Introduction
The 21st century brought a technological revolution that would have seemed fictional not long ago. The idea of technology aiding humans in everyday tasks became more common as the decades passed. The revolution owes much of its beginning to Alan Turing, who is regarded as the father of modern computer science and a pioneer of artificial intelligence and many other concepts. Machines that once performed simple calculations with rotors and motors evolved into electronic processors executing small instructions, and with the exponential advancement of hardware and software technology came the spread of modern-day computers and smartphones. These devices became storage mediums for personal and professional information. The data inside a machine is owned by its user but used by different applications to perform automated tasks. It was reported that 1.2 trillion gigabytes of data were generated in 2010, at the beginning of the last decade, a figure expected to be 44 times higher after 2020. The generation of so much data led to new algorithms and programs that use it to generate predictive analytics with business value.
It was noted that mobile applications, desktop applications, and web applications or cloud storage services harness and access users' personal information such as:
- Contacts
- Location
- Media (images and videos)
- Communication (message content)
- Internet browsing
This information is stored on company servers and is later either sold to third-party vendors for analysis and marketing purposes or analysed in-house. The issue is that the data collection is performed without the permission of the data's owner; hence, it amounts to theft of private property. As with other forms of property, legislation is needed to regulate the data acquisition process and to make the user's consent a primary requirement. These concerns were discussed globally, and competent authorities in various countries started developing data protection and fair usage Acts and Rules. This article gives a broad overview of these regulations across the globe with a statistical analysis of their implementation.
Current Statistics
Data protection laws were not taken seriously until recent legislation. That legislation was also prompted by outrage from civil society and the open source community over big data analytics performed on data harvested without consent. The following statistics are from UNCTAD (United Nations Conference on Trade and Development):
- 59 % of countries have some legislation on data protection
- 5 % of countries have at least draft legislation
- 9 % have no legislation regarding data protection
- 27 % are not included in the statistics, as UNCTAD has no record of their legislative developments
Geographical Map on Data Protection Legislations
The statistics highlight that of the 134 countries for which data is available, 110 have formed some legislation for consumer data protection, particularly for e-commerce information. This legislation is not all focused on the personal data of users that is accessible to application owners; rather, the figures combine all laws relating to data protection and fair usage policies. Many incidents in recent years have influenced the creation of proper laws dealing with data privacy and protection worldwide.
Data Protection Law Pakistan & PECA
The right to the protection of individuals' data, and its importance, derives its validity from the Constitution. Under Article 14(1) of the Constitution of 1973, the 'privacy of home' is declared inviolable. Such privacy, however, is subject to the laws of Pakistan. In the case of M. D. Tahir v. the Director, State Bank of Pakistan, Lahore [2004 CLD 1680], the Lahore High Court held that 'It can hardly be denied, that the taking of private information without any allegation of wrongdoing of ordinary people is a great invasion of this fundamental right of privacy.'
Pakistan does not currently have any law or rules strictly focused on data protection; however, the Ministry of Information Technology has drafted a bill to provide national legislation for user data rights and their protection, the "Personal Data Protection Act 2021," which is pending passage by Parliament and Presidential assent. The Bill, once enacted, will be the primary law pertaining to the protection of personal data in Pakistan. It will regulate the collection, processing, use, and cross-border transfer of personal data. Furthermore, the Bill provides that a data controller shall not process personal data unless the data subject's consent has been obtained. Unfortunately, there is no clear guideline at this time as to when the Bill will be enacted.
The primary law currently providing the legal framework for electronic and digital media, and also extending to unauthorized access to personal data, is PECA 2016, the "Prevention of Electronic Crimes Act," promulgated on 18 August 2016. PECA aims to prevent unauthorized acts against information systems and provides for related offenses and mechanisms for their investigation, prosecution, trial, and international cooperation.
PECA is mostly focused on cybercrime and the use of social media platforms, ensuring compliance with the existing legislation of the state dealing with the relevant offense. PECA served as a building block for bringing internet crimes under the rule of law in Pakistan and enhanced state control over internet usage policies. PECA by itself is not sufficient as the legislation needed to control and streamline internet usage, but it will surely evolve to cater to all cybercrimes and cyber-harassment affecting the people of Pakistan. PECA also has several loopholes and has been termed a draconian law; consequently, some provisions of the Act were declared unconstitutional and struck down by the Islamabad High Court in April 2022.
The Ministry of Information Technology and Telecommunications has further promulgated the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules 2020 ('Unlawful Online Content Rules') under Section 37 of PECA. Section 37 of PECA provides that the Pakistan Telecommunication Authority ('PTA') has the power to remove, block, or issue directions for the removal or blocking of access to information through any information system if it considers this necessary in relation to, inter alia, incitement of any offense under PECA.
Evolution of DPA to GDPR
The UK Data Protection Act 1998 served as the baseline for data protection laws in Europe and elsewhere. The DPA was later found ineffective as the scope of technology changed rapidly, leading to the development of the GDPR (General Data Protection Regulation). Following the UK's exit from the European Union, the UK government transposed the General Data Protection Regulation into UK national law, with many technical changes made to account for its status as national law. The Data Protection Act 2018 ("DPA") remains a national data protection law and supplements the UK GDPR regime. It deals with the derogations and exemptions previously permitted under the EU GDPR.
The core differences and contrasts between the two are as follows:

| Section | DPA | GDPR |
| --- | --- | --- |
| Fines | Under the DPA, the fine for 'serious breaches' was 500 GBP. | Under the GDPR the penalty can go up to 20 million EUR for serious breaches, and even less severe violations can result in a 10 million EUR fine. |
| Accountability | Organizations were not bound to document the actions taken to protect data. | Organizations are bound to maintain proper documentation of the actions taken to protect user data and to present it to the governing bodies whenever asked. |
| Breach Notifications | The DPA did not require organizations to report data breaches. | Reporting is mandatory: organizations must report any data breach to the competent authority within 72 hours, and the individuals concerned by the breach must be notified as well. |
| Right to Erasure | The DPA did not grant individuals the right to control the retention of their data. | Users have the right to refuse to let companies store any of their data, and if data has been shared with vendors, the user may simply ask the company holding the data to erase their information from its systems. The GDPR also prohibits digital applications from storing user data without consent; the user must first grant specific permission before the application may keep any kind of data. |
| Right to Portability | The DPA lightly ensured users' right to reuse data held by companies, but not strictly. | Users have full rights to access all their data held by any party it was shared with. The legislation dictates that all historical data or activity states must be shared with the data owner in CSV or another machine-readable format. |
International Guidelines
International economic organizations such as the Organization for Economic Co-operation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) Forum have produced their own data privacy guidelines. These guidelines deal mainly with the transfer of personal data across borders. They act as an international standard for data privacy and protection to facilitate international trade; however, they are not binding, merely guidelines, and are less effective than the domestic laws of participating countries. Data security and compliance executives still have to develop a cross-regulatory compliance strategy that adheres to the stringent regulations of their target markets.
Data Protection Laws of Different States
In light of present circumstances, with the world's working paradigm shifting so rapidly towards digitalization, it is the need of the hour that the data of individuals, companies, and corporations be protected so that they can feel safe online. For this purpose, states have legislated on data protection and safety: 128 out of 194 countries have put legislation in place to secure data and privacy protection.
Countries with legislation: 71%; countries with no legislation: 15%; countries with draft legislation: 9%; countries with no data: 5%.
The countries that have no legislation on the subject are Cuba, Guatemala, Guyana, Venezuela, Sierra Leone, Guinea-Bissau, Liberia, Cameroon, Libya, Belize, Haiti, Sri Lanka, Bangladesh, Central African Republic, Sudan, Egypt, Ethiopia, Syrian Arab Republic, Afghanistan, Eritrea, Papua New Guinea, Burundi.
On the other hand, some states have very detailed and profound legislation similar to the GDPR.
- USA: The US has many privacy and data security laws across its 50 states and territories. California alone has more than 25 state privacy and data security laws, including the recently enacted California Consumer Privacy Act of 2018 (CCPA), many of whose provisions overlap with the GDPR.
- SOUTH KOREA: South Korea's Personal Information Protection Act has provisions similar to those of the GDPR and provides very comprehensive protection for companies and individuals, including requirements for obtaining consent, the scope of applicable data, the appointment of a Chief Privacy Officer, and the limitation and justification of data retention periods.
- CHILE: In 2018, Chile's constitution was amended to include data privacy as a human right. Numerous laws introduced in Chile guarantee legal protections in the spirit of the amendment and bring it to a level comparable to that of the GDPR. These include the creation of a personal data protection agency and regulations on handling, collecting, and transferring personal data. There are also fines and sanctions for non-compliance, which increase for repeated offences.
- SOUTH AFRICA: South Africa's Protection of Personal Information Act, 2021 (POPIA), is a very detailed and sound piece of legislation. The GDPR is in some ways stricter than POPIA, while in other situations it is the other way around. For example, the GDPR has certain exemptions for SMEs, while POPIA has no such exemption. The GDPR has significantly higher fines but no criminal charges, while POPIA does include criminal charges.
- AUSTRALIA: The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation governing the handling of personal information about individuals. The Privacy Act includes 13 Australian Privacy Principles (APPs) guiding the handling of personal information. Privacy policies need to detail why and how an organization collects personal information, the consequences of not providing it, how individuals can access and correct their information, and how individuals can complain about a breach of the principles. Privacy laws in Australia are stringent and impose strict sanctions and fines in cases of breach.
- INDIA: In a writ petition, the Indian Supreme Court in the case JUSTICE K.S. PUTTASWAMY (Retd.) vs. UNION OF INDIA upheld that privacy is a fundamental right. This, of course, applies to data privacy and protection and led to the formation of a very comprehensive Personal Data Protection Bill 2019. This bill was recently withdrawn by the government. Currently, there is no sound legislation concerning data protection, and the Information Technology Act 2000 largely governs data protection in India.
Conclusion
The world has changed rapidly in recent years, and all of this information and sensitive data needs to be protected. Protecting privacy in the modern era is essential to effective and good democratic governance. However, despite increasing recognition and awareness of the right to privacy and data protection worldwide, there is still a lack of legal and institutional processes and infrastructure to support the protection of those rights. Some parts of the world suffer from a void: a lack of regulatory and legal frameworks in many countries, and poor implementation and enforcement in others. This is specifically true of Pakistan, where the subject remains largely unregulated and adequate safeguards against data privacy breaches are not provided.