Considering Gendered Implications When Drafting Data Protection Law in Pakistan

By Hija Kamran

Digital Rights Foundation (DRF) acknowledges the support of Friedrich Naumann Foundation for Freedom (FNF) for the series of essays written in January-September 2021 on “Transforming Technologies during Covid-19” as part of an essay competition. However, the contents of this publication is the responsibility of the Author and do not necessarily represent the views of the Digital Rights Foundation (DRF).


In 2013, MuckRock, a non-profit organisation based in the United States of America (USA), filed a request for information under the Freedom Of Information Act (FOIA) of the country to the National Security Agency (NSA), requesting access to the guide for the internet titled Untangling the Web, developed by the NSA.1 The released version is the twelfth edition of the book that, according to its preface, was started as a small handout, and was published in 2007.2 The guide intends to explain and understand the way the internet functions, and outlines the basics of the internet – consumer version and the hidden version, its tools, and the comprehensive guide on the ways to strengthen online privacy.

The authors, Robyn Winder and Charlie Speight, write, “The internet – in all its glory of information and misinformation – is for all practical purposes limitless, which of course means we can never know it all, see it all, understand it all, or even imagine all it is and will be. The more we know about the internet, the more acute is our awareness of what we do not know. The internet emphasises the depth of our ignorance because ‘our knowledge can only be finite, while our ignorance must necessarily be infinite.’ My hope is that Untangling the Web will add to our knowledge of the internet and the world while recognising that the rock will always roll back down the hill at the end of the day.”

It further says, “As with all new technologies, it comes at a cost – many costs, in fact. We pay for the benefits of the internet less in terms of money and more in terms of the currency of our age: time, energy and privacy.”

The book was written 14 years ago with special emphasis on 100 pages on the importance of privacy and how to ensure it. Mathew Gault, a reporter at Vice, writes that this section is still relevant as he finds himself agreeing to most of the things the book mentions about online privacy, and further adds, “It’s not that the people at the NSA were cutting edge thinkers, they just knew things that the rest of the world didn’t at the time.”3

A discussion on privacy is at the core of how we access and experience the internet in the current age when it has become a necessity rather than a luxury that it was 14 years ago. The importance that is regarded, or should be regarded, to the right to privacy of individuals is based on the sensitivities attached to the kind of information that people willingly, and most of the time unwillingly, submit to the websites and platforms they access online. The protection of this information collectively has, in the past few years, come parallel with individual’s right to privacy, especially in light of the immeasurable amount of breaches and violations of the collected data by multiple actors collecting, storing, processing and accessing this information. The phenomenon widely called Data Protection has increasingly become an important discussion on policy level with various countries focusing on drafting and passing legislations to protect their citizens’ digital information.

The conversation was dramatically added in the mainstream discourse when the European Union (EU) passed General Data Protection Regulation, commonly known as the GDPR, in 2016 which mandates all businesses and entities to prioritise data protection by design for people residing within the EU. It applies hefty financial penalties in instances of non-compliance, and restricts businesses and platforms as big as Facebook, Google and others to enforce a separate version of privacy and data processing policies within the EU.4 For instance, in early 2021, WhatsApp which is owned by Facebook Inc., changed its Terms of Service (ToS) that mandated users to accept the changes which included the sharing of data of business accounts with Facebook for its ads targeting.5 The update that was met with backlash from users around the world was compulsory to be agreed with, leading to the services of the largest communication platform to be unavailable to those who do not accept the changes in the policy.6 However, where the change applied to users across the world, WhatsApp had a different version of the same policy for EU and UK residents that limits the sharing of their data with third parties owing to the strong data protection regulation in the region.7

With their selective application of these policies, technology companies fail to recognise how sharing of sensitive data of their users impacts the most vulnerable. In the case of WhatsApp, only adding the backdrop of authoritarian regimes puts a large group of people – human rights defenders, journalists, dissidents, women, gender and sexual minorities – at the risk of being disproportionately targeted under draconian legislation which are not unique in many countries across the world. As seen in the EU, the prioritisation of users’ interests, privacy and protection of data lead to the world’s biggest tech companies changing their policies. However, despite this, even GDPR that is considered a gold standard for data protection regulations across the globe does not adequately acknowledge the implications of violation of privacy in cases of vulnerable communities within its jurisdiction. 

Minorities in any country remain the most vulnerable to falling victim to any regulation that does not consider their protections and interests as a primary concern. Where GDPR compliance has been strong, there have been instances where gender minorities have experienced the implications of privacy violations despite having a law that protects it. For instance, Egon Botteghi, a trans parent from Italy shared their experience of traveling outside of Italy that requires them to reveal their trans identity to individuals they have never met, and probably will never meet again. They said in a blog post shared by Thomas Reuters Foundation News, “I didn’t know that as a trans parent it would be very hard for us to travel without our privacy being violated,” adding, “Whenever we travelled, I had to come out as trans to complete strangers, over and over again and explain that I was indeed the parent of my children.”8

Botteghi’s experience is not unique, however, is one of the very few that have been reported. Although GDPR does provide protection of sensitive data of gender and sexual minorities, on-ground violations of privacy of vulnerable populations continues to impact by the way the information is shared and digitised, coupled with mechanisms handled by humans in place to implement the regulations. It is imperative to mention that gendered implications and protections are not the primary considerations in the way the laws are made right now.

The backdrop of GDPR is critical to establish the main premise of this paper that explores how gendered privacy is regarded in Pakistan, and how it is translated in policy making, if at all. Pakistan is in the process of passing a Personal Data Protection Bill (PDPB) which outlines the safeguards to be granted to people’s digital data collected and processed by various public and private actors operating in the country. This paper particularly looks at gendered implications of privacy violations in a country like Pakistan that is conservative and authoritarian in nature, and based on the reported incidents of privacy, informs recommendations to make PDPB an inclusive legislation that focuses on privacy as a default rather than an afterthought – something that has been seen in other regulations pertaining to online spaces in the country.

Privacy and Gender in Pakistan

Privacy is famously regarded as a luxury in Pakistan, and one that is only demanded by someone who has something to hide. The cultural connotations to privacy discourages the expectation and demand of this basic necessity within and outside of homes. From not allowing family members to close or lock the doors in homes to installing CCTV cameras in workplaces with an intention to keep an eye on employees to mass collection of citizens’ data on government level which is later used to surveil them, infringement of privacy is prevalent and normalised everywhere in the country. This normalisation impacts every person across the board, it is, however, exacerbated when gendered implications are considered.

Anecdotal evidence and lived experiences suggest that where men have fairly easy access to their rights, just like in any patriarchal society, women are denied any form of agency over their guaranteed rights, and are routinely seen struggling to expect, demand and exercise said rights. This denial of rights is reflected in virtual and online spaces as well which mirror values and shortcomings of the society in the offline world as well.

For instance, the right to privacy is protected under Article 14 of the Constitution of Pakistan for every citizen of the country. Despite this, the politics of privacy dramatically differ for women and gender minorities than it does for men. This disregard begins within homes when women are not allowed to have any sense of privacy and time of their own, and are left to seek permissions from families controlling them. Shmyla Khan, Director Research and Policy at Digital Rights Foundation, tells Digital Rights Monitor that this denial of privacy for girls is seen on the internet as well. She says, “Within the home girls are not granted much privacy, likewise women’s online presence is seen in a similar way, as if you are less deserving of it.”9

The implications of violation or absence of privacy are often seen to be drastic for women. Multiple reported incidents suggest that when women’s privacy is violated, it has led to physical violence further ending in murder of women in the name of so-called honour which continues to be prevalent in Pakistan.10 One such case that garnered widespread attention happened in May 2012 in Kohistan, when five women were killed in the name of honour after the video of them cheering with two young boys in a wedding celebration in 2011 went viral on the internet.11 Afzal Kohsitani, the man who brought the case to national attention, was also murdered in March 2019 after fighting for justice for seven years.12 The same year, in September 2019, a sessions court in Khyber Pakhtunkhwa (KP) sentenced three men who were related to the three murdered women, to life imprisonment, whereas five accused men were acquitted.13 There is a direct correlation of how violation of women’s privacy in the real world reflects in the online world and then subsequently poses physical harm to the victims.

Similarly, another high profile case where violation of privacy led to the murder of a woman was that of Qandeel Baloch, a social media celebrity who used pseudonym online owing to her affiliation with a conservative family and village.14 After years of constant trolling, Qandeel’s identity was revealed when her passport was aired on national TV and on social media leading to her brother being informed of her work that also fed her family. While visiting her home in Multan in July 2016, Qandeel’s brother murdered her in her sleep in the name of honour.15 This case is a prime example of how when the right to privacy of women is violated on the internet, it has direct implications in the offline world that quickly turn life-threatening and fatal. 

Arooj Aurangzeb, an activist from Lahore, writes16 in Digital Rights Monitor, “For women to occupy space and express themselves freely on the internet there is an additional and often the primary layer of patriarchal control with real world consequences.”

Privacy, Gender and Data Protection in Pakistan

While these instances have strictly been individual cases, public and private institutions play a significant role in failing to protect the right to privacy of women and gender minorities in Pakistan. The large amount of data that is constantly collected by these entities is stored on servers without privacy protocols, leading to violations that directly and indirectly leave gendered impact. 

Private corporations, particularly telecom companies, under the Prevention of Electronic Crimes Act (PECA), 2016, are obligated to store and retain user data of Pakistani subscribers for upto one year. While the law has directed this retention, it fails to outline data protection protocols to ensure safety of the private and sensitive data of 183 million people in the country.17 As a result constant breach of privacy through unauthorised access has been experienced recorded through multiple anecdotal and reported instances.

In April 2020, reports of the sale of 115 million Pakistani users on dark web were highlighted by a Pakistani specialised cybersecurity firm Rewterz Threat Intelligence,18 which were then raised by Senator Rehman Malik, Chairman of the Senate Standing Committee on Interior who directed the Federal Investigation Agency (FIA) to investigate the claims.19

The hacked data that was allegedly being sold for 300 Bitcoins, approximately $2.1 million USD, contained full name, Computerised National Identity Card (CNIC) number, phone number, residential address and tax number. While this is the first reported incident of breach of citizens’ data on a large scale, various rogue websites have emerged in the past that enable anyone to enter a mobile number and/or CNIC number to access private details of the user. This is a result of the breach in the database of National Database and Registration Authority (NADRA) which issues, controls and manages the biometric database of the residents of Pakistan. The data stored with NADRA has been subjected to multiple data breaches, unauthorised access and sharing, and hacking attempts leading to compromising the sensitive information of millions of Pakistanis.

While these instances apparently do not have gendered implications, however, the pattern and lack of security protocols have led to cases where women were subjected to surveillance and violation of their right to privacy through unauthorised access of their digital data.

Intimate partner surveillance has been prevalent in Pakistan with husbands keeping a close eye on their wife’s mobility and communication, and making most personal decisions like the choice of clothing, who the woman talks to, where she goes, and how she carries herself in public along with every intimate detail. Constant surveillance and the violation of restrictions  would often lead to physical and psychological violence. The trend has increasingly been translated to online media as well, where women are subjected to unprecedented spying from their intimate partners on digital platforms and devices. Not only are the phones regularly checked, but lax security protocols of telecom companies play a significant role in advancing this surveillance. It is important to acknowledge that humans are the weakest link in data protection and privacy protocols of data servers and information stored on them. And despite all mechanisms in place to protect the servers and its content, a person not authorised to have access to sensitive information of users can lead to the breach of privacy.

This particular method has resulted in various instances of intimate partner surveillance. IS*, a Twitter user who spoke on the condition of anonymity, shared that a relative of hers divorced his wife after conducting extensive surveillance on her mobile communication with various men – the data he got access to by using his contacts in the telecom company she was subscribing to. She also added that until 2020 she has used her contacts in telecom companies’ customer support to extract information on men who would not stop texting her. “Multiple times guys/stalkers got [my] information from their friends who worked at phone companies. Couple times, I got [information from a friend who worked in the telecom company] about men who won’t stop texting [me] to threaten them that I have information about them and they will suffer consequences if they don’t stop,” she said in a Twitter message.

Similar instances where an employee of the company has leaked information or data through unauthorised access to the system have emerged in other companies as well. In August 2019, a night vision CCTV camera footage from a cinema in Lahore was leaked where couples were seen engaging in sexual activities.20 The footage went viral on the internet after it was leaked through unauthorised access to the system by an employee of the cinema. The couples in the video were identified by people who later harassed them. This harassment, which was faced by both parties involved, could have led to more damage for women who could potentially face violence for, a) being in a cinema with a man if they were not married, and b) for dishonouring family by doing activities that are considered immoral in Pakistani society.

Likewise, CCTV camera footage from a private hospital in Lahore was leaked and uploaded on Youtube in the same year where a patient in the Intensive Care Unit (ICU) could be seen engaging in sexual activities with a woman. The video that has now been deleted from YouTube, was also leaked through unauthorised access, potentially by a hospital staff member.

These are only a few of the reported incidents of unauthorised access from security cameras controlled by private entities. Whereas, such breach of privacy has also been seen in government institutions and law enforcement agencies.

In January 2019, screengrabs taken from CCTV cameras installed in Lahore as part of the Punjab Safe Cities Authority (PSCA) initiative under the Punjab Police, were leaked on social media where passengers’ faces and car’s number plates are clearly visible.21 The drivers and passengers who were women were identified through the number plate and were harassed by various people. When the images first surfaced, they were assumed to be extracted from the Islamabad Safe City project footage. At the time, Safe City SP Hassam Iqbal said that the project in Islamabad works under strict security guidelines to avoid such incidents. He told Dawn,22 “Downloading snaps and videos is also restricted and only authorised officials may do so after providing their login and password.”

Even though the photos were later found to be from Lahore Safe Cities project, Iqbal’s comment is an indication that such incidents cannot be avoided even in the presence of security guidelines in place specifically to avoid these events. Breaching the privacy of authorised persons to access this database is easy, especially when individuals pay little to no attention to their digital security. As a result, individuals with no knowledge that they are being recorded at any given point bear the brunt of this violation.

Cases like these are not rare where government authorities project disregard for people’s privacy. NADRA’s database, which used to be the largest biometric database in the world23 until India’s Adhaar took over, had been breached, leaked, accessed with authority, shared without citizens’ consent or information and has been subjected to various instances of hacking. A Digital Rights Foundation survey of these instances from 2017 found that there have been multiple events of mismanagement of citizens’ biometric data stored and controlled by NADRA, with no accountability.24 Time and again, these instances have continued to happen with no expressed intention to deploy stringent security mechanisms to protect this data.25 In May 2018, TechJuice reported that after NADRA granted access to its database to Punjab IT Board (PITB), owing to a bug in its servers, the data of millions of Pakistanis was dumped in plain text for anyone to access on the internet, leading to many suspicious websites hosting sensitive information as sensitive as home address of citizens available to be searched anytime.26

These particular instances have a direct gendered impact that can significantly and negatively impact women and gender minorities had someone gotten access to these websites or data stored on them. It is imperative to mention here that there exists an appetite for this information within the general public that arises from their innate want to surveil on women around them, and/or to breach their privacy in the name of their protection. For instance, the author of this paper, after speaking at a television show about the lack of privacy and data protection protocols in Pakistan where she mentioned the aforementioned websites, when went off-camera, the crew member enquired about the URL of the website so he could check information of his friends. Similarly, countless videos with thousands of views exist on YouTube that supposedly explain how the call history of any mobile number can be extracted by downloading an app; all of these videos imply surveillance on girlfriend or wife and are targeted for viewership towards men.

A screenshot from a video on YouTube with 191,000 views

The existence of a large amount of these videos on YouTube, with explained methods being fake or not, points towards the popularity of the intention to surveil women through their digital data. To an extent, the data, if accessible, would most likely be extracted through various mediums of authorised access and availability of CNIC and mobile data on the aforementioned websites. The implications of such data out in the open could not just be a violation of the right to privacy, but could be life threatening for women at the hands of a jealous or abusive man around them.

COVID-19, Gender and Privacy in Pakistan

The spread of COVID-19 has brought forth many inequalities, including structural, political, social and economic disparities when it comes to access to all kinds of human rights. Since March 2020 when Pakistan went into lockdown, the already severe societal inequalities were exacerbated with little to no recourse available to the affected. As with all forms of discriminations, this had a direct gendered tone as well. Where COVID-19 impacted everyone across the spectrum, women and gendered minorities remained more affected, particularly in the Pakistani society. Along with workplace layoffs, education, access to healthcare,27 and access to communication, women were subjected to constant surveillance within their homes as a result of their restricted mobility and that of their male partners or other family members. Arooj Aurangzeb, in the Digital Rights Monitor, narrates the experience of Shazina, a young student from a conservative village in Sindh, as she interviews her on call for the article. She writes, “The call was short, in secrecy, interrupted by bad signals, and it ended when she was signalled by her younger sister on the look-out, that her mother might be approaching. This is reflective of how a lot of women end up conducting conversations on their phones, with look-outs in place due to the complete lack of privacy.”

Constant surveillance on women’s communication increased during the COVID-19 lockdown when men and women were at home during the lockdown, which led to increased cases of domestic violence in the country. According to DW, government officials reported a 25 percent increase in domestic violence cases during the lockdown.28

While domestic violence was prevalent, anecdotes suggest that women were barred from answering their phone and using the internet for communication and entertainment, whereas, as they were forbidden to leave their house, access to mobile credit was also limited. This led to further suffocation within homes. Women Disconnected: Feminist Case Studies on the Gender Digital Divide Amidst COVID-19, a research study by Media Matters for Democracy, published in January 2021, explored how working class women accessed and experienced the internet. The research found that 6 in 10 women who were surveyed faced restrictions from families in accessing the internet, whereas, 1 in 10 women had to share their account details and usage with men in the family.29

The surveillance in Pakistan is normalised from the state level to individual level, with laws legitimising it through the years. The violation of privacy of citizens is done under the garb of national security, and under the pretense of protecting the citizens while disregarding their rights. This is also done within homes, when the abuser or the violator of privacy used ‘safety’ or ‘concern’ for the victim as their reason for surveillance and subsequent abuse.

Specifically during COVID-19 pandemic in Pakistan, the government took proactive technological measures to control the spread of the virus in the country. For instance, a contact tracing mechanism was set up that located the infected person’s geolocation collected through their mobile phone data, and alerted people who came in close contact with the sick person in the last 7 days asking them to isolate themselves. According to the official definition, any person who has come in close contact with the infected person for more than 15 minutes within 1 meter radius is considered high-risk for contracting the virus.30 The health departments, through GPS data of the infected person’s mobile phone, traced people – an approach that was first employed in South Korea to contain the spread of the virus.

This was not the only approach that was witnessed in Pakistan to control COVID-19 in Pakistan. Prime Minister Imran Khan, in a fundraiser telethon for government’s COVID-19 relief fund in April 2020, said, “The ISI has given us a great system for track and trace,” adding, “It was originally used against terrorism, but now it is has come in useful against coronavirus.” Khan further said, “Track and trace is the best way [to combat the virus] and … this is the only way if you want to restart your businesses.”31

The technology that Khan said the government was using at the time to mitigate rising COVID-19 cases in the country has previously been used, as Khan expressed, to trace terrorists, and the same approach was now being employed to track the patients. While it is argued that the healthcare crisis demanded extreme measures to be employed, however, it is pertinent to mention that with the lack of transparency that was shown in implementing an intrusive surveillance system that was once used to identify criminals and also to incriminate dissenting voices in the country, the data of millions of Pakistanis could be at risk of abuse. All of the technological measures that the government of Pakistan employed to control the pandemic in the country followed a pattern of non-transparency, did not define the scope of the usage of the data that was being collected, the time frame the data was being collected for, retention period of the collected data, and the security protocols to protect the collected data. Seemingly, this may not matter especially in the context of and in times of global healthcare emergency, but in the short and long term, the implications of the breach of security of this data can lead to severe damage to individuals whose data, and in extension their privacy, would be compromised.

In all of the instances of security breaches, gendered implications could be severe. And the security considerations and protocols, however limited they may be, do not take special measures to protect gendered identity and data of gendered individuals. This disregard is then also reflected in policy making when any law that pertains to privacy and security of people’s digital data does not consider gender as a primary qualifier rather than an afterthought during the implementation process.

Considerations in the Legal Framework

Online and offline privacy cannot be separated in Pakistan as they are intricately related, and one impacts the other. The same way, the trends and policies that protect, or fail to protect, people’s privacy offline set a precedent for those online. And even though Article 14: Right to Privacy of Home, etc. of the Constitution of Pakistan has been interpreted in the context of online privacy in multiple cases since the 1990s,32 online privacy continues to be challenged through policies that use ambiguous language and terms to legitimise its violation. And while the demand of privacy is often challenged by the popular cultural notion of linking it with having to hide something, these archaic beliefs do not account for the fact that just like it is innate to lock the door when entering the house to protect one’s property, it is also intrinsic to expect people to exercise the same privacy and expect security on the internet that stores their digital property.

Once breached, this intrusion of privacy has very different ramifications for different people. A Media Matters for Democracy report titled, The Internet As We See It: Gendered Perceptions from Pakistan, published in August 2019, finds that while men were concerned about online privacy invasion by private companies and through state surveillance, for women, this invasion of privacy differed. The research states, “Women mentioned the use of pictures, where photos of themselves they posted online could be morphed into different images. They also mentioned how pictures they posted online were also used to solicit marriage proposals by “rishta aunties” which they felt was an invasion of their privacy and space online.”33

Experiences of online spaces and invasion of privacy on these platforms drastically vary for men and women in Pakistan. An intersectional view into this depicts that it further varies with sexual and gender orientations, socio-economic class and political views. Analysing experiences of those who identify as women on Pakistani internet reveals that women react differently to situations, and where one woman might fight back against the violation of her privacy through legal routes, another woman might choose to self-censor or leave the internet altogether.

However, in the process of lawmaking, the gendered implications of violation of privacy and the gendered implications of a law that fails to protect privacy fail to be considered. As a result, a policy is passed that is used for political incrimination of dissenters instead of granting fundamental rights to the citizens.

This is particularly evident in case the Prevention of Electronic Crimes Act (PECA), 2016 that, although was passed in the name of protecting daughters of the nation,34 as claimed by the then-Minister of IT, Anusha Rehman, however, the law has been used to curtail civil liberties in the country as soon as it was passed. The inefficiency of the law, and that of the law enforcement authorities, is evident by the number of cases that were resolved under PECA. As of January 2021, the Federal Investigation Agency (FIA), the authority tasked to handle cyber crimes related cases under PECA solved 616 cases out of the 135,000 complaints that it received since August 2016.35 Whereas, official stats of FIA, acquired for this policy brief, under section 21 of PECA that deals with offences against modesty of natural person, which includes instances of non-consensual use of intimate images, morphing of photos and videos, and generally anything that could damage the reputation of a person through electronic means, suggests that since 2017, the authority registered a total of  5,781 enquiries, however, only 622 arrests were made. The backlog of FIA in cases that require gender sensitivity and are also time sensitive is enormous. Lack of resources and inadequate training on implementation of the law and gender sensitisation remain only some of the reasons that FIA has to deal with while handling cases of cybercrimes of gendered nature.

Additionally, it is also crucial to acknowledge that while  the law was passed hastily after the murder of Qandeel Baloch whose privacy was violated when her passport was plastered on national television and across the internet, the law has done very little to protect the privacy of women, or anyone else for that matter. For instance, PECA mandates service providers to retain data of subscribers for up to one year, however, it fails to outline the data protection protocols, essentially putting the sensitive communication data of 220 million Pakistan at the risk of being breached. The law, however, looks seemingly progressive when it comes to criminalising gender-related crimes on the internet, it falls short in implementation revealing that the process of policy making did not regard societal and structural inequalities while drafting the regulation.

For example, women who turned to the FIA to seek legal recourse were met with victim blaming, and were also later harassed by the investigation officers assigned to their case who got access to their contact information from the case files, eventually forcing women to withdraw their complaint. In contrast, there have been events like the one in September 2020,36 when even though the perpetrator was in prison for harassing a girl, his friends continued to harass her for having him arrested. And in the absence of any help from FIA, the girl died by suicide, In other cases, the authority has refused to help the survivor of online abuse.37

This is a result of negligence in considering how the law will be implemented, who will implement it, how will the marginalised and oppressed individuals and communities of the country be impacted, and whether there is anything that could be done at the drafting phase to avoid shortcomings of the law that is being passed. The PECA, also known as the cybercrime law, failed to acknowledge this. However, a similar trend is seen when it comes to the Personal Data Protection Bill (PDPB) which will reportedly be passed soon. The PDPB pertains to protecting Pakistani citizens’ data stored on the servers of service providers, and is proposed by the Ministry of Information Technology and Telecommunication (MoITT) to “govern the collection, processing, use and disclosure of personal data and to establish and making provisions about offenses relating to violation of the right to data privacy of individuals by collecting, obtaining or processing of personal data by any means.”

Termed as draconian and anti-democratic by civil society organisations like Media Matters for Democracy, the bill seems to be an attempt of the government to control citizens’ data instead of protecting it.38 Amidst its many problematic sections that the civil society has highlighted and submitted recommendations39 to MoITT for rectification on, the bill and all of the commentary around it has failed to consider impact on women and gender minorities in the country. The experiences and implications of violation of privacy and lack of data protection differs in gendered context. A data breach of a period tracking app,40 or that of the ride hailing app,41 or easy accessibility of women’s data stored on food delivery app’s servers,42 or that on the social media website, all impact women differently and drastically, and laws protecting this data need to be cognisant of such intricacies as a primary concern during policy making.

This lack of consideration for rights for women is, however, not unique to Pakistan, in fact, global commentary around data protection generalises everyone and assumes their experiences of violations of privacy and need for protection to be one and the same. The then policy officer of Web Foundation, Ana Brandusescu, in February 2018 wrote a blog post43 highlighting how the conversation during a conference on data protection missed a very important point. She wrote, “Notably absent from these conversations, however, was a theme critical to each of these issues: gender,” adding, Though the link between these topics and gender might not appear obvious at first glance, gender plays a significant role in the design and implementation of technology, online privacy, and data protection. In turn, how technology is deployed, how online privacy is protected, and how data is collected and used all impact women differently than men.”


Based on the in-depth analysis of the situation around right to privacy and its direct relevance with gender rights in the context of data protection, it is important to acknowledge that policy making in Pakistan needs to be more inclusive. Following are some of the recommendations that build on the research and commentary conducted for this policy brief:

  1. As established in the paper through thorough review of the situation of privacy and its relation with gender in Pakistan, it becomes unavoidable to give the right to privacy from a gendered lens a primary consideration within policy making for data protection of citizens in the country. It is also crucial to acknowledge, on the policy level, that any kind of violation of the right to privacy impacts women and gender minorities differently than it does men. Acknowledgment is the first step towards action.
  2. While drafting policies that will impact the masses, lawmakers must exhibit acceptance of women’s concerns in the conversation who make up half of the population in the country, and instead of a panel of men doing the most and major part of the drafting, women who understand the intricacies of right to privacy and data protection and their impact from gendered perspective should be tasked to assist and draft gender sensitive policies around data protection.
  3. While women policy makers must be given integral positions on the legislation drafting table, civil society and grassroots organisations, representatives and gender rights activists should be made active part of the process in order to ensure an inclusive policy is formed.
  4. It is imperative to account for the international conversation on digital privacy and data protection from gendered lens along with analysing local situations on the same, and adopt regulations based on international best practices in the local context. Policy makers, while drafting data protection law, must take into account that protecting the data should be the priority rather than controlling the data, when gender rights to privacy remain a sensitive conversation in the country.
  5. It would be in the best interest of women and gender minorities in the country to have an exclusive section pertaining to their rights and protection of their data in the law to rule out any and every confusion in the implementation process. Various precedents have been set now based on the preexisting regulations that identify where the policy lacks when it comes to women’s protection on the internet and that of their data. These incidents should be taken as learning opportunities to draft better legislation that unconditionally protect the interests of the oppressed in the country.
  6. Lawmakers should remain mindful of the impact of any policy that they draft and approve. This impact becomes evident during the implementation phase when law enforcement authorities and regulators are applying the law. At this point, rigorous training of law enforcement departments on the application of law must be mandatory in order to effectively implement the new policy.
  7. In addition to the training on implementation of the data protection law, law enforcement authorities should also be given a thorough training to right to privacy, the cultural connotations to it, and gender sensitisation training which should also be mandatory for all officers enrolled in the authority.
  8. Data protection laws are different in nature than the ones that deal with cybercrimes which directly pertain to the users of the internet. Whereas, data protection laws deal with the protection of information stored on the servers of the data controllers. In such a case, it becomes important to explore how any breach of data, and various natures of breaches of data, may impact gender rights in the country and what consequences they might have. In light of these considerations, the law and its implementation must be mindful of the accountability of data breaches from gendered lenses.
  9. Existing laws that deal with privacy on the internet in any shape or form must be amended to include gender considerations and protections, particularly the Prevention of Electronic Crimes Act (PECA), 2016, which has time and again proved to have failed to protect the privacy of the victims of online gender based violence when it is implemented through the law enforcement authority.
  10. Time sensitivity is crucial in cases of data protection failures. And the law must be mindful of the time it outlines for the data controllers and processors to protect the breached data, and highlight the impact on gendered data that was affected. This will help the researchers to analyse the gendered impact of any data breach, and also for the law to strengthen protections to the individuals impacted.
  11. The discussion of protection of gender rights and privacy through digital data must be a topic of discussion on the floor of the parliament where legislative matters are discussed. Parliamentarians must be encouraged to highlight gender rights on the internet regularly so as to make it a primary consideration in lawmaking.
  12. Protection of government controlled data, which remains one of the most sensitive forms of data and has been subjected to significant breaches, be made particularly strong through policy intervention through the proposed data protection law.
  13. The number of authorised personnel to access data within government controlled and privately controlled servers must be limited, and a directory of these personnel be kept to ensure accountability in events of unauthorised access and breach. They must be given training in digital security, and be penalised, not criminalised, for negligence in protecting the access that they have been granted.
  14. The law should set a stringent mechanism of accountability on private corporations and government departments in cases of data breaches. These accountability measures must be kept transparent, and a report must be issued afterwards. The negligence in protection of this data must be penalised instead of being criminalised.
  15. Continuous updating on security protocols of servers be mandated under law keeping in mind that technology is constantly evolving, and what is the best security practice right now might become weak as technology and its security protocols advance with time.
  16. Transparency be ensured in implementation of the law.

Civil society organisations have been raising alarms regarding the implications of a draconian, weak and ambiguous data protection regulation since the bill was proposed in 2017. It is crucial to take their recommendations and concerns into consideration and pass a legislation that unconditionally protects citizen’s sensitive data instead of putting it at risk of being controlled against them or be breached and used against them.

1  Freedom of Information request by Muckrock to NSA to request access to the copy of Untangling the Web, (September 2013),

2  Winder, R., & Speight, C. (2007). Untangling the web: a guide to internet research. Center for Digital Content, National Security Agency.

3  Gault, M. (May 2021). This Is the NSA’s 650-Page Guide to the Internet. VICE.

4  Endpoint Protector. (n.d.). GDPR Compliance: The Most In-Depth Guide – Endpoint Protector.

5  BBC News. (2021, January 7). WhatsApp and Facebook to share users’ data outside Europe and UK.

6  The Verge. (2021, May 7). WhatsApp relaxes deadline for accepting its new privacy policy.

7  BBC News. (2021, January 7). WhatsApp and Facebook to share users’ data outside Europe and UK.

8  Botteghi, E. (May 4, 2021). I’m a trans parent – I can’t travel freely with my children. Thomas Reuters Foundation.

9  Aurangzeb, A. (September 4, 2020). For women, access to the internet is more than simply having a device. Digital Rights Monitor.

10  Wikipedia contributors. (May 2, 2021). Honour killing in Pakistan. Wikipedia.

11  Khan, R. S. (January 8, 2013). Murders in Paradise. DAWN.COM.

12  Hashim, A. (March 26, 2019). How a Pakistani whistle-blower was killed for ‘honour.’ Gender Equity | Al Jazeera.

13  Tribune. (September 5, 2019). Three sentenced in infamous Kohistan wedding video case. The Express Tribune.

14  Wikipedia contributors. (2021b, May 8). Qandeel Baloch. Wikipedia.

15  Gabol, I., & Subhani, T. (July 23, 2016). Qandeel Baloch murdered by brother in Multan: police. DAWN.COM.

16  Aurangzeb, A. (September 4, 2020). For women, access to the internet is more than simply having a device. Digital Rights Monitor.

17  Pakistan Telecommunication Authority. (2021, March). Telecom Indicators. PTA.

18  Zakir, H. (2020, April 10). 115 Million Pakistani Mobile Users Data Go on Sale on Dark Web, claims cybersec company. TechJuice.

19  Khan, I. A. (2020, April 12). FIA asked to probe ‘data breach of 115m mobile users.’ DAWN.COM.

20  Bhatti, S. R. (2019, September 1). Outrage after Lahore cinema releases CCTV footage of dating couples | SAMAA. Samaa TV.

21  Pictures allegedly taken from Safe City cameras stir controversy. (2019, January 22). Digital Rights Monitor.

22  Azeem, M. (2019, January 27). Leaked Safe City images spark concern among citizens. DAWN.COM.

23  Digital Persona. (2016, December 9). Pakistan Has World’s Largest Biometric Citizen Database.

24  Lack of Accountability in NADRA (June 2017). Digital Rights Foundation.

25  Digital Rights Foundation. (2018, October 3). DRF condemns yet another breach of NADRA database and demands strong data protection legislation.

26  Baig, A. (2019, August 29). A privacy nightmare: rogue website publicises mobile subscribers & CNIC data in Pakistan. Digital Rights Monitor.

27  Global Gender Gap Report 2021. (2021). World Economic Forum.

28  Deutsche Welle ( (2020, July 9). Women trapped between coronavirus and domestic violence. DW.COM.

29  Kamran, H., Rehman, Z., & Khan, Z. B. (2021, January). Women Disconnected: Feminist Case Studies on the Gender Digital Divide Amidst COVID-19. Media Matters for Democracy.

30  The Diplomat. (2021, April 17). Inside Pakistan’s COVID-19 Contact Tracing.

31  Hashim, A. (2020, April 24). Pakistan using intelligence services to track coronavirus cases. Coronavirus Pandemic News | Al Jazeera.

32  Pakistani courts upholding citizens’ right to privacy online. (January 28, 2021). Media Matters for Democracy, Twitter.

33  Ghani, A., & Khan, S. (2019, August). The Internet As We See It: Gendered Perceptions from Pakistan. Media Matters for Democracy.

34  Dad, N., & Khan, S. (2017, December 10). Naila Rind killed herself because Pakistan’s cybercrime laws failed her. DAWN.COM.

35  FIA’s cybercrime wing received over 135,000 complaints, resolved 616. (2021, January 31). Digital Rights Monitor.

36  Girl commits suicide after threats over harassment case. (2020, September 26). The News International.

37  Kamran, H., & Ahmad, M. (2021, May 8). Pakistan’s revenge porn law is stronger than most. For one woman, that made no difference. Rest of World.

38  Media Matters for Democracy expresses concerns over the new draft of data protection law; warns it will create a dangerous precedent. (2020, April 22). Media Matters for Democracy.

39  Personal Data Protection Bill: Concerns, Comments and Recommendations. (2020, July). Media Matters for Democracy.

40  Khan, S. (2020, April 28). Data bleeding everywhere: a story of period trackers. Deep Dives.

41 (2018, April 23). Careem users’ personal data compromised in massive data breach.

42  Exclusive: How safe is your ‘private’ information stored in the databases of private food delivery chains and call centers? Digital Rights Monitor investigates. (2017, November 16). Digital Rights Monitor.

43  Brandusescu, A. (2018, February 14). Gender must be central to the data protection conversation, not a side note. World Wide Web Foundation.