Protecting people’s privacy is important, but it should not stop innovation and economic growth, concluded experts at a Pakistan Software Houses Association (P@SHA) conference with Facebook managers Thursday.
In October, Pakistan’s government moved closer to making a new privacy law. It sought the public’s comments on the Personal Data Protection Bill, 2018, but civil society and the IT sector say the government should not rush this. The government needs to make sure the law is balanced and protects the interests of stakeholders.
The law should not be too open to abuse, nor be draconian for the industry, they said while discussing ‘Privacy and Data Protection’. “The legislation should not be a choice between privacy and economic growth, because both are achievable [simultaneously],” said Arianne Jimenez, Privacy and Public Policy Manager for Facebook’s Asia Pacific region.
Jimenez and her colleagues flew to Karachi to share their insights with the industry, since they have seen other countries go through similar stages.
P@SHA has teamed up with Facebook to kick-start a conversation, the first of a series of talks planned about the new privacy law, on how the government should do it. The IT sector’s representative body and civil society want their input to be taken seriously as the demons of The Prevention of Electronic Crimes Act, 2016, which became controversial after compromising on civil liberties, still haunt them.
Key takeaway points from the conference:
Why are we making privacy law?
Data protection and the right to privacy have become an important issue globally because more and more businesses are building their business models on customer data. From global tech giants Facebook, Google and Uber to local telecoms and banks, many businesses are in possession of your personal data. However, this data is not protected, as is evident from the rising number of security breaches.
Last month, the UK’s privacy watchdog fined Facebook $645,000 for giving a political data firm illicit access to user data. In 2017, Uber fired its information security chief who paid $100,000 to hackers to keep quiet about a breach in which data of 57 million users was compromised.
By contrast, there are no laws to penalize the companies involved in unauthorized sharing and selling of customer data despite a surge in the number of cybercrime attacks.
In 2016, Pakwheels.com and Zameen.com were hacked and the data of their users dumped online. Careem reported a breach in January this year in which data of 14 million users, including Pakistanis, was compromised. Besides cyberattacks, big corporations, including telecoms and banks, or their employees and outsourcing partners, are selling data to marketing companies (by the way, this explains why your inbox is flooded with spam, targeted messages and emails every day).
Even in the recent case, in which Bank Islami was attacked and hackers siphoned off Rs2.6 million from customer accounts, there was no penalty on the bank. The bank compensated its customers and the central bank instructed all banks to improve security systems. This is all we heard about it.
Information security experts believe Pakistani companies do not invest in cyber security and this view was echoed by speakers at the conference.
We need a privacy law to protect people’s data, restrict these companies from unauthorized sharing and selling of information, and impose fines in case of failure to do so.
The law should ensure individual rights
The speakers say the law should give people basic rights over their data. In line with what customers are demanding globally, they want the right to know who is holding their data. They want the right to amend their information and to control how their data can be used. They also want the right to have their information deleted.
The Act should provide baseline laws for organizations that process or use data
The privacy law should impose restrictions on organizations that use customer data. Some of these include responsible data handling, maintaining privacy by design, and deleting information when not in use. The law should also require encryption of data and a code of conduct that is approved by the regulator.
Regulators should achieve the right balance between privacy and innovation
There should be a strong regulator that can interpret the law for the public and for organizations and guide them through the resolution of disputes. It should enforce the law in an effective and fair way. The regulator should have a dual role: it should focus on both protecting public data and advancing innovation. Our laws tend to over-regulate industries and thus slow down innovation and economic growth. The regulator should achieve a balance between privacy and innovation.
A balanced law is super important to ensure the private sector does not suffer because there are companies whose business model is designed around customer data. One bad clause can make or break it for them.
The speakers suggested equal enforcement, since it is usually the small companies that suffer while big corporations escape the law because of their influence and economic muscle.
Law should also be applicable to government organizations, outsourcing companies
Pointing to gaps in the draft bill, speakers said government organizations, such as the National Database Registration Authority and the Federal Board of Revenue, should also come under this law, which does not seem to be the case.
Similarly, many companies outsource some of their operations to third parties like call centers that ask for customer private information. The speakers said these outsourcing companies should also be included in the scope of this law to ensure better privacy.
The ministry should seek assistance from international consultants
Memories of PECA are still fresh. Civil society and industry representatives said the IT ministry should engage international consultants who are experts in this area. Some of the panelists have worked with the IT ministry and are not convinced by its way of working. The ministry does not have the expertise to manage a sophisticated operation, and the private sector’s input is often not incorporated. These are the people whose livelihood depends on data and who know more than bureaucrats and politicians with no background in IT.
General Data Protection Regulation, a model to follow
Most experts believe that Europe’s General Data Protection Regulation is a good document on what privacy laws should look like.
The GDPR is taking on giants such as Facebook and Google because it offers better privacy protection and imposes huge fines in case of failure to comply.