According to reports, the Federal Cabinet is expected to pass the “Personal Data Protection Bill,” which proposes a punishment of up to Rs. 25 million for those who handle, distribute, or reveal personal data in violation of any of the proposed legislation’s provisions.
According to ProPakistani, the Ministry of Information Technology and Telecommunication has finished the “Personal Data Protection Bill” after receiving approval from the Law Ministry.
Prime Minister Imran Khan will convene a cabinet meeting on Tuesday to discuss the Personal Data Protection Bill proposed by the Ministry of Information Technology and Telecommunication. The proposed legislation will regulate the collection, processing, use, and disclosure of personal data, and will establish and make provisions for offences involving the violation of an individual’s right to data privacy through the collection, acquisition, or processing of personal data by any means. “Whereas it is expedient to provide for the processing, obtaining, holding, using, and disclosing of data while respecting the rights, freedoms, and dignity of natural persons, with particular regard to their right to privacy, secrecy, and personal identity, and for matters connected therewith and ancillary thereto,” reads the draft bill.
Personal data has become an incredibly valuable commodity in today’s digital age, according to the draft bill, and for many organisations the personal data of users that they generate is their primary source of income. Personal data is frequently gathered, processed, and even sold without the person’s awareness. In some circumstances, such personal data is used for less intrusive commercial objectives, such as targeted advertising. However, the information gathered or created can also be used in a variety of harmful ways, including blackmail, behaviour manipulation, and phishing schemes.
To achieve the goal of widespread adoption of e-government and delivery of services to citizens’ doorsteps, as well as to increase users’ confidence in the confidentiality and integrity of government databases, it is critical that users’ data is fully protected from unauthorised access or use, and that remedies are provided to them in the event that their data is misused.
Furthermore, the increased use of broadband in Pakistan as a result of the introduction of Next Generation Mobile Service and Networks has resulted in an increased reliance on technology, necessitating the protection of people’s data from misuse, allowing them to maintain their confidence in the use of new technologies without fear.
While Pakistan has sectoral arrangements and frameworks for data protection, and the Prevention of Electronic Crimes Act 2016 (Act No. XL of 2016) addresses crimes involving unauthorised access to data, a comprehensive legal framework for personal data protection, in line with the Constitution and international best practices, is needed.
Personal data protection legislation is also required to offer legal clarity to enterprises and government officials on the handling of personal data in their operations. The ideal legislative framework would clearly set out the roles of data controllers and processors, the rights and privileges of data subjects, and the institutional requirements for regulating activities related to the collection, storage, processing, and use of personal data.
Personal data must be collected, processed, and disclosed in accordance with the law.
Personal data will be collected, processed, and disclosed only as needed and in accordance with the proposed Act’s requirements. The data must be gathered for specific, explicit, and legitimate reasons, and it must not be further processed in a way that is incompatible with those goals; it must also be adequate, relevant, and restricted to what is required for the purposes for which the data is processed.
A data controller may not process a data subject’s personal data, including sensitive personal data, unless the data subject has given consent to the processing. The data subject must provide consent separately for each purpose. Notwithstanding paragraph (1), a data controller may proceed:
- For the performance of a contract to which the data subject is a party
- For compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by a contract
- In order to protect the vital interests of the data subject
- For the administration of justice in accordance with a court of competent jurisdiction’s order
- For legitimate interests pursued by the data controller
- For the performance of any duties entrusted to a person by or under any legislation
Personal data shall not be processed unless:
(a) Personal data is processed for a permissible purpose that is directly connected to the data controller’s activity.
(b) Personal data processing is required for or directly connected to that objective.
(c) In respect of that purpose, the personal data is adequate but not excessive.
Subject to Section 24, no personal data shall, without the consent of the data subject, be disclosed:
(a) For any purpose other than
(i) The purpose for which the personal data was to be disclosed at the time of collection of the personal data
(ii) A purpose directly related to the purpose referred to in subparagraph (i)
(b) To any party other than a third party of the class of third parties as specified in clause (e) of sub-section (1) of section 6.
Personal data processed for any purpose must not be stored for longer than is necessary for the fulfilment of that purpose or as required by law. It is the responsibility of the data controller to take all reasonable steps to ensure that all personal data is protected.
The data controller must notify the Commission and the data subject in the event of a personal data breach without undue delay and, where reasonably possible, within 72 hours of becoming aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the data subject’s rights and freedoms.
If a personal data breach is not reported to the Commission and the data subject within 72 hours, the breach notification must be accompanied by legitimate grounds for the delay.
If personal data must be transferred to a system outside Pakistan’s borders, or to a system not directly controlled by Pakistan’s government or its entities, it must be ensured that the country to which the data is being transferred has a personal data protection legal regime at least equivalent to the protections provided under this Act, and that the data so transferred is processed in accordance with this Act.
Only a server or data centre in Pakistan will be used to process sensitive personal data.
Personal data that is not classified as critical personal data may be transmitted outside of Pakistan under a framework (with constraints) that the Commission will develop.
According to the proposed law, “the Commission shall establish a method for preserving specific components of sensitive personal data in Pakistan, to which this act applies, provided that such data is linked to public order or national security.”
Aminul Haq, the Federal Minister of Information Technology and Telecommunications, has indicated that the goal of the new legislation is to safeguard individuals and companies while also providing a favourable business atmosphere. The minister indicated that all parties were consulted before the law was drafted.