By: Tristan Jenkinson
Last month, the Ministry of Information Technology and Telecommunications for the Government of Pakistan issued a draft Data Protection Bill for consultation. You can get a copy here.
This draft follows a previous draft issued in 2018 (also available from the above link). The contents contain many of the same concepts that we are seeing from other data protection legislation, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). There are, however, a number of potentially significant differences.
Punishments for non-compliance
One of the differences is the potential penalty for non-compliance. Under the GDPR, companies could be charged up to €20m or 4% of annual turnover, whichever is greater, for non-compliance. Some of the highest fines listed in the PPDPB are:
- 15 million rupees (about €85,000) for unlawful processing of personal data, rising to 25 million rupees (€140,000) if the unlawful processing was of sensitive data or if the unlawful processing continued. This is covered in section 41.
- Corporate liability – fines up to 30 million rupees (€29,000) or 1% of annual gross revenue in Pakistan (whichever is higher). This is covered in section 44.
While the potential fines available under the PPDPB are significantly lower than under the GDPR, the PPDPB does include the possibility of imprisonment. A data controller who receives notice to cease processing and does not could be liable for a fine of up to 5 million rupees (€61,000), imprisonment for up to one year, or both (see section 23).
What is not yet clear is how imprisonment would necessarily be applied, since the data controller is a “natural or legal person or the government” and so would likely be a company, rather than an individual.
Data Access Rights – and Exceptions
One of the biggest differences between PPDPB and GDPR is with regard to data access rights.
While the draft legislation provides a right of access to personal data, section 18 is titled “Circumstances where data controller may refuse to comply with data access request”.
Within this section, one option which data controllers may rely on to refuse data access requests is confidentiality.
18.1 A data controller may refuse to comply with a data access request under section 10 if—
b) the data controller cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless—
(i) that other individual has consented to the disclosure of the information to the requestor; or
(ii) it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual;
This differs from the approach under the GDPR (and the previous Data Protection Act 1998) where such information would normally be redacted, allowing the data subject request to be complied with.
Concerns Over Segregation of Powers
One of the more vehement concerns that have been expressed about the Bill relates to a potential issue over the non-segregation of powers and the creation of the Personal Data Protection Authority (PDPA – commonly referred to as “the Authority”).
Under the current draft, the Authority has significant powers – for example, Section 34 (2a) states “the Authority shall be deemed to be a Civil Court and shall have the same powers as are vested in such court”. Other powers include the powers of search and seizure.
There is concern regarding the level of power that would therefore sit with the Authority. Some see this as an attempt to centralise power, which they view as against the constitution of Pakistan. The establishment of the Authority has been described as “draconian” and “anti-democratic”. See, for example, the statement from Media Matters for Democracy here.
Summary
While the progress from previous drafts, in areas such as the definition of consent and expansion in scope with regard to data processors and controllers, should be applauded, there are clearly still concerns from some key groups that they feel need to be addressed. It will be interesting to see the resulting draft after the consultation period has been completed and whether those concerns are taken into account.