Personal Data Protection Act, 2023 - Pakistan - Comments - Scope/Applicability
Ramesh Ramani
Data Privacy, Business Continuity, Information Security and IT Service Management Professional
IMHO the toughest articles to conceive and draft relate to the scope/applicability of any act in general and a privacy act in particular. Also, the largest number of legal cases hinge on this simple argument: according to this law, the case is not applicable to my client and hence needs to be withdrawn. Just as I said about laws having fewer definitions, IMHO, laws should make scope/applicability very explicit and detailed.
If we look at GDPR, there are tomes of background papers/materials in this regard, with many examples cited so that average, non-legal persons can comprehend and follow the law. Typically two questions cover this aspect:
1. Does the law cover the target people that we want to cover?
2. More importantly, is this enforceable?
Whilst GDPR chooses to address scope under material and territorial contexts, let us look at the scope of Pakistan’s law, which is covered in 4 small subsections that are paraphrased below:
1. Where any data controller or a data processor is established/present/registered within the territory of Pakistan.
2. Where any data controller or a data processor incorporated in any other jurisdiction, carries out processing of personal data concerning any commercial or non-commercial activity including profiling data subjects within the territory of Pakistan.
3. Where a data controller and a data processor not having a physical presence within the territory of Pakistan carries out the processing of personal data in a territory where Pakistani law applies under public or private international law.
4. Where a data controller or data processor collects personal data of a data subject within the territory of Pakistan including a foreign data subject who is physically present at the time of collection.
To start with, I do not see the difference between 2 and 3. Another glaring omission is a categorical statement of where the law is not applicable. For example, GDPR Article 2(2) lays down this aspect clearly.
Leaving these aside, let us look at two definitions which are of relevance in this context:
“Significant” means any data controller or processor which is sufficiently great or important to be worthy of attention by its sales revenue, profit, number of employees, market share, capital employed, or any other indicator such as number of users, type of data collected or a combination thereof that may constitute it as significant
“person” includes: (i) an individual; (ii) a company; (iii) a firm; (iv) or an association or body of individuals, whether incorporated or not;
Please note that the word ‘significant’ does not appear anywhere under Article 3 (Scope and applicability).
So let us see whether the law answers these questions categorically:
1. You have a personal podcast in Pakistan and collect personal data from both Pakistani and non-Pakistani clients without profiling. Is this law applicable to you?
2. You have a business with headquarters outside Pakistan that has a fully-owned branch office located in Pakistan. You are collecting personal data from a few people in Pakistan. Is this law applicable to you?
3. You are based in the US and have an e-commerce website. All data processing activities are exclusively carried out in the US. You plan to establish a Pakistan office in order to lead and implement marketing campaigns towards S Asia. Should you worry about this law?
4. You are a tour provider outside Pakistan offering package deals through your website for tours including tours within Pakistan. Is this law applicable to you?
5. You are a mobile app developer in the US catering strictly only to people in S Asia. Processing of your data happens in India. Is this law applicable to you?
6. You are a company based outside Pakistan processing personal sensitive data on behalf of a company (controller) based in Pakistan. Should you worry about this law?
Whilst there could be answers to all these questions, the enforceability process seems weak in all cases. Let us look at Article 2(2)(c) of GDPR, for instance:
2. This Regulation does not apply to the processing of personal data:
(c) by a natural person in the course of a purely personal or household activity;
Next step: processing of personal data and obligations of data controllers and data processors …
4 months
I hope this message finds you well. My name is Shumaila Batool, and I am a PhD student in Nursing Science at the University of Turku, Finland. As part of my doctoral research, I will be collecting data from patients with colorectal cancer in Pakistan. The data, including sociodemographic information and qualitative interviews, will be collected by research assistants and securely transferred from Pakistan to Finland. The data will then be stored in the secure system at the University of Turku. I am seeking your guidance on how to properly address this process in my ethics application for review, as I couldn't find a relevant reference. I have confirmed with the IRB head at the institution in Pakistan where the data will be collected, and he has indicated that data transfer is permissible with the appropriate permissions. Could you provide advice or guidance on how to detail this in my ethics submission?