Image Source:
Image by Macrovector on Freepik < https://www.freepik.com/free-vector/data-protection-concept_3817367.htm#query=data%20privacy&position=25&from_view=keyword&track=ais > accessed 22 September 2023
Introduction
Data protection is the process of protecting data, which includes the interaction between data collection and distribution, technology, public perception and expectation of privacy, and the political and legal underpinnings of that data.[1] It seeks to find a balance between individual privacy rights and the usage of individual data. When data protection is concerned, the expectation of privacy and the right to protection of privacy comes to mind, which is the right of every individual under international law. Hence, it is crucial to respect the individual’s right to privacy in terms of the collection and dissemination of data. In light of the paramount importance of data protection, important legislative measures including, the Personal Data Protection Bill 2023[2], and the E-Safety Bill 2023[3] have been passed by the federal legislature of Pakistan. These proposed legislative bills have faced substantial criticism from both international and national communities, with a view that these bills infringe on the fundamental right to freedom of speech, expression, and right to privacy of individuals. This paper aims to analyze the legality of the bills in light of international law and international best practices.
Legality under International Law
It is noteworthy to mention that the right to freedom of speech and expression as well as the right to privacy are the two fundamental rights of every individual, and it is the responsibility of the States to protect these fundamental rights of its citizens. It is the responsibility of the States to give account to these fundamental rights while drafting important legislation. In this section, the article aims to evaluate the legality of these bills by reviewing the controversial provisions of the bills in light of international law.
Personal Data Protection Bill 2023:
The Ministry of Information Technology and Telecommunication (‘MITT’) issued the Bill on May 19, 2023. However, there was no open and comprehensive consultation for views to be presented to the MITT.[4] In a worrying development, it was claimed that the Bill was approved by the Federal Cabinet in late July 2023 and that it would now be sent to Pakistan’s National Assembly and Senate (collectively the Parliament) without any public consultation or discussion. Section 5 of the bill allows the data controller or data processor to collect and process personal data for specified, explicit, and legitimate purposes.[5] However, the Bill fails to clearly define critical personal data as well as what is a legitimate purpose. The Bill defines critical personal data as “such personal data retained by the public service provider – excluding data open to the public – as well as data identified by sector regulators and classified by the Commission as critical or any data related to international obligations”.[6] Likewise, the Bill defines legitimate interest as “means anything permitted under the law”.[7] These definitions are open-ended and allow the data controllers to process the data in the name of legitimate purposes compromising individuals’ right to privacy.
Moreover, Section 6(6) of the Bill allows for exceptions where an individual’s consent is not necessary when the data controller collects or uses the data of the individual, which infringes the right to privacy of individuals. Section 7(2) requires the data controller to notify the data subject within a “reasonably possible” time limit, as specified in section 7(1).[8] This ambiguity permits the controller to set extended durations by exploiting the ambiguity in the law. Section 15 (a) (viii) lays out an exception ‘for the administration of justice under the orders of a court of competent jurisdiction’ regarding the processing of sensitive and critical personal data of a data subject. All of these provisions show that the Personal Data Protection Bill 2023 infringes the right to privacy of individuals and Pakistan has an obligation under international law to give account to this fundamental right. Pakistan is a signatory of the Universal Declaration of Human Rights (UDHR)[9] as well as the International Covenant on Civil and Political Rights (ICCPR)[10]; thus, Pakistan needs to respect its obligations under these instruments.
- Article 17 of ICCPR: “1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor unlawful attacks on his honour or reputation. 2. Everyone has the right to the protection of the law against such interference or attacks.”[11] For this reason, United Nations Human Rights Committee: General Comment No. 16 on Article 17 ICCPR is of great importance, it describes that the term “unlawful” means that no interference can take place except in cases envisaged by the law. Interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant. It demonstrates that all persons who live in society, the protection of privacy is necessarily relative. However, the competent public authorities should only be able to call for such information relating to an individual’s private life, the knowledge of which is essential in the interests of society as understood under the Covenant. Even with regard to interferences that conform to the Covenant, relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted.
- Article 12 of UDHR states that: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”[12]
It means that the above-mentioned bill does not follow the spirit of important provisions of UDHR and ICCPR with respect to right to privacy, and Pakistan is a signatory of both these instruments Pakistan needs to respect its obligations under these instruments.
E-Safety Bill 2023:
The E-Safety Bill 2023 (the “Bill”) is a tremendously problematic piece of legislation that, if passed in its current form, will impede freedom of expression and speech in Pakistan.[13] It will also harm Pakistan’s fledgling digital economy. Section 2(c) of the Bill, which defines “Aspersion” The definition is vague and includes terms such as “harmful information” and “harmful allegations”, granting the E-Safety Authority (established under the bill) extensive rights to interpret and define any remark or information as harmful.[14] Furthermore, the Bill fails to clarify these confusing phrases, leaving the Authority open to potential abuse. Section 4 defines the Authority’s powers and functions, including the control of advertisements.[15] However, the Bill lacks an effective mechanism for regulating ads, leaving the Authority with significant discretion. Section 30 imposes restrictions on news and current affairs programs, potentially infringing on the right to freedom of speech and information.[16] This shows that this bill hinders the right of freedom of speech and expression of the individuals as guarded by international law.
- Article 19 of UDHR: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”[17]
- Article 19 of ICCPR: “1. Everyone shall have the right to hold opinions without interference. 2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice. 3. The exercise of the rights provided for in paragraph 3 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary: (a) For respect of the right or reputations of others; (b) For the protection of national security or of public order, or of public health or morals.”[18]
Thus, where a lot of power will be given to a regulatory authority, then it would hinder the right to freedom of speech and expression, and the idea of a democratic society will not prevail. Since, Pakistan is signatory of both ICCPR and UDHR, Pakistan needs to fulfill its obligations under them.
International Best State Practices
The European Union
The General Data Protection Regulation 2018 is implemented based on Article 8 of the European Convention on Human Rights – right to respect private and family life[19] and General Data Protection Regulation (GDPR) which is the European Union regulation on Information privacy in the European Union and the European Economic Area. Regarding interactions between Pakistani and all sectors in the European Union, seven data protection principles have been listed in GDPR Article 5.1 – 5.2.[20] To summarize, processing of data must be lawful, fair and transparent to the data subject. This means the process of data must be under the data subject’s specific, unambiguous consent. The process is related to formation of contracts, performance of legal obligations or tasks in the public interest along with other official functions.[21] For example, the collection is for saving somebody’s life. All personal data obtained must be accurate and up to date. The purpose, amount of data and storage must be restricted. Data should not be collected, processed or stored unless there are legitimate purposes or the action is absolutely necessary.[22] Furthermore, processing of data, in particular to encryption activities, must be done to ensure appropriate security, integrity and confidentiality.
Japan
Japan has strong data privacy laws – The Act on Protection of Personal Information (APPI) 2017 comparable with GDPR,[AM1] to the extent that there is an agreement on reciprocal adequacy between Japan and the EU for specifically identified companies within these countries.[23] Japan’s data privacy protection extends to commercial companies operating outside of the country that process Japanese citizens’ personal information. It also protects any personal information of non-residents when processed in Japan.[24] Any business in Japan that holds personal data is required to abide by the APPI, with some minor exclusions. It includes provisions on third-party transfers, record-keeping, anonymity and breaches, and protects the rights of individuals in regard to their personal data. The reformed law has helped to get Japan on the EU’s “white list” of countries with adequate data protection legislation.
Canada
Canada has 28 federal, provincial or territorial statutes governing data protection and privacy in the country. At the national level, the collection, use and disclosure of personal information in the private sector is governed by Bill C-6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) 2000. PIPEDA was most recently amended in November 2018 to include mandatory data breach notification and record-keeping laws. PIPEDA is built on a list of 10 guiding principles surrounding personal information, and the government provides a Privacy Guide for Business to help corporations operating in the country comply.[25]
Thus, it is important to keep in mind international law and international best practices while enacting important legislative measures, in order to strike a balance between data protection, collection and important fundamental rights such as freedom of speech and right to privacy.
Conclusion
The introduction of legislative measures in Pakistan, such as the Personal Data Protection Bill 2023 and the E-Safety Bill 2023, underscores the importance of balancing data protection with fundamental rights, particularly in the context of international law. Under international law, concerns have arisen regarding the compliance of these bills with human rights principles. The Personal Data Protection Bill lacks precise definitions for key terms like “critical personal data” and “legitimate interests,” potentially leading to arbitrary data collection and processing. This raises questions about adherence to international standards that prioritize protection against arbitrary interference with privacy. Similarly, the E-Safety Bill 2023, which empowers the E-Safety Authority with extensive censorship authority, has sparked apprehensions about its impact on freedom of speech and expression, a right protected by various international agreements. The potential for arbitrary website blocking without proper legal procedures and judicial oversight may conflict with international norms. Thus, Pakistan’s efforts to regulate data protection are commendable, but alignment with international law is essential. This alignment would help strike a balance between data protection and fundamental rights, such as privacy and freedom of expression, ensuring compliance with international standards. An inclusive public consultation process can be a pivotal step in refining these bills to meet international norms and uphold individual rights.
[1] Brown University, Personal Data Protection Initiative < https://www.brown.edu/data-protection/about > accessed 25 August 2023.
[2] Personal Data Protection Bill, 2023 < https://moitt.gov.pk/SiteImage/Misc/files/Final%20Draft%20Personal%20Data%20Protection%20Bill%20May%202023.pdf > accessed 26 August 2023.
[3] Discussion Draft, E-Safety Bill, 2023 < https://bytesforall.pk/sites/default/files/Draft-E-Safety-Bill_Cabinet-Letter.pdf > accessed 26 August 2023.
[4] Privacy International (2023), Privacy International raises concerns regarding Pakistan’s Personal Data Protection Bill < https://privacyinternational.org/news-analysis/5090/privacy-international-raises-concerns-regarding-pakistans-personal-data > accessed 26 August 2023.
[5] Section 5, Personal Data Protection Bill, 2023.
[6] Section 2(g), Personal Data Protection Bill, 2023.
[7] Section 2(u), Personal Data Protection Bill, 2023.
[8] Section 7(2), Personal Data Protection Bill, 2023.
[9] UN General Assembly, Universal Declaration of Human Rights, 10 December 1948, 217 A (III).
[10] UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, United Nations, Treaty Series, vol. 999, p. 171.
[11] Article 17, ICCPR.
[12] Article 12, UDHR.
[13] Bytes for All, E-Safety Bill, 2023, Another draconian law of censorship and threat to citizens privacy Submission to The Ministry of Information Technology and Telecommunication < https://bytesforall.pk/sites/default/files/E-safety-bill-2023.pdf > accessed 28 August 2023.
[14] Section 2(c), E-Safety Bill, 2023.
[15] Section 4, E-Safety Bill, 2023.
[16] Section 30, E-Safety Bill, 2023.
[17] Article 19, UDHR.
[18] Article 19, ICCPR.
[19] Article 8, Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950, ETS 5.
[20] European Council & Council of the European Union, ‘The General Data Protection Regulation’ < https://www.consilium.europa.eu/en/policies/data-protection/data-protection-regulation/ > assessed 27 August 2023.
[21] European Union, ‘What is GDPR, the EU’s new data protection?’ < https://gdpr.eu/what-is-gdpr/ > assessed 27 August 2023.
[22] General Data Protection Regulation, 2018.
[23] Natsuko Sugihara, ‘Japan makes amendments to their Act on the Protection of Personal Information’ < https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2020/06/amendments-to-the-protection-of-personal-information-act-of-japa.html > assessed 26 August 2023.
[24] Act on Protection of Personal Information, 2017.
[25] Personal Information Protection and Electronic Documents Act (PIPEDA) 2000, Article 2(1).
Authors
Ameera Khurshid, Research Assistant, RCIL & HR.
Henson Kwok, Research Assistant, RCIL & HR.