Our lives are becoming intertwined with technology as we share our thoughts on various online platforms, engage in online shopping, and utilise various services that require us to disclose our personal information. In this contemporary digital age, safeguarding our personal data has become more important than ever. Cognisant of this importance, many countries around the world have formulated robust privacy laws whereas others are still lagging behind. Pakistan, unfortunately, falls into the latter category.
Despite the global recognition of the importance of safeguarding personal data, Pakistan is yet to finalise and enforce comprehensive privacy laws that meet the evolving demands of the digital landscape. The Prevention of Electronic Crimes Act, 2016 (PECA) currently serves as the primary legislation in the country that establishes a legal framework for addressing crimes in the digital domain, particularly unauthorised access to personal data. However, it has been observed that PECA is insufficient in effectively addressing complex cases arising from data breaches. For instance, the Act does not provide guidance on handling cases where a data breach related to personal data is facilitated by the negligence of governmental institutions or other entities, such as telecommunications companies.
Acknowledging these shortcomings and limitations of PECA, the government of Pakistan proposed the Personal Data Protection Bill 2023. The Bill was introduced by the Ministry of Information Technology and Telecommunication in May 2023; however, it is yet to be promulgated into law owing to cumbersome bureaucratic procedures. Once in effect, this legislation will serve as the primary legal framework for regulating controllers and processors of personal data in Pakistan. The scope of the Bill encompasses any individual or organisation that processes, controls or authorises the processing of personal data. However, until its implementation, there is no alternative available, and reliance on the existing flawed PECA remains unavoidable.
This situation raises concerns, particularly in light of the history of recurring incidents involving cyber attacks and data breaches in Pakistan. The theft and illicit sale of personal data on the dark web is a serious issue worldwide, with the data of millions being compromised in recent years. Pakistan is no exception. The compromised information includes names, addresses, phone numbers, email addresses, and even financial details that can be exploited for malicious purposes.
One of the most famous cases in this regard happened in September 2023 when hackers accessed the data of over 2 million Pakistanis, including contact numbers and credit card details, from the databases of various restaurants. The stolen information was subsequently offered for sale online at a price of 2 Bitcoins on the dark web. However, this incident was not the first of its kind; a similar case occurred in 2018 when hackers stole the credit and debit card details of over 19,000 individuals from almost a dozen Pakistani banks. The compromised data was then sold on a dark web forum named Joker Stash for prices ranging from $100 to $135 per set. The data breach significantly impacted almost all major banks in Pakistan.
These cases are not isolated occurrences and are unlikely to be the last, which further underscores the imperative for a robust privacy legal framework in Pakistan. The government’s initiative in drafting the Personal Data Protection Bill 2023 is a step in the right direction; however, it must not linger in uncertainty and should be promptly implemented in both letter and spirit.
It is pertinent to mention here that laws alone cannot achieve the desired outcomes unless they are backed by structural reforms and public awareness. As for the former, the government needs to improve the existing complaint system, which is fraught with inefficiencies, delays, and a lack of transparency. It needs to be more victim-friendly and swift. Moreover, it is essential to prioritise raising awareness and providing education to the general public, especially regarding the risks associated with sharing personal data on social media sites and various online platforms in the current digital age. Government-led campaigns should be initiated to educate the masses, particularly those who may be less familiar with technology and vulnerable to digital scams. These campaigns should highlight the different modes of digital scams that can trap individuals into divulging their sensitive personal information.
In conclusion, robust privacy laws in Pakistan are the need of the hour. It is not just about fixing current issues but about preparing for what is coming in our ever-changing digital world. These laws will be crucial for the defence against new threats to personal data. A clear set of laws will not only keep people safe but also build trust in the digital world, making a secure and thriving digital Pakistan possible. Moreover, looking to the future, with these laws in place Pakistan can compete in the domain of digital privacy and show the world how responsible data management can be done.