Executive Director, Asia, U.S. Chamber of Commerce
President, U.S.-Pakistan Business Council, U.S. Chamber of Commerce
Executive Director, U.S.-Korea Business Council, U.S. Chamber of Commerce
Vice President, International Digital Economy Policy, U.S. Chamber of Commerce
July 21, 2023
The U.S. Chamber of Commerce (“U.S. Chamber”) and the U.S.-Pakistan Business Council (“USPBC”) request the opportunity to provide comments on the final Draft Pakistan Personal Data Protection Bill (“Draft Bill” or “PDPB”) that was released by the Ministry of Information Technology and Telecommunication (“MoITT”) in May 2023 and made public on its website. While industry did not receive an invitation to comment, we are eager to provide the following submission to ensure that business concerns are adequately heard and addressed. We are committed to fostering a constructive dialogue with the Government of Pakistan to enable the country’s continued economic growth and transformation.
This submission builds on our previous comments sent to then-Federal Minister for Information Technology and Telecommunication Dr. Khalid Maqbool Siddiqui in October 2019, and to Minister of Information Technology and Telecommunication Syed Amin Ul Haque and then-Adviser to the Prime Minister of Pakistan on Commerce and Investment Razak Dawood in October 2020. We also provided comments in April 2021 to MoITT officials following the USPBC virtual discussion with Member IT and Member Legal. This was followed by a submission with comments and recommendations on the August 2021 version of the PDPB in September 2021, and another submission in August 2022 on the January 2022 version of the PDPB.
We appreciate the Government of Pakistan’s consideration of our comments and suggestions following our continued engagements on the PDPB. However, we believe a number of our key concerns remain unaddressed in the Draft Bill. Moreover, we are disappointed as there was no opportunity to review and provide industry feedback on the Draft Bill before it was submitted to the Ministry of Law. We appreciate when governments commit to transparency, collaborate with stakeholders, and use risk and science-based decision making. As such, we respectfully request meaningful consultation with stakeholders, including foreign investors, when considering this Draft Bill.
The U.S. Chamber and USPBC share Pakistan’s goal of creating economic and technological conditions that are conducive to foreign investment and an innovative marketplace. Further, we are committed to ensuring that the PDPB does not generate regulatory uncertainty and erect trade barriers that degrade the development and resiliency of Pakistan’s digital economy.
It is in that spirit that we provide the following comments and recommendations for your consideration. We would welcome a virtual meeting in the coming weeks to discuss our submission in further detail. If you have any questions regarding our submission or need further information, please do not hesitate to contact me at firstname.lastname@example.org and Jordan Heiber, Vice President of International Digital Economy Policy, at JHeiber@uschamber.com.
Key issues and recommendations
Limit the Scope of “Sensitive Personal Data”: In the latest Draft Bill, “sensitive personal data” is defined as “financial information excluding identification number, credit card data, debit card data, account number, or other payment instruments data.” We recommend the continued exclusion of financial data in the final PDPB as the inclusion would pose challenges in implementation without providing meaningful benefit to data subjects, while severely impacting the ability of companies to provide services requested by the user or identify the user.
Recommendation: We recommend excluding financial information from the definition of sensitive personal data in the final PDPB in line with international norms such as the General Data Protection Regulation (GDPR). For example, financial information is not covered as sensitive personal data in GDPR, and in many jurisdictions is instead covered under regulations within the banking sector. Otherwise, organizations in Pakistan will face limited grounds for collecting and processing personal financial information, putting them at a disadvantage with competitors in foreign markets, where such information is treated more flexibly.
In addition, we recommend the removal of “computerized national identity card or passport” from the definition of “sensitive personal data.” As written, the Draft Bill would cause ordinary identifying information such as full name and date of birth, which appears on those documents, to be treated as “sensitive personal data.” We further recommend removing “biometric data” from the definition, because biometric templates underpin widely deployed security technologies such as face-based device authentication, and classifying them as sensitive would constrain their legitimate use for verifying users.
Remove the Government’s Mandatory Access to “Sensitive Personal Data”: Section 32 of the Draft Bill introduced a concerning requirement for data controllers to share “sensitive personal data” with the Government of Pakistan upon the request of the Commission. Such a requirement is inconsistent with the Government of Pakistan’s goal of protecting the personal data of individuals and guaranteeing their fundamental right to privacy under Article 14 of the Constitution of Pakistan.
If Pakistan adopts the Draft Bill with a right for the Government of Pakistan to request unfettered access to individuals’ sensitive personal information, this will likely lead to the conclusion under global privacy law norms that the PDPB is not adequate and therefore likely to hamper data transfers into Pakistan.
While we understand that governments may require access to information that is held by an organization under legitimate context, this mechanism should not be legislated through privacy law. Internationally recognized global privacy laws allow data transfers to third party countries that have adequate privacy laws. If Pakistan’s PDPB were to grant the Government of Pakistan access to individuals’ “sensitive personal data,” companies can be expected to avoid or reduce conducting data transfers into Pakistan.
Furthermore, the Draft Bill would have significant implications for foreign companies as it would place them in an impossible position of trying to adhere to conflicting global laws. For example, U.S. communication providers are subject to U.S. law regardless of the data storage location, which in many cases restricts U.S. communication providers’ ability to disclose user information. They are also prohibited, with limited exceptions, from disclosing contents of electronic communication. The location of where data is stored would not resolve this conflict of law.
Recommendation: We recommend removing the provision that requires data controllers to share data with the Government of Pakistan upon the request of the Commission. Given the concerns listed above, Pakistan would benefit from entering a Mutual Legal Assistance Treaty (MLAT) with the United States, which would provide a diplomatic channel for the Government of Pakistan to request user data from companies that are based in the United States. Countries such as Egypt, Malaysia, and Turkey have already entered into such agreements with the United States. We also suggest Pakistan’s accession to or ratification of the Budapest Convention.
Lastly, we recommend Pakistan establish a single point of contact for government-to-government requests to ensure 1) requesting agencies’ familiarity with and understanding of U.S. legal and constitutional requirements and 2) requesting agencies’ review of requests to ensure they align with U.S. standards.
Remove or Limit the Scope of “Critical Personal Data”: The definition of critical personal data in the Draft Bill under Section 2 g) “personal data retained by the public service provider – excluding data open to the public - as well as data identified by sector regulators and classified by the Commission as critical or any data related to international obligations” – is too broadly defined, such that it would have negative implications for companies operating in Pakistan.
Recommendation: We urge the Government of Pakistan to clarify and limit the scope of the concept of “critical personal data” in the Draft Bill. Given that there are few precedents in global data protection laws for a category of “critical personal data,” this Draft Bill, if implemented, would lead to increased difficulties in cross-border data transfer. A clear framework that classifies data, together with accountability and transparency frameworks, would align with the Government of Pakistan’s objectives.
Should this language remain, we request examples of “critical personal data,” which would help clarify businesses’ understanding of this category, especially as “public service provider” under Section 2 gg) is vaguely defined as “any entity dealing with and having personal data while working under government.” If the category is retained, we further recommend it be limited to state-owned data which has an impact on national security or the military. In addition, we request clarity on “international obligations,” which is also wide, vague, and undefined. Without a consistent definition of critical personal data, there may be inconsistent treatment of data depending on whether or not an entity is regulated.
Furthermore, the transfer of definitional responsibility to sectoral regulators would unduly broaden the scope, result in inconsistent requirements or application, and limit the digital economy potential of Pakistan. This would also result in substantial challenges to implementation and compliance. We recommend that this responsibility is limited to certain regulators such as the State Bank of Pakistan. When regulations are necessary for certain sectors, we recommend the Government of Pakistan provide guidance on the regulator that takes precedence.
Lastly, it is critical that the Commission does not have unfettered authority to expand the categories of personal data that constitute critical personal data. If the Commission can designate any personal data as critical personal data, industry would be left without any certainty as to what constitutes critical personal data. This will cause significant concern for foreign investors, particularly given the data localization requirements discussed below.
Remove Data Localization Requirements: The Draft Bill contains concerning data localization measures including requirements under Section 31.2 that “Critical Personal Data shall only be processed in a server(s) or digital infrastructure located within the territory of Pakistan.”
Recommendation: We urge the Government of Pakistan to either remove the data localization requirement or limit the definition of “critical personal data” to government-held data.
Data localization is an ill-advised policy as it presents a barrier to international trade, reduces foreign direct investment in Pakistan, and restricts the availability of services to local customers as multinational companies may look to alternative markets that have lower costs of entry. Localization obligations would further make it difficult for growing businesses in Pakistan to compete in global markets as it will result in an immediate increase in the cost of doing business because it would no longer be possible to store their data in the most affordable and business-efficient manner and location. For example, it would make it difficult for companies to gain access to innovative technologies that depend upon cross border data flows such as data analytics, artificial intelligence, or machine learning. Local companies may also lose access to cost-efficient cloud services in the global market and incur substantial costs to operate, maintain additional servers, and increase processing and additional measures to ensure that their data is accurate, secure, and up to date. For startups, and micro-, small and medium-sized enterprises (MSMEs), these costs will effectively negate their margins, thereby disincentivizing the growth of the digital sector in Pakistan.
Data localization also increases the cybersecurity risk to Pakistani citizens’ data by confining it to a single jurisdiction and, in practice, to a small number of facilities. This limits geographic redundancy and creates a single point of failure, leaving systems more exposed to outages, fraud and cyber threats. It also limits and hinders capabilities to tackle cross-border financial crime such as money laundering and terrorist financing, which depend on sharing data across borders. In contrast, geographically distributed infrastructure is resilient, allows for redundancy, and ensures business continuity. Global companies that rely on technology use cloud storage solutions not only because they are affordable and scalable when deploying the latest technology, but also because they increase the security of data.
Commit to Cross Border Data Transfer: We are encouraged by Sections 31 and 32 of the Draft Bill that allow conditional cross border data transfer (of non-critical personal data). This presents a positive development from previous draft versions that went further in restricting data flows. Section 31.1, however, is concerning as it requires that when personal data is transferred abroad, “the country where the data is being transferred offers at least adequate personal data protection legal regime which is consistent to the protection provided under this Act and the data which is transferred shall be processed as per the provisions of this Act.” It is unclear how Section 31.1 interacts with Section 31.2, which provides exceptional legal bases for cross-border data transfers to countries that lack adequate data protection regimes. It is also unclear which authority or party will determine adequacy and which criteria will be used to conduct such an assessment. Lastly, Section 31.1 introduces data subject consent as necessary for cross-border transfer “where applicable” while Section 31.2 introduces data subject consent as an exception to adequacy. As written, it is unclear in which circumstances consent is required for cross-border data transfers: for all transfers, for transfers to countries that offer adequate protections, or only for transfers to countries that lack adequate personal data protection.
Recommendation: We urge the Government of Pakistan to commit to cross border data flows and provide clarity on the conditions for data transfers. We recommend a non-prescriptive and principle-based adequacy framework to add clarity on cross border data flows. As written, the stringent requirements for cross border data transfer in the Draft Bill deviate from international norms.
The Personal Data Protection Bill should provide multiple, but effective mechanisms for cross-border data transfer, which support accountability, national security, and digital economic growth. Some suggested mechanisms include:
- Adequacy of the target country’s laws and enforcement mechanisms;
- Pre-approved contractual clauses by the data regulator (Standard Contractual Clauses);
- Approved binding corporate rules for data sharing by multinationals and their service providers across the world;
- Certification mechanisms approved by authorized regulator; and
- Code of Conduct produced by industry and regulators.
We further recommend introducing exceptions in line with international benchmarks such as Article 49 of the GDPR to accommodate situations where, for example, the transfer is necessary for the performance of a contract between the data subject and the controller, or where the transfer is necessary for the establishment, exercise or defense of legal claims relating to the data subject. In addition, we recommend incorporating an additional legal basis of ‘necessity for the provision of services’ to enable routine transfers that are fundamental for business services and operations.
Unimpeded cross border data flows will benefit Pakistan’s economy and ensure Pakistan businesses’ competitiveness in the global economy, by 1) promoting innovation, productivity, and efficacy; 2) lowering costs for businesses and consumers; 3) lowering international trade and investment barriers; 4) increasing access to global products and services; and 5) ensuring businesses in Pakistan can service consumers both at home and abroad.
Revise the Definition of “Anonymized Data”: Under Section 2 a), “anonymized data” is defined as “personal data which has undergone the irreversible process of transforming or converting personal data to a form in which a data subject-cannot be identified.” We would note, however, that an “irreversible” standard is not achievable in practice. Whether a dataset can be re-identified depends not on the data alone but on the auxiliary data, analytic techniques (including AI-driven ones) and computing power available to whoever attempts re-identification, all of which increase over time. Data that cannot be re-identified today may therefore become re-identifiable later.
Recommendation: We recommend the removal of “irreversible” in the definition of “anonymized data” in the final bill. Furthermore, we suggest that the Government of Pakistan refer to the approach in Singapore’s Personal Data Protection Act which recognizes that 1) anonymized data is “reversible or irreversible”; and 2) the effectiveness of anonymized data tends to degrade over time.
Remove the Right to Prevent Processing of Personal Data Likely to Cause Damage or Distress: Section 25.1 states that data subjects can request that a data controller cease processing if such processing is causing or is likely to cause “substantial damage or distress to him or a relevant person.” The provision’s vagueness regarding what constitutes “damage” or “distress” creates ambiguity and uncertainty for companies. This lack of specificity may lead to frivolous requests from data subjects, which can hinder companies’ ability to perform necessary functions, causing operational inefficiencies and potential financial losses.
Recommendation: We recommend the removal of Section 25 as it provides a broad and vague right to data subjects to request prevention of processing of personal data likely to cause damage or distress, which can become challenging for companies to determine the scope and limits of their obligations.
Remove Burdensome Requirements for Data Controllers: Section 5.3 states that data controllers and/or processors “shall register with the Commission.” This is an onerous requirement that may lead to reduced foreign investment in Pakistan and negatively impact Pakistani users as companies may be forced to either reduce or deny services. Furthermore, Section 7.1 f) requires businesses to “provide the list of third parties to whom the data controller shall or may disclose the personal data.” Specifying such a list is a burdensome and onerous requirement for companies that work with third party companies on a daily basis. Given the concerns listed above, we recommend the deletion of Sections 5.3 and 7.1 f).
Notice through privacy policies is a foundational aspect of any privacy law. We welcome the inclusion of this section in the bill but believe the Government of Pakistan may be unaware of the technical complexity of certain provisions in the Draft Bill. For example, the provision in Section 7 that requires listing every party to which a transfer to a third party takes place is not an international norm and is absent from global privacy laws because of its technical infeasibility, given that many companies use dozens or hundreds of processors whose composition changes frequently. Processor relationships are controlled by contract and the processor is unable to act on its own accord, making this requirement unnecessary and impractical.
Section 11 requires data controllers to “take adequate steps to ensure that the required personal data is accurate, complete, not misleading, and kept up to date concerning any direct or indirect purpose for which the personal data was collected and processed further.” It would be infeasible for data controllers to review all the personal data under their control. Rather, we recommend that data controllers should be able to operate under the presumption that personal data provided by individuals is accurate, and fulfill the requirement through reasonable efforts.
Section 12.1 mandates that “A data controller shall keep and maintain a record of each application, notice, request, or any other information concerning the personal data that has been or is processed by him.” We request clarification and additional information regarding the period of keeping and maintaining records as this is currently unclear. We are also concerned with the technical feasibility of keeping a record of each notification or access request. This provision is far outside of international norms and it is unclear how a company would even begin to organize such a significant amount of data while protecting user privacy.
As written, Section 13.1 requires data controllers to notify both the Commission and the data subject in the event of a personal data breach. This requirement is burdensome not only for controllers, but also for the Commission. We respectfully request that you limit the scope of this requirement to reporting breaches that could lead to significant harm. Furthermore, the requirement should be limited to confirmed breaches in which personal data was actually accessed, disclosed or altered; availability-only incidents such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, which disrupt service without by themselves exposing personal data, should not trigger notification. The 72-hour reporting window should begin once the breach has been confirmed, rather than at the start of the investigation, since at that point the controller often does not yet know whether personal data was affected.
Recommendation: As noted above, we request the removal of burdensome requirements for data controllers. Moreover, we request adequate differentiation between the definition, roles, and responsibilities of data controllers and data processors. Otherwise, this could lead to requirements that are not operationally feasible and inappropriately assigned between the data controllers and data processors.
Clarify the “Right to Nominate”: Section 27 of the Draft Bill states that “In the event of the death or disability of the data subject, he shall have the right to nominate, any other individual as may be prescribed, to exercise the rights of the data subject under the provisions of this Act.” This is a new right under a data protection law that could increase business operational costs for companies in Pakistan.
Recommendation: We recommend that the final Personal Data Protection Bill provide clarity on the process for companies to implement this novel “right to nominate.”
Specify the Maximum Penalty Fines: The Draft Bill states that breaches of the Pakistan Data Protection Bill would result in “a fine not exceeding 1% of its annual gross revenue in Pakistan or 200,000 USD whichever is higher or an equivalent amount in Pakistani Rupees or as may be assessed by the Commission.” This provision is concerning because the closing phrase “or as may be assessed by the Commission” removes any effective ceiling, so the provision does not in fact specify a maximum fine for breaches.
Recommendation: We urge clarity on the maximum fine for breaches to provide transparency and certainty to businesses operating in Pakistan. In addition, we recommend that the Commission not have the discretion to impose fines above a legislated maximum, so that industry can understand its exposure in advance.
Place Adequate Guardrails for the Commission: The powers of the Commission in the Draft Bill are extremely broad and run the risk of adding legal requirements that will be unexpected by controllers and are beyond the scope of requirements set forth in the law. The Commission retains legislative, regulatory, judicial and law enforcement power, including legislating frameworks for cross-border data flow, prescribing security standards, imposing “special measures for compliance” for large data processors, imposing fines, exercising search and seizure powers, summoning witnesses, adjudicating complaints, and even reviewing its own decisions. Such broad powers are coupled with the absence of an oversight mechanism and lack appropriate safeguards, such as public consultation and measures to ensure that the companies subject to the Personal Data Protection Act are consulted on any additional measures before they take effect.
Recommendation: We recommend protecting the independence of the Commission and not assigning it broad power and discretion to create entirely separate regulatory frameworks that are not clearly outlined in the Draft Bill. Rather, there should be additional scoping of expectations in the Bill itself to avoid unintended consequences. For instance, the Draft Bill should elaborate on the criteria that the Commission will use to determine whether a controller needs to comply with additional measures. Lastly, we suggest the removal of Sections 5.3 and 40.2 3), which place registration requirements on data controllers and data processors.
Commit to Regular and Transparent Dialogue with Business Community: It is critical that the Government mobilize relevant stakeholders to ensure that effective, transparent, accountable, and consultative regulatory processes are put in place. A long-term commitment to a transparent dialogue helps ensure that Pakistan’s future data protection regime does not result in unintended consequences for the country’s economy and digital transformation.
Recommendation: We recommend including a commitment for the Commission to consult with relevant stakeholders prior to issuing any compliance frameworks or guidelines. This includes providing appropriate time for submission of comments and establishing a consultative process for engagement with industry and relevant stakeholders in the formulation of compliance guidelines and implementation of the Bill.