ISLAMABAD: The Ministry of Information Technology and Telecommunication has finalised the “Personal Data Protection Bill, 2021” and sent it to the Law Ministry for vetting, proposing up to Rs25 million fine for those who processes or cause to be processed, disseminates or discloses personal data in violation of any of the provisions of the proposed legislation.
The proposed legislation will govern the collection, processing, use, and disclosure of personal data and to establish and making provisions about offences relating to violation of the right to data privacy of individuals by collecting, obtaining, or processing of personal data
by any means. “Whereas, it is expedient to provide for the processing, obtaining, holding, usage, and disclosure of data, while respecting the rights, freedoms, and dignity of natural persons with special regard to their right to privacy, secrecy, and personal identity and for matters connected therewith and ancillary thereto,” the draft bill reads.
The draft bill further stated that in today’s digital age, personal data has become an extremely valuable commodity and for many businesses, the sole source of their income is the personal data of users they generate. Personal data is often being collected, processed, and even sold without the knowledge of a person. In some cases, such personal information is used for relatively less troublesome commercial purposes, e.g., targeted advertising, etc. However, the data so captured or generated can be misused in many ways e.g., blackmail, behaviour modification, phishing scams, etc.
To realise the goal of full-scale adoption of e-government and delivery of services to the people on their doorsteps, and increase users’ confidence in the confidentiality and integrity of government databases, it is essential that the users’ data is fully protected from any unauthorised access or usage and remedies are provided to them against any misuse of their data. Additionally, the accelerated increase in the use of broadband with the advent of the Next Generation Mobile Service and Networks in Pakistan led to an increasingly enhanced reliance on technology calling for the protection of people’s data against any misuse; thus, maintaining their confidence in the use of new technologies without any fear.
Whereas sectoral arrangements/frameworks exist in Pakistan that provides for data protection and Prevention of Electronic Crimes Act 2016 (Act No XL of 2016) deals with the crimes relating to unauthorised access to data, there is a need for putting in place a comprehensive legal framework in line with our Constitution and international best practices for personal data protection.
Protecting personal data is also necessary to provide legal certainty to the businesses and public functionaries concerning the processing of personal data in their activities. The desired legal framework would spell out the responsibilities of the data controllers and processors, as well as, rights and privileges of the data subjects along with institutional provisions for regulation of activities relating to the collections, storing, processing, and usage of personal data.
The collection, processing and disclosure of personal data shall only be done as necessary in compliance with the provisions of the proposed Act. The data be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
A data controller shall not process personal data including sensitive personal data of a data subject unless the data subject has given his consent to the processing of the personal data. A separate consent shall be obtained from the data subject for each purpose. Notwithstanding sub-section (1), a data controller may process personal data about a data subject if the processing is necessary for either of the following:- (a) for the performance of a contract to which the data subject is a party; (b) for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract; (c) in order to protect the vital interests of the data subject; (d) for the administration of justice pursuant to an order of the court of competent jurisdiction; (e) for legitimate interests pursued by the data controller; or (f) for the exercise of any functions conferred on any person by or under any law.
Personal data shall not be processed unless— (a) the personal data is processed for a lawful purpose directly related to an activity of the data controller; (b) the processing of the personal data is necessary for or directly related to that purpose; and (c) the personal data is adequate but not excessive in relation to that purpose.
Subject to Section 24, no personal data shall, without the consent of the data subject, be disclosed— (a) for any purpose other than— i. the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or ii. a purpose directly related to the purpose referred to in subparagraph (i); or (b) to any party other than a third party of the class of third parties as specified in clause (e) of sub-section (1) of section 6. The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose or as required under the law. It shall be the duty of a data controller to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed or as required under sub-section (1).
In the event of a personal data breach, data controller shall without undue delay and where reasonably possible, not beyond 72 hours of becoming aware of the personal data breach, notify the Commission and the data subject in respect of the personal data breach except where the personal data breach is unlikely to result in a risk to the rights and freedoms of data subject.
In the event of delay in notifying personal data breach beyond 72 hours, the personal data breach notification to the Commission and the data subject shall be accompanied by valid reasons for the delay.
If personal data is required to be transferred to any system located beyond territories of Pakistan or system that is not under the direct control of government of Pakistan or entity/entities of Pakistan, it shall be ensured that the country where the data is being transferred offers personal data protection legal regime at least equivalent to the protection provided under this Act and the data so transferred shall be processed in accordance with this Act and, where applicable, the consent given by the data subject.
Critical personal data shall only be processed in a server or data centre located in Pakistan.
Personal data other than those categorise as critical personal data may be transferred outside the territory of Pakistan under a framework (on conditions) to be devised by the Commission.
The Commission shall also devise a mechanism for keeping some components of the sensitive personal data in Pakistan to which this act applies, provided that related to public order or national security, reads the draft bill.