EDITORIAL: The Federal Board of Revenue’s (FBR’s) recent decision to classify taxpayers’ data as critical infrastructure under the Prevention of Electronic Crimes Act (PECA) 2016 is a necessary, albeit delayed, step in addressing the growing concerns over data security in Pakistan.

While the move is welcomed, it raises critical questions about the timing and execution of such decisions, especially in light of past breaches involving sensitive taxpayer information.

Taxpayer data is one of the most sensitive assets a state can possess. It reflects the financial honesty of citizens and serves as the backbone of a country’s economic framework.

The declaration by the FBR to protect this data through PECA recognises the vulnerability of such information in today’s digital age. However, one must ask why this realisation came so late, considering the frequent reports of leaks, unauthorised access, and data misuse that have plagued government agencies in the past.

The most glaring example of these lapses occurred in the case of Sarina Isa, the wife of Supreme Court Justice Qazi Faez Isa. The unauthorised leak of her tax records brought to light the severe shortcomings in the system designed to protect such information. Despite the significant legal consequences that followed, it remains an example of the grave risks associated with poorly secured taxpayer data.

The FBR’s latest decision attempts to address such issues by classifying taxpayer data as critical infrastructure, ensuring that such breaches will be harder to execute in the future.

While the decision is a step forward, its implementation remains the real test. The PECA Act is far-reaching in its scope, imposing harsh penalties for any unauthorized access to critical data, including imprisonment and hefty fines. But legal provisions alone are insufficient.

The FBR must now ensure the creation of a secure and robust framework for data protection. This requires not only technical safeguards but also accountability measures within the FBR and other related agencies. If the decision is to have any real impact, it must be followed by comprehensive training for officials, the establishment of transparent audit systems, and continuous improvements in cyber security measures.

Furthermore, it is crucial to recognize that classifying taxpayer data as critical infrastructure is not a catch-all solution.

Data protection must evolve alongside emerging threats, and it is vital that the government doesn’t rest on this step alone. Pakistan needs to develop a culture of cyber security awareness that extends beyond government institutions to the private sector as well. The global landscape of cybercrime is continuously changing, and the state must be prepared to adapt.

This declaration has the potential to set a positive precedent, but it cannot be seen as a panacea. The state’s past track record with sensitive data handling has been less than stellar, and it will take more than new legislation to restore public confidence. The actions taken in the coming months will be crucial in determining whether this decision is a genuine effort to secure taxpayer data or another case of reacting to a crisis after it has already occurred.

By taking steps to secure taxpayers’ data, the FBR has responded to a growing issue that has sparked public debate. However, while this move is necessary, it must be seen as part of a broader strategy to ensure that Pakistan’s digital infrastructure is secure and that citizens’ data is protected at all levels of government. If this decision is to carry weight, the government must prove its commitment by ensuring that the measures implemented are not just theoretical but actively working to protect the rights of its citizens.

Copyright Business Recorder, 2025