Data Protection Bill 2023: What’s the problem?

The Personal Data Protection Bill 2023 is easily accessible but has left activists and experts at a loss for words

By Zainab Sabir Mir

KARACHI: The federal cabinet on July 27 approved two new cybersecurity laws, namely the Personal Data Protection Bill 2023 and the E-Safety Bill 2023. These laws should have been welcomed in Pakistan, a country sadly devoid of any clear regulations regarding the protection of consumer data.

However, this was not the case. As soon as news of the bills’ approval spread, digital rights activists, members of civil society, and people and organisations connected to the business, investment, and technology sectors — both from the country and abroad — took to social media to express their discontent, bordering on outrage, with the legislation.

So what’s all the hullabaloo about?

Briefly speaking, the first problem is that the E-Safety Bill cannot be accessed anywhere. While this bill reportedly aims to bring digital media platforms under strict regulations to penalise those who commit any violations, the fact that it is nowhere to be found and has been seen by no one has lots of people feeling a little suspicious. How exactly does the government aim to protect consumers without even sharing the contents of the bill?

Then there’s the Personal Data Protection Bill 2023. This bill is easily accessible on the website of the Ministry of Information and Technology and has left activists and experts at a loss for words.

It will govern the collection, processing, use, and disclosure of personal data and establish and make provisions for offences relating to violation of the right to data privacy of individuals by collecting, obtaining, or processing personal data by any means.

Protection of my data? Finally? That sounds like a good deal; so what’s the problem?

While there is no denying that Pakistan is urgently in need of a data protection law, this bill, according to activists and experts from a range of fields, is full of problems. Not only is it extremely ambiguous, but it is also dubious from a legal and technical point of view.

To delve into these issues, the Centre for Excellence in Journalism (CEJ), IBA held an online session in which experts from various fields voiced their opinions and answered some pressing questions about the 45-page-long bill.

Hosted by Farieha Aziz, the session invited Misbah Naqvi (venture capitalist), Imran Moiuddin (technology expert), Mubariz Siddiqui (legal expert) and Zainab Durrani (digital rights activist) to address the major issues surrounding the Bill and why people are upset.

When asked to share their views on the matter, all agreed, and could not stress enough, that there was indeed a pressing need to protect consumers’ data.

“Only 7 countries don’t have data protection regulations,” Zainab pointed out, while Misbah, from the get-go, said and reiterated that no one was against the law per se.

However, all speakers concurred that one of the biggest problems with the bill was the urgency and secrecy with which it was passed, cutting off any options for feedback from stakeholders across the board.

Zainab said that in the last 4 iterations of the bill — the first of which was shared in 2018 — quite a lot of impact has come from constant revisions.

She stated that while it is not the case that no one was consulted at all, as civil society was asked for feedback on the previous versions, it is important to understand what process was followed afterwards.

“Feedback was asked for and given,” she said, but added that whether it was incorporated was a different matter altogether.

“We were given smaller wins, but bigger issues ignored,” she said, adding that in some places unconstitutional guarantees seemed to have been overlooked in the “final draft”.

Tech concerns

In terms of industry-specific concerns, Imran highlighted some major red flags in the bill, relating to the state of the existing local infrastructure and how the bill would impact the tech sector.

He said that it is essential that the data controller and processors mentioned in the bill aren’t handling data negligently, and that consumers’ data is not exploited.

He further added that it must also be ensured that due process is followed in the implementation of the bill.

“The bill clearly lays out what data can be stored onshore and what is offshore, but what needs to be realised is that Pakistan’s technological infrastructure does not have the same level of maturity you can enjoy with service providers abroad.”

He added that existing cloud options in Pakistan suffer from issues of unreliability and cost.

“While there is a need to protect critical data and keep it onshore, it does not mean your local cloud is more secure and reliable,” he pointed out, adding that the local cloud that is being introduced will be available at a significant premium and will also be less secure.

The ramifications of this are obvious. Moreover, he pointed out that from a technological point of view, the commission being set up needs to provide clear guidelines to cloud vendors about what would make them good, safe, reliable platforms for consumers’ ease.

“These standards have not been defined in the bill,” he said, adding that neither was it clear who would pay that extra cost incurred by businesses if they were to switch to local cloud services.

“We say we want to encourage AI and tech, but can the government ensure a reliable and cost-effective cloud option?” he asked.

He further pointed out that the bill had some “open-ended statements”, including the term “best international security standards”.

He pointed out this term was both ambiguous and subjective.

“The government needs to tell what bare minimum standards are expected from vendors. Is it CIS, PCI DSS or SOC 2?” he asked, adding that while the bill defined clear penalties for violators, it did not address whether controllers would be held liable if users shared their data insecurely.

Investors’ concerns

Misbah, on the other hand, shared the concerns of the investment sector and how the bill is likely to impact business and foreign investment.

She said that the bill was restrictive for companies both in the tech sector and others, adding that startups usually relied on clouds and international data sources.

“Localisation will impact these startups and businesses negatively,” she said.

She further raised concerns that the bill would also discourage foreign investors, since it contributed to raised costs for businesses and also adversely affected efficacy and ease of doing business.

Reiterating that the investment sector had no qualms with having a data protection bill, she emphasised that it must, however, engage all stakeholders, creating dialogue and generating feedback, instead of being one “sweeping law”.

“There is also the human rights aspect,” she pointed out.

“Where is data going? To whom? Who can access it and how easily? Parameters regarding these should be clear.”

The legal aspect

Asked if he thought that the bill may end up being a “compliance nightmare” from a legal standpoint, Mubariz said that while there is no denying the need for a data protection bill, this one has been approached too much from a security point of view.

Business and other aspects have been sacrificed, he noted, adding that while the importance of keeping data onshore had been emphasised, doing so would not guarantee the data’s safety.

“What we are lacking and may not get soon is cloud infrastructure in the way it is available abroad,” he said.

He further stated that the bill may end up creating many restrictions.

He added that people in the country were already used to circumventing laws and finding loopholes; the bill, however, had added impediments, especially for international investment, while compliance issues would continue to exist.

There is no clarity regarding data protection obligations, he said, adding that compliance would continue to be an issue.

He also pointed out that several small businesses and non-digital setups, too, rely on tools such as WhatsApp and Instagram. In that light, working or attempting to work in complete isolation would only negatively impact businesses.

In response to a query on whether the bill would make room for the abuse of discretionary powers, he responded: “We do that regardless, we’ve banned platforms instead of content; now it will have a bit more legal cover, which will result in civil liberties issues.

“It will not be surprising if this bill is abused.”

Civil rights concerns

When asked to comment on what rights of users and businesses may be contravened by the bill, Zainab stated that despite being a fundamental right granted by the Constitution, privacy was treated more like something you wanted only if you were sure to have done something wrong or had something to hide.

She added that data localisation should be done away with as it was not practical.

“We cannot afford to host it here,” she said, further pointing out that there was a lack of transparency on how data is stored in the country by government agencies.

For instance, she said, where does the closed-circuit television (CCTV) footage go?

Another issue she pointed out was whether the commission that is going to be set up would be autonomous.

If the commission is not autonomous outright, it may be “toothless”, she said.

“If the federal government has the power to intervene in the commission’s working and will decide who works there, the commission’s efficacy will be suspect.”

She added that for the commission to actually be useful, it needed to be equipped and empowered.

Zainab also emphasised that definitions had been a major concern since the first draft in 2018.

For instance, the terms “consent” and “critical personal data” were defined only after feedback from civil society was given.

She further said that some definitions were still “problematic”.

“What does legitimate interest mean? What will stop powers that be from misusing data by terming it ‘legitimate interest’?” she asked.

On the whole, the consensus was clear: no one had issues with the existence of a bill. What was troublesome to all was the sheer absence of feedback from relevant stakeholders that could help iron out the ambiguity and the problems in the bill — without which the bill, like many other laws in the country, could end up being a tool in a political game, only this time with a legal cover.

As Mubariz put it: “Do it once, but do it right.”


Zainab Sabir Mir is a staffer. She tweets @the_zainini