Challenges to Privacy and Data Protection in the Digital Age:
The last two decades have witnessed an exponential growth in the field of information technology. Presently around 4 Billion people are using internet with approximately 3.3 billion social media users. These users are placing an increasing amount of personal data on devices and internet both purposefully – social media uploads and unconsciously – online activities, shopping online or applying for job or searching a topic on Google as everything is being tracked. The ever-increasing accumulation and storage of personal data on the third party servers have raised concerns for cyber privacy and security as well as individual freedom. The invasion into personal privacy in the digital space has exposed the user to security and surveillance threats, aggressive marketing as well as danger of violence on the road. By applying complex Artificial Intelligence algorithms a defined pattern of behaviour and identity can be assessed, shaped and influenced. Cambridge Analytica, a Britain based consultancy firm gathered and analyzed personal data of around 87 Million Facebook users and allegedly used that data to influence the outcome of 2016 US Presidential elections and Brexit vote. Predictably, the legal development is slow and is unable to catch up the growing sophistication of technology and notwithstanding enactment of relevant legislations by US and EU, it has so far failed to address the cyber privacy concerns. The situation in Pakistan is even bleaker. Though Constitution of Pakistan recognizes the “privacy of home” as a fundamental right only to be infringed in exceptional circumstances, such as maintenance of public order etc, however, besides Constitution no other legislation in Pakistan deals with or protects privacy and data protection. In this backdrop, an attempt has been made in this paper to look at the threats posed to privacy by big data breach and a legal framework has been proposed to effectively address the issues relating to privacy and data protection.
Why Privacy and data protection is important?
The law provides every person a legal right to determine the extent of his thoughts which can be communicated to others and unless he appears in the witness box cannot be compelled to disclose his thoughts and opinions. Maintaining autonomy and individuality are important legal rights which should not be trampled upon as a matter of course. Invading inside person’s self without his knowledge and express consent tantamount to breach of his basic human right. Moreover, people tend to have more intellectual activities when sure of privacy and even innovation is dependent upon privacy. Those who support collecting big data argue that data may help to prevent a potential security disaster, address critical issues such as child abuse, including online child pornography and improving education and life saving medicine research”. This may be true to some extent but common good cannot be a valid excuse for infringing individual rights especially when perceived common good is not free from doubt and controversy. As the Cambridge Analytic case shows that practices that generate tiny bit of data, some seemingly insignificant, that can be collected, aggregated and analyzed to reveal patterns, preferences and identity. This is in stark contradiction to the notion of respect for individual autonomy and welfare. A universal expanded interpretation of right to life means to enjoy every facet of life and an exposed personal life does not fit within the modern conception of right to life.
Threats Posed by Infringing Privacy and Data Breach:
Privacy and Government Surveillance:
Privacy concerns were raised to a whole new level in 2013 when Edward Snowden former CIA contractor dropped a bombshell by leaking classified information revealing numerous global surveillance programs mainly run by US state agencies. Since the 2013 revelations, it is now clear that many countries run surveillance programs to monitor the activities of their own citizens and to spy foreign elements. The subject of spying on foreign subjects is a mixed question of international law and diplomacy which is beyond the scope of this paper. This article is mainly concerned with the government surveillance programs that target their own citizens. Governments are especially responsible for ensuring protection of fundamental rights of their citizens. No doubt, fundamental rights are not absolute and these can be curtailed through specific enactments. It shouldn’t, however, be construed that state has unbridled authority in restricting the scope of fundamental rights on flimsiest pretext. Upholding privacy and data protection fosters individual, cultural and intellectual development and is in line with democratic governance and accountability. Nevertheless, the fine line between “vital issues of national security” and “individual freedom” is becoming even more blurred as concerns for terrorism, extremism and separatism are increasing incessantly.
In US, Section 702 was introduced in Foreign Intelligence Surveillance Act by way of amendment in 2008, which allows the NSA (National Security Agency) to tap communication cables passing through the United States. It also empowers the “Agency” from collecting the data of US citizens in communication with targeted foreign nationals. In UK, Investigatory Powers Act 2016 provided unprecedented electronic surveillance powers to UK Intelligence and Community and Police. In an historic judgment, EU court of appeals struck down many provisions of said law being “inconsistent with EU laws”. It would be interesting to see if this legislation is restored once the UK divorce from EU is complete. In Pakistan, section 29 of Prevention of Electronic Crimes Act, 2016 mandates the service provider to retain its traffic data for a period of one year and provide that data to investigation agency or authorized officer whenever so required. Section 34 of the same Act enables the court to issue warrant for disclosure of content data if such data is reasonably required for the purpose of criminal investigation or criminal proceedings with respect to an offence made out under this Act. The PECA 2016 is a controversial enactment as it gives sweeping powers to investigating agency. The use of LEAs for political purpose is an unfortunate aspect of Pakistan’s political history. In this backdrop, giving wide discretion to investigative officer to impinge personal privacy in the name of national security genuinely raises concerns of digital rights workers.
Privacy and commercial use of personal data:
Data is a currency. It is perhaps more valuable than pure gold. The importance of data in terms of commercial value can be gauged from the fact that WhatsApp a freeware and cross-platform messaging and Voice over IP was purchased by Facebook for $19 bn. Up until recently WhatsApp did not advertise on its app and its earning was modest as compared to its incredible selling price. The real value of WhatsApp lies in its database which contains personal data of around 1.5 billion users. Tech companies including Google, Microsoft, Facebook etc. and mobile apps store personal information of users to efficiently serve the personalized advertisement based on interests and location gathered from data accumulated from online activities and user’s devices. This data is used by different entities in number of ways, such as to promote sale and service, personalizing and improving product, customer analysis and business process improvement so as to edge out competitors in a data driven economy. The e-commerce market size is expected to cross $4.5 Trillion by the end of 2021. Pakistan is also expected to surpass the $1bn figure in e-commerce this year. This lucrative industry has put the tech-companies in an eternal competition of gathering more and more information about the potential customer. Most often companies in their quest to know more about their users invade into personal life of an individual and breach moral and legal regulation of privacy. This not only psychologically entraps the potential buyer to persuade him to buy things which he does not need but also infringes his right of privacy, thus, exposing him to unwarranted risks.
Towards framing a policy on privacy and data breach:
The Consent Dilemma:
Although consent should be a cornerstone of any policy aiming at privacy and data protection, yet privacy self-management alone, is insufficient to address the issue holistically in a robust manner. The problem with self-management arises because individuals have to adjust their privacy setting for each entity which they find difficult and cumbersome. One possible solution could be a uniform privacy setting for all entities collecting, storing and processing personal data. Applying, uniform set of privacy settings, however, would be difficult and require an extensive consultation and collaboration among all stakeholders, perhaps, on a global level. However, an integrated approach of self-management and regulation should be devised for effectively addressing privacy concerns. The collection of data may be tacitly consented, but this should not absolve the entity from liability in case of improper use of such data or its breach thereof. Moreover, some content is intrinsically more sensitive than the other. Thus, law should be more responsive depending upon the substance of the content – providing different levels of consent for different types of content. This paternalistic approach is some cases may also be employed in a progressive way – not absolutely restricting consent but giving a fair amount of warning to form an informed opinion.
Role of Intermediaries:
An intermediary is ‘any entity that enables the communication of information from one party to another. A number of entities, including but not limited to, search engines, internet service providers (ISPs), cloud computing service, online social networks etc. though facilitates freedom of expression yet process and store data of user through automated processes. The role of these intermediaries has come under spotlight as governments around the globe are making more and more requests for some specific information to help them in ongoing investigations. The response of intermediaries to government requests for information about personally identifiable data depends on many factors i.e., jurisdiction and applicable law, nature of information sought, basis for information. The commentators on the subject are divided as to what ought to be the policy of these intermediaries: should they assist the governments in their investigations by providing the requisite information or resist their attempts to access personally identifiable information? Whatever it may be, one thing must be kept in mind that technology companies were not created in order to shield our information from, or deliver our information to law enforcement agencies; these are commercial entities with the sole purpose of revenue generation. Tech intermediary companies have reiterated their commitment to privacy and civil liberties over time, but their discretion to respond to request based on their understanding and legality of request needs to be regulated through law.
Suggested Legal Framework for Privacy and Data Protection in Pakistan:
The right to online privacy and being forgotten online is dubbed as 21st century right. The right to privacy of home is well enshrined in law and constitution of Pakistan. There is need to enhance the scope of this right to meet the demands of this technology driven age. An attempt was made in the year 2016 by enacting Prevention of Electronic Crimes Act. The “Act” is first of its kind in Pakistan and provides punishments for unauthorized access, copying, transmission of data from information system or critical infrastructure. Section 14 of PECA, 2016 prohibits the unauthorized use of identity information and prescribes punishment for obtaining, selling, transmitting or using another person’s identity information without authorization. This provision is, however, painfully simple and does not address the underlying core issue comprehensively. It is important to understand that data which may predict personally identifiable traits may not always be stored or collected at one place in a given time rather it may be accumulated over a period of time by different entities working independently. When such data is analyzed by applying complex artificial intelligence algorithms, personally identifiable information may be generated. The law also does not provide any mechanism for dealing with data breach cases. Data breach has enormous disastrous consequences for the individual and society alike. The entity which is in possession of personal data of an individual should be strictly liable to ensure that it remains in safe hands and is used in accordance with law.
PECA 2016 does not address the core privacy threat – government surveillance programs. In fact, 2016 Act direct entities and service providers possessing data to facilitate the investigating agencies by providing requisite data upon issuance of warrant of disclosure of content data with no corresponding obligation on state institutions not to spy on its own citizens. Moreover, organizations holding personal data have not been burdened with liability in case of breach of their security apparatus. The people of Pakistan being citizens of civilized state deserve protection of their online privacy and data. An Act of Parliament (Majlis-e-Shoora) providing the rights and obligations of online users should be passed clearly outlining the responsibility of entities that control and process personal data and circumstances in which such data can be collected, processed, stored, shared and used. The broad features of proposed legislation should incorporate the following features:
Establishment of Data Protection Agency:
A data protection agency should be constituted under law. The “Agency” may entertain grievous petition of user against the organization in case of improper use or breach of his personal data. Moreover, the government’s request of personal data of citizen should be channelled through the agency and be allowed in exceptional circumstances.
A Right to be forgotten online:
A user’s right to be forgotten online must be affirmed and protected. The user’s data should be deleted if he does not want his personal data to be stored and processed.
Access to one’s own data:
The user must have a right to access his own data and have the right to see what data has been stored.
Erasure of data:
The user should have a right to delete any personal identifiable data from the server of the data processing organization.
Permission for storing data:
The user should be alerted whenever his personal data is stored by the organization. No personal identifiable data should ever be collected and stored without the permission of the user. The law must clearly set out that pre-click consent dialog is not a valid consent, but user should be given an appropriate information as to which data and for what purpose the data is being collected, stored and processed so as to make an informed decision over the matter.
Right to inform in case of breach of personal data:
A user has a right to know when his personal data has been breached. He should be made aware of data breach and the extent of the threat within shortest possible time. The “Data Protection Agency” should also be informed about data breach within forty eight-hours. Not informing the agency should entail civil liability.
Liability for data breach:
The organization whose data has been breached must be burdened with civil liability. However, in cases gross negligence or mala fide transmission of data to proscribed agencies, penal liability may be enforced.
Mechanism for data protection:
Any entity collecting, storing and processing personally identifiable data should under law be required to put in place minimum safeguards for data protection. Encryption and other technological measures should be put in place so that data may not be used by any person not legally authorized to handle it.
Use of Data by Government:
The government should only be allowed to access the data in exceptional circumstances. The permission to access user information should be given by a court after giving reasons for its decision. The mass surveillance programs whereby government tracks the online activities of people is violation of fundamental right of citizens and should be outlawed. However, the government may keep the record of convicted felons, terrorists and foreigners with dubious activities in country.
The 21st century has opened a new horizon of exciting opportunities thanks to the development of information technology and artificial intelligence. However, this has also led to fears of state surveillance programs being run on “Big Brother style”. The corporate entities are also hotly pursuing the personal identifiable data of potential customers and are ready to pay big amount for it. No doubt, there are some genuine concerns for state security in the wake of rising terrorism, extremism and separatism. The importance of legitimate use of data for commercial growth is also a hard known fact. But broad perceived national security concerns and economic interests should not serve as a valid excuse for invading into personal space of an individual and violating his fundamental right of privacy. There is a need to strike a balance between the collective use of data for “common good” and individual right of privacy. In this backdrop, a federal law on the basis of recommendations outlined above is an urgent need to address the challenges of privacy and data protection in Pakistan so that Pakistani citizens could reap the real benefits offered by this digital age without exposing themselves to undue and avoidable online risks and dangers.
 Google stores every activity of the user on its database- Location history, search history, Youtube, Calendars, Hangout sessions, even how many steps you walk in a day. Google offers an option to download all the data. www.google.com/takeout.  Article 14 of the Constitution of Islamic Republic of Pakistan.  Warren and Brandeis, The Right to Privacy (Harvard Law Review, 1890)  A.A Allen, Protecting One’s Own Privacy in a Big Data Economy (Harvard Law Review, 2016)  The charter of fundamental rights of the European Union is a binding document and provides two separate fundamental rights – section 7 provides right to privacy whereas section 8 guarantees the right to the protection of one’s personal data in article 8  S. J Daniels, Privacy Self-Management and the Consent Dilemma (Harvard Law Review).  Thomas F. Cotter. 2005. Some Observations on the Law and Economics of Intermediaries. Michigan State Law Review, Vol. 1, p. 2. (Washington & Lee Legal Studies Paper No. 2005-14). http://ssrn. com/abstract=822987  In recent years Apple Inc and FBI have locked horns in various legal battles before US courts on the issue of gaining access of data on I-phones. The issue particularly became contentious in the aftermath of Sans Bernardino shooting that killed 14 people. Police recovered I-Phone 5C near the body of assailant However, Apple Inc refused to create software which could open the phone. FBI ultimately had to seek assistance of third party in unlocking the device.
- Originally Published in PLD 2018 Journal 100
- By Permission from the Author