COVID-19 or the coronavirus has become a global pandemic over a short span of time. It is a submicroscopic organism that has affected over 1.2 million lives globally to date, and still continues to grow exponentially. Not only has this organism affected health and wellbeing of citizens worldwide, it seems like the beginning of a new world order: a virtual, real time world or even the creation of a virtual vortex.
Mostly, corporations install secured networks at workplaces to mitigate the risk of “phishing” which can potentially lure users to open fake websites with the sole purpose of illegally accessing and stealing personal or corporate data. The WFH culture may rely on the exchange of data over unsecured/unencrypted networks with corporations having no control on the scrutiny of the same. For any corporation involved in the type of business that makes its data its foremost asset, any data breach can ultimately lead to a significant loss of intellectual property, thus creating a crisis on its own-a virtual crisis.
Keeping aside corporations, we also see a rise of virtual gaming and use of video chat applications among individuals that require users to first accept terms of use before proceeding to the application. It is common among users to quickly accept the said terms without reading the same and rapidly initiating their game or chat. What most of them do not realise is that terms of use may include extreme collection of personal data and login information including any account details entered, collection of IP address(es), location information, etc. With the increasing induction into the digital world, airtight data privacy laws is the need of the hour.
Currently, the only statute enforced in Pakistan in relation to data privacy is the Prevention of Electronic Crimes Act, 2016 (PECA). (Parliament is yet to pass the Personal Data Protection Bill, 2018). PECA attempts to provide legal recourse for unauthorised access to data or information systems. However, the provisions of PECA fall short in relation to processing of personal data and necessitating standardised rules for securing confidential data. More importantly, it is pertinent to note that PECA, to an extended degree, allows discretionary powers to the investigating agency, in this case, the National Response Centre for Cyber Crime, to collect data if it reasonably believes the same to be required for investigation. Furthermore, for the same purpose, it also grants authority to service providers (telecommunication authorities) to collect real time information, without taking prior consent from users.
Taking cue from the prevailing situation that has given rise to excessive use of online systems, data privacy legislation requires ample development
Taking cue from the prevailing situation that has given rise to excessive use of online systems, data privacy legislation requires ample development. In this context, a good reference point can be taken from the General Data Protection Regulations (GDPR), enforced in the EU in May 2018. On an individual level, the GDPR, inter alia, grants users the right to access and request for their personal data collected by companies. Additionally, the users also have the right to request their personal data to be deleted if they are no longer customers of a company. To the contrary, PECA imposes an obligation on service providers to retain traffic data for a period of one year or such extended period as notified by the Authority; the same data must also be provided to the investigation agency upon any warrant from a court.
With respect to corporations, the GDPR standardises the norms and lays down a framework to minimise security breaches, promotes pseudonymisation for ensuring complete encryption of data, and imposes penalties if the same is not complied with. It also obligates companies to inform users and the authorities within 72 hours of a breach to ensure quick action. This way companies may mitigate the risk of heavy penalties and damages (resulting from lawsuit) for loss of confidential and personal data. In Pakistan, the requirement for implementation of security policies is only limited to digital banking under the Payment Systems & Electronic Funds Transfer Act, 2007, enforced by the State Bank of Pakistan. It is important that the obligation to implement such data security policies be applied to all organizations countrywide.
The outbreak of the virus and the consequent rise of virtuality have played a significant role in helping us realise the importance of cyber laws. With the Ministry of IT & Telecom already striving towards creation of a digital Pakistan, it is important that cybersecurity be given utmost importance. From what it seems, once the pandemic is over, the world as we see it now, may then only be seen through a digital lens.
The writer is a LUMS Law graduate and is currently working as Assistant Company Secretary for an IT Company. She can be reached at athermahnoor@gmail.com
During his address at the passing out parade of the Pakistan Air Force at the…
In light of the severe weather conditions in the United Arab Emirates (UAE), Pakistan…
Global investors are eyeing European and emerging market assets to protect themselves from further turbulence…
U.S. central bank officials will conclude their latest two-day policy meeting on Wednesday with a…
Asian stocks sank in holiday-thinned trade Wednesday, tracking a sharp sell-off on Wall Street after…
The Bank of Japan's decision to keep policy unchanged last week gave yen bears plenty…
Leave a Comment