The Ministry of Information Technology and Telecommunication has finalized the Personal Data Protection Bill 2020 aimed at realizing the goal of the full-scale adoption of e-government, increase users’ confidence, and protect users’ data from unauthorized access or usage.
This development was confirmed by the Secretary Ministry of Information Technology and Telecommunications, Shoaib Ahmad Siddiqui.
He said that the draft bill is almost finalized and will be presented for the approval of the Cabinet very soon, adding that the legislation will facilitate users through the protection of their data.
The government has also proposed the constitution of a “Data Protection Authority” to curb the misuse of data and to protect citizens’ personal information. According to the Secretary, however, this constitution has not been finalized yet.
The Ministry had drafted the ‘Personal Data Protection Bill 2020’ and sought feedback from all its stakeholders while proposing a fine of up to Rs. 25 million for those who process or cause to be processed, disseminate, or discloses personal and sensitive data in violation of any of the provisions of the proposed legislation. The proposed legislation had been drafted in 2018 but was delayed multiple times.
The proposed legislation will govern the collection, processing, use, and disclosure of personal data; and will establish and make provisions for offenses related to the violation of individuals’ right to the privacy of data by collecting, obtaining, or processing personal data by any means.
Furthermore, a data controller will not process personal data including the sensitive personal data of a data subject unless the subject has consented to the processing of the personal data.
If personal data is required to be transferred to any system beyond the territories of Pakistan or to a system that is not under the direct control of any of the governments of Pakistan, it will be ensured that the country where the data is being transferred offers personal data protection that is at least equivalent to the protections provided under this Act. Additionally, critical personal data will only be processed in a server or data center within Pakistan.
Personal data is often being collected, processed, and even sold without the knowledge of the person in question. In some cases, such personal information is used for relatively less troublesome commercial purposes like targeted advertising. However, the data thus captured or generated can be misused in many ways like blackmail, behavior modification, phishing scams, etc.
Within six months of the enforcement of this Act, the federal government will, by notification in the Official Gazette, establish the Personal Data Protection Authority of Pakistan to perform its functions.
This Authority will be a statutory corporate body having perpetual succession and a common seal; and may sue and be sued in its own name and; subject to and for the purposes of this Act, may enter into contracts and may acquire, purchase, take and hold moveable and immovable property of every description; and may convey, assign, surrender, charge, mortgage, reassign, transfer, or otherwise dispose of or deal with any moveable or immovable property or any interest vested in it; and will enjoy operational and administrative autonomy except as specifically provided for under this Act.
It will be responsible to protect the interest of the data subject and enforce the protection of personal data, prevent any misuse of personal data, promote awareness of data protection, and will entertain complaints under the Act.
Moreover, the Authority will be an autonomous body under the administrative control of the federal government, with its headquarters in Islamabad.