The Data Protection Bill in Pakistan defines legitimate interests as anything permitted under law. Under what law? Any law? Who knows.
Why do countries have national data protection laws? The general idea is to safeguard individuals’ data and privacy, balance key interests of the state, and not hinder business growth in an increasingly digital and globalised economy.
The global proliferation of data protection legislation can be largely attributed to the introduction of the General Data Protection Regulation (GDPR) by the European Union, a classic case of the ‘Brussels Effect’ — the idea that entities outside the EU have to end up complying with EU laws and standards for many reasons such as its influence on global markets.
Two recent additions to this trend are India’s Digital Personal Data Protection Act (DPDPA), enacted in August this year, and Pakistan’s proposed Personal Data Protection Bill (PDPB), approved by the federal cabinet in July.
Both India’s DPDPA and Pakistan’s PDPB draw inspiration from the GDPR — in letter and spirit. It does not take a policy genius to realise that blindly copying any legal text, let alone an industry-defining legislation without considering local context is a bad idea. So is arbitrarily curbing internationally recognised norms and rights in the name of contextualisation. While each country is entitled to regulate data protection according to its needs, any particular selection of rights and obligations has consequences within its borders and beyond.
India’s DPDPA has been praised for its enterprise and startup-friendly provisions, however, many concerns have arisen regarding broad exemptions, limited grounds for processing data, and the government’s arbitrary power to make changes to the law. The law’s passage brings valuable lessons for Pakistani policymakers as they craft their own data protection law.
The most recently available draft of the PDPB has received major criticism from local and international policy observers, digital rights activists, and industry leaders for failing to address individual rights and business interests.
Read more: The new data protection law is a farce aimed at violating citizens’ privacy
Issues relating to over-reliance on consent, undue state surveillance of citizens’ privacy, and stringent compliance requirements for organisations have been identified as some problematic aspects of the proposed law. The bill’s approval came without any meaningful consultation with relevant stakeholders, which can be judged by the fact that it is largely unclear which version of the draft bill has been pushed through.
Did I even consent to that?
The law is heavily reliant on the use of ‘free, specific, informed and unambiguous’ consent for lawfully processing data under Section 6 of the bill. While this may seem logical on the surface, it comes with its own issues. Consent is an appropriate basis for processing only if a person is offered control and a genuine choice on how their data is used. In reality, this is not always the case.
Companies regularly employ dark patterns that manipulate users into providing consent for a range of data processing activities. These requirements are often excessive and go far beyond what is necessary for using any particular service or digital application. Think of a mobile app whose primary feature is playing music but does not work unless you grant it access to your phone’s camera and microphone as well. Since these permissions are usually bundled together, users are not even aware of what they are saying yes to. Such consent is hardly informed.
Another example is pre-ticked or opt-out boxes, which nobody bothers unchecking while browsing websites or downloading apps on their devices. True consent differs from opting out. A lack of objection to the default state is not equivalent to a deliberate and unambiguous choice.
A connected issue is the age of children who can consent without seeking permission from parents or guardians. Under the PDPB, no one below 18 years of age can consent on their own accord. While it is important to ensure the safety of minors online, it is counterproductive and overly paternalistic to outright block teenagers’ participation in this digital age and economy. Imagine the compliance costs involved in devising a robust consent-seeking mechanism, monitoring and enforcing it every time a 16-year-old wants to create an Instagram account.
The EU places significant importance on safeguarding the privacy of children, as seen by the substantial lawsuits worth hundreds of millions of Euros filed against social media companies. However, even they believe that excessive surveillance of children above the age of 13 is not warranted. While the GDPR mandates the age of 16 for consent, it offers member states the flexibility to lower it to 13. Even the DPDPA which also has 18 as the age of consent, allows the government to specify a lower age of consent for organisations it deems safe for processing children’s data.
How did you get access to my data?
A notable exception to processing by consent under the Pakistani legislation is the category of legitimate interests. The bill defines legitimate interests as anything permitted under law. Under what law? Any law? Who knows.
This overly expansive criterion gives organisations enough flexibility to routinely circumvent the consent requirement for using people’s data for a broad range of activities that may not always align with the interests of the subjects. Allowing such a significant degree of discretion to organisations is unlikely to instil trust among individuals in their privacy and data being protected.
The legitimate interests criteria are a feature of GDPR as well. Unlike the PDPB, it does not define legitimate interests. However, it restricts processing where individual fundamental rights and freedoms override any legitimate interests. No such caveat exists in the PDPB.
Surprisingly, the Indian data protection law does not include legitimate interests as a lawful means of processing data. Rather, it introduces a category of certain legitimate uses that is fairly well specified. In fact, the specification is the only good thing about it. It adds a long list of intrusive data accesses on grounds such as the performance of state functions under any law and in the interests of sovereignty, national security, and integrity. The kind of exceptionalism that would make ‘Big Brother’ proud.
If the DPDPA casts a shadow of Big Brother, its Pakistani counterpart displays him in 4K. It’s one thing for organisations to handle personal data in pursuit of legitimate interests, but it reaches a different level when the state gains direct access to sensitive information. The bill, under Section 32, mandates organisations to share sensitive personal data with the government on vague grounds such as “public order” or “national security”. This blatant infringement of the right to privacy under Article 14 of the Constitution will shake the confidence of citizens, businesses, and foreign investors alike.
Even though the DPDPA allows the processing of personal data on abstract grounds such as national security, it does not have any provisions for sharing sensitive data with the government. In general, it is not uncommon to find national security exceptions in all types of laws including data protection.
The European data protection law as a whole does not apply to national security issues because the subject matter is outside the scope of EU law and is left to member states. That being said, it doesn’t facilitate government access to sensitive personal data on any other type of vague grounds. Even for matters relating to criminal convictions, it permits processing data, provided that appropriate safeguards are in place for the rights and freedoms of the subjects.
Regardless, the state has no business ordering organisations to hand over sensitive personal data of their users. The ‘sensitive’ in the term loses all value if the data can easily be shared with government authorities without any substantial grounds. Activists and observers are rightly worried that such draconian measures will delegitimise the value of having data protection legislation for citizens and outsiders.
Where did my data go?
All data is personal, but some is more personal than others. Typically, in data protection laws globally, you will encounter the two terms ‘personal data’ and ‘sensitive personal data’. Personal data, which constitutes the majority of all data, is subject to the standard application of the text and most of its provisions. In contrast, sensitive personal data which includes details such as religion, ethnicity etc, is generally prohibited from processing, save for a few clearly articulated exceptions. This framework is commonly found across data protection laws, including the PDPB, DPDPA, and the GDPR.
In an inexplicable move, the drafters of the bill in Pakistan have gone a step further by introducing a novel term to the mix: ‘critical personal data’. The rationale for this creativity is not provided, likely because there isn’t any or that the actual motives might not sit well with the public.
The bill defines critical personal data as “personal data retained by public service providers (excluding data available to the public), data identified by sector regulators, and classified as critical by the Commission, or any data related to international obligations.” If you think that’s just the way legal-speak works, you are mistaken. Most lawyers would not be able to make sense of this definition either. Not only is it exceedingly vague, but it is also open-ended, as the proposed commission can potentially classify anything under the sun as critical personal data.
One may ask, well, so what? Whether there are two or three different categories of data, what’s the big deal? None of this would be particularly interesting if this new invention of critical personal data wasn’t subject to data localisation under the bill — meaning the data has to be processed and stored locally and cannot be transferred outside of Pakistan. Many commentators fear this is a really bad idea.
Data localisation raises concerns among businesses offering services and products beyond Pakistan’s borders. It would diminish the competitiveness of local businesses, as they will be unable to utilise more cost-effective and reliable international cloud service providers. Freelancers and startups will encounter difficulties providing a range of digital services to offer optimal client experiences. Foreign investors and companies will be hesitant to store data within the country and/or do business here.
It may potentially lead to other countries declaring Pakistan’s data protection regime as inadequate for cross-border data transfers and other engagements. It also raises apprehensions among citizens whose data would inadvertently be subject to unlawful surveillance and government access. Overall, restricting cross-border data flows and data localisation could have severe repercussions on the country’s export potential and economic development and safeguarding the right to privacy. In short, the outcome is likely to be disastrous for key stakeholders.
Despite its many flaws, the Indian law, in contrast, generally does not impose any general restrictions on cross-border data flows — with the exception of cases where the government restricts transfers to certain blacklisted countries or enacts other types of restrictions. Earlier, draft versions of the text did contain data localisation obligations that were done away with in the published Act. The DPDPA, however, does not affect cross-border data transfer restrictions within existing sector laws in areas such as banking and telecommunication.
This is a more flexible approach compared to mandating data localisation obligations for all international transfers, which is likely to dissuade foreign companies from entering the local market and prevent local businesses from engaging with international entities on favourable and equal terms.
The EU has had its fair share of struggles with devising effective cross-border data transfer mechanisms, with the EU-US data transfer agreements in particular being amended 3 times and counting. However, this only alludes to the fact that despite issues with cross-border transfers, major economic players in the world believe that data localisation is not the answer. The GDPR emphasises that international cooperation on the protection of data is the way forward despite regulatory discrepancies between the two systems.
The discussion above tries to address just a fraction of the gaps within the existing PDPB draft bill, especially those relating to cumbersome compliance requirements such as unrealistic timelines and bureaucratic hurdles.
Pakistani policymakers should recognise that a robust national data protection law hinges on respecting individuals’ privacy and autonomy, scrutiny of terminology, thorough assessment of conflicting interests, and a forward-thinking perspective on fostering innovation and economic advancement. This cannot be achieved without engaging in substantive participatory dialogue and discussions with all significant stakeholders.
