Despite several attempts to enact strong data protection legislation that respects people’s data privacy and fosters progress, the proposed law on data protection needs to balance the expectations of those who provide data with those who handle or otherwise control it.
The proposed law has some important flaws, including the need for data localization, the Commission for Data Protection’s authority, and the government’s access to sensitive personal information under the guise of national security. The fact that it is based on the General Data Protection Regulation (GDPR), a European data protection statute, presents another issue.
Although Pakistan is not the first nation to base its data privacy regulations on the GDPR, it would likely suffer, particularly given how it will affect entrepreneurs. According to studies conducted in the EU, for instance, the GDPR has significantly impacted small firms due to rising compliance and monitoring costs and restrictions that make data-driven organizations less scalable.
Like GDPR, the proposed law also grants rights such as data access, rectification, and withdrawal of permission. The issue is not with the rights but with their scope and the penalties for violating them. The lengthy and onerous compliance procedure makes dealings between data subjects and controllers needlessly expensive.
The proposed data protection law needs to be revised.
Consider the right to rectification as an illustration. If personal data is incorrect, incomplete, misleading, or out-of-date, the data subject has the right to request that the data processor or controller correct it. The proposed law neither distinguishes between the types of activities for which data is needed nor defines what constitutes personal data.
Although the definition stipulates that the data must be able to identify a person, it is silent as to how much information is required to do so or what criteria must be met for the data to qualify as personal data. It also needs to address the issue of whether a piece of information is accurate or not.
Is it inaccurate or insufficient information if you see a chocolate commercial based on your search the night before and then start a diet the next morning? Your preferences should be reflected in your search engine selections. Despite being simple, these inquiries highlight the flaws in the law.
The processing of children’s data is another illustration. According to the law, any person under 18 must have their parent’s or legal guardian’s consent before a data controller or processor can handle their information.
Aside from the age restriction dispute, how would data controllers be expected to contact parents or verify guardianship? In what circumstances would paternalistic surveillance be more expensive than beneficial? Is it possible for a 17-year-old to open an Instagram account?
These are only a few things that could be improved in how the law is written. The main problem is that it needs to catch up to industry advancements. Given how the notion of consent has changed in the internet industry due to the employment of dark patterns, the legislation should have regulated the process for gaining consent.
Instead, it uses antiquated methods to get consent and permits data subjects to decline to exercise their rights as long as their consent is “free, specific, informed, and unambiguous.”
This has always been the situation under the rules of contracts, and the proposed law neither clarifies how permission is to be gained or regarded as “informed,” nor does it add anything new. Would a large text document written in legalese satisfy the criteria, or would a brief, concise statement at each stage be adequate?
Dark patterns are user interfaces that leverage heuristics (rules of thumb) or personal biases to persuade users to choose alternatives the data processor may want them to take rather than what they would genuinely prefer. An illustration of a dark pattern might be to continually display the same screen to entice someone to consent to being tracked or to preselect the choice the controller wants the user to make.
Although many of these actions may satisfy legal requirements, they create a divergence between users’ actual preferences and those manipulated by the controllers. This starts a cycle where the more data the controllers collect, the more exploitative they become.
A proposal that fails to address the issues of data collection, storage, processing, etc., by businesses and imposes a high cost for pointless compliance should not become a law of parliament, leaving aside the ethical implications of data exploitation.