Privacy leadership….Omer Imran Malik


IN the last couple of years, there has been a push to increase Pakistans overall exports on the back of Pakistans growing IT industry. With the growth of remote work culture post-Covid and an abundance of skilled software engineers in the country, relatively cheap input costs, easy scalability, and a strong, robust and growing international market all the elements are there for Pakistan to actually achieve international recognition in the development and creation of software products, applications, and new digital technologies.

But if Pakistan wishes to attract the best tech companies to invest here to further develop our IT sector, it will have to show the world that the personal data of foreigners, which will be transferred here for storage, processing, or analysis for the development of these software and digital technology products, will remain protected, and the processing of personal data in Pakistan, either by private parties or by public authorities, will always be lawful, ethical, proportionate, and appropriate to the rights of data subjects, and that those rights will be respected and enforced without fear or favour.

Pakistan needs to join the civilised world in enacting these rules, as over 60 per cent of the worlds countries have passed stringent data privacy laws which are ruthlessly enforced by regulators. It is estimated that between January 2021 and January 2022, nearly 1.1 billion euros in fines were imposed by European data protection authorities for a wide range of GDPR (General Data Protection Regulation) infringements. This represents a 54 per cent annual increase in fines. The Federal Trade Commission recently fined EPIC games $500 million for using dark patterns to collect childrens consent to collect their data. The reason for this enhanced enforcement is because data privacy is fast becoming the top-level concern of consumers when it comes to adopting new digital technologies as per many recent consumer surveys, over 60pc-70pc are concerned about the data privacy practices of the businesses they buy from, and they would spend more with a brand they trust to handle their personal data responsibly.

This is why global technology companies are also voluntarily adopting best privacy practices to ensure reduction of their regulatory risk and to retain their market leadership. Apple, one of the biggest and richest technology companies of the world, has already tilted the marketing campaign of its premier iPhone product and its internal operating system, IOS, towards being privacy friendly. Thus, for digital and technology companies, trust is no longer just a compliance requirement that has to be met it is becoming a competitive factor.

Therefore, if we want to make Pakistan the next global IT leader, we need to pass stringent and comprehensive data privacy and protection laws and regulations to first make it achieve privacy leadership in South Asia. These laws and regulations will need to be modelled after international best practices, such as the European Unions GDPR, and will require consultation and collaboration amongst a variety of players in digital industries, policymakers and human rights lawyers, etc.

Secondly, we will also have to instil the privacy by design or PbD culture in our IT-exporting companies. As per the philosophy of PbD, data privacy concerns must be addressed throughout the software development lifecycle, and privacy controls should be in-built and embedded within the software. This ensures that privacy protections within a new technology are not incorporated in the post-development phase as an afterthought, but are organic and foundational. If we can help our IT exporters inculcate the PbD philosophy, our IT products will undoubtedly find it much easier to meet the safety and privacy standards which are becoming the norm globally.

Obviously, this path would not be without challenges. For one, our policymakers are not well versed in the areas of data privacy and cybersecurity. From our politicians to our policymakers to even some of our most well-known software professionals, no one will be able to tell you the most common privacy requirements expected to be provided in the global market. A similar scenario exists for cybersecurity. Without expert opinion or advice, our lawmakers will remain clueless. It should be kept in mind that flawed legislation could prove disastrous for our fledging young industry.

Many also believe that stringent data privacy/protection policies might make Pakistan an unattractive destination for global tech companies and could stifle innovation and investment by increasing bureaucratic red tape and compliance costs without much advantage. However, that is a very short-term and regressive view, similar to how some industrialists argue that strict labour laws drive away industrial investors they dont, because the world has evolved: data privacy rights matter because consumers across the world care about them, and, accordingly, you wont be able to sell your product if the consumer cant trust you to respect his/her values.

Thus, from a purely capitalistic angle, privacy protections are required in Pakistan because, across the world, countries are passing privacy laws and establishing strict standards that require technology companies to transfer the personal data of their users only to jurisdictions which provide equal or similar privacy protections as the users country of origin and to only import software from countries where privacy controls are embedded in the initial design process.

A draft data protection bill was prepared and was supposed to be tabled before parliament this year. However, the IT ministry has announced that the bill will be redrafted. One hopes they dont waste too much time wringing their hands and losing out on this opportunity to make Pakistan gain privacy leadership in South Asia, so that the one industry which can increase our export base can continue to grow and flourish in these troubled economic times.

Courtesy Dawn