Proposed law in Pakistan invades privacy, grants government broad powers
The government of Pakistan is proposing a new law that significantly threatens privacy rights, in a blatant attempt to establish a legal regime containing broad powers when it comes to obtaining, retaining, and sharing data obtained through criminal investigations, including communications data.
The Prevention of Electronic Crimes Act, 2014, contains worrying aspects that threaten the right to privacy, including a provision that would permit unregulated information sharing with foreign governments. Pakistani rights groups are echoing Privacy International’s concerns and demanding that the draft law be rewritten. Pakistan has a poor human rights record and passing the law in its current form would represent a further step backwards in the protection of fundamental rights, such as the right to privacy.
The drafters of the law state that, “the centuries old criminal justice legal framework is inadequate and ill equipped to address the sophisticated online threats of the 21st Century cyber age”, necessitating “a completely new and comprehensive legal framework that focuses on online conduct in the virtual world”. While the proposed law is undoubtedly aimed at filling a lacuna in the criminal law of Pakistan, the drafters have given insufficient attention to the right to privacy and now need to take the opportunity to bring the legislation into line with international human rights law.
Broad power to share data
The draft law contains a troubling provision that would allow the Federal Government of Pakistan to forward information obtained from investigations under the Act to foreign agencies or international agencies. A prior request from the foreign entity would not be required to exercise this power.
This broad power is troubling. The information at stake is expansive: “text, message, data, voice, sound, database, video, signals, software, computer programs, codes including object code and source code”.1 The information shared could include particular sensitive information about individuals or large quantities of data involving significant numbers of people. Once this information has left the hands of the Federal Government, it would no longer be subject to national law and could be used by foreign entities as they see fit.
Information-sharing with foreign entities should be regulated by a specific law which establishes strong oversight mechanisms and provides for domestic accountability mechanisms. Data should only be transferred to foreign jurisdictions where there are strong legal and procedural safeguards in place to ensure the right to privacy is respected.
Another section, on “trans-border access”, would permit the Federal Government or investigation agency to access data that may be “located in a foreign country or territory, if it obtains the lawful and voluntary consent of the person who has the lawful authority to disclose it”. This could include personal data held by foreign corporations. This opens up the possibility of abuse, as “trans-border access” could be used to circumvent the safeguards established in other parts of the draft law.
For example, authorities could access data without a warrant from a corporation based overseas, in circumstances where they would have been required to obtain a warrant had the data been held in Pakistan. Consequently, “trans-border access” should also be governed by a clearly specified process, transparent in its operation and overseen by a judicial authority.
Unclear legal regime
The draft law would permit authorities to “make and retain a copy of any program or data” in specified circumstances. However, the draft law does not specify the procedures through which copied data is retained, stored, deleted or further copied. It also does not regulate the sharing of data among government entities.
These elements should be specifically enumerated and governed by a clear and accessible legal regime that provides for redress for any violations of the right to privacy. Data should not be retained for longer than is necessary, given the purposes for which it was collected. Nor should it be used for purposes outside those specified in the draft law. If an existing law already operates in this area, it should be referenced within the draft law.
Mandatory data retention
Another provision would require a service provider, which is defined in broad terms, to “within its technical capability, retain its traffic data minimum for a period of ninety days” (a requirement may already be in place under the Electronic Transaction Ordinance, 2002). The definition of traffic data includes information “indicating the communication’s origin, destination, route, time, data, size, duration or type of underlying service”.
Imposing a requirement on service providers to retain such data runs contrary to protecting the right to privacy. As the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression has noted:
National data retention laws are invasive and costly, and threaten the rights to privacy and free expression. By compelling communications service providers to create large databases of information about who communicates with whom via a telephone or the Internet, the duration of the exchange, and the users’ location, and to keep such information (sometimes for years), mandatory data retention laws greatly increase the scope of State surveillance, and thus the scope for infringements upon human rights.
The European Court of Justice has also recently declared unlawful an expansive data retention requirement in European law, noting that retaining traffic and other data, “may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them”.
In addition to Privacy International’s fears that the draft law will further diminish protection for the right to privacy in Pakistan, Article 19 and the Digital Rights Foundation Pakistan have serious concerns about the draft law, including the lack of procedural safeguards against surveillance activities carried out by intelligence agencies and the overly broad formulation of the offence of cyber-terrorism. Privacy International reiterates these concerns and joins the call for Pakistan to establish a competent independent oversight mechanism that has the ability to access all potentially relevant information about state surveillance actions.
1.Under the definition proposed by the Act (as defined in clause (o) of the Electronic Transactions Ordinance, 2002).