By Media Matters for Democracy Islamabad, 27 April 2020
This article was republished from MMfD.
Media Matters for Democracy (MMfD) is concerned about the insertion of draconian and anti-democratic sections in the draft Personal Data Protection Bill 2020 that has been made public by the Ministry of Information Technology and Telecommunications (MoITT) for public consultation. While we appreciate that the government has opened the draft for public consultation, we remain concerned as the current draft clearly demonstrates that the feedback from the previous two rounds of consultation has been completely disregarded. We are alarmed that a law that has been in the making since 2017 and has already undergone multiple consultative processes has now been redrafted to introduce measures that are not only anti-democratic but also a negation of international best practices.
We wish to remind the government that the purpose of a data protection law is to protect citizens from the misuse and abuse of personal data, and not to create ways to enable a government’s access and control over the data. We also want to remind the government that the creation of a Privacy Commission, that holds the mandate to protect citizens in a watchdog capacity, is an established best practice across the world, as opposed to the creation of a powerful Authority that has been given powers to control citizen’s data for ‘security reasons’ in whatever way it might.
We view this draft as a dangerous tool to gain access to and control citizen’s personal data and information, and remain particularly concerned about:
The establishment of the Personal Data Protection Authority of Pakistan (the Authority), within which the government has attempted to consolidate all powers, including the power of (delegated) legislation, investigation and the judiciary. This disregard of the constitutional principle of separation of powers demonstrates an attempt to centralise power, which will enable unlimited access to, and exercise of strict controls over citizens’ data. The existing Authority or commission should be independent from the involvement of existing government ministries.
Giving the Authority powers to create definitions and rules that go well beyond general rule-making powers. This will fundamentally alter how the law is interpreted and implemented in the long run. This draft also tries to create a structure that undermines the authority of the Parliament and effectively allots the power of legislation to a ‘statutory corporate body’ designed and controlled by the Federal Government.
Sections like 32.5, which allows the Federal Government to change the composition of the Authority at will, as this demonstrates ill will and an intentional attempt to undermine democratic institutions like the Parliament by creating structures that could potentially legalise abuse of power over citizens’ data.
Allowing the Authority to define Critical Personal Data that will include different protections. Again, this is an attempt to increase the scope of delegated legislation well beyond reasonable bounds.
The introduction of a licensing framework for data controllers and data processors on Personal Data Protection in Pakistan, as defined in Section 35(f) is an attempt to push for localisation of International Corporations, which is neither a global best practice, nor something that International Corporations are likely to consider seriously. Given the history of control and repression, the attempt to create a licensing regime for everyone who holds and processes data also appears to be a veiled attempt to increase state’s access and control over citizens’ information and expression.
The vague definitions and the use of undefined (and undefinable) terms like strategic interests, vital interests, and the like, that are used in multiple sections to create exceptions for protections in regards to citizens’ rights.
Moreover, we are concerned that the draft does not demonstrate integrability with international data transfer mechanisms, such as the APEC Cross-Border Privacy Rules and other such frameworks. Instead, it attempts to create national, localised policies to govern international data transfer, a mechanism that is inherently international in nature. This is also demonstrative of the attempt to create centralised control mechanisms.
The government also needs to revisit the underlying assumption that personal data is the property of the government or the state rather than citizens. We remind the government that the data protection legal regime has to prioritise the protection of citizens while remaining cognisant of international best practices and democratic values when designing any legislative instrument.
We also remind the government that failing to adopt legislation that can demonstrate equivalency to the General Data Protection Regulation (GDPR) may also limit access to European IT markets, thereby creating a negative impact on the digital economy of Pakistan.
We urge the government to review the introduction of authoritarian structures like the Personal Data Protection Authority of Pakistan and instead take approaches that are rights-respecting and further democratic values. The drafting of the data protection legislation has been ongoing since 2017, and after three years, it is essential that the rights of Pakistani citizens are protected in the most effective manner possible. Thus, we strongly urge the government to review and redraft this Bill, taking into consideration internationally acknowledged mechanisms such as the GDPR, to create a legislative framework that takes into consideration precedents set by such regulations and as well as the recommendations of the United Nations.