Careem privacy breach calls for stronger data protection laws in Pakistan


Data storage and protection is one of the widely discussed issues of the current digital age; however, Pakistan has failed to introduce data protection legislation for many years. Case in point: the recent hack of Careem’s database.

Despite Careem admitting to a massive data leak – 14 million consumers losing all their personal information – not much can be done by authorities in Pakistan due to a lack of data protection laws.

Careem’s database was hacked on January 14, 2018, but it took the company over three months to unveil the security breach. Despite the lag in revealing the security breach, the Ministry of Information Technology and Telecommunication (MoITT) cannot hold the company accountable.

Talking to Pakistan Today, Minister of State for Information Technology and Telecommunication Anusha Rahman admitted that “data should not be shared with third parties without prior user consent,” but accepted that the ministry failed to take any practical steps.

In 2017, MoITT was ready to implement its Data Protection Act, but couldn’t do so since the bill was not passed by the Parliament.

According to a report published on Profit, several Pakistani tech giants including and PakWheels have been hacked in the past due to their security-related flaws. Even though security analysts and ‘ethical hackers’ highlight such flaws, no one bats an eye.

While some enterprises are hacked into giving away data, others simply see it as their own product and sell it. Both Facebook and Google admit to collecting user data. The Cambridge Analytica breach, in which Facebook user data from over 50 million accounts was extracted, is an example in itself.

A report by The Mail went as far as to claim that Google spied on millions of its users by storing records, including an individual’s web browsing, only to sell the data to businesses for their adverts.

The utility of data protection laws is not limited to technology companies alone. From hacked government-regulated databases to ATM skimming, data of various types can be stolen in a variety of ways, and the damage is not always monetary.

In Pakistan, hackers have reportedly compromised the computer systems of the National Database and Registration Authority (NADRA) – which is responsible for maintaining all the important information pertaining to Pakistani citizens – multiple times by breaching its website security.

Similarly, several telecom companies in Pakistan are believed to be selling their user data to third-party clients. Small and large businesses can buy such personal details, including contact numbers, to add to their potential buyers’ list.

The reliance on digital solutions is increasing day by day. Everything, from food delivery to payments, is done through mobile apps. Since no one actually reads the privacy policies, it’s easier for the application developers to make users accept the terms blindly.

Concerns including privacy, underage users and copyright infringement can only be addressed through a legislative framework. According to the policy recommendations made by the Digital Rights Foundation (DRF), there is a need to identify unauthorised access to information systems for wrongdoing.

All licensing agreements of the private sector that allow communication surveillance should be reviewed, while an independent privacy commission should probe complaints and impose penalties over data breaches, DRF suggests, adding that transparency should be ensured so that individuals can also request amendments to the policies.

DRF also asks the government to “take measures to ensure that personal information can only be disclosed, used or retained (by public or private sector) for the original purposes, except with the knowledge of the individual…(and) it must be deleted when no longer necessary for that purpose.”