The Federal Cabinet is likely to approve the “Personal Data Protection Bill,” proposing up to Rs. 25 million fine for those who process or cause to be processed, disseminates, or discloses personal data in violation of any of the provisions of the proposed legislation, it is learned.The Ministry of Information Technology and Telecommunication has finalized the “Personal Data Protection Bill,” after vetting it from the Law Ministry, sources told ProPakistani.
The cabinet meeting is scheduled for Tuesday with Prime Minister Imran Khan in the chair which would consider the Personal data protection bill moved by the Ministry of Information Technology and Telecommunication. The proposed legislation will govern the collection, processing, use, and disclosure of personal data and establish and make provisions about offenses relating to violation of the right to data privacy of individuals by collecting, obtaining, or processing personal data by any means. “Whereas it is expedient to provide for the processing, obtaining, holding, usage, and disclosure of data, while respecting the rights, freedoms, and dignity of natural persons with special regard to their right to privacy, secrecy, and personal identity and for matters connected therewith and ancillary thereto,” the draft bill reads.
The draft bill further stated that in today’s digital age, personal data has become an extremely valuable commodity and for many businesses, the sole source of their income is the personal data of users they generate. Personal data is often being collected, processed, and even sold without the knowledge of a person. In some cases, such personal information is used for relatively less troublesome commercial purposes, e.g., targeted advertising, etc. However, the data so captured or generated can be misused in many ways e.g., blackmail, behavior modification, phishing scams, etc.
To realize the goal of full-scale adoption of e-government and delivery of services to the people on their doorsteps, and increase users’ confidence in the confidentiality and integrity of government databases, it is essential that the users’ data is fully protected from any unauthorized access or usage and remedies are provided to them against any misuse of their data.
Additionally, the accelerated increase in the use of broadband with the advent of the Next Generation Mobile Service and Networks in Pakistan led to an increasingly enhanced reliance on technology calling for the protection of people’s data against any misuse; thus, maintaining their confidence in the use of new technologies without any fear.
Whereas sectoral arrangements/frameworks exist in Pakistan that provides for data protection and Prevention of Electronic Crimes Act 2016 (Act No. XL of 2016) deals with the crimes relating to unauthorized access to data, there is a need for putting in place a comprehensive legal framework in line with our Constitution and international best practices for personal data protection.
Protecting personal data is also necessary to provide legal certainty to the businesses and public functionaries concerning the processing of personal data in their activities. The desired legal framework would spell out the responsibilities of the data controllers and processors, as well as, rights and privileges of the data subjects along with institutional provisions for regulation of activities relating to the collections, storing, processing, and usage of personal data.
The collection, processing, and disclosure of personal data shall only be done as necessary in compliance with the provisions of the proposed Act. The data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; be adequate, relevant, and limited to what is necessary for relation to the purposes for which the data is processed.
A data controller shall not process personal data including sensitive personal data of a data subject unless the data subject has given his consent to the processing of the personal data. A separate consent shall be obtained from the data subject for each purpose. Notwithstanding subsection (1), a data controller may process personal data about a data subject if the processing is necessary for either of the following:
- For the performance of a contract to which the data subject is a party
- For compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract
- In order to protect the vital interests of the data subject
- For the administration of justice pursuant to an order of the court of competent jurisdiction
- For legitimate interests pursued by the data controller
- For the exercise of any functions conferred on any person by or under any law.
Personal data shall not be processed unless:
(a) The personal data is processed for a lawful purpose directly related to an activity of the data controller
(b) The processing of the personal data is necessary for or directly related to that purpose
(c) The personal data is adequate but not excessive in relation to that purpose.
Subject to Section 24, no personal data shall, without the consent of the data subject, be disclosed:
(a) For any purpose other than
i. The purpose for which the personal data was to be disclosed at the time of collection of the personal data
ii. A purpose directly related to the purpose referred to in subparagraph (i)
(b) To any party other than a third party of the class of third parties as specified in clause (e) of sub-section (1) of section 6.
The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose or as required under the law. It shall be the duty of a data controller to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed or as required under sub-section (1).
In the event of a personal data breach, the data controller shall without undue delay and where reasonably possible, not beyond 72 hours of becoming aware of the personal data breach, notify the Commission and the data subject in respect of the personal data breach except where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.
In the event of delay in notifying a personal data breach beyond 72 hours, the personal data breach notification to the Commission and the data subject shall be accompanied by valid reasons for the delay.
If personal data is required to be transferred to any system located beyond the territories of Pakistan or a system that is not under the direct control of the government of Pakistan or entity/entities of Pakistan, it shall be ensured that the country where the data is being transferred offers personal data protection legal regime at least equivalent to the protections provided under this Act and the data so transferred shall be processed in accordance with this Act and, where applicable, the consent is given by the data subject.
Critical personal data shall only be processed in a server or data center located in Pakistan.
Personal data other than those categorized as critical personal data may be transferred outside the territory of Pakistan under a framework (on conditions) to be devised by the Commission.
The Commission shall also devise a mechanism for keeping some components of the sensitive personal data in Pakistan, to which this act applies, provided that related to public order or national security, reads the draft bill.Federal Minister for Information Technology and Telecommunication, Aminul Haq, has stated that the objective of the new legislation is to protect individuals and businesses communities and provide them with a conducive environment. The minister further stated that all stakeholders were taken on board before finalizing the bill.