Over the last couple of weeks, you may have received emails from organisations such as Twitter, Facebook, YouTube, Instagram, TripAdvisor, Medium, Booking.com, etc claiming to have updated their privacy policies. You may also have read the word GDPR in one of those emails, or have heard it in the news.
What is GDPR and why is everyone talking about it?
GDPR stands for General Data Protection Regulation. It is a regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, adopted by the European Parliament and the Council of the European Union (EU).
Simply put, it is the law that protects personal data from misuse by organisations. It is a set of rules designed to give people in the EU greater control over their personal data (the regulation protects data subjects located in the EU, not only EU citizens) and to streamline the EU's digital economy by creating a simpler and more transparent regulatory environment for businesses and individuals alike.
Why is GDPR important as a global standard for data protection?
Under GDPR, organisations have to ensure that people's data is lawfully gathered and stored under strict conditions. Entities which collect data are obliged to protect it from theft, exploitation, misuse, and unlawful distribution. GDPR applies to organisations established in the EU, and to organisations outside the EU which offer goods or services to people in the EU or monitor their behaviour. Organisations that fail to comply with GDPR face severe penalties: the regulation allows fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
The regulation's requirement of data protection by design and by default (Article 25) defines the conditions under which companies may store data. A widely circulated summary puts it this way: “business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done on a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The data owner has the right to revoke this permission at any time”.
This gives users rights over their data and requires companies to protect it using the most privacy-preserving settings by default, and not to use it for any purpose unknown to the users without a lawful basis, of which explicit consent is one. Two points of terminology matter here: the regulation speaks of the “data subject”, not a data owner, and consent is only one of the lawful bases listed in Article 6 alongside, for example, performance of a contract or a legal obligation. The phrase “cannot be used to identify a subject without additional information stored separately” is the regulation's definition of pseudonymisation (Article 4(5)).
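The three technical consequences of that paragraph (private by default, opt-in before anything becomes public, and identifiers kept in a separate store so the application data alone cannot identify anyone) can be shown in code. The following is an added example written for this article, not code from any official EU guidance or from the organisations mentioned above; the class names IdentityVault and ProfileStore, the sample email addresses and the choice of HMAC-SHA256 as the pseudonymisation function are all this example's own assumptions.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Profile:
    """Application record: carries a pseudonym, never the direct identifier."""
    pseudonym: str
    display_name: str
    public: bool = False            # privacy by default: nothing is public until the subject opts in
    analytics_consent: bool = False


class IdentityVault:
    """Separately stored secret key plus pseudonym -> identifier mapping.

    This is the 'additional information stored separately': without it the
    application data cannot be linked back to a person.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._mapping: dict = {}

    def pseudonymise(self, email: str) -> str:
        # Keyed HMAC rather than a bare hash: someone who steals the application
        # database cannot re-identify rows by hashing guessed email addresses.
        normalised = email.strip().lower()
        token = hmac.new(self._key, normalised.encode(), hashlib.sha256).hexdigest()
        self._mapping[token] = normalised
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._mapping.get(token)

    def forget(self, token: str) -> None:
        # Consent withdrawn: drop the link, leaving the application row unattributable.
        self._mapping.pop(token, None)


class ProfileStore:
    """Application-side store; holds only pseudonymous records."""

    def __init__(self) -> None:
        self._profiles: dict = {}

    def create(self, vault: IdentityVault, email: str, display_name: str) -> Profile:
        profile = Profile(pseudonym=vault.pseudonymise(email), display_name=display_name)
        self._profiles[profile.pseudonym] = profile
        return profile

    def set_public(self, token: str, explicit_consent: bool) -> None:
        # Opt-in only: the flag flips solely on an explicit affirmative action.
        if not explicit_consent:
            raise PermissionError("public visibility requires explicit opt-in consent")
        self._profiles[token].public = True

    def public_directory(self) -> list:
        return [p.display_name for p in self._profiles.values() if p.public]

    def dump(self) -> str:
        """What an attacker who steals only the application database would see."""
        return json.dumps([asdict(p) for p in self._profiles.values()], sort_keys=True)


def demo() -> dict:
    vault = IdentityVault()
    store = ProfileStore()
    # Constructed sample data for the example.
    alice = store.create(vault, "Alice@Example.com", "alice")
    bob = store.create(vault, "bob@example.com", "bob")
    store.set_public(bob.pseudonym, explicit_consent=True)
    leaked = store.dump()
    vault.forget(alice.pseudonym)          # Alice withdraws consent
    return {
        "alice_default_public": alice.public,
        "directory": store.public_directory(),
        "leak_contains_email": "example.com" in leaked,
        "bob_reidentified": vault.reidentify(bob.pseudonym),
        "alice_reidentified": vault.reidentify(alice.pseudonym),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats. A pseudonymised record is still personal data under the regulation as long as the vault exists, so separation reduces the impact of a breach of the application database but does not take the data out of scope. And the separation only helps if the vault really is held apart (different host, different credentials, different backups); a key stored in the same database as the profiles defeats the purpose.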
Globally, data protection is still under discussion, and while many governments are deliberating the best possible way to design data protection law, the EU has set a standard for others to follow. Not only does GDPR protect people in the EU, it also provides a framework within which organisations can operate. This is good for businesses in the sense that it prepares them for rules of this kind, which are increasingly being adopted in other jurisdictions.
Digital Policy Pakistan
The federal cabinet of Pakistan recently approved Pakistan’s first ever Digital Policy. The main objectives of this policy include creating a digital infrastructure in the country through which businesses can operate and connect with each other, promoting the use of technology in key socio-economic sectors such as health and education, growing the size of the e-commerce market and enabling more online transactions in terms of both value and number, bringing women and children into the digital economy, and increasing the export of software and IT-related services from Pakistan.
Cybersecurity in Pakistan
On August 11, 2016, the National Assembly (NA) passed a controversial cybercrime law called the Prevention of Electronic Crimes Act, 2016. The Senate had unanimously passed the law, with a number of amendments, in July. The President of Pakistan gave his assent to the legislation on August 18, 2016.
The Act introduces a range of offences involving unauthorised access to, transmission, copying, or interference with an information system or data. Harsher penalties are set for these offences when they involve information systems or data connected to critical infrastructure.
The Act was met with harsh criticism. Critics said it was overly broad and left it open to abuse by law enforcement agencies and the government. It was also called vague, and was said to restrict freedom of expression and access to information.
Are we missing the whole point?
When we look at the various data protection laws passed around the world and compare them with the ones passed and debated in Pakistan, we can see that the latter are focused more on the protection of businesses, or the industry as a whole, than on the protection of people. While the recently approved Digital Pakistan Policy is commendable, as it encourages the growth of the IT sector in the country, we are still not even close to carving out a policy that mandates the protection of private user data, whether from businesses operating within the country or from businesses such as Facebook or Twitter which process our data from outside it.
Perhaps Pakistan first needs to sort out the regulations that can govern its digital economy, and streamline a system under which the government, local companies and foreign companies can work together, before creating a definitive set of rules which require every stakeholder holding user data to protect it.
Perhaps a better approach for the government would be to include all the stakeholders, local businesses in the industry as well as organisations which advocate for digital rights, and to chalk out a policy that creates a system in which businesses operate under rules which uphold users' rights over their own data.