India’s Digital Personal Data Protection Bill passed: “it’s a bad law”

Ensuring Pakistan passes a privacy-protecting, user-centric data protection bill

We have analysed the version of the Draft Data Protection Bill that was published in April by the Ministry of Information Technology and Telecommunications of the Government of Pakistan for public comment. At Access Now, we have been involved with the development and implementation of the EU’s General Data Protection Regulation, as well as provided expertise on the formulation and enforcement of data protection and privacy legal frameworks across the world. We have published a data protection guide for lawmakers built on lessons from the EU’s GDPR and global privacy frameworks that highlights dos and don’ts for comprehensive data protection legislation, which we believe will be useful in the refinement and finalisation of the draft bill on Personal Data Protection prepared by the Government of Pakistan.

In our filing submitted last week to the consultation organised by the Ministry of IT and Telecommunications, Government of Pakistan, we explained how the current draft data protection bill can better achieve its stated purpose if efforts are directed towards the following areas:

  1. Improve its list of binding user rights; including adding a right to portability and a right to explanation. Additionally, the bill is amended to ensure that the exercise of all data rights are free of charge.
  2. Review its proposed provisions on mechanisms for secure data transfer to third countries; to balance government powers and discard proposals for ill-advised data localisation.
  3. Further develop its data breach and notification provisions; ensuring that users are notified about data breach — and not just the Personal Data Protection Authority.
  4. Take urgent steps to ensure that the law provides for independence of the data protection authority; given that that the current text would result in an authority not independent of the executive branch and unable to investigate and adjudicate on the government.
  5. Reduce space for the federal government to alter its scope of application or exempt law enforcement-related activities from the law, and ensure that obligations under data protection law clearly apply to both the private and public sector
  6. Avoid creating a data protection “licensing framework” which would be overbroad and ineffective, and may chill rights and detract from the regulatory focus on personal data.

We hope that the Government of Pakistan improves the bill based on the feedback of all stakeholders in this process, including the concerns that have been expressed by several in civil society. An updated draft of the bill should be made available for further review, so that an improved, effective bill is brought to the Parliament of Pakistan for consideration and passing. As we have noted in our lawmakers guide, ensuring transparency and inclusive negotiations is a critical first principle in the creation of a data protection law.