The current bill, the AIC claims, does not address the industry’s fundamental worries, such as strict restrictions on cross-border data flows and mandated data localization.
AIC, a conglomerate of major international digital media companies, has voiced several objections to the “Pakistan Draft Data Protection Bill 2023.” The current bill, the AIC claims, does not address the industry’s fundamental worries, such as strict restrictions on cross-border data flows and mandated data localization.
In a letter to the Federal Minister for Information Technology and Telecommunication, Ministry of Information Technology and Telecommunication, Jeff Paine, the Managing Director of AIC, expressed his concerns (MoITT). Additionally, the letter was sent to the prime minister.
According to Paine, the bill as it stands will make it more difficult for foreign internet businesses to conduct business in Pakistan and to trade with that nation, which will impede that nation’s economic recovery and discourage foreign investment.
He continued by saying that local Pakistani businesses might lose access to affordable global cloud services, which would reduce their ability to compete as they would have to shell out a lot of money to run and maintain their servers.
Paine added that the Personal Data Protection Bill 2023, which Senator Afnan Ullah Khan introduced as a Private Member Bill before the Pakistani Senate on February 13, 2023, had received recommendations from the AIC and its members.
Five of the 16 core issues in the Bill, as identified in the letter, have a significant impact on Pakistan’s business environment and industry.
These concerns include the necessity of storing personal data in Pakistan, the regulator’s ability to extend the list of what qualifies as “sensitive personal data,” restrictions on particular processing methods for children’s personal data, the lack of a legal basis for processing personal data called “legitimate interest,” and the regulator’s residual ability to create regulations for “big/large data fiduciary/processors, among other categories.
The majority of the industry’s significant concerns, including stringent limitations on cross-border data flow and mandatory data localization, vague definitions of crucial terms like “sensitive personal data” and “critical personal data,” inconsistent data subject rights across the world, and broad Commission powers, are still unaddressed by the Draft Bill, according to the AIC.
Due to the fact that these regulations fall short of international data protection standards like the GDPR, they will have a negative impact on Pakistani consumers and businesses.
The letter continued by stating that AIC appreciates the opportunity to offer feedback on the Draft Bill and that the protection of personal data is a crucial part of any privacy framework. The AIC and its members have collaborated closely with governments from all over the world on the creation of national laws and policies governing the protection of personal data.
They acknowledge the ongoing work being done by the Pakistani government and MOITT to improve the draught law, but they are still concerned, particularly about the cross-border transfer of “critical” and “sensitive” personal data.
To better understand the opinions and priorities resulting from the bill, the AIC has asked for a meeting with the industry. The government’s review of the Personal Data Protection Bill 2023 can be furthered by discussing potential areas of collaboration as well as opportunities for consultation during this opening meeting. A meeting via video conference with the minister and his staff was also welcomed by Paine.
The Coalition pointed out that earlier industry concerns about strict restrictions on cross-border data flow and required data localization are not addressed by the Private Member’s Bill. All personal data appears to be subject to a broad mandate for localization under the bill.
“Every data fiduciary shall ensure that personal data is stored on a server or data centre based in Pakistan,” states Section 30(1) of the Private Member’s Bill.
The Private Member’s Bill only permits cross-border transfer if it is determined that the jurisdiction to which data is being exported offers equivalent protection, despite the fact that both the previous and most recent MOITT Draft Bill provide some additional legal bases for such transfers.
The Coalition has suggested eliminating Section 30(1) of the bill’s requirement that personal data be kept on servers or in data centres located in Pakistan, as well as Section 31’s ban on the export of “some components of sensitive personal data” and “critical personal data.”