Originally posted in: The News on Sunday
Writer: Asad Baig
Advances in information communication technology (ICT) have made the Internet and our devices an essential part of the way we experience life — from acquisition of goods and services to the creation of opportunity and access. Digital access is considered a human right by the United Nations and the world is so interconnected through this technology that our virtual lives now seamlessly merge into our physical ones. While advances in technology have made lives easier and brought much efficiency to service delivery, the increasing dependence on technology and its interconnected nature have raised new questions of privacy. We now live, document, store, and share much of our lives with support from digital technology — technology that is developed, owned, and operated by third parties, often without much transparency about its design and operations.
As citizens of Pakistan, our official existence and our national identity also exist on a digital database operated by the National Database and Registration Authority (NADRA). Add to this digital existence, many other kinds of digital services that we acquire — online banking, filing of tax returns, criminal records and passports – all are connected to our key digital identity. It doesn’t stop there. CCTV cameras of the Safe City project and thousands of private enterprises document our movements every day. Facial recognition software at airports and other critical places identify us and feed this information into our digital profiles.
We, the subjects of this digital data, remain largely unaware and often largely callous of what happens to our digital data. But if one looks at the intensity and expanse of the digital profiles that we are building, and that is being built of us, it is clear that the digital age brings its own specific threats to our privacy.
Article 14 (1) of the Constitution of Pakistan promises individuals the right to privacy, but as the concept of online privacy evolves it is important to enact effective legal instruments that codify the nuances of privacy threats in the digital age.
In 2013, the UN General Assembly affirmed that the rights held by people offline must also be protected online, and it called upon all states to respect and protect the right to privacy in digital communication. Thus, a strong legislation, that defines privacy in an expansive manner and is able to respond to the complexity of digital privacy threats, has to be enacted.
However, this isn’t an easy feat.
The nature of digital technology is such that barely any aspect of it exists entirely within national boundaries. More often than not, the companies collecting and storing consumer data aren’t registered locally and fall outside the jurisdiction of the local laws. Thus, it is essential that a data protection and privacy law doesn’t just deal with data protection and privacy on a national level, but also contains a well-defined mechanism for international cooperation. A good example is the General Data Protection Regulation (GDPR) that has created a regional framework for the protection of citizen’s privacy rights across the European States.
In the modern age, our digital footprint is truly global, and with the concept of digital identities our personal data isn’t just data anymore but an extension of our very selves.
Another key consideration for a data protection law would be its ability to deal with threats that are generated by the state itself. In both developed and transitional countries, surveillance and interception of communications by the state has increased, and stands to have a direct impact on civil and human rights. Such concerns are common in Pakistan and an effective law has to define a mechanism that protects citizens from such invasive actions by the state.
It is also important to push for increased awareness and skill building legal and judicial communities. Without a nuanced understanding of technology and the potential impact of breaches of digital data, the legal system remains unable to respond effectively. We have already seen an adverse impact of the lack of knowledge about technology in the implementation of the Prevention of Electronic Crimes Act (PECA) where FIA’s investigative officers appear unconcerned about the direct invasion of privacy that occurs when a subject’s digital devices are examined without following proper legal procedure. If left unchallenged, these uninformed attitudes will come to adversely affect the implementation of the data protection law as well.
But enactment of a strong pro-citizen privacy and data protection legislation, and setting up an effective implementation process is only the first step. It is also important to create better awareness about the emerging threats to citizens’ online privacy and to ensure that there is some public pressure on corporations and private businesses to remain mindful of privacy concerns.
Global giants like Facebook and Google, and national corporations like telecom companies, banks and other digital service providers hold important identity, financial and behavioural information of their clients in their digital databases. However, there is next to no public information about how this data is stored, saved and distributed.
A research by Media Matters for Democracy showed that there was a lack of transparency about how national corporations and service providers maintained, secured and shared consumer’s data.
In the modern age, our digital footprint is truly global, and with the concept of digital identities our personal data isn’t just data any longer but an extension of our very selves. It is, thus, imperative for the State to take all possible measures to ensure the protection of our online privacy and protection of data, especially of critical databases such as the NADRA, which have been in the limelight in the past few years due to massive breaches.
A step towards that could be the Personal Data Protection Bill (PDPB) — a legislative framework currently in the drafting process led by the Ministry of Information and Technology — but only if equally implemented by all private and government institutions that are collecting and storing citizens’ data. If the PDPB only takes into account the data breaches in private companies and conveniently sweeps similar breaches in institutions such as the NADRA under the carpet, the legislation will at best be an eyewash.
The writer is an Islamabad-based journalist. He is the founder and the executive director of Media Matters for Democracy and the editor of Digital Rights Monitor. He tweets at @asadbeyg