• April 7, 2023
• Social Media
• Web Desk

The Asia Internet Coalition (AIC), a group of global digital media giants, has raised several concerns regarding the “Pakistan Draft Data Protection Bill 2023.” According to the AIC, the current bill does not address the industry’s substantive concerns, including stringent limitations on cross-border data flows and mandatory data localization.
Jeff Paine, Managing Director of AIC, expressed his concerns in a letter addressed to Amin Ul Haque, Federal Minister for Information Technology and Telecommunication, Ministry of Information Technology and Telecommunication (MoITT). The letter was also forwarded to Prime Minister Shehbaz Sharif.
Paine stated that Bill’s current form will negatively impact the ability of foreign internet companies to trade with and operate in Pakistan, hindering the country’s economic recovery and deterring foreign investment. He added that local Pakistani companies may lose access to cost-efficient global cloud services, making them less competitive, as they would incur substantial costs to operate and maintain servers
Paine further explained that the AIC and its members had submitted recommendations on the Personal Data Protection Bill 2023, which Senator Afnan Ullah Khan moved as a Private Member Bill before Pakistan’s Senate on 13 February 2023.
The letter identified 16 core issues in the Bill, out of which five issues have a material impact on the industry and business operations in Pakistan. These issues include the requirement to store personal data in Pakistan, the regulator’s power to expand on the list of what constitutes “sensitive personal data,” prohibitions on certain types of processing for personal data of children, the absence of “legitimate interest” as a legal basis for processing personal data, and the regulator’s residual power to formulate specific regulations for “big/large data fiduciary/processors, along with other categories.
The AIC stated that the Draft Bill still does not address a majority of the industry’s substantive concerns, such as stringent limitations on cross-border data flow and mandatory data localization, overbroad and vague definitions of key terms such as sensitive personal data and critical personal data, and globally divergent data subject rights, as well as far-reaching powers of the Commission. These provisions fall short of international standards for data protection, such as GDPR, and will adversely impact Pakistani consumers and businesses
The letter further noted that the protection of personal data is an important component of any privacy framework, and AIC appreciates the opportunity to provide feedback on the Draft Bill.
The AIC and its members have worked closely with governments around the world in relation to the development of national personal data protection policies and legislation. They recognize the ongoing efforts of the Government of Pakistan and MOITT in further fine-tuning the draft legislation, but they continue to have concerns, particularly on the cross-border transfer of “critical” and “sensitive” personal data.
The AIC has requested an industry meeting to better understand the views and priorities stemming from the Bill. This introductory meeting can also discuss potential areas of collaboration, as well as opportunities for consultation that can further assist the government’s review of the Personal Data Protection Bill 2023. Paine also welcomed a video conference meeting with the minister and his team.
The Coalition noted that the Private Member’s Bill does not address earlier industry concerns such as stringent limitations on cross-border data flow and mandatory data localization. The Bill appears to impose a broad data localization mandate on all personal data.
Section 30(1) of the Private Member’s Bill reads, “Every data fiduciary shall ensure personal data is stored on a server or data center based in Pakistan.” While both the previous and the latest MOITT Draft Bill provide certain additional legal bases for the cross-border transfer of personal data, the Private Member’s Bill only enables cross-border transfer if it is determined that the jurisdiction to which data is being exported offers equivalent protection.
The Coalition has recommended removing the requirement to store personal data on a server or data center in Pakistan under Section 30(1) of the Bill and removing the prohibition on the transfer of critical personal data and “some components of sensitive personal data” outside of Pakistan under Section 31 of the Bill.

Source: Pro Pakistan