Personal Data Protection

                                                                                                     Areeba Qureshi

With modernization, the world and its people have evolved over time. It has been centuries since people got their identities, they have evolved and formed societies during this period. This advent has brought a lot of prosperity, but it also led to substantial danger, and complications for each individual. Therefore, laws were made to keep everything within the boundary, and hence every law has its importance. A government is responsible for each individual’s security and privacy. Therefore, it becomes essential for the higher authorities to secure the personal data of the citizens and not expose them to any sort of danger. This focuses on personal data as well because each individual holds confidential data that they do not reveal for their own security reasons, and leaking or using it unlawfully compromises personal information, which is undoubtfully a breach of fundamental rights.

As per General Data Protection Regulation, data protection is protecting almost all kinds of data of the citizens. However, what everyone tends to ignore is personal data protection which is a basic necessity of everyone as it lies within their basic fundamental rights i.e. rights to security Article 9 and privacy Article 14(1).

Modern problems require modern solutions, and in a world of digital media, and a lot of paperwork, your personal information matters a lot as you would never want your confidential data being sold to strangers that may harm you in the future.

Personal data in terms of General Protection Regulation of UK defines it as information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly[1]. This includes personal information e.g., name, identification numbers, locations, the city he may be residing, addresses, and social links; whereas, sensitive data may include a person’s biographical data, his character traits, behavior, medical records, family belonging, birthplace, educational history, political-religious views, and background, etc. Without one’s consent or in other exceptions (for state’s security) the information is not allowed to be leaked by any third party as it is compromising one’s security and privacy, exposing them to further risks, and misfortunes.

Similarly, Pakistan is yet to pass the Law on Personal Data Protection as the Bill itself has been amended twice already. Not to forget, Pakistan does have Cyber Crime laws, however, these laws do not protect a person’s personal data which without consent should not be disclosed, kept in records, or shared with third parties.

Keeping in view what personal data is, we can identify one of the root causes of hideous crimes in the state for example abductions, harassments (online/direct), mass killings, and other crimes such as frauds, thefts on daily basis. It is no doubt that these crimes may include other factors, however, once a person’s personal information is leaked through a third party that is when the problems arise, and hence it is clearly a breach of Human Rights.

When a person’s data is compromised, it not only makes them lose their privacy but exposes them to vulnerable situations and greater risks they might never want to witness. They may face life-threatening situations unknowingly. When such an act is committed it is undoubtfully accepted by the higher authorities that raises a question; if the stakeholders matter more than the safety of a citizen? 

Furthermore, it is commonly witnessed how often personal data of pupil has been sold in markets, or been sold to other agencies without the person’s consent and this is why many get in the traps of frauds, many receives messages from spam accounts, many are threatened-blackmailed. An example can be taken into account, bank details of any person being shared by a third party may cause the individual’s security to be compromised and further cyber-crimes. This may lead to huge losses and he might end up losing millions or have massive blow out on his life and business. This is all connected however easily overlooked as it’s not much talked about.

The scenarios mentioned above can easily be backed by recent events. Firstly, NADRA[2] exposed its public information, database on public websites giving a free hand to criminals to take action without any hurdle. This was however diverted by calling it off a cyber-crime, that systems were ‘hacked’, despite the fact that personal data is sold for cash around the world, and the world itself has made certain laws to protect its citizens. Furthermore, there has been a data breach in a well-known service app that everyone uses it almost daily, however, it went un-noticed but if you dig deep inside to what it actually was then the personal data of drivers and the customers was leaked, it was approximately 14 million users. This is very dangerous in terms of every citizen’s data being compromised like that. This exposes them to threats, crimes, and abductions. A similar incident occurred when Dubai based information security company Rewterz[3] claimed the private data of 115 million Pakistani mobile users were up for sale on the dark web with a price tag of $2.1 million. And later this news authenticity was approved by Chairman PTA Major General (R) Amir Azeem Bajwa who told Arab News that approximately the data of 115 million Pakistani users was breached and that they had already contacted the mobile network agencies.

Another case that did not raise many concerns was recently when a well-known energy company did not pay its ransoms and hence it’s online data of people and billing was compromised. Not to forget that this energy company has access to every person’s personal data and that is what was compromised here and was threatened to be sold at Dark Web if they did not pay the ransom. The ransom was to be paid to the Netwalker gang. This may include cyber-crime however the cybercrime law itself does not have any kind of protection for personal data. The personal data hence compromised security of millions of Pakistanis here exposing them to further crimes and online threats. The energy company however refused to accept the claim that personal data was compromised for ransom, this further raises more questions if these powerful agencies are actually selling citizens personal data to such gangs or agencies, and exposing them to life-threatening situations?

This is unfortunately the truth that certain agencies, firms do sell the personal data of their client for some rupees. Others may purchase for e-commerce or to threaten one’s life. This however is clearly the breach of individuals’ rights since they did not ask for consent and this is what other countries have focused on and made laws to protect the personal data. This can be seen in the world’s famous law GDPR, the General Data Protection Regulation where agencies cannot compromise the data of their clients with third parties, and they have to register themselves in the Data commissioner office if they hold any kind of personal data of UK citizens. If any company is handling personal Data but fails to register with GDPR and fails with compliance then it may be charged up to $23.5 million. Implementation of GDPR[4] took a lot of effort to make it a proper law and despite the disadvantages, it did cost a lot and took a lot of time however in the end the data breaches did decline.

At present, Pakistan has the Data Protection Bill 2020[5], which focuses on every aspect of how personal data can be protected in Pakistan. However, here are a few clauses that the bill still needs to add; transparency and informed consent, purpose, and storage limitation (necessity), and data minimization (proportionality). These are a few crucial salient features of every personal data protection law of the globe. Therefore, Pakistan should also focus on these clauses to be added to the Bill to secure one’s personal data in a better way. It is important to provide every citizen with their rights just like Bruce Schneier said, “Privacy is an inherent human right and a requirement for maintaining the human condition with dignity and respect.”                                                                                                

References

[1] General Data Protection Regulation (GDPR) – Official Legal Text https://gdpr-info.eu/

[2]115 Million Pakistani Mobile Users Data Go on Sale on Dark Web | Rewterz https://www.rewterz.com/data-leakage/115-million-pakistani-mobile-users-data-go-on-sale-on-dark-web

[3]Data of 115m Pakistani mobile phone users was not leaked on Nadra’s part, SHC told https://www.dawn.com/news/1597963

[4] Art. 83 GDPR – General conditions for imposing administrative fines | General Data Protection Regulation (GDPR) https://gdpr-info.eu/art-83-gdpr/

[5]oitt.gov.pk https://moitt.gov.pk/SiteImage/Downloads/Personal%20Data%20Protection%20Bill%202020%20Updated.pdf

The Writer is a Research Associate and a 2nd-year law student at ZFL.

Twitter: @areebaQureshii

Published in ZU-BLAWGS, August 10th, 2021