Pakistan’s 2018 elections noticed a surge in use of personal information. Allegations on National Database and Registration Authority officials providing personal information to political forces and wide-scale electoral manipulation raise questions around personal data security. The genealogy of personal data can be traced back to the early 1990s when there was a rise in use of computers. Although increasing efficiency and productivity, there was a surge in e-information leaving a permanent online footprint. Human rights experts raised concerns that these positive advancements would have an adverse impact on an individual’s right to privacy.
As witnessed in recent times, an increase in crypto currencies, e-money wallets, across-border trade, financial transactions and exchange of online information were some aspects that perpetuated and enhanced these claims. More recently we have been increasingly surrounded by data analysis. Most of this data relates to our identities. Without limitation, this data provides evidence indicating our personal preferences and political manifestations. Since then personal data protection has been recognized as a fast-changing and increasingly important supranational, international and national contentious topic.
On May 25, the General Data Protection Regulation came into force across the European Union. Marked as a landmark legislative development in privacy law sphere, GDPR imposes onerous obligations on data controllers, processors, while transferring control over personal data security adequacy to data subjects. GDPR defines personal data as any means of information relating to a person who can be identified directly or indirectly with special reference to physical, psychological, genetic, mental, economic or social identity.
However, merits of such legislative enactments are questionable. Its success is predicated on the domestic enforcement in member states and the principle underlying regulation. However, questionable merits of any personal data protection regulation aside, it offers food for thought: How is our sensitive, personal data being handled? In particular, from Pakistan’s standpoint what recourse does the law provide to data subjects? Are telecom giants, internet companies, and e-commence businesses accountable for our personal data?
Pakistan is increasingly attracting e-commerce businesses to cater to the requirements of its 200 million inhabitants. Recently, China’s multibillion-dollar company, Ali Baba Group, acquired online retailer Daraz. China is actively investing in our telecommunication industry under the guise of China-Pakistan Economic Corridor. On the other hand, Punjab’s effectively addressing shortcomings in information technology services infrastructure. Some would argue that we are moving towards challenging the Indian IT services status quo in the region.
However, there are no robust frameworks in place to protect data subjects or provide any recourse against an alleged breach of their rights for misuse of their personal data. Recent saga involving Cambridge Analytica further emphasizes this conundrum: How do we protect our identities while remaining progressive to protect democratic values?
Cambridge Analytica offers an insight into the power that beholds the authority that possess customer data. It illustrates trends in data subject’s preferences and sensitive information. The absence of any regulatory structure in Pakistan questions the foundations of a free and fair democratic electoral process.
Personal data, data security has been hailed as the foremost priority of the 21st century. The sanctity of data can be determined by a recent English decision wherein an employer was held vicariously liable for a data breach affecting over 500,000 employees. Pakistan unfortunately offers no scope in relation to accountability of how data is stored or used. Cambridge Analytica’s case in relation to Donald Trump’s election campaign is an illustration of how murky the waters are in relation to personal data security.
The Prevention of Electronic Crimes Act 2016 makes progress towards data security but omits reference to personal data.
Technology can’t operate in a vacuum. However, technology is neither efficient nor productive if it is the antithesis of those very principles under which it was enacted. The fast pace of technology offers reliability and comfort. However, we ought not to be held hostage to our desire to seek reliability at the cost of our receding rights over our personal property.
Pakistan needs a complete overhaul in its approach toward personal data breach. Imran Khan’s government has pledged to take unprecedented steps in areas where no administration has dared to go before. He has also pledged to undertake electoral reforms. However, the new administration must appreciate that personal data has a direct bearing on the electoral process. An omission in relation to data protection in an attempt to revisit electoral process will be short on expectations of desired results.