@hijakamran
Hija Kamran
11 months
The law that's supposed to protect your data punishes you if you wish to protect your data (and yourself). A recent Lahore High Court judgement can give some perspective into what this means for your privacy. See here:
The Lahore High Court just ruled that analysis of mobile phone data without court order is unconstitutional, and hence illegal. The court said that mobile phone is like a home of the person, and right to privacy in home is a fundamental right (A.14).

Replies

🚨 The Pakistan govt just approved the data protection law that you must pay attention to. I read it so you don't have to (even though you should). Here's a long thread on the law and just some of the things that are very worrying.
- Starting w the process of passing the law: No one has seen the officially passed law. We got a copy titled "Final Draft" with no date through sources in media. Laws that are passed behind closed doors are always intended to stifle civil liberties & never in favour of citizens.
- Riddled with ambiguous terms like "vital interests", "legitimate interests", "national security", the law is pretty interesting.
- S.7(1)(i) that says if a person fails to provide mandatory data to data controller demanding that data, the person will face "consequences".
Side note: Article 13 of the Constitution protects citizens from self-incrimination.
- The law says data controller & processor will notify in writing to citizens about data collection, processing, purpose, sharing etc. This just means that you'll have to read Terms of Services before you agree to them.
- This is IMPORTANT: The law enables citizens to withdraw consent to process or collect more data at any point but does not say how and what will be the conditions. In previous drafts, there was a lengthy process of submitting application+fee when withdrawing consent (contd.)
Civil society worked to have it changed in the last draft that was shared for public consultations in 2021. Our rec was to make the process of withdrawing consent as simple as giving consent, AND there should be no monetary charges or "fee" for doing so.
On another note, if the data controller fails to respect the request to withdraw consent for data processing, it will be liable to pay a fine of up to 50,000 USD.
- This law is quite vague, especially in terms of timeline. It says data controllers have to retain records of all requests/applications but doesn't specify for how long. But what caught my eye is the requirement of data controller to "regularly" update the Commission abt
the type of data they are collecting & why. How regularly and at what interval this update needs to happen, is not specified. Will this be a public document? Transparency is important, not just for data controllers and processors, but for the commission too.
- Data controller has to inform the Commission and the data subject about any data breach within 72 hours, but it's not important if the data breach doesn't infringe on the subjects' rights or freedoms. Wonder who decides which privacy violation is violation of rights/freedoms?
If the data controller does not inform of the breach within 72 hours, they can do it at any time afterwards with a valid reason for the delay. What constitutes a "valid" reason? & why is there no penalty for not informing citizens immediately that their data has been compromised?
Careem's 2018 data breach was reported to the public months after it happened. There were no consequences of this delay.
- S.16(3) says that if a person wants to access their data that the data controller has, they will have to pay a fee (how much?) to controller. My question here is whether the data subject will be paid when the data controller like tech companies will sell this data for profits?
Giving rights to people and then putting a fee to exercise those rights is not actually granting rights. You're still barring people from accessing/exercising their rights that the law in question is supposed to be granting unconditionally.
🚨 - S.24 says that scope of data disclosure can be broadened in some cases, & can go beyond what data subject agreed to. One of these instances is if the data disclosure is important to curb or "detecting a crime, or for investigations".
Its implications will directly be seen when and if journalists, activists, human rights defenders or dissidents are targeted and their data is accessed without their consent or knowledge to stifle their civil liberties.
- The law mandates data controllers to process Critical Personal Data of data subjects on servers or digital infrastructures located within Pakistan, which means servers will have to be localised. Critical Personal Data definition in the photo:
Tweet media one
Localising servers comes w significant problems pertaining to the impact to digital economy which PK can't afford at the moment given the situation of the country. The high cost of setting up & maintaining servers will act as a deterrent for companies to do business in the country.
Not to mention, it impacts small businesses significantly who might not have resources to set up and maintain their own servers and rely on servers located elsewhere in the world to store data and provide services. PK can't afford to pass legislations with impact of such nature.
- The law also gives powers to commission to make mechanism to share sensitive personal data of individuals w the govt when it's a matter of "national security" or "public order". This is another way of weaponising law against those who exercise their right to freedom of speech.
11 months
This is especially important since the Commission is being formed under the administrative control of the Federal Government. So the govt can influence these mechanisms to have something that favours them and not necessarily the citizens.
- PENALTIES: The penalties in case of violation of this law entail fines of up to 125,000 USD, and repeated violation fined at up to 250,000 USD (or equivalent PKR). Those pertaining to sensitive personal data are fined at up to 500,000 USD (or equivalent in PKR).
Where the offence pertains to critical personal data (which is the data controlled by public service providers), the fine is up to 1,000,000 USD or equivalent. Interestingly this is the only section that mentions "as the Commission deems appropriate."
Penalties are probably not as worrying as the rest of the law, but did catch my eye especially since the government being the largest data collector in the country is also liable to comply with the law. Would be interesting to see how exemptions are created.