Data protection and privacy
What is data?
WITH the fast paced advancements in technology and the increasing pervasiveness of information and community technologies (ICTs) in everyday life, our personal information is accessible to multiple parties including corporations, governments, hackers, stalkers and other third parties.
We have now entered what Klaus Schwab calls the fourth industrial revolution, which, he argues, is “characterised by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres”. This is causing a seismic shift in the way we live. Whereas there are multiple advantages to this that are being embraced and celebrated, like anything else, it comes with associated risks, and there is a need for law and policy to respond to these needs adequately in order to protect our personal data that is now becoming more accessible than ever before.
The role of data today — when is it used?
We give up a certain level of privacy each day to email and social media companies when we use the internet to connect and communicate with people or each time we search for something on the internet; when we use ride-hailing applications to commute as our location and movement is constantly tracked; to the government when our personal information is stored in national databases; and to banks that have access to our financial habits, and increasingly so with reliance on card and digital payments. In short, with more efficient communication, access to information, movement, governance, and financial activity, our privacy is compromised when our personal data is stored by companies and governments, as well as by individuals that may attempt unauthorised access to this information.
What are the risks?
This is why data is now known as the most valuable resource — replacing oil and gold. Data breaches are not uncommon in Pakistan. The National Database and Registration Authority was named by WikiLeaks in June 2017 in a case where data of Pakistani citizens was shared with the US National Security Agency and the British Government Communications Headquarters, though Nadra has denied this claim. The Nadra website was also reportedly hacked in 2012, 2013, and 2015 by hackers based abroad.
Hacking of ATM machines in large Pakistani cities has also been reported this month, with customers losing thousands of rupees, and this breach has also caused losses to the banks. Further, telecom companies in Pakistan have been known to sell user data of subscribers to third parties, something that is even stated in the privacy policies of some companies. This is why most of us receive text messages advertising a wide variety of products, often time even unrelated to our consumption patterns.
Small businesses and especially technology-related start-ups are in need of data protection laws because they are susceptible to hacking and data breaches, and require legal relief in case hackers violate or steal their ideas and data.
In the existing legal framework of Pakistan, the right to privacy falls under Article 14 (1) of the Constitution, which states that the “dignity of man, and subject to law, the privacy of home, shall be inviolable”. However, the application of this right in the digital realm is yet to be seen. Only one section of the Electronic Transaction Ordinance, 2002, Article 43 (2) (e) recommends that the federal government may make regulations to provide for “privacy and protection of data of subscribers” but these are yet to be made. The Prevention of Electronic Crimes Act, 2016, provides for telecom and internet service providers to retain data for at least 90 days, but does not include any provisions that protect citizen’s data or privacy. A privacy commission still does not exist in Pakistan, though the IT ministry is on record saying that a draft data protection law is under way. It remains to be seen if key stakeholders including citizen groups are consulted in the drafting of this important law.
We can look to the example of the United Kingdom and India when it comes to data protection and privacy laws. The British government recently introduced a new draft data protection bill which will replace the 1998 law, and some key features include extended the “right to be forgotten” on the internet to “the right to innocence” whereby citizens can request social media sites to remove any content they posted before the age of 18. Further, the bill proposes tougher penalties on companies for data breaches, as well as a requirement by businesses to inform the UK information commissioner’s office about any breach within 72 hours. In India, the Supreme Court earlier this year ruled to recognise the right to privacy as a fundamental right linked to liberty and dignity of citizens, in a case where the constitutional validity of India’s biometric identity scheme Aadhaar was challenged.
What does a good data protection law look like?
In light of these transformative changes in the way we live and interact with one another, it is important for us to realise three important things. First, that the realm of what is private and should be protected has drastically expanded with technological advancements, and hence individual as well as legal efforts also need to expand to cover emerging aspects. Second, that the right to privacy is not a right in isolation but in fact intrinsically linked to other rights such as the freedom of speech and right to life, and this needs to be considered when any new laws and policies are promulgated. Third, the discourse on privacy itself has to be developed progressively so that corporate and state entities are mindful of privacy concerns when dealing with data, and citizens are equipped to claim justice in case of a breach.
It is high time privacy of our data was taken seriously so as to protect our digital as well as physical footprint, seeing how closely intertwined the two are becoming, not only for individuals but for small businesses and large corporations as well.