No More Delays: Need for Data Protection Regulations in Pakistan

The world of e-commerce has entered Pakistan with a boom and progressed at an astonishing speed, with many new and upcoming organizations, businesses, and customers. Pakistan has a teledensity of 72.97%, while the cellular mobile subscriber base stands at 151 million, of whom 59 million use 3G/4G services. Pakistan has 61 million broadband subscribers, with 29.14% enjoying fast internet speeds. Information and communication technology (ICT) related exports are up by 13.5%, to USD 1.066 billion officially, with an estimated three times the official amount going unaccounted for. With such promising figures, while we may have been late in entering the world of e-commerce, there has been a massive rise in online shopping through e-commerce businesses. Rapid penetration of the internet and smartphones, cash on delivery (COD) and online interbank fund transfer (IBFT) services have made a great contribution to the overall growth of online shopping, and there is still huge potential for further growth. Many of these organizations are acquiring and using customer data for their transactions. Mobile devices are also at risk: as recently as this July, there were reports of 42 million attempted attacks on mobile devices. These included a variety of trojans and hacking attempts in which attackers tried to hijack social media and bank account details, as well as ransomware, among other things.
Here comes the role of the government: to enforce data protection rules and regulations that keep customers' data secure. The question, however, is under which regulation or act this can be done. There is a need for a General Data Protection Regulation (GDPR) for Pakistan, which should aim primarily to give citizens of Pakistan control over the protection and privacy of their data.
There are many companies collecting users' personal and financial data. National and international companies that collect this data are doing so without any centralized body overseeing their activity. This raises the question of whether any checks have been placed on these companies, and whether the companies have taken any precautions to protect the sensitive user data in their databases. There has been a startling growth in the country of applications that collect data either directly or indirectly (through user permissions). These companies have a responsibility to protect customer data, but face no repercussions if they fail to fulfill that responsibility. A cellular company operating in Pakistan, Mobilink, was also hacked by a group known as the Equation Group, and data details along with hacking tools were later placed online by another hacker group, the Shadow Brokers, after they obtained access to the Equation Group's database. Despite this, the issue was not addressed by the company but was rather swept under the rug.

Knowledge of such hacks and security breaches raises questions about big companies that directly or indirectly collect data from customers through mobile applications, making one doubt whether these companies are authorized to do so and, if so, under which act. We must have data protection regulations in Pakistan to protect against breaches of personal and financial information. Such practices of data accumulation, and the possibility of its theft, should be a major concern of our security agencies, too.


There have been recent incidents of data breaches at different companies. One example is Careem, which was hacked in January 2018, leading to the data of 14 million users being compromised. Astonishingly, there was no accountability for the company in question. The reason is that no regulations exist to protect personal data. Although many Pakistani users fell victim to this security breach, they were unable to prosecute or have the matter investigated legally, unlike affected persons in other countries, who could do so thanks to existing checks and balances. Careem, as a company, also handled the matter poorly: it revealed the news of the breach two months after it had happened, putting users at further risk. In these circumstances, user data remains completely in the hands of companies, as the government is unable to investigate the matter. Uber is guilty of the same thing. It concealed a massive breach of the personal information of 57 million customers and drivers in October 2016 and, instead of investigating it and filing a lawsuit or prosecuting the attackers, paid the hackers to delete the data. Like Careem and Uber, most companies collect data through mobile applications by seeking permissions to access the contacts, messages, photos, phone, etc. on users' mobile devices, and this data can be compromised in a security breach.
In a recent cyber attack on British Airways, 380,000 customers paying by card on the company's website and app had their financial and personal data compromised during a 15-day breach. The company responded with reassurance, stating that it would assist and compensate any affected customer. This response was prompted by the new European GDPR data protection law, under which the airline can face fines of up to four percent of its global annual revenue.
Data protection has been gaining increasing attention, especially with the ongoing discussion of companies' access to users' personal data. When customers shop online, national as well as foreign companies operating in Pakistan target them for their personal and financial details. While online orders are being placed, these companies target two areas: one is personal details and the second is financial details, including debit/credit card information. These companies use small discounts as an incentive for users to give up their personal data, capitalizing on the lack of technological awareness among many people. Another strategy is to request permission to access certain user data, which the customer agrees to upon installing an application. Once consent is given, the company gains access to the user's personal data.
Another important issue that every mobile user in Pakistan is facing nowadays is receiving junk or spam messages. People hold databases of mobile numbers with locations and sell them to companies for advertising. The PTA must take action on such issues and look into those selling mobile phone data.
Although an effort was made to cover this in Para 14, on the "unauthorized use of identity information", in Chapter II of the Prevention of Electronic Crimes Act of 2016, further expansion is required along the lines of the GDPR, with an emphasis on data protection. The law does not specify the regulatory mechanism under which an individual's private information may be stored or transmitted online by any company.
We neither have legislation regulating the protection of data in Pakistan, nor is there any national data protection authority. Data controllers or collectors do not need to register with any authority, nor are they required to meet any security requirements or to inform the public of data security breaches or losses. This absence of regulation makes rules on the export of the personal data of citizens of Pakistan and people residing in Pakistan an urgent need.
It is the responsibility of the Ministry of IT and Commerce to formulate regulations regarding e-commerce. In this regard, guidance can be taken from the GDPR. The GDPR addresses the export of personal data outside the EU and EEA. Section 4 of the GDPR sets out the requirement for applicable firms to appoint a data protection officer (DPO), who is responsible for handling issues relating to the protection of personal data and must be given the necessary resources to carry out his or her duties. The DPO should also be easily reachable by users who wish to discuss such matters, and shall report to the highest management level. We must have regulations that protect personal data and give users a sense of security. This will further simplify the regulatory environment of IT and e-commerce for international businesses in Pakistan. If we want to improve our economy and financial standing in the world, then we must have comprehensive legislation addressing data protection and privacy.