E-commerce policy: Pakistan lacks privacy, consumer protection statutes: ADB

ISLAMABAD: Pakistan does not have a privacy statute of general application or a national consumer protection statute, which applies directly to electronic commerce, says the Asian Development Bank (ADB).

The ADB in its report, "E-commerce in CAREC countries, laws and policies", stated that as a national priority, Pakistan adopted an e-commerce policy in 2019 to create an enabling environment for holistic growth of e-commerce across all sectors of the country, including plans for national single-window and cross-border e-commerce.

Pakistan adopted an Electronic Transactions Ordinance in 2002; there is no available information of any update during this study. The ordinance is quite different from the laws of other CAREC members.

It adopts large parts of the Model Law on Electronic Commerce (MLEC). The ordinance indicates that the requirement for signatures "shall be deemed satisfied" where electronic signatures or advanced electronic signatures are applied.

The report further noted that the ordinance does not require either evidence of intention or any degree of reliability. However, reliability is supported by the use of an "advanced electronic signature."

With such a signature, it is presumed that the signed document is authentic and has integrity; or that the signature is that of the person to whom it correlates, it was affixed for the purpose of signing or approving the document, and the e-document has not been altered since it was signed.

An advanced e-signature can be made in two ways. The first is to create it in the circumstances which the MLES says makes for a reliable signature. The second is to have it created by an accredited CSP considered by a government supervisory agency-the Electronic Certification Accreditation Council (ECAC) - to be capable of establishing authenticity and integrity.

Not all CSPs need to be accredited. Detailed regulations govern the accreditation process. The ordinance describes in detail the composition of the ECAC and its functions. Public bodies-known as "appropriate authority" in the ordinance-may accept or reject electronic documents and payments.

If they decide to accept them, the authorities may specify the technology and the process to ensure the integrity of the information received. They are not in a position to negotiate the format, so the ordinance gives them the power to impose it.

The regulator of the accreditation system, the ECAC, is allowed to recognise or accredit foreign CSPs. The ordinance does not indicate the grounds on which such arrangements might be made or whether they should be reciprocal. The ECAC's Accreditation Regulations say that a CSP formed in another country can get permission under corporate law to carry on business in Pakistan, and then apply for accreditation.

The report stated that Pakistan does not have a privacy statute of general application. The ordinance allows the ECAC to make regulations about privacy and the protection of personal data of subscribers to signature certificates from CSPs.

The Prevention of Electronic Crimes Act of 2016 prohibits the unauthorised obtaining, sale, possession, transmission, or use of a person's "identity information."

A person who has been the victim of such activities may apply to the Pakistan Telecommunication Authority (PTA) to have the information secured, blocked, or prevented from being further transmitted.

The National Database and Registration Authority, which maintains records for all citizens of Pakistan and runs the national identity card program, has strict rules about keeping its information confidential.

Cross-border sharing of personal data is more likely to be focused on the same security priorities than on protecting individuals from undue commercial exploitation.

The ordinance prohibits entering computer systems to see or take the information in them- a provision headed "violation of privacy of information," although it is not in the nature of personal data protection. It also bans and penalizes causing damage to information systems.

The principal source of cyber crime law is the Prevention of Electronic Crimes Act of 2016. This statute prohibits most or all of the activities that the Budapest Convention of 2001 requires member states to ban: unauthorised access to information systems, unauthorised copying of data, interference with an information system (particularly with regard to critical infrastructure systems), forgery, fraud, supplying of malware devices, spamming, spoofing, and several others.

It focuses as well on offenses relating to terrorism, including "cyber-terrorism"-that is, using e-communications for spreading fear or inciting hate, "glorification" of terrorism, hate speech, and recruiting for terrorism.

The act contains an array of procedural rights and techniques used to fight cyber crime. It is by far the most extensive legislation on this topic among CAREC members. It allows for anticipatory action and censorship, including removing content from information systems by the decision of the PTA.

The act contains a substantial set of provisions about cooperating with foreign countries (both for collecting information and for sharing it) for the purpose of investigation or prosecution of electronic crimes. Pakistan may also refuse to accede to a foreign government's request for a number of reasons, including that Pakistan's interests would be prejudiced and that the request was made for an improper purpose.

Pakistan has no national consumer protection statute. Each of its provinces, including the capital region, has a statute on the topic, but most of them were enacted in the 1990s or earlier and do not apply directly to electronic commerce. The legislation focuses mainly on the safety of consumer products being sold in the provinces.

The province of Sindh is the exception, with a consumer protection statute enacted in 2015. It deals with safety issues, but also with misrepresentation and warranties. It was drafted in media-neutral language so could apply to e-commerce transactions.

However, the only express reference to such transactions is in the definition of "advertising," which includes internet communications, short message service, and other electronic media.

Typical online consumer protection measures found elsewhere, like the right to receive a contract within a short time of the transaction or rescission rights, are not mentioned, it added.

Copyright Business Recorder, 2021