The concept of authorisation under Pakistan’s data protection laws against the backdrop of the EU General Data Protection Regulation

Wednesday 12 February 2025

Yousaf Amanat Khan

Yousaf Amanat & Associates, Islamabad

yousaf@yaa.com.pk

Introduction

The very concept of the law on privacy revolves around keeping information secure and private. This information is considered to be data and keeping it secure through various protection mechanisms is the purpose that laws on data protection offer in many countries. Central to data protection is the concept of privacy and the need for authorisation for the transfer, storage and usage of such data. The European Union’s General Data Protection Regulation (GDPR), which is a very detailed piece of legislation on the topic of data protection, contains detailed provisions on how consent is granted for processing data and what this consent should contain, the data subjects’ rights, the role of the data controller and data processor, how data is to be processed, what to do in case of a data breach and matters regarding cross-border data transfers.

Pakistan still has a long way to go in terms of data protection. No dedicated law presently exists on the subject. The personal data protection bill, which was passed by the Cabinet of Pakistan, was returned by the Parliament of Pakistan to the Ministry of Information Technology and Telecommunication on the basis that it had been introduced by a single member of government. If enacted, this bill would have been a dedicated law on data protection, containing provisions on consent, the processing of data, the cross-border transfer of data, the role of supervisory authorities and data controllers, the requirements related to data breaches and the rights of data subjects.

The National Database and Registration Authority (NADRA) Ordinance 2000 and the Electronic Transactions Ordinance 2002 are not dedicated to data protection, but they both include certain data protection-related provisions.

The concept of consent under the EU GDPR

Processing personal data is generally prohibited under the EU GDPR unless it is expressly allowed by law or the data subject has provided their consent to the processing. While it is one of the better-known legal bases for processing personal data, consent is only one of six bases mentioned in the GDPR. The other grounds for processing are when the processing relates to a contract, concerns a legal obligation, relates to the vital interests of the data subject, is in the public interest or relates to a legitimate interest, as stated in Article 6(1) GDPR.

The basic requirements for securing valid legal consent are outlined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The term ‘free’ implies that a real choice has been given to the data subject. Any element of inappropriate pressure or influence that could affect the outcome of that choice renders the consent invalid. In doing so, the legal text acknowledges that an imbalance could exist between the data controller and the data subject. For example, in an employer–employee relationship, the employee may worry that their refusal to give their consent may have severe negative consequences on their employment relationship, thus consent in such a scenario can only be a lawful basis for processing in a few exceptional circumstances. In addition, a so-called ‘coupling prohibition’ or ‘prohibition of coupling or tying’ applies. Thus, the performance of a contract may not be made dependent upon the consent to process further personal data, which is not needed for the performance of that contract.

For consent to be informed and specific, the data subject must, at the very least, be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations, as a safeguard against ‘function creep’. The data subject must also be informed about their right to withdraw their consent at any time. The withdrawal of consent must be as easy as giving consent. Where relevant, the data controller also has to inform the data subject about the use of their data for automated decision-making and about the possible risks of data transfers due to the absence of an adequacy decision or other appropriate safeguards.

The data subject’s consent must be bound to one or several specified purposes, which must be sufficiently explained. If the consent legitimises the processing of special categories of personal data, the information provided to the data subject must expressly refer to this.

There must always be a clear distinction between the information needed in regard to securing informed consent from the data subject and the information provided about other contractual matters.

Last, but not least, consent must be unambiguous, which means it requires either the provision of a clear statement to that effect or a clear affirmative act. Consent cannot be implied and must always be given through the use of an opt-in option, a declaration or an active motion, so that there is no room for misunderstanding in regard to whether the data subject has consented to the particular data processing involved. That being said, the law prescribes no approved format for consent; it can even be given in electronic form. In this regard, the consent of children and adolescents in relation to information society services is subject to certain special requirements. For those who are under the age of 16, there is an additional consent or authorisation requirement in regard to the holder of parental responsibility. The age limit is subject to a flexibility clause: European Member States may provide for a lower age in national law, provided that such age is not below 13 years. When a service offering is explicitly not addressed to children, it is freed from the need to adhere to this rule. However, this exemption does not apply to offerings that are addressed to both children and adults.

As one can see, consent is not a one-size-fits-all solution when it comes to the processing of personal data, especially considering that the European data protection authorities have made it clear, via a statement from the Article 29 Working Party in its updated guidance on consent, ‘that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent’. Interpreted strictly, this means that the data controller is not allowed to switch from the legal basis of consent to legitimate interest once the data subject withdraws their consent. This restriction applies even if a valid legitimate interest existed initially. Therefore, consent should always be chosen as the last option for processing personal data.

The concept of consent under the Prevention of Electronic Crimes Act

The Prevention of Electronic Crimes Act 2016 (PECA) in Pakistan is a law which predominantly deals with cybercrime and cyberterrorism; however, inter alia, it also contains provisions with regard to data protection. The PECA includes a number of provisions that prohibit the unauthorised transmission, storage, use and obtaining of data. Authorisation is very simply defined as permission granted by law or by the person empowered to make such an authorisation pursuant to the law. This is all that the PECA provides on authorisation. There are no concepts within the PECA concerning the data subject or the data protection regulator as provided under the EU GDPR.

Identifying information is defined within the PECA to mean any information which may authenticate or identify an individual or an information system and enable access to any data or information system. The relevant regulatory authority is identified within the PECA as the Pakistan Telecommunication Authority. Data has been defined as including content data and traffic data. Traffic data has been defined as data relating to a communication, including its origin, destination, type, size and route. Information has been defined as including text messages, data, voice, sound, databases, videos, signals, software, computer programs and any forms of intelligence.

Sections 3 through 8 and section 16 of the PECA specifically mention the terms data, identity information and the transmission and storage of data and identity information. These sections repeatedly make use of the term authorisation and reiterate the legal fact that the use, transmission and storage of data cannot occur without authorisation. The term authorisation is defined within the PECA to mean authorisation by law or by the person empowered to make such authorisation under the law.

It can be argued that the use of the terms data and identity information within these sections of the PECA leans more towards the malicious use of data and identity-related data for crimes such as cyberstalking and hacking. However, since the same terms are not defined as such, and because Pakistan does not have a dedicated data protection law, the above provisions, in particular section 16, are viewed as dealing with data protection.

The above sections have a common theme in terms of authorisation for the use of personal data. These sections provide that in order to access, store, transmit, transfer and use data, such activities should be authorised by law or authorised by the person empowered under the law to make such an authorisation. In our opinion, which is generally the understanding that we provide to those seeking an opinion on data protection under the ambit of Pakistan law, authorisation for the use of data rests with the person to whom the data belongs/relates. In terms of identifying information as defined above, and interpreted in regard to Article 8(1) of the Constitution of Pakistan 1973, every individual has a right to privacy. It is, thus, our considered legal opinion that, in terms of identifying information in particular, the use, transmission, storage and access of such data can only be conducted with the explicit authorisation of the person who is the owner of the identifying information, and this owner is likely to be an ordinary citizen of Pakistan whose identifying information is at risk of being used.

Section 41 of the PECA specifically provides that any person, service provider or authorised officer from the cybercrime wing of the Federal Investigation Agency who accesses data belonging to any person or an entity should keep the same confidential and can only disclose the same if required by law or with the consent of the person to whom the data belongs/relates.

Although section 41 of the PECA does not deal specifically with consent and authorisation, it indirectly makes it clear that authorisation and consent are mandatory under the PECA for the use of personal data.

Conclusion

Normally where the law is lacking, case law compensates for this lack. However, in the case of the concept of authorisation, there are no present guidelines in Pakistan that have been developed by the courts either. All of the case law developed under the PECA deals mostly with cybercrime and, where this involves data, it is only to the extent of the ‘illegal use of data’. There is no information at all in the case law so far on what would constitute the legal use of such data.

When advising clients on the subject, we always make sure that we mention that, although the understanding is that the unauthorised use of data is forbidden, no clear principles exist on authorisation and the legal use of data, either within the law or in case law. As such, best practices should be based on the concepts developed within the EU GDPR, at least in regard to strong binding documents on consent and authorisation, which clearly show how the unambiguous granting of authorisation can be obtained from the data subject for the use of their data.