State of Privacy Pakistan
The Constitution of the Islamic Republic of Pakistan accords the right to privacy as a fundamental right. Article 14(1) of the Constitution confirms that "[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable."
As a fundamental constitutional right, the right to privacy is meant to take precedence over any other inconsistent provisions of domestic law. Article 8 of the Constitution provides that "[a]ny law, or any custom or usage having the force of law, in so far as it is inconsistent with the rights conferred [under the Constitution], shall, to the extent of such inconsistency, be void." Article 8(5), furthermore, states that "[t]he rights conferred by this Chapter shall not be suspended except as expressly provided by the Constitution."
Yet Pakistan’s constitution also includes a wide-ranging exception to the primacy of fundamental rights. The provisions of Article 8 do not apply to any law relating to the ‘proper discharge’ of the duties of the Armed Forces or the police. The breadth of this exception is troubling, especially given the central role that the Armed Forces in particular have historically played in Pakistan’s domestic political landscape.
Regional and international conventions
Pakistan is a signatory to the following international and regional instruments with privacy implications:
- The International Covenant on Civil and Political Rights (signed April 2008, ratified June 2010). Article 17 of the ICCPR states that "no one shall be subject to arbitrary or unlawful interference with his privacy, family or correspondence." The ICCPR also commits Pakistan to ensuring the protection of other rights that rely on the protection of privacy such as freedom of expression and freedom of association.
- The Cairo Declaration on Human Rights in Islam (signed August 1990). Article 18 of the CDHRI affirms that: "(a) Everyone shall have the right to live in security for himself, his religion, his dependents, his honor and his property. (b) Everyone shall have the right to privacy in the conduct of his private affairs, in his home, among his family, with regard to his property and his relationships. It is not permitted to spy on him, to place him under surveillance or to besmirch his good name. The State shall protect him from arbitrary interference. (c) A private residence is inviolable in all cases. It will not be entered without permission from its inhabitants or in any unlawful manner, nor shall it be demolished or confiscated and its dwellers evicted."
- The Convention on the Rights of the Child (ratified November 1990). Article 16 of the CRC states that "1) No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation. 2) The child has the right to the protection of the law against such interference or attacks."
Surveillance oversight, checks and balances
Surveillance case law
Examples of surveillance
Data protection laws
Pakistan does not at present have direct data protection legislation. As noted above, the Constitution limits the individual's protection of privacy in cases related to the “proper discharge” of the duties of the Armed Forces or the police.
In the absence of direct data protection legislation, data privacy and protection is theoretically regulated through provisions in the following pieces of legislation.
The Electronic Transactions Ordinance (2002)
The Electronic Transactions Ordinance (2002) does not regulate data protection directly, but it criminalises unlawful or unauthorised access to information. Section 36 of the ETO states:
"Any person who gains or attempts to gain access to any information system with or without intent to acquire the information contained therein or to gain knowledge of such information [...] shall be guilty of an offence under this Ordinance punishable with either description of a term not exceeding seven years, or fine which may extend to one million rupees, or with both."
The same law envisages the establishment of a government-appointed body to certify electronic documents, and in Section 43(2)(e) grants powers to that body to make regulations for the privacy and protection of its users. However, it appears that the government is yet to establish this certification body, let alone draft regulation to protect the privacy of its users.
The Freedom of Information Ordinance (2002)
According to section 17 of the Freedom of Information Ordinance, "Privacy and personal information", "information is exempt if its disclosure under this ordinance would involve the invasion of the privacy of an identifiable individual (including individual) other than the requester."
Prevention of Electronic Crimes Act (2016)
The Prevention of Electronic Crimes Act (2016) also contains a number of sections related to data privacy. However, these are intended to grant law enforcement and other government entities access to the private data of citizens, or to restrict citizens from gaining access to government data. Section 3 makes it a crime for anyone to gain unauthorized access to any information system or data, punishable with a prison sentence up to 3 months or a fine of up to fifty thousand rupees.
Section 28 allows a law enforcement officer to require a person to hand over data if it is believed that it is “reasonably required” for a criminal investigation. This can be done at the discretion of the officer and need only be brought to the notice of a court within 24 hours after the acquisition of the data. Section 29 requires telephone and Internet service providers to retain traffic data for at least one year, and law enforcement bodies can demand access to that data subject to a warrant issued by a court. Section 30 allows courts to issue a warrant to a law enforcement officer to search and seize any data that “may reasonably be required” for a criminal investigation. In cases involving the vaguely defined “cyberterrorism”, the officer can search and seize the data without a warrant and notify the court within 24 hours of its seizure.
Section 32 requires that law enforcement officers carrying out a search and seizure “take all precautions” to maintain the secrecy of the seized data and not interfere with any data not related to the crime being investigated. Under Section 38, a law enforcement officer who knowingly shares seized data with any other person can be punished with a prison term of up to three years and a fine of up to one million rupees.
Section 39 allows the government to share any data obtained from its investigation with any foreign government or international agency.
Electronic Data Protection Act 2005 (draft)
In 2005, the Ministry of Information Technology circulated a draft law on data protection; however, for unclear reasons, it was never tabled in Parliament by the government. It appears that this draft legislation was initially written primarily with the intention of meeting the needs of Pakistan's software industry to conduct international business, rather than to address actual privacy issues. This is made clear in Section 4 of the draft law:
"4. Government activity and exemptions — (1) This Act does not apply to the processing of personal or corporate data carried out by federal, provincial or local government.
(2) The federal government, in respect of local data only, by notification in the official gazette, may exempt any public or private sector, entity or business from the operation of this Act."
The rest of the draft law is filled with similar exemptions and vague terminology.
Law enforcement access to stored data
Since 2004, network providers have been required to comply with requests for interception and access to network data as a standard condition of the PTA’s award of operating licenses to phone companies.
Habeas Data/Subject access requests
Pakistan does not have any legislation that explicitly allows a person to request data about themselves; however, it may be possible to request this information under Freedom of Information legislation.
Freedom of Information (FOI)
The Constitution has an explicit provision for the public's right to information in Article 19A, which states:
"Every citizen shall have the right to have access to information in all matters of public importance subject to regulation and reasonable restrictions imposed by law."
The federal government and all four provincial governments have passed Freedom of Information laws. The provincial laws for Khyber-Pakhtunkhwa (K-P) and Punjab have received praise from experts, while the FOI laws for the federal government and Sindh and Balochistan have been found to have serious flaws.
In 2013, the federal government drafted a new Right to Information Act that was finalised in 2014 with amendments by the Senate Standing Committee on Information and Broadcasting. The draft has received widespread praise as it incorporates many progressive elements from the K-P and Punjab laws. However, the government has so far not moved forward with the process of getting it passed by Parliament for unclear reasons.
Article 8 of the current federal Freedom of Information Ordinance (2002) excludes a wide range of information from public access under the law. This includes any records relating to defence and national security, and further gives the federal government the discretion to exclude any other document from the purview of the law “in public interest”.
Consumer protection rules
Pakistan has consumer protection legislation for all four of its provinces and the Islamabad Capital Territory. The laws establish consumer courts to allow for redress by consumers primarily against defective products and misinformation by sellers.
The laws do not have any provisions explicitly to protect the privacy of consumer data held by suppliers of goods and services. However, there are some provisions that could potentially be exploited for this purpose. For example, Article 13 of the Sindh Consumer Protection Act 2015 states that a “provider of services shall be liable to a consumer for damages proximately caused by the provision of service that have caused damage.” However, this would seemingly require the damage from any data breach to have already occurred in order for the provider to be held accountable.
Research published by Digital Rights Foundation in December 2016 found that Pakistan's mobile service providers were inconsistent in their provision and publication of privacy policies, and that none of the privacy policies that were available indicated an awareness of the passage of the 2016 Prevention of Electronic Crimes Act.
Data breaches: case law
Privacy International and Bytes for All are not aware of any legal cases directly related to data protection that have been brought in Pakistani courts. However, there do exist a few informative cases related to the right to privacy which may be precedent-setting.
In Ghulam Hussain vs Additional Sessions Judge, Dera Allah Yar (PLD 2010 Quetta 21), the petitioner complained that the police raided his home on the basis of 'secret information' that it was being used as a gambling den, without a prior enquiry being carried out by a magistrate. The court ruled in favour of the petitioner, holding that only in certain exceptional circumstances can the privacy of the home be violated. The petitioner was also acquitted of charges.
In Taufiq Bajwa vs CDGK (2010 YLR 2165), the petitioner filed a case stating that his right to life under Article 9 of the Constitution had been violated by the boundary wall of a neighbouring park which was of such a height that it allowed a person to look inside his home. The court supported the petition and held that the park and wall must be reconstructed such that the petitioner's privacy is not violated. The case affirms that the courts interpret Article 9 (“right to life”) widely enough to be used to protect the right to privacy.
Examples of data breaches
In 2010, the Shah Faisal branch of NADRA in Karachi reported a data breach that resulted in the theft of "computers and other equipment", including hard drives, according to Alertboot Endpoint Security. The data breach was low-tech, and involved a physical break-in.
In 2012, a Turkish hacker claimed to have accessed NADRA's servers as well as those of the Federal Investigation Agency (FIA) by spawning backdoors.
In 2014, NADRA received a report from the head of the ISI concerning the possibility of data leaks through the Pakistan government's reliance on third-party companies' database and verification software and hardware.
In 2015, The Intercept reported that Britain's GCHQ had hacked the Pakistan Internet Exchange in 2008 by exploiting vulnerabilities in Cisco servers. In doing so, it was able to access the data of millions of Pakistanis, and could reroute internet traffic towards its own servers.
Since at least 2014, databases have been illegally sold online containing hundreds of thousands of records with names, national ID card numbers, home addresses and phone numbers of mobile phone users. It is believed that this data is used primarily by mobile marketeers to market their products. It is not clear how exactly this data is leaked, but it is speculated that it could be due to a combination of mobile service providers storing consumer data insecurely, as well as the possibility that employees within the companies themselves are leaking the data to those willing to purchase it. It is not clear whether the government has taken any action to combat these crimes.
ID cards and databases
The registration of personal data is widespread in Pakistan, and public opinion is for the most part in favour of it. This is in part because of recent terrorist attacks and ongoing political instability, and because high-profile news stories following these have attributed the security services' success in tracking down criminals and terrorists to the storage of their information in National Database & Registration Authority (NADRA) databases.
In 2012 NADRA announced a so-called chip-based Smart NIC (SNIC) containing its owner’s biometric photo, a computer chip, address and parental information. NADRA has said that it aims to replace all current CNICs with SNICs by 2020. A SNIC is necessary in order to open a bank account, get a new driver's licence, passport, broadband internet connection or a SIM card.
Biometric data collected by NADRA includes iris scans; fingerprints (both hands); a photograph taken at a NADRA centre; and a scan of the citizen's personal signature. Given the scale of the task, NADRA has found itself at the heart of a number of controversies regarding a lack of proper checks and balances. There have been a number of reports of corruption at NADRA centres, where the biometric verification/application process can be bypassed. Serious misidentification errors can occur and forgery is rife.
In July 2016 NADRA introduced an SMS verification service, to investigate the validity of a citizen's own CNIC, as well as of those in their "family tree", i.e. anyone in their family linked to their CNIC. Although the government has declared this to be a positive step, it has come under fire as knowledge of one CNIC is enough to find out the personal information of other family members, which in turn can put them at risk. This is especially worrying in a country rife with persecution of religious, ethnic and LGBT minorities.
In August 2015, the Government of Pakistan's Election Commission coordinated with NADRA what they reported to be the first election via biometric verification of voters.
The election in a constituency in Haripur district was intended to be a pilot for future elections in other districts and nationwide. NADRA has indicated that this would be a positive means of tackling electoral fraud. There are concerns, however, that requiring biometric verification to vote may disqualify non-verified but legitimate voters from using the ballot. There is also the concern, as with pre-biometric registration, that the biometric verification exercise would not tackle voter intimidation effectively, and may in some instances make it easier to intimidate voters. This is especially a concern in districts in Pakistan where votes can still be bought by village elders or landlords.
SIM card registration
Registration of personal data is widespread and enjoys a high level of popular support. Terrorist attacks have been cited by the government in its ongoing drive to ensure that all SIM cards are registered via biometric verification. For example, it was reported that the perpetrators of the December 2014 attack on an army-run school in Peshawar, in which 132 children were killed, had used mobile phones with SIM cards that were registered to a woman who had no connection to any of the attackers, indicating that the SIMs had been registered fraudulently.
SIM cards must now be registered to their user. Unlike in most countries with mandatory registration, SIM cards are also biometrically verified against the National Database and Registration Authority’s (NADRA) national database, often by fingerprint. The government plans to have all SIM cards biometrically verified. As of March 2015, 68.7 million SIMs had been biometrically verified out of 103 million SIMs in use at that time. Unfortunately, NADRA has not provided up-to-date numbers since. However, there have been reports of corruption as well as honest incompetence on the part of the verification system, resulting in some SIMs escaping being deactivated. This number has been shrinking, however, given the aggressiveness of the re-verification drive.
Encryption in the form of Virtual Private Networks (VPNs) and encrypted messaging apps is illegal in Pakistan, ostensibly for security reasons as, according to the Pakistan Telecommunications Authority in a legal notice sent in 2011, these "conceal communication to the extent that prohibits monitoring".
If a company or individual wishes to use encryption without being penalised, a formal request must be sent to the PTA and accepted. In 2015 Blackberry and its encrypted messaging service, Blackberry Messenger (BBM), were banned and asked to leave Pakistan, as Blackberry would not hand over access to its user base and servers. Blackberry was permitted to stay, although the details of the agreement have not been made public. The popularity of messaging apps that are encrypted by default, such as WhatsApp or Apple's FaceTime, and of VPN services used to access blocked websites, such as the formerly blocked YouTube, has made this ban on encryption difficult, if not impossible, to enforce. According to reports, however, certain messaging and VOIP services may eventually require a license to operate in Pakistan. It is extremely difficult to see how this would be implemented. There is concern that Pakistan may emulate the United Arab Emirates and Saudi Arabia, both of which have blocked WhatsApp voice calls and FaceTime calls.
Licensing of industry
Over the past two decades, the federal government has laid out several plans and initiatives to promote the use of digital technologies in government services, including:
- the National IT Policy and Action Plan of 2000;
- the Electronic Government Directorate of 2002;
- the promulgation of the Electronic Transaction Ordinance in 2002, to facilitate the use of electronic documents for official purposes;
- the E-Government Strategy and 5-Year Plan for the Federal Government, published in 2005;
- the National Information Technology Board, created in 2014 by merging the Electronic Government Directorate and the Pakistan Computer Bureau;
- the announcement in 2014 that an e-government master plan is being formulated; and
- the announcement of the E-office initiative in 2015.
However, the implementation of these plans and initiatives has been haphazard and unsustained due to political and other reasons. The official e-government portal, pakistan.gov.pk, has been neglected in the past. The current form of the portal lists links to other government websites and pages to assist users in finding information related to government services. A large portion of those links are broken.
The quality of the websites of individual ministries and departments varies greatly depending on the enthusiasm and resources of the leadership of those departments at any given time. Most of the federal government websites do not use HTTPS/SSL; increasingly, however, those sites offering services that require users to log in to an account, such as the Federal Board of Revenue's Taxpayer Facilitation Unit or the National ID card online application website, are now using SSL.
The e-government services offered by the provincial governments vary in the same way. For example, the web portals of the governments of Punjab and Khyber-Pakhtunkhwa are better maintained, with up-to-date information, and the former also uses the secure HTTPS/SSL protocol.
All e-government services such as filing taxes or filing a complaint with an ombudsperson require users to provide their national identity card numbers.
Health sector and e-health
According to Pakistani media, which was later confirmed by the Lahore police official Twitter account, hotel and guest house guests in Lahore will be under real-time surveillance, via a "Hotel Eye" software, with a focus on foreigners and "mysterious persons". The threat of terrorist attack was given as a major reason for the initiative.
The National Database and Registration Authority (NADRA), the government body responsible for issuing national identity cards, also offers an e-Vehicle Management System to other government departments and the private sector to make it easier for them to identify and track the movement of vehicles using RFID chips. The services offered by NADRA through this system are:
- The ability for government authorities to identify and track the movement of vehicles as they pass through road checkpoints;
- The ability to identify a vehicle for the purpose of controlling access to a secured premises through designated gates; and
- A way for road and highway authorities to quickly collect tolls from drivers through an electronic credit mechanism.
It is not clear if these services use NADRA's national registration database for identification and what security provisions are in place to control access to the data.
Motorway e-tags and m-tags
One of the places where this service has been deployed is on a number of motorways connecting Islamabad, Lahore and Peshawar (M-1, M-2, M-3, M-4), for the purpose of collecting tolls at toll gates. Drivers on these roads have the option of installing an RFID chip in their windshield, which automatically deducts the toll fee from a pre-paid account each time they pass through a toll gate. Registering for this system requires drivers to provide their national identity card number.
Originally, tolls on the M-1, M-2 and M-4 were collected by the National Highways Authority (NHA) under the Ministry of Transportation using NADRA's e-tag system. However, since 2016, the tolls on all four motorways have been collected by the Frontier Works Organization, an administrative branch of the Pakistan Army, using its own "m-tag" system, which also uses RFID chips.
It was also reported in February 2016 that the NHA is considering other toll payment options such as the use of mobile phones or credit cards.
The metrobus mass transit systems implemented by the Punjab Government in Lahore and the twin cities of Islamabad and Rawalpindi also use RFID chips to track the distance traveled by riders. Travelers have the option of purchasing either a single-use plastic RFID token for single rides or a pre-paid RFID-based card for multiple trips. Travelers do not need to provide their national identity card number for either, and the only data needed is the traveler's first and last name in the case of the multiple-use card.
Humanitarian and development programmes
The government of Pakistan has sought to block Facebook pages and Twitter accounts, and obtain information on those accounts' owners. In March 2016, a Pakistani man was given a 13-year prison sentence for allegedly posting "religiously offensive material" on Facebook. Blasphemy is against the law in Pakistan and carries the death penalty, life imprisonment or an extended prison sentence.
Between January and June 2016, according to Facebook's Global Government Requests Report, the Pakistan government made a total of 712 requests for account information, with 65.45% of those requests resulting in "some data" being produced. Facebook also restricted access to content "allegedly violating local laws prohibiting blasphemy, desecration of the national flag, and condemnation of the country's independence", based on PTA requests.