Draft data protection bill does not address industry’s major concerns, claims AIC
ISLAMABAD: The Asia Internet Coalition (AIC) comprising global digital media giants raised several questions on “Pakistan Draft Data Protection Bill 2023” while saying it does not address a majority of the industry’s substantive concerns such as stringent limitations on cross-border data flows and mandatory data localisation.
“In its current form, the Bill will have a negative impact on the ability of foreign internet companies to trade with and operate in Pakistan, hindering the country’s economic recovery and deterring foreign investment. Local Pakistani companies may lose access to cost-efficient global cloud services making them less competitive as they incur substantial costs to operate and maintain servers,” said Jeff Paine Managing Director AIC in a letter addressed to Amin ul Haque, Federal Minister for Information Technology and Telecommunication. A copy of the letter is also forwarded to Prime Minister Shehbaz Sharif.
MD stated on behalf of the AIC and its members, recommendations were submitted on Personal Data Protection Bill 2023, which was moved by Senator Afnan Ullah Khan as a Private Member Bill before the Pakistani Senate on 13 February 2023 (the Bill).
There are 16 core issues which have been identified in the Bill. Out of these 16 issues, the issues that have a material impact on the industry and business operations in Pakistan include: (1) the requirement to store personal data in Pakistan; (2) the regulator’s power to expand on the list of what constitutes “sensitive personal data” and impose further conditions for the processing of sensitive personal data; (3) prohibitions on certain types of processing for personal data of children; (4) the absence of “legitimate interest” as a legal basis for processing personal data; and (5) the regulator’s residual power to formulate specific regulations for “big/large data fiduciary/processors, along with other categories”, the letter read.
“We find that the Draft Bill still does not address a majority of industry’s substantive concerns such as stringent limitations on cross-border data flows and mandatory data localization, overbroad and vague definitions of key terms such as sensitive personal data and critical personal data, and globally divergent data subject rights, as well as far-reaching powers of the Commission.
These provisions fall short of international standards for data protection (such as GDPR) and will adversely impact Pakistani consumers and businesses.
In its current form, the Bill will have a negative impact on the ability of foreign internet companies to trade with and operate in Pakistan, hindering the country’s economic recovery and deterring foreign investment. Local Pakistani companies may lose access to cost-efficient global cloud services making them less competitive as they incur substantial costs to operate and maintain servers,” MD added.
The letter further noted that the protection of personal data is an important component of any privacy framework, and we appreciate the opportunity to provide feedback on the Draft Bill. AIC and its members have worked closely with governments around the world in relation to the development of national personal data protection policies and legislation.
In doing so, we have witnessed first-hand the potential for such policies and legislation to effectively protect the privacy interests of citizens without hindering innovation and technological advancement.
We recognize the on-going efforts of the Government of Pakistan and the Ministry of Information Technology and Telecomm-unications (MOITT) in further fine-tuning the draft legislation, but we continue to have concerns, particularly on cross-border transfer of “critical” and “sensitive” personal data.
The AIC requested for an industry meeting to better understand the views and priorities stemming from the Bill.
This introductory meeting can also discuss potential areas of collaboration as well as opportunities for consultation that can further assist the government’s review of the Personal Data Protection Bill 2023. MD also welcomed a video conference meeting with the minister and his team.
The Coalition noted that the Private Member’s Bill does not address earlier industry concerns such as stringent limitations on cross-border data flows and mandatory data localisation. The Bill appears to impose a broad data localisation mandate on all personal data.
Section 30(1) of the Private Member’s Bill reads: “Every data fiduciary shall ensure personal data is stored on a server or data centre based in Pakistan.” While both previous and the latest MOITT Draft Bill provide certain additional legal bases for the cross-border transfer of personal data (e.g. explicit consent/binding contracts/international cooperation), the Private Member’s Bill only enables cross-border transfer if it is determined that the jurisdiction to which data is being exported offers equivalent protection.
The Coalition recommended for removing the requirement to store personal data on a server or data centre in Pakistan under Section 30(1) of the Bill; and b. remove the prohibition on the transfer of critical personal data and “some components of sensitive personal data” outside of Pakistan under Section 31 of the Bill.
Copyright Business Recorder, 2023
Comments
Comments are closed.