A student at Allama Iqbal Medical College Lahore, recently received a call from a fraudulent bank helpline seeking her personal information. Detecting an extra zero at the start of the calling number, she grew suspicious and promptly ended the call. Upon investigating with her bank’s helpline, she learned the bank never requests personal information over the phone. The target’s siblings also received similar calls, raising concerns about how the callers acquired their family tree information, CNIC number, and ATM card number.
While the target successfully thwarted a potential scam, many individuals unknowingly fall victim to fraud due to scammers possessing ample personal information.
Despite the prevalence of such scams and data breaches, Pakistan lacks comprehensive data protection laws, leaving citizens vulnerable.
The Prevention of Electronic Crimes Act, 2016 (PECA) currently serves as the primary legislation addressing electronic crimes, but it falls short in effectively curbing financial crimes arising from data breaches. Advocate Miqdad Mehdi highlighted two cases, one involving a woman losing Rs. 400,000 to scammers with detailed information, leading to an investigation by the Federal Investigation Agency’s (FIA’s) Cybercrime Wing.
Mehdi emphasized the absence of data protection laws in Pakistan, making information easily accessible at any stage. Language barriers, distrust in institutions, and complex processes hinder individuals from registering complaints. Experts stress the urgent need for stringent data protection policies, an efficient complaint system, and grassroots education to combat phone fraud, particularly targeting elderly and vulnerable populations.
Kaukab Zuberi, chairperson of the Department of Criminology and Forensic Sciences at Lahore Garrison University, explained criminals employ social engineering techniques, preying on those less familiar with technology. Despite efforts by the Pakistan Telecom Authority (PTA) to address fraud, limitations prevent criminal proceedings against perpetrators, allowing them to continue illicit activities.
Legal expert Shmyla Khan highlighted the necessity of a data protection law to hold institutions accountable for negligence and impose fines. With a pending draft of the 2023 Data Protection Bill, concerns include consent requirements, vague terms like “legitimate interest,” and the need for an independent commission.
The Digital Rights Foundation (DRF) conducted a policy review of the draft, emphasizing the importance of a robust data protection law to combat the growing threat of phone fraud and data breaches. The incoming government’s swift action is crucial to enact comprehensive legislation, addressing consent, legitimate interest, and third-party sharing concerns, ensuring citizens’ digital security in the evolving landscape.