On a hot July day, two advocates wait in the Session Court amid a case hearing on digital personal data sharing. The Judge enters the courtroom, strolling from his chambers, the Lords rise from their seats in respect. The proceeding starts, advocating for the plaintiff to move forward with his case, supplying the court with a provision from the ‘Personal Data Protection Bill 2020’ to prosecute the defendant as data was shared without consent. Nevertheless, the defendant files a motion to dismiss on the grounds that his client has not committed any digital crime, according to PECA, as the data was shared with just cause. The Judge sits there in confusion and is left to decide which law prevails (Events from 2022, Session Court, Islamabad).
We have been taught, for years, by senior national security officials, never to bring them a problem without suggesting a solution to it. This article indeed reveals some problems with our current cyber laws. Let us start with the questions: How do we look at the current National laws in cyberspace, and how do we implement them? Is there any Abuse of Power on the part of the state due to the current laws, and do they trample Pakistani citizens’ rights? Do we need a National Steering Committee solely focused on developing future laws, and how these committees are motivated? Have these laws been copied from foreign sources, inconsiderate of local requirements? Can these laws coexist, and what provision of which law, in the end, would prevail over the others? The three legislations discussed are: ‘National Cyber Security Council Bill 2014 (NCSC), Prevention of Electronic Crimes (PECA), and Personal Data Protection Bill (PDPB).
Senator Mushahid Hussain presented the NCSC as the first-ever Bill on cybersecurity for the establishment of the National Cyber Security Council, in an attempt to secure Pakistan’s digital space with the goal of ‘educating the digital regime stretching around the globe knowing no legal boundary.’ We dove deep in the NCSC bill and found that Section 4(1)(a) of the Bill states that the council may comprise 21 members from the Federal Government. Section 3(5) states that decisions would be taken at a majority vote by the council. Has anyone ever heard of the saying “too many cooks spoil the broth”? The Bill further portrays powers of administration, initiatives, oversight, and constitution of an advisory group to the council. A 21-member council team from the Federal Government implies that the council will be more focused on personal bravado, on ‘POLITICAL ISSUES’ rather than real ‘CYBER ISSUES.’ One can easily predict a lack of performance from such a council, bearing blurred ambitions.
Still, the NCSC was presented fully equipped in the context that the purpose of the Bill was not only to establish a National Cyber Security Council but was also armed with the functioning of said council to the extent that the Bill provided a model to be followed if defects were discovered in its constitution. It was rejected, and for 21 reasons, we assume. One may speculate why a fully equipped model of a Cyber Council, imagining a formation within 60 days of enactment, was rejected while the Parliament approved a broad and speculative Act ‘PECA’ of Pakistan?
PECA, a digital bill enacted in 2016, is an embodiment of everything wrong with our legislative system. Reviewing PECA, we could not help but realize that “Proximity to power deludes some into thinking they wield it.” The framework depicts the fact that this Bill was regulated, majorly, to prevent crimes over social networking websites, which is a good thing but, the real question here lies – at what costs? PECA Ch. 2, Para 3-9 criminalizes crimes over the general internet services and is focused on the offenses against critical infrastructure data. Furthermore, Para 10 acknowledges cyber terrorism in a vague fashion. Cyber terrorists can easily sidestep the law because the Act leaves most recognized cyber terrorism activities in a ‘grey area.’ The remainder of the Act can be summarized as to ‘criminalizing social networking with malicious intent.’
PECA’s initial framework can be deemed inadequate as the legislation does not provide direction to corporations where consumers’ digital information is sensitive. There is visible inadequacy when implementing PECA as Ch. 3 of the Act explicitly affirms an establishment of an investigation agency with procedural powers and defines the agency’s powers and authority (including Ch. 4). According to PECA, the Federal Government has been granted the discretion to establish or designate a law enforcement agency with powers to investigate the crimes stipulated in the Act. In reality, the Federal government tends to retain this ‘unfettered discretion’ of establishing an agency. The promise of PECA Ch. 3 is as ensuring as ‘bringing an end to load-shedding’ once and for all in Pakistan’s context.
PECA further arranges for special training of presiding officers on ‘computer science, cyber forensics, electronic transactions, and data protection’ (Ch. 5 Para 41) instead of a rational decision to hand the ‘trial authority’ a national oversight committee on cybersecurity. The Bill is an insubstantial mixture of EU digital laws coupled with Cyber regulations of other countries. Globally, digital, or cyber regulations aim to protect digital public information, be it as consumers of a corporation or consumers of the internet. On the other hand, PECA is an ironic contradiction of digital consumer’s rights. It grants the government digital autonomy, infringing data rights in the shadow of the idea of the rule of law.
Amid the pandemic in 2020, Pakistan, once again, attempted to digitalize and ensure the privacy of data with the Ministry of Information issuing a Personal Data Protection Bill. The Bill was anticipated to be in superiority to its predecessors, in terms of its Cyber model. The PDPB was presented not only to realize a digital Pakistan but also to progress the right stated in Article 14 of the Constitution of Pakistan, which ensures that every citizen of Pakistan enjoys the privacy of his/her information. In this day and age, digital information falls within the sphere of this right.
Albeit the Bill is yet to be presented in the National Assembly, a review can materialize how the ‘consultation draft’ would serve the country’s digital needs. As a draft, the Bill bears its issues. It contradicts itself on several occasions and leaves various cybercrimes in the grey. The Bill prescribes the responsibilities of data collectors and processors and further expresses that authority will implement Bill’s cyber model over the subjects falling within its domain. The Bill initially defines that the authority will be institutionalized within six months of this law’s promulgation. The issue with the realization of such a policy is that the law will be enacted while the authority, which is to monitor its implementation, is still ‘underdevelopment.’ This leaves the reader of the Act stranded as to what actions will be taken in those 6 months.
Confusion ensues when the Bill, as per standard, prescribes its authority over other laws. The issue that arises here is the UNCONVENTIONAL and DESPERATE authority given to this Bill. It enables the Federal Government to change any provision within any existing law of the country, if said law provides a difficulty for the implementation of this Bill, within two years of the commencement of this Bill. This provision (Section 50) is put in place instead of the rational decision of making provision in lines with the general law of the land or removing the difficulties prior to the enactment of this Bill.
The PDPB leaves a critical cybercrime in the grey as the law does not apply to encrypted data. So, let us suppose that a corporate agency’s encrypted data is leaked. Then the encryption is compromised, compromising the critical information of its clients. According to Bill, this leak of information will not be punishable. None of the victims will be able to pursue a claim against the corporation because their data was ‘encrypted.’ It does not fall within the domain of personal data.
As ‘old habits die hard,’ the PDPB takes away data subjects’ rights like its predecessor, PECA. The Bill idealizes that the people have no right to discern that their data’s confidentiality, integrity, and privacy has been compromised. The Bill has two expectations that raise the eyebrows of the sane. A data processor may collect or process data if he/she deems that it is (i) in the ‘vital interest’ of that citizen or, (ii) there is a legitimate reason for processing the data against the will of the citizen to whom the data actually belongs.
In summary, the ‘consultation draft’ of the PDPB bears significant drawbacks. The Bill’s scope is not adequately defined in its cyber model, and the Bill seems to be a replica of the EU Data Privacy Bill or the GDPR 2018. The irony is that the ‘copy’ is limited to the terms used in the Act, while the critical and substantive elements of GDPR are left out.
Until now, we have summarized the issues and gaps of the three legislations, respectively: NCC, PECA, and PDPB. For our audience’s sake, we speculate on the possible outcome if authorities look for a solution by combining the three legislations. To begin with, we review the implementation of PECA to examine whether the three provisions can work together or create a sense of confusion for those charged with the implementation of the law.
From various accounts, it is clear that PECA has been used as an instrument for abuse of power by the state, stripping citizens of freedom of speech, right to privacy, and guarding itself against criticism all under the name of protecting its citizens. This explains the secretive approval of this legislation from both houses of Parliament. One notorious event of abuse of power through PECA was the summoning of political activists and journalists by the FIA’s anti-terrorist wing under the umbrella of ‘investigating into anti-state activity,’ resulting in the seizure of electronic devices without warrants and just cause. This was an abuse of power by the state and portrayed the intended use of the Act.
The PDPB does have provisions in place to protect the data of the citizens. While the Act is crowded with gaps and even contradicts itself on some occasions, the intention of data protection and right of privacy is apparent. Aligning the Bill with PECA seems to be a difficult task, creating a sense of nuisance in implementing these laws. PECA has been employed to strip people of their rights, and the PDPB advocates the opposite. This gives rise to an incessant contradiction among the two, owing to Section 50 of PDPB that enables the Federal Government to remove any provision acting as a difficulty for the implementation of the Bill. PECA will invoke this Section 50 always, slowing down the implementation of the Bill, leaving lawmakers to remove and modify provisions always. On the topic of slowing down, bringing NCSC into the picture means slackening the implementation even further. The provision employs 21 departments into its steering committee and would take ages to come to a decision.
In conclusion, the Judge may find a solution and may rule against the defendant if the prosecutor can prove the absence of ‘a just cause’ in the transmitting or sharing the data and may bring an end to the hearing. Although this solves the overlapping law issue, digital cases are not as straightforward as the example used in this article. There is a dire need to find a permanent solution by establishing fair and precise laws.
*About the authors:
- Qasim is pursuing LLM at Macquarie University Australia, majoring in Criminology and Cybersecurity Law. He aims to increase research into Cyberspace and Cyber Policy in the context of Pakistan. He can be reached at: [email protected]
- Hammad is an entrepreneur and member advisory Strategic Warfare Group. He aims to provide accurate and transparent cyber information to the general public. His expertise are Cyber Warfare Operations, SIGINT and Kinetic Warfare. He can be reached at [email protected]