In recent news, the IT Ministry of Pakistan has finalized the Personal Data Protection Bill, 2021, and has sent it to the Ministry of Law for vetting. The draft introduces a penalty of up to Rs. 25 million for anyone who processes, causes to be processed, distributes, or reveals personal data in breach of the terms of the proposed legislation.
According to the Personal Data Protection Bill 2021, the proposed legislation will govern the collection, processing, use, and disclosure of personal data, and will make provisions for offences relating to the violation of an individual’s right to data privacy through the gathering, acquiring, or processing of personal data by any means.
Data will be Processed in Accordance with the Person’s Privacy Rights
The Personal Data Protection Bill 2021 further provides for the processing, collection, holding, use, and disclosure of data with regard for the rights, freedom, and dignity of a person, with special regard to their rights to privacy, secrecy, and individual identity, and for related and supporting matters. The bill also provides judicial assurance to businesses and public officials whose activities require the processing of personal data.
The gathering, processing, and disclosure of personal data will only be performed in compliance with the provisions of the proposed Personal Data Protection Bill 2021. The data will be collected for defined, specific, and legal purposes, and will not be processed further in a way that is incompatible with those purposes. It will be sufficient, relevant, and limited to what is essential for those purposes.
Personal Data Protection Bill 2021 Restricts Data Controller from Processing Data without Consent
In addition, a data controller will not process personal data, including the sensitive personal data of a data subject, unless the data subject has consented to the processing of the personal data. The Personal Data Protection Bill 2021 also states that separate approval will be obtained from the data subject for each purpose. Notwithstanding subsection (1), a data controller may process personal data about a data subject if the processing is necessary for any of the following:
- for the execution of a contract to which the data subject is a party;
- for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by a contract;
- to preserve the vital interests of the data subject;
- for the administration of justice pursuant to an order of the court of competent jurisdiction;
- for legitimate interests pursued by the data controller;
- for the exercise of any functions conferred on any person by or under any law.
Personal Information will not be Processed Unless:
- the personal data is processed for a legitimate purpose that is directly related to an activity of the data controller;
- the processing of the personal data is necessary for or directly related to that purpose;
- the personal data is adequate but not excessive in relation to that purpose.
Subject to section 24 of the Personal Data Protection Bill 2021, no personal data is to be disclosed without the consent of the data subject (a) for any purpose other than (i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data, or (ii) a purpose directly related to the purpose referred to in subparagraph (i); or (b) to any party other than a third party of the class of third parties specified in clause (e) of sub-section (1) of Section 6.
Source: Pro Pakistani