Power, privacy and governance

In today's Pakistan, data has quietly become one of the most powerful instruments of governance. From identity cards and voter rolls to tax records, telecom metadata and social media activity, the state now sees its citizens increasingly through databases.

Used responsibly, this data can drive development, transparency and inclusion. Used carelessly or coercively, it can deepen inequality, erode trust and undermine democracy.

Pakistan stands at a critical crossroads in its data governance journey, especially after the passing of the Digital Nation Pakistan Act 2025.

While the country has made significant progress in digitisation and data collection, the legal and institutional framework governing data remains fragmented, outdated and heavily skewed in favour of state control rather than citizen rights.

Pakistan’s public sector holds some of the largest and most sensitive datasets in South Asia. Nadra maintains one of the world’s most comprehensive biometric identity databases. The Election Commission manages detailed voter information. The Federal Board of Revenue, State Bank of Pakistan, telecom operators and regulators collectively hold vast financial and behavioural data on citizens and businesses.

Yet, despite the scale of data collection, Pakistan still lacks a comprehensive, enforceable data protection law. Privacy is recognised as a fundamental right under Article 14 of the Constitution, but in practice it remains weakly protected. The long-pending Personal Data Protection Bill has been revised multiple times since 2005, and the last draft available is of 2023, but it has yet to become law. In the meantime, citizens' personal data continues to circulate across government departments and private entities with minimal oversight, weak consent mechanisms and questionable security safeguards.

Recent data breaches, including leaks involving millions of identity records, have exposed the system's vulnerability. When citizens have no effective legal remedy against the misuse of their data, trust in digital governance erodes rapidly.

Pakistan has formally committed itself to transparency and access to information. The Right of Access to Information Act, 2017, gives citizens the constitutional right to request information from public bodies. Government departments publish budgets, economic surveys, procurement tenders and statistical reports online.

Institutions like the Pakistan Bureau of Statistics provide gender-disaggregated data critical for development planning.

However, this openness is uneven and often superficial. Much of the published data is outdated, incomplete, or locked in non-machine-readable formats such as scanned hard copies, limiting meaningful analysis. Pakistan’s experience with the Open Government Partnership is telling: after joining in 2016, the country failed to submit an action plan and was ultimately removed in 2022.

At the same time, broad and vaguely worded legal exceptions allow the state to withhold information on grounds of "public interest" or "national security" with little transparency or accountability. Ministers can unilaterally block disclosure, and secrecy laws dating back to the colonial era continue to cast a long shadow over governance.

Details of defence procurement, lawful interception systems, technical surveillance capabilities and orders directing internet slowdowns, social media bans, or content blocking are rarely made public and are routinely excluded from disclosure under RTI laws on grounds of national security.

Few areas illustrate the imbalance in Pakistan’s data governance framework more clearly than telecommunications and online content regulation. Under existing laws and rules, the state enjoys sweeping powers to intercept communications, block online platforms, restrict content and retain user data.

The frequent suspension or throttling of social media platforms, often during politically sensitive moments, has become a routine governance tool. This was immediately apparent before the 2024 elections, aimed at disrupting the virtual campaign of a particular political party. Entire platforms have been blocked for extended periods, disrupting journalism, civic discourse and the digital economy.

Credible international news agencies like Al-Jazeera reported the installation of advanced internet filtering and monitoring systems; if true, this raises serious concerns about mass surveillance and its chilling effect on free expression.

While national security is a legitimate concern, democratic societies recognise that security measures must be lawful, proportionate and subject to independent oversight. In Pakistan, the absence of transparent safeguards risks normalising censorship and unchecked state surveillance.

Proponents of expansive state data powers often argue that Pakistan's security challenges and development needs justify stronger controls. But international experience shows that development and rights are not mutually exclusive. In fact, sustainable digital transformation depends on public trust.

Consider Nadra's role in enabling social protection, disaster response and financial inclusion. These achievements demonstrate how data can serve the public good. Yet the same institution operates commercially, selling verification services to private entities, while citizens have limited visibility into how their data is shared or monetised. Consent mechanisms remain opaque and accountability is weak.

Similarly, while Pakistan has made progress in recognising marginalised communities, such as the legal recognition of transgender persons, the persistent undercounting and data gaps highlight how governance failures can perpetuate exclusion even in a data-rich environment.

Pakistan does not need more data; it needs better rules for governing it. As suggested in the "Harnessing Data for Democratic Development in South and Southeast Asia" project of LIRNEasia, five urgent steps can help restore balance between state power, citizen rights and economic innovation.

First, parliament must enact a strong, independent and enforceable data protection law that places citizens, not institutions, at its centre. This law must apply equally to the public and private sectors and provide real remedies for misuse.

Second, data governance institutions must be strengthened. Regulators should be independent, adequately resourced and empowered to audit government entities, not just private companies.

Third, transparency must move beyond symbolism. Open data should be timely, accurate and machine-readable, with clear standards for interoperability across government systems.

Fourth, security laws and content regulation frameworks must be narrowed, clarified and subjected to judicial oversight to prevent abuse and political censorship.

Finally, citizens must be treated as rights-holders, not merely data subjects. Consent, access, correction and deletion rights over their own data should be meaningful and enforceable, not procedural formalities.

Data governance is no longer a technical issue; it is a democratic one.

How Pakistan chooses to govern data will shape not only its digital economy, but also the relationship between the state and its citizens. A system built on secrecy, surveillance and unchecked power may appear efficient in the short term, but it ultimately weakens institutions and public trust.

Pakistan still has the opportunity to choose a different path, one where data empowers citizens, strengthens accountability and supports inclusive development. The question is not whether Pakistan will govern data, but who that governance is truly for.

The writer is an ICT regulatory expert with over 20 years of national and international experience and can be reached at [email protected]

Disclaimer: The viewpoints expressed in this piece are the writer's own and don't necessarily reflect Geo.tv's editorial policy.

Originally published in The News