisions of the law; and monitoring cross-border transfer of personal data.

A key aspect of the draft is data categorisation and cross-border data flow. According to the draft legislation, if personal data is required to be transferred to any system located beyond the territories of Pakistan, or to a system that is not under the direct control of the government of Pakistan or an entity or entities in Pakistan, it shall be ensured that the country where the data is being transferred has a personal data protection legal regime at least equivalent to the protection provided under this law, and that the data so transferred shall be processed in accordance with this law and, where applicable, the consent given by the data subject. Critical personal data shall only be processed in a server or data centre located in Pakistan.

Non-critical personal data may be transferred outside the territory of Pakistan under a framework to be devised by the Commission.

Amir Jahangir, the chief executive officer of Mishal, a country partner for World Economic Forum, says that a complete ban on cross-border flow of data will increase the cost of doing business, especially in an environment where data saucerisation is costly due to a lack of understanding of data handling, ultimately shrinking the choice for the consumer. He says a ban on cross-border data flow will hamper future growth in the digital space, especially diversification and innovation in the digital economy. Ultimately, he warns, this will result in a flight of ideas and human capital.

Dr Rafi Shan, the project director at the Ministry of Information Technology and Telecommunication, says that the ban is proposed for critical data only. He says routine data, like social media, might flow without hindrance.

Jahangir says the government of Pakistan has introduced almost 100 reforms to improve the business environment in the country. He says the real challenge now is the capacity limitations in terms of mainstreaming these reforms.

Data protection is critical for economic growth. All segments of society, including the general public and policy makers, need to be aware of what is going on in the rest of the world and how data protection is important for them as individuals and for the country as a whole.

Low levels of digital literacy among both the general public and policymakers present a major hurdle in implementing data privacy laws effectively. Informed consent is meaningless in situations where data subjects lack a basic understanding of how their data is collected and used.

Dr Rafi Shan says that the media and civil society can play an important role in digital rights awareness among the masses. He says Pakistan needs a cyber safe society and this cannot be achieved by legislation alone. He says the media has to play a responsible role. Policies and laws can only be successful if the media supports the implementation process through creating awareness.

The writer is a freelance journalist and a communication expert with an interest in socio-economic development and public policy issues in Pakistan. He can be reached at
