Data Privacy: Elections And Beyond

Amongst the many developments that the past couple of years have seen in the country’s political landscape, a major change has been the degree to which technology has been utilised by parties.

Data Privacy: Elections And Beyond

Pakistan heads to the polls on February 8 2024. Amongst the many developments that the past couple of years have seen in the country’s political landscape, a major change has been the degree to which technology has been utilized by parties to make a mark on the public.

We are witnessing the advent of the ‘deepfake elections’ in real time, where disinformation and disillusionment have been key players in the mix. Another potent element has been the employment of data as currency.

The 2016 U.S Presidential elections saw the Cambridge Analytica data scandal play out, widening the global public’s awareness of the value of their information and demonstrated just how far candidates could go to turn the tide their way. 

The main crux of the scandal was the use of data to accurately target political advertising, the lifeblood of this constitutionally sanctioned power play.

In Pakistan, a practice that has anecdotally come to light has been the reception of automated calls from candidates contesting elections tomorrow’s elections. 

The use of phone calls to target voters may be a smart ploy to garner favour, given the 189 million users and 78.93% mobile tele-density quoted by the Pakistan Telecom Authority (PTA), however the lack of a national data protection framework introduces serious qualms.

Since 2018, the Ministry of IT has introduced draft after draft of the proposed Personal Data Protection Bill that has yet to come to fruition. 

This fact opens up Pakistan’s citizens to unmitigated data privacy violations and deepens the existing lack of trust in the system overall.

Given this, when a Pakistani citizen, who has not signed up or consented to it, receives communication from one of the 44 political parties contesting elections, arguably the first question to consider is where did they get their contact information from?

A close second would be to ask who holds our data.

If we examine the larger gatekeepers of personal data and contact information in the country, NADRA is the largest repository of national biometric data in Pakistan, with a notable history of data breaches.

Next to it, our mobile and network service providers hold valuable customer data with regards to demographics such as location and of course, mobile numbers. 

Within today’s particular context, the voter lists collated and maintained by the Election Commission of Pakistan is also a very precious commodity in terms of the data it contains.

Unfortunately, both the telecom sector and NADRA have had documented data breaches and the ECP has not been safe from malicious attacks itself.

Therefore, these three databases and perhaps even more become logical contenders in this equation, based on the prolific history of data leaks in the country, the current election timeline and the lack of a robust data protection regime.

Pakistan is one of 20 countries who have Bills introduced on the matter of regulation of personal data privacy, setting it behind the 162 nations that have created legal protections for their citizens. Our problem lies not only in not having a cogent and binding document protecting our interests, but the lacunas in the proposed law itself.

As this policy brief by the Digital Rights Foundation outlines, there are three key areas in which amendments need to be made before the imminent draft can be in compliance with a human rights-centric approach to data privacy. The primary element is the allocation of powers, where the National Commission of Data Protection (NCPDP) should operate with full autonomy without the say-so or extended involvement of the federal government. 

The secondary is a lack of clarity in the language employed in the draft with terms such as ‘legitimate interest’ and ‘critical personal data’ inviting ambiguity, and the tertiary element is the requirement of data localization which is concerning given the lack of an infrastructure to host such mammoth quantities of data safely.

Given the lack of accountability measures, a missing legal framework to protect the privacy of personal data and the dearth of transparency employed by state departments at large, it is no wonder that public perception of data safety is questionable at best, hopeless at the worst.

In the lead-up to the elections, another crucial element has also been that while the parties campaigning and vying for votes may have updated their methodology to reflect technological advancement and the ubiquity of modern devices, our laws have not. The Elections Act 2017, which was introduced prior to the last general elections cycle Pakistan witnessed, gives detailed instructions on analog modes but fails to account for digitized canvassing, leaving a wide gap within which our current conundrum of unsolicited vote calls lies. 

Protecting privacy in the modern era is essential to effective and good democratic governance. It is also a vital indicator of the viability of fundamental freedoms in a country. Pakistan’s databases have a storied history of proving unreliable as a safe location for the country’s data.

For political parties to employ dubious methods in violation of the base expectations of privacy of voters and for the government machinery and unregulated business practices to support it calls for urgent accountability of the status quo. 

Zainab Durrani is a Senior Project Manager at Digital Rights Foundation.