The right to be forgotten in Pakistan
Tuesday 22 August 2023
Sahar Iqbal
Akhund Forbes, Karachi
sahar.iqbal@akhundforbes.com
Abstract
The right to be forgotten pertains to online privacy, granting individuals the authority to request businesses and organisations to delete their personal information from their systems and servers, which indirectly means that the private data of individuals will not appear in internet searches, search engines or online directories. The idea that people deserve the liberty to lead their lives privately and without concern for past events or associated stigmas has become increasingly prevalent due to the accessible and intrusive nature of social media and the internet. However, deleting data from one source does not guarantee its complete removal, as it traverses numerous servers and gets stored in various locations across the ‘cloud’. Consequently, organisations may face obstacles in complying with a data deletion request.
This article shall discuss the fundamental rights to privacy as enshrined in the Constitution of Pakistan 1973 (‘Constitution’)[1] and the legal mechanisms to maintain privacy through the erasure of personal data as provided in the Personal Data Protection Bill 2023 (‘Bill’).[2]
Fundamental rights to privacy in Pakistan
In Pakistan, the right to privacy is enshrined in the Constitution as a fundamental right under Article 14. Courts have ruled, in cases such as the Mohtarma Benazir Bhutto case,[3] that surveillance, including phone tapping and eavesdropping, not only violates privacy but also infringes on the constitutional right to life. The Supreme Court emphasised that privacy extends beyond one’s home to public spaces and any illegal intrusion should be prohibited to preserve individuals’ dignity. Although not explicitly stipulated by the Constitution, the right to be forgotten, ie, the right to remove personal information from the public domain, directly relates to the constitutional rights to privacy and dignity.
Furthermore, Pakistan has ratified various international instruments to safeguard citizens’ privacy. These include the Universal Declaration on Human Rights (Article 12),[4] the International Covenant on Civil and Political Rights (Article 17),[5] the Convention on the Rights of the Child (Article 16),[6] and the Cairo Declaration on Human Rights in Islam (Article 18).[7] These instruments emphasise the importance of privacy and impose obligations on Pakistan to respect and protect this fundamental right. Notably, the draft Bill appears to extensively take these instruments into account.
The right to be forgotten under Pakistan’s Personal Data Protection Bill 2023
While Pakistan’s incumbent personal data protection laws are outdated and do not directly deal with online privacy and the erasure of personal data, the Bill, which is expected to be passed into law soon, extensively provides mechanisms and obligations to protect individuals’ fundamental rights to privacy and dignity.
Section 26 of the Bill pertains to the right to erasure of data, which grants data subjects the authority to request the deletion of their personal data held by a data controller without undue delay. The data controller, in turn, is obliged to erase the personal data within 14 days under specific conditions: first, if the personal data is no longer necessary for the purposes for which it was originally collected or processed; second, if the data subject withdraws their consent, provided there is no other legal basis for the data processing; third, if the data subject objects to the processing and there are no legitimate reasons for the processing; further, if the personal data has been processed unlawfully; and finally, if erasure is necessary to comply with a legal obligation.
Significantly, in cases where the data controller has made the personal data public and is required to erase it, they must take appropriate measures, considering available technology and implementation costs. This includes informing data processors who have been processing the personal data for erasure, along with any links, copies or replications of the data. It is essential to note, however, that due to the nature of the internet, information that has once been made publicly available is impossible to completely erase upon the request of data subjects. Due to the exponential advancements in technology and the growing practices of hoarding data for targeted advertisements, it has become impossible to truly delete one’s online digital footprint. Nevertheless, the law provides a comprehensive mechanism for data controllers to adopt when required to erase data, the effectiveness of which depends on the extent of data controllers’ means and compliance. As the law currently exists as a Bill, it is not possible to determine its effectiveness yet.
Under Section 26 of the Bill, certain exceptions apply, and the right to erasure may not be applicable under specific circumstances. These exceptions involve instances where processing is necessary for exercising the right of freedom of expression and information as protected by Article 19 of the Constitution. Furthermore, the processing of data may be allowed for compliance with a legal obligation, the performance of a task carried out in the public interest or the exercise of official authority vested in the data controller. Additionally, data processing may be justified for reasons of public interest in the area of public health, for archiving purposes in the public interest, or for scientific, historical or statistical research purposes. Therefore, legislators recognise the fact that a complete right to the erasure of personal data is impractical and needs to be reconciled with the fundamental rights to freedom and expression as enshrined in the Constitution.
Conclusion
Inspired by the EU Regulation,[8] the right to erasure of data as enshrined in Section 26 of the Bill addresses the critical aspect of online privacy, granting individuals the authority to request the deletion of their personal information from businesses and organisations’ systems. While this right acknowledges the fundamental rights to privacy and dignity enshrined in the Constitution, it will potentially face challenges due to the complexities of data storage and the internet. However, certain exceptions recognise the importance of freedom of expression and other public interests. Therefore, striking a balance between privacy and other constitutional rights remains essential as technology continues to advance.
[3] Mohtarma Benazir Bhutto v President of Pakistan PLD 1998 Supreme Court 388 at https://privacylibrary.ccgnlud.org/case/mohtarma-benazir-bhutto-and-ors-vs-president-of-pakistan-and-ors accessed 8 August 2023.
[8] Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 [2016] OJ L119/1.