ISLAMABAD: The Ministry of Information Technology and Telecommunication has finalized the “Personal Data Protection Bill, 2020” aimed at realising the goal of full-scale adoption of e-government, increasing users’ confidence and protecting users’ data from any unauthorised access or usage.
This was confirmed by Shoaib Ahmad Siddiqui, secretary of Ministry of Information Technology and Telecommunication, while talking to the Business Recorder.
He further said that the draft bill had almost been finalized and would be presented for the cabinet’s approval soon.
The secretary said that the legislation would give comfort to users by protecting their data.
The government has also proposed constituting a “Data Protection Authority” that will work to curb the misuse of data and protect personal information of citizens.
However, the secretary said that the Data Protection Authority was not finalized yet.
The Ministry of Information Technology and Telecommunication had drafted the “Personal Data Protection Bill, 2020” and sought feedback from all the stakeholders, proposing up to Rs25 million fine for those who process or cause to be processed, disseminate or disclose personal data and sensitive data in violation of any of the provisions of the proposed legislation.
The proposed legislation, which was drafted back in 2018, was delayed due to one reason or the other.
The proposed legislation will govern the collection, processing, use and disclosure of personal data and to establish and make provisions about offences relating to violation of the right to data privacy of individuals by collecting, obtaining or processing of personal data by any means. Whereas, it is expedient to provide for the processing, obtaining, holding, usage and disclosure of data, while respecting the rights, freedoms and dignity of natural persons with special regard to their right to privacy, secrecy and personal identity and for matters connected therewith and ancillary thereto.
A data controller would not process personal data including sensitive personal data of a data subject, unless the data subject has given his consent to the processing of the personal data.
Provided that if personal data is required to be transferred to any system located beyond territories of Pakistan or system that is not under the direct control of any of the governments in Pakistan, it will be ensured that the country where the data is being transferred offers personal data protection at least equivalent to the protection provided under this Act and the data so transferred will be processed in accordance with this Act and, where applicable, the consent given by the data subject.
Critical personal data will only be processed in a server or data centre located in Pakistan.
The proposed legislation states that digitization of businesses and various public services employing modern computing technologies involve processing of personal data.
The growth in technological advancement has not only made it easier to collect personal data but also enabled processing of personal data in so many ways that were not possible in the past.
The personal data is often being collected, processed and even sold without knowledge of a person.
In some cases, such personal information is used for relatively less troublesome commercial purposes e.g. targeted advertising etc.
However, the data so captured or generated can be misused in many ways e.g. blackmail, behavior modification, phishing scams etc.
In order to realise the goal of full-scale adoption of e-government and delivery of services to the people on their doorsteps, and increase users’ confidence in the confidentiality and integrity of government databases, it is essential that the users’ data is fully protected from any unauthorised access or usage, and remedies are provided to them against any misuse of their personal data.
Additionally, accelerated increase in the use of broadband with the advent of 3G/4G in Pakistan led to an increasingly enhanced reliance on technology calling for protection of people’s data against any misuse, thus, maintaining their confidence in the use of new technologies without any fear.
Whereas sectoral arrangements/frameworks exist in Pakistan that provide for data protection and the Prevention of Electronic Crimes Act, 2016, deals with the crimes relating to unauthorised access to data, there is a need for putting in place a comprehensive legal framework in line with the Constitution and international best practices for personal data protection. Protecting personal data is also necessary to provide legal certainty to the businesses and public functionaries with regard to processing of personal data in their activities.
The desired legal framework would clearly spell out the responsibilities of the data collectors and processors as well as rights and privileges of the data subjects along with institutional provisions for regulation of activities relating to the collections, storing, processing, and usage of personal data.
Within six months of coming into force of this Act, the federal government will, by notification in the official Gazette, establish an Authority to be known as the Personal Data Protection Authority of Pakistan, to carry out the purposes of this Act.
The authority will be a statutory corporate body having perpetual succession and a common seal, and may sue and be sued in its own name and, subject to and for the purposes of this Act, may enter into contracts and may acquire, purchase, take and hold moveable and immovable property of every description and may convey, assign, surrender, charge, mortgage, reassign, transfer or otherwise dispose of or deal with, any moveable or immovable property or any interest vested in it and, will enjoy operational and administrative autonomy, except as specifically provided for under this Act. The authority will be an autonomous body under the administrative control of the federal government with its headquarters in Islamabad.
The authority will be responsible to protect the interest of the data subject and enforce protection of personal data, prevent any misuse of personal data, promote awareness of data protection, and will entertain complaints under this Act.
Copyright Business Recorder, 2020