Pakistan’s federal cabinet has approved two significant pieces of legislation that are expected to have far-reaching consequences for digital rights, Pakistan’s e-commerce sector, and the overall digital economy, the Asia Internet Coalition (AIC) warned in a statement on July 26, the day the bills were approved.
“The Asia Internet Coalition is alarmed that the Personal Data Protection Bill is expected to be introduced in Parliament despite concerns raised repeatedly by Industry about the Bill’s many problematic provisions,” AIC said.
Established in 2010 by eBay, Google, Nokia, Skype, and Yahoo!, AIC is a global tech coalition committed to a safe and open internet by promoting the understanding and resolution of Internet policy issues in the Asia Pacific region.
Earlier, the industry association of leading technology companies in the world had addressed a letter to the country’s Information Technology Minister, Syed Amin ul Haque, in June, expressing concerns about the mandated bill. The letter stated that the bill required critical personal data to be exclusively processed within Pakistan. Additionally, it raised several other issues while urging the government to establish a maximum fine for breaches of the bill.
“In its current form, the Bill falls short of international standards for data protection and creates unnecessary complexities that will increase the cost of doing business and dampen foreign investment,” the statement said.
AIC believes the bill’s requirement to store unspecified “critical” data locally and its significant restrictions on cross-border transfer of other personal data would limit Pakistan’s access to numerous global digital services.
“This Bill creates additional barriers to digital trade at a critical time when Pakistan’s economic growth demands paramount attention,” the statement continued. “For such an important piece of legislation that will profoundly impact Pakistani consumers, businesses, and, ultimately, the country’s economic growth, the Government should undertake transparent stakeholder consultations to develop balanced regulation that supports the country’s digital growth and fulfills the nation’s vision of a Digital Pakistan.”
E-Safety Bill 2023 and the Personal Data Protection Bill 2023
The cabinet granted in-principle approval to the E-Safety Bill 2023 and the Personal Data Protection Bill 2023, with the latter being accompanied by the establishment of a dedicated commission for its enforcement.
The E-Safety bill aims to combat online crimes such as harassment, cyberbullying, and blackmail. To this end, a new regulatory body, ‘The E-Safety Authority,’ will be established. This authority will be responsible for the registration and monitoring of websites, web channels, YouTube channels, and existing media houses’ websites.
A senior official from the IT ministry emphasized that the establishment of the E-Safety Authority is crucial to safeguarding the rights of citizens, businesses, and public and private institutions from online harassment and blackmail.
“This was essential, as cybercrime cases occur at a much faster pace than FIA can investigate them, while the role of PTA is limited to regulatory functions and violations related to internet and telecom service providers,” the official said.
The Personal Data Protection Bill defines “personal data” as any information directly or indirectly related to an identifiable individual, including sensitive or critical personal data. However, the bill excludes anonymized or pseudonymized data from its purview.
Under this legislation, all entities operating digitally or non-digitally in Pakistan that collect or maintain data will need to register locally and appoint a data protection officer. The National Commission for Personal Data Protection (NCPDP), set to be established within six months of the bill’s passage, will be responsible for the registration process.
The primary objective of this bill is to safeguard user data and prevent illegal usage of information systems. It seeks to protect and prohibit unauthorized access to consumers’ data across all online services, including e-commerce platforms and social networking websites in Pakistan.
Concerns raised by Venture Capital Association of Pakistan
Venture Capital Association of Pakistan (VCAP), which represents Pakistan-focused venture capital funds investing in the country’s digital economy, has also expressed concerns about the potential impact of the Personal Data Protection Bill on Pakistan’s digital ecosystem.
“Strict restrictions on cross-border data transfers would negatively impact startups as they have a critical dependency on cloud and cloud-based services offered by the likes of Amazon, Google, and Microsoft. It will also prevent tech companies in Pakistan from fully realizing the potential of the latest advances in areas such as Artificial Intelligence. This could impede the growth of local businesses and hinder consumer access to valuable online resources,” the VCAP statement read.
The association called for striking a balance between national security and privacy protection. In the statement, Zayn Venture Capital, Sarmayacar, i2i Ventures, and Indus Valley Capital urged comprehensive consultation with stakeholders to ensure legislation promotes innovation, economic growth, and protection of personal data.
AIC Recommendations for Pakistan
In a letter to Pakistan’s IT Ministry, AIC made the following recommendations aimed at data protection and an economic boost:
Data Localization and Cross-Border Data Flows:
- Remove the Data Localization (DL) requirement or limit critical personal data to government-held data.
- Embrace cross-border data flows to benefit Pakistan’s economy and promote productivity, innovation, and efficiency.
- Avoid data localization to prevent stifling the economy and discouraging foreign investment.
- Cross-border data flows will increase access to global products and services and ensure competitiveness in the global economy.
Mandatory Government Access to Sensitive Personal Data:
- Remove the requirement for data controllers to share data with the Government upon the Commission’s request.
- Protect individuals’ right to privacy and ensure the adequacy of the PDP Bill according to global privacy law norms.
- Consider signing a Mutual Legal Assistance Treaty (MLAT) with the United States for diplomatic data requests from U.S.-based companies.
Fines:
- Specify a maximum fine for breaches of the PDP Bill and prevent the Commission from imposing fines above this limit.
- Ensure clarity and transparency for the industry by clearly articulating maximum penalties in the Bill.
- Avoid giving the Commission discretion to impose fines without legislative guardrails.