ISLAMABAD: The Ministry of Information Technology and Telecommunication has finalised the “Personal Data Protection Bill” aimed at realising the goal of full-scale adoption of e-government, increasing users’ confidence, and protecting users’ data from any unauthorised access or usage but initially covering individuals, and not business consumers.
This has been confirmed by Federal Minister for Information Technology and Telecommunication Aminul Haque, while sharing some details of the bill through a spokesperson.
According to another official statement, a high-level meeting was held under the Federal Minister for IT and Telecommunication, here on Thursday.
The meeting was attended by Secretary IT Shoaib Ahmad Siddiqui and senior officers of the ministry.
Haque has stated that the Personal Data Protection Bill under the ministry has entered the final stages.
The bill includes points to maintain privacy and economic continuity.
The purpose of the bill is to protect Pakistani consumers and promote economic activities, the minister added.
Preparation of Data Protection Bill includes consultation and suggestions of all the stakeholders.
The bill gives primary importance to the subject ‘Consumer’.
Initially, this policy is for individual consumer and business consumer not included, said the minister, adding that the data bill takes into account all international rules and the policies of social media companies.
The Data Protection Bill covers fundamental rights including human rights and digital rights.
The draft of Personal Data Protection Bill will be sent to the concerned department soon for legalisation, said the minister, adding that after the approval of the bill, the data of Pakistani consumers will be safe according to international standards.
The proposed legislation, which was drafted back in 2017, was delayed due to one reason or the other.
The draft bill has almost been finalised and would be presented for the Parliament’s approval anytime soon.
The legislation would give comfort to users by protecting their data.
The government has also proposed constituting a “Data Protection Authority” that will work to curb the misuse of data and protect personal information of citizens.
The Ministry of Information Technology and Telecommunication had drafted the “Personal Data Protection Bill, 2020” and sought feedback from all the stakeholders, proposing up to Rs25 million fine for those who process or cause to be processed, disseminate or disclose personal data and sensitive data in violation of any of the provisions of the proposed legislation.
The proposed legislation will govern the collection, processing, use and disclosure of personal data and to establish and make provisions about offences relating to violation of the right to data privacy of individuals by collecting, obtaining or processing of personal data by any means.
Whereas, it is expedient to provide for the processing, obtaining, holding, usage and disclosure of data, while respecting the rights, freedoms and dignity of natural persons with special regard to their right to privacy, secrecy and personal identity and for matters connected therewith and ancillary thereto.
A data controller would not process personal data including sensitive personal data of a data subject, unless the data subject has given his consent to the processing of the personal data.
Provided that if personal data is required to be transferred to any system located beyond territories of Pakistan or system that is not under the direct control of any of the governments in Pakistan, it will be ensured that the country where the data is being transferred offers personal data protection at least equivalent to the protection provided under this Act and the data so transferred will be processed in accordance with this Act and, where applicable, the consent given by the data subject.
Critical personal data will only be processed in a server or data centre located in Pakistan.
The proposed legislation states that digitization of businesses and various public services employing modern computing technologies involve processing of personal data.
The growth in technological advancement has not only made it easier to collect personal data but also enabled processing of personal data in so many ways that were not possible in the past.
The personal data is often being collected, processed and even sold without knowledge of a person.
In some cases, such personal information is used for relatively less troublesome commercial purposes e.g. targeted advertising etc.
However, the data so captured or generated can be misused in many ways e.g. blackmail, behavior modification, phishing scams etc.
In order to realise the goal of full-scale adoption of e-government and delivery of services to the people at their doorstep, and increase users’ confidence in the confidentiality and integrity of government databases, it is essential that the users’ data is fully protected from any unauthorised access or usage, and remedies are provided to them against any misuse of their personal data.
Additionally, accelerated increase in the use of broadband with the advent of 3G/4G in Pakistan led to an increasingly enhanced reliance on technology calling for protection of people’s data against any misuse, thus, maintaining their confidence in the use of new technologies without any fear.
Whereas sectoral arrangements/frameworks exist in Pakistan that provide for data protection and the Prevention of Electronic Crimes Act, 2016, deals with the crimes relating to unauthorised access to data, there is a need for putting in place a comprehensive legal framework in line with the Constitution and international best practices for personal data protection.
Protecting personal data is also necessary to provide legal certainty to the businesses and public functionaries with regard to processing of personal data in their activities.
The desired legal framework would clearly spell out the responsibilities of the data collectors and processors as well as rights and privileges of the data subjects along with institutional provisions for regulation of activities relating to the collections, storing, processing, and usage of personal data.
Within six months of coming into force of this Act, the federal government will, by notification in the official Gazette, establish an authority to be known as the Personal Data Protection Authority of Pakistan, to carry out the purposes of this Act.
The authority will be a statutory corporate body having perpetual succession and a common seal, and may sue and be sued in its own name and, subject to and for the purposes of this Act, may enter into contracts and may acquire, purchase, take and hold moveable and immovable property of every description and may convey, assign, surrender, charge, mortgage, reassign, transfer or otherwise dispose of or deal with, any moveable or immovable property or any interest vested in it and, will enjoy operational and administrative autonomy, except as specifically provided for under this Act.
The authority will be an autonomous body under the administrative control of the federal government with its headquarters in Islamabad.
The authority will be responsible to protect the interest of the data subject and enforce protection of personal data, prevent any misuse of personal data, promote awareness of data protection, and will entertain complaints under this Act.
Copyright Business Recorder, 2021