10 September 2025

The Concept Of Authorization Under Pakistan's Data Protection Laws In The Backdrop Of The EU-GDPR


INTRODUCTION

The very concept of the law on privacy revolves around keeping information secure and private. The information is the data, and keeping it secure is the protection which the law of data protection offers in each country. Central to this protection, and to the concept of privacy itself, is the authorization for the transfer, storage and usage of the data. The EU-GDPR, which is a very detailed piece of legislation on the topic of data protection, contains detailed provisions on how consent is required for processing data and what this consent should contain, what the data subjects' rights are, the role of the data controller and processor, how data is to be processed, what to do in case of a data breach, and matters regarding cross-border data transfers.

Pakistan still has a long way to go in terms of data protection. No dedicated law presently exists on the subject. The Personal Data Protection Bill, which was passed by the Cabinet, was however returned by the Parliament to the Ministry of Information Technology on the basis that it had been introduced by a single member. If enacted, this would be a dedicated law on data protection containing provisions on consent, processing of data, cross-border transfer of data, the role of supervisory authorities and data controllers, data breaches, and the rights of data subjects.

The NADRA Ordinance 2000 and the Electronic Transactions Ordinance 2002 are not dedicated data protection laws; however, both contain scattered provisions on the subject.

CONCEPT OF CONSENT UNDER THE EU-GDPR

Processing personal data is generally prohibited under the EU-GDPR unless it is expressly allowed by law or the data subject has consented to the processing. While it is one of the better-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). The others, as stated in Article 6(1) GDPR, are: contract, legal obligation, vital interests of the data subject, public interest and legitimate interest.

The basic requirements for the effectiveness of a valid legal consent are defined under Article 7 and specified further in Recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element "free" implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. In doing so, the legal text takes a certain imbalance between the controller and the data subject into consideration. For example, in an employer-employee relationship the employee may worry that a refusal to consent could have severe negative consequences on the employment relationship; thus consent can only be a lawful basis for processing in a few exceptional circumstances. In addition, a so-called "coupling prohibition" or "prohibition of coupling or tying" applies: the performance of a contract may not be made dependent upon consent to the processing of further personal data which is not needed for the performance of that contract.

For consent to be informed and specific, the data subject must at least be notified of the controller's identity, what kind of data will be processed, how it will be used and the purpose of the processing operations, as a safeguard against "function creep". The data subject must also be informed of his or her right to withdraw consent at any time, and the withdrawal must be as easy as giving consent. Where relevant, the controller also has to inform the data subject about the use of the data for automated decision-making and about the possible risks of data transfers due to the absence of an adequacy decision or other appropriate safeguards.

The consent must be bound to one or several specified purposes, which must then be sufficiently explained. If the consent is to legitimize the processing of special categories of personal data, the information provided to the data subject must expressly refer to this.

There must always be a clear distinction between the information needed for the informed consent and information about other contractual matters.

Last but not least, consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing. That being said, there is no prescribed format for consent within the law; it can even be given in electronic form. In this regard, the consent of children and adolescents in relation to information society services is a special case. For those under the age of 16, there is an additional consent or authorization requirement from the holder of parental responsibility. The age limit is subject to a flexibility clause: Member States may provide for a lower age by national law, provided that such age is not below 13 years. When a service offering is explicitly not addressed to children, it is exempt from this rule. However, this exemption does not apply to offers which are addressed to both children and adults.

As one can see, consent is not a one-size-fits-all basis when it comes to the processing of personal data, especially considering that the European data protection authorities have made it clear "that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent." Strictly interpreted, this means the controller is not allowed to switch from the legal basis of consent to legitimate interest once the data subject withdraws consent. This applies even if a valid legitimate interest existed initially. Therefore, consent should always be chosen as a last option for processing personal data.

CONCEPT OF CONSENT UNDER THE PECA

The Prevention of Electronic Crimes Act 2016 ("PECA") is predominantly a law which deals with cybercrimes and cyber terrorism; however, inter alia, it also contains provisions with regard to data protection. The PECA has a number of provisions which forbid the unauthorized transmission, storage, use and obtaining of data. Authorization is very simply defined as authorization by law or by the person empowered to make such authorization under the law. This is all that the PECA provides on authorization. There is no concept within the PECA of a data subject or a regulator as provided under the EU-GDPR.

"Identity information" has been defined within the PECA to mean information which may authenticate or identify an individual or an information system and enable access to any data or information system. "Authority" has been defined within the PECA to mean the Pakistan Telecommunication Authority. "Data" has been defined as including content data and traffic data. "Traffic data" has been defined as data relating to a communication, including its origin, destination, type, size and route. "Information" has been defined as including text messages, data, voice, sound, databases, video, signals, software, computer programs and any form of intelligence.

Sections 3 through 8 and section 16 of the PECA specifically mention the terms data and identity information and the transmission and storage of data and identity information. These sections repeatedly use the term "authorization" and rest on the legal position that the use, transmission and storage of data cannot take place without authorization. The term "authorization" has been defined within the PECA to mean authorization by law or by the person empowered to make such authorization under the law.

It can be argued that the use of the terms "data" and "identity information" within these sections of the PECA leans more towards the malicious use of data and identity information for crimes such as cyber stalking and hacking. However, since these terms are not defined in that limited sense, and because Pakistan does not have a dedicated data protection law, the above provisions, in particular section 16, also deal with data protection.

The above sections have a common theme in terms of authorization for the use of data. They provide that in order to access, store, transmit, transfer and use data, the same must be authorized by law or by the person empowered under the law to make such an authorization. In our opinion, and this is generally the understanding which we provide to those seeking an opinion on data protection under Pakistani law, the authorization for the use of data rests with the person to whom the data belongs. In terms of identity information as defined above, read with Article 8(1) of the Constitution of Pakistan 1973, every individual has a right to his or her privacy. It is thus our considered legal opinion that, in the case of identity information in particular, the use, transmission, storage and access of such data can only be carried out with the explicit authorization of the person who is the owner of the identity information, and this owner would be any ordinary citizen of Pakistan whose identity information is at risk of being used.

Section 41 of the PECA specifically provides that any person, service provider or authorized officer of the cybercrime wing of the FIA who obtains access to data belonging to any person or entity must keep the same confidential and may only disclose it if required by law, or with the consent of the person to whom the data belongs.

Although section 41 does not deal specifically with consent and authorization, it indirectly makes it clear that authorization and consent are mandatory under the PECA for the use of data.

CONCLUSION

Normally, where the law is lacking, case law compensates; however, in the case of the concept of authorization, no guidelines have been developed by the courts either. The entire body of case law developed under the PECA focuses mostly on cybercrimes, and where this involves data it is only to the extent of the "illegal use of data". There has been no development at all on what would constitute the legal use of data.

When advising clients on the subject, we always make sure to mention that i) although the governing principle is that the unauthorized use of data is forbidden, ii) no clear principles exist on authorization and the legal use of data, either within the law or in case law, and iii) best practices should therefore be based on the concepts developed within the EU-GDPR; at the very least, strong binding documents on consent and authorization should be used which clearly show an unambiguous grant of authorization for the use of data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
