Comments on PERSONAL DATA PROTECTION BILL 2020 by KPCERC

PERSONAL DATA PROTECTION BILL 2020 is in draft stage and KPCERC has the following observations / recommendations / comments over this bill.

1. Personal Data Protection Bill 2020 draft treats the subject matter as civil as well as criminal in nature, however other data protection laws treat the subject as civil. It is recommended that the bill should be treated as a civil proceeding instead of criminal laws. Compensation in the form of damages may be awarded to the aggrieved party. By treating as criminal law it will overlap with other criminal laws such as the Prevention of Electronic Crimes Act (PECA) and the Pakistan Penal Code (PPC).
2. The territorial scope should be increased: It should apply to the controlling and processing of personal data by controllers and processors in and out of Pakistan, dealing with data of citizen of Pakistan, or data is collected in the physical jurisdiction of Pakistan, regardless of where the data is processed and controlled. This is in line with the territorial scope defined by GDPR.
3. Personal Data Protection Bill 2020 should also apply to the processing of personal data of data subjects in Pakistan by a controller or processor not established in Pakistan, where the activities related to offering goods or services to Pakistan citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within Pakistan. Every data processor / controlled working with citizen data should be registered with the commission / authority.
4. Section 3.1 (a) states that Bill is applicable to personal data only, the other regime of data classification such as sensitive data, medical data and educational data, etc. are not considered, this needs to be reviewed. Encrypted data (in transit or stored) should not be exempted from the law.
5. Few concepts / term are not explicitly defined such as:
   1. Data
   2. Profiling ( User, systems, natural person or any other state or form)
   3. Data generated via automated means i.e Data resulted in consequence of any automated / Artificial intelligence means
   4. Medical Data
   5. Biometric / Genetic Data 
   6. Official / Unique Identifier
   7. Financial Data
   8. Harm
   1. Definition of sensitive data in section 2 (k) should also include Political views
6. Power and functions of authority does not address the concern of all stakeholders’ power to make rules are addressed in a broader context; the working mechanism for the authority is missing. There should be a balanced approach in power and functions of authority and the bill should outline the codes of conduct and ethics for the Authority.
7. The licensing framework for companies (controller and processor) should not be made mandatory. This might slow down the innovation process in the industry. Data controllers and processors should register with authority along with the attributes it intends to collect or process. Breach / violation of any subject rights (Consent, context, additional attributes or any other clause in the subject bill) should be dealt with civil proceedings.
8. Data breach notification is not clearly identified, the exemptions in this regard needs to be addressed. Regardless of any exemption, all data controllers and processors should notify the authority and data subject, as the case may be within 3 working days.
9. Authority is given the power to make exemptions, which is not clear due to open-ended statements. It is recommended that clear Boundaries and principles should be established and the power to make new exemptions should not rest with the authority.
10. There is no technical representative or technical body mentioned in this bill, who will investigate / search / trial a case or carry out forensics or incident response. As the subject matter is technical in nature, member representation from relevant ministries should not exceed two and at least half of the members should be technical members (Cybersecurity, ICT Industry), Controllers and Processors from support industries, legal, financial and civil society (at least two members, representing Data Subjects)
11. It is suggested that the Bill should outline sector-specific and general baseline frameworks, standards, policies, controls for protection of personal data in-line with global standards.
12. Data localization should be encouraged, while controllers and processors should seek one-time approval or inform registration authority in case of cross border data transfer in situations where the host state is a party to any bi-multilateral agreement for cross boarder data transfer (APEC  or any other). If the host country is not in any multilateral agreement with the state of Pakistan, the Controller or Processor should seek NoC before the cross boarder data transfer.
13.  Cross Boarder data transfer regime should be flexible enough to promote start-ups and local IT industry while ensuring the hold accountable technology companies competing against the local industry while not registered or paying any taxes in Pakistan.
14. The framework to allow Cross Boarder data transfer should be based on data classification; however, a copy of the data/ logs shall be kept / made available in Pakistan.
15. To promote innovation and local product development, application of the law should be gradual and data processors & controller should be divided into following 4 categories.

1. International big giants (based on volume of traffic / revenue) providing services in Pakistan.
2. International Small scale companies want to market their services in Pakistan.
3. Local Companies / public sector departments with greater footprints within the country.
4. Small startups and SMEs operating within the country.

16. Compliance framework should be outlined which industry has to meet, if it is desired to be declared after the establishment of authority, and then the Bill should outline the guiding principal for such framework. Compliance submission duration for each industry is expected to be established.  
17. If the proposed bill is to overriding the conflicting provisions with other laws, mechanism to ensure baseline controls and provision outlined by previous laws should be addressed.
18. The base line principals and criteria to establish vital and legitimate interest is requested to be defined in case of consent exemption.
19. In case of Breach Notification; the words and statements like “undue”, “where reasonably possible” and “except where the personal data breach is unlikely to result in a risk to the rights and freedoms of data subject” are confusing and may result in litigation and conflicts.
20. Operational guideline and functional organs of the authority specially the technical (compliance, audit, forensic, incident response and policies and standards) should be outlined.
21. Penalties should be proportionate to the defined “harm” and declared company size/scale.  Penalties should also be introduced for non-compliance of baseline controls/ standards, breach of consent or any controller or processor observed collecting data attributes (regardless of the data classification) beyond the one registered with the authority.
22.  Special provisions / support should be defined for local startups or technology companies holding, storing or processing data in Pakistan as cross-boarder transfer host.  Moreover same for the copyrights / Intellectual Property for new startups / tech companies aims to invest in Pakistan.
23. Vulnerable segments of the society such as minors, women, transgender and minorities are not explicitly mentioned. Personal data for minors may also be treated as sensitive to protect the vulnerable.
24. Bill should make it mandatory for principal data processors or controllers dealing with data (personal or sensitive) to ensure their physical presence in Pakistan, criteria may be established based on number of users, volume of data or any other.
25.  The Bill may address the development of Pakistan’s digital IT / e-commerce strategy, the need to maintain economic competitiveness and to create a balance between an enabling environment for Pakistani digital exporters to access foreign markets and avoiding the harms of data colonization.
26.  Revenue streams, financing, appointment of Head of Authority should be independent of the reporting / concerned ministry to ensure the neutrality and autonomy of the authority.
27.  Remedy in form of financial compensation for the aggrieved individual from the penalty may kindly be added in the bill, especially in relation to sensitive data.
28. Learning from the gaps of implementation of PECA and inadequate human and technical resources to address compliance, audit and grievances of the aggrieved parties and judicial & technical capabilities of the functional organs should be explicitly ensured in the Bill.