Article 14(1) of the constitution of 1973 states: “The dignity of man and, subject to law, the privacy of home, shall be inviolable”.
There is currently no national law on data protection of personal information. A draft Electronic Data Protection Act based on a subset of EU standards on data protection is currently being considered.
The Electronic Transaction Ordinance, 2002 (LI of 2002) creates a legal framework for digital signatures. Section 36 provides some ICT-related privacy protections. Section 42 gives immunity for people to disclose their security keys unless they are being used for the commission of a crime.
In 2005 the Pakistan Telecommunication Authority (PTA) demanded that all ISPs monitor customers' activities and keep personal records.[1] The purposes were quite diverse: to put maximum restrictions on illegal business operations and to protect the interests of the licensed operators. The industry responded negatively to these demands. According to one industry official, the PTA request
"has failed to mention under which evidence, act or penal code such a liability has been laid on the shoulders of the licensees. Even on the Day of Judgment, Almighty Allah will not hold anyone responsible for the act or omission of others."
The Prevention of Electronic Crimes Ordinance 2008 (Ordinance No. IX of 2008) was approved in November 2008. The Government claims it is based on the Council of Europe Cybercrime Convention. It contains a number of surveillance provisions, including giving investigators broad powers of search and seizure and the ability to require users to disclose encryption keys. Service providers are also required to retain communications data for 90 days. A great deal of media attention has focused on the possible imposition of the death penalty for committing cyber-terrorism resulting in death. Positively, there is a prohibition on unauthorized interception. It appears to have replaced the Prevention of Electronic Crimes Ordinance, 2007.
The Senate Standing Committee on Interior in April 2008 ordered the Pakistan Telecommunication Authority to order mobile companies to block unregistered mobile SIMs. All phones must be approved by the National Database Registration Authority by providing a copy of the person’s ID document. There are an estimated 85 million subscribers. By June 2008 it was found that 7 million unregistered connections remained unblocked, and the authorities discovered a further 3.5 million unregistered subscribers.[2] A reported 10.5 million were blocked by the end of October 2008. Starting in January 2009, phone SIMs will need to be registered before they are activated. In one case, a mobile phone company was found to have sold 10,000 connections registered in the name of a single person.
The National Database Registration Authority (Nadra) was set up in 2000 to create a “Comprehensive Citizens' Database”. It has issued 60 million Computerized National Identity Cards (CNIC). After operators were found in 2008 to be making fake ID cards, the deputy chairman said that the database is fully secure.
The Penal Code has limited protections of privacy. The only section that appears to give any protections is §509, which states:
Whoever, intending to insult the modesty of any woman, utters any word, makes any sound or gesture, or exhibits any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen, by such woman, or intrudes upon the privacy of such woman, shall be punished with simple imprisonment for a term which may extend to one year, or with fine, or with both.
The FOI Ordinance was adopted in 2005. A draft bill is currently being discussed. The government has promised to introduce the bill in the near future.
The government is focussed on industry requirements for outsourcing. The Pakistan Software Export Board (PSEB) has issued Recommendatory Guidelines for the adaptation of Model Clauses for transfer of personal data from the EU to third countries and Binding Corporate Rules for international transfers of personal data.[3]
There is a strong civil society for consumer protections, though not as much work has been done on privacy issues. News reports point to the need for laws and strong financial regulation to stop the theft of personal information of bank customers, which is said to be linked to the rise in telemarketing calls.[4]
- 1. 'ISPs told to monitor customers' activities, keep their record', Imran Ayub, Daily Times, September 14, 2005.
- 2. 'Cellphone companies fail to block unregistered SIMS', Dawn News, June 15, 2008.
- 3. 'PSEB issues guidelines to meet EU's secure data transfer needs', Pakistan Daily Times, September 11, 2008.
- 4. 'Law needed to bar access to bank customers' data', Shahzad Anwar, April 20, 2008.