Unravelling Pakistan’s Data Protection Framework

In Pakistan, the alarming surge of data breaches across both public and private sectors is a matter of serious concern. A shocking revelation was made recently by a Joint Investigation Team (JIT), which confirmed in its findings that the sensitive personal information of 2.7 million Pakistani citizens was stolen from the National Database and Registration Authority (NADRA) over a period of four years from 2019 to 2023. The report also mentioned that the data was transferred to Dubai, and eventually sold in Argentina and Romania. It is extremely unfortunate that this startling disclosure not only undermines the confidence citizens place in governmental institutions but also exposes them to a myriad of dangers and susceptibilities. The incident, not the first of its kind, exposed the vulnerability of our sensitive data and the imperative need to guard against such breaches. Although the recommendations put forward by the JIT, including technological advancements, mark essential strides in mitigating the immediate repercussions of this breach, they are merely the tip of the iceberg. The main concern is not just about technological shortcomings; it is also about the absence of comprehensive data protection legislation ensuring accountability of those tasked with the responsibility of protecting individuals’ sensitive data. In the landmark case of M. D. Tahir v. the Director, State Bank of Pakistan, Lahore, and 3 others [2004 CLD 1680], the Lahore High Court delivered a profound verdict stating that “It can hardly be denied, that the taking of private information without any allegation of wrongdoing of ordinary people is an extraordinary invasion of this fundamental right of privacy.”

In the swiftly evolving landscape of technology, it is necessary to establish legal frameworks that delineate and protect the digital rights of individuals. Pakistan, at present, finds itself in a precarious position, lacking comprehensive laws regarding data protection. This glaring gap makes personal data extremely vulnerable, highlighting the urgent need to introduce regulatory measures to guard against such vulnerabilities.

Although the Prevention of Electronic Crimes Act of 2016 addresses some electronic crimes, including unauthorized access to personal data, it fails to provide a robust legal framework required for protecting the sensitive information of citizens. In addition to the above, the Ministry of Information Technology and Telecommunication (MOITT) recently introduced the Personal Data Protection Bill 2023, which is yet to be promulgated into law. However, it is pertinent to mention that the Ministry’s noble aims were undercut by a lackluster effort to foster a comprehensive and open dialogue regarding the aforementioned legislation. As a result, this shortfall robbed relevant stakeholders of the opportunity to contribute their valuable insights and participate in meaningful discourse aimed at digital transformation and data protection.

Moreover, the Bill in its current form, as unveiled to the public on May 19, 2023, remains riddled with several notable gaps. For instance, it presents a multitude of exceptions rooted in ambiguous criteria like “national security” and terms with very broad interpretations such as “public interest” and “legitimate interest.” Given the lack of jurisprudence in the country defining these terms and the Commission’s perceived lack of autonomy from the federal government, a worrying prospect emerges: the potential exploitation of legal ambiguities and loopholes. To effectively advance its data protection strategy, Pakistan must prioritize transparency from the outset. Holding public discussions and debates about proposed data protection legislation is vital, an essential step to assuage concerns and instill confidence in governmental initiatives. Moreover, encouraging community participation in data collection processes is essential to empower people to take responsibility for their own data and to gain real control over what information is collected, for what purpose, and how it is shared.

In today’s digital age, the misuse of personal data to influence people without their knowledge is not only alarming, it is downright dangerous. When individuals are manipulated without even realizing it, their ability to meaningfully participate in democracy is compromised, a troubling factor that should concern us all. This issue goes to the very heart of what it means to have a free and informed society.

Additionally, as a point of reference, I think it is worth taking note of the significant examples presented by both the European Union’s General Data Protection Regulation (GDPR) 2018 and the California Consumer Privacy Act (CCPA) 2018, which stand as formidable guardians of individual data rights. These legislative powerhouses not only determine the level of protection afforded to data subjects but also establish barriers against harmful data breaches. By introducing strict safeguards and imposing penalties for malicious data mishandling, these laws offer comfort to users navigating the maze of modern technologies. Moreover, this discussion would remain incomplete without referring to how Malaysia has been a pioneer among low and middle-income countries in introducing a comprehensive data protection framework. It is an example of a nation with dedicated data protection legislation, the Malaysian Personal Data Protection Act (2010), which was introduced to restore consumer confidence in data usage in the face of excessive credit card fraud. The law aims to protect personal data by requiring data users to comply with certain obligations and by conferring certain rights on the data subject in relation to their personal data.

In light of the above analysis, this recent data breach in Pakistan should jolt relevant policymakers of the country into action, prompting a thorough re-evaluation and rigorous enforcement of relevant legislation. A digitalized world leaves no room for such massive security gaps. And though bills have been drafted previously, there has been a lack of real commitment to propel them forward. When we evaluate the state of identity theft globally, it becomes imperative that data protection laws are implemented forthwith, covering both public and private entities, as public bodies often hold the largest troves of personal data.

The government of Pakistan must focus on protecting the privacy of its citizens and ensuring the security of their data. Evading this responsibility would not only undermine individual freedoms but would also hinder the nation’s advancement in both economic and security realms.

Fizza Ali
Fizza Ali is an Advocate of the High Courts of Pakistan. She is also a Columnist and Member of International Bar Association, having graduated with an LLB (Hons) degree from the University of London and a Master of Laws (LL.M) degree with distinction in Corporate Governance from Queen Mary University of London. Twitter @fizzaalik