Recently, the Federal Cabinet led by Prime Minister Imran Khan approved Pakistan’s pioneering e-Commerce Policy Framework. The document comes after a hiatus of three years due to various systemic delays and perhaps because of a tumultous and uncertain political environment.

The transmission of commercial data through virtual payment gateways, national authentication protocols and certification standards is essential so that data of industries, SMEs and consumers can be shielded from malicious actors, even those that may be operating at the behest of certain nation states.

Source: aekpani.net

Issue

Electronic data, especially personally-identifiable information, is presently unguarded not only outside Pakistan’s geographic territories but within as well. There are overlapping mandates assigned on adhoc basis to different law enforcement agencies which have any modestly-staffed technical workforce.

Laws such as ETO (2002), Payment Systems and Electronic Fund Transfers Act (2007) and PECA (2016) cited as legislative foundations for e-Commerce Policy Framework have become obsolete. This fact has also been acknowledged in the document as follows:-

The Existing laws give legal recognition to online transactions, documents and e-Signatures and cater for essentials of e-Commerce. However, the said laws will have to be amended from time to time to keep pace with new developments as new and innovative e-Businesses evolve. Apart from laws and regulations specific to online/electronic transactions and businesses, other general laws of Pakistan, including IP laws, are applicable to e-Commerce businesses just like any other form of business. Moreover, there are laws specific to particular sectors and industries which are also applicable to online businesses.” (pg 12)

After all, if the objective is to provide national-level support by encouraging SMEs to sell their products online, the data protection of all concerned stakeholders (manufacturer, transactional intermediary and end-user) should be the number one legislative priority.

The document acknowledges that laws related to data protection “can only be found in fragments under different legislations[…]Regions such as EU do not allow their enterprises to transact with companies of such countries which do not offer same level of data protection which is available under the EU Regulations [sic]” (pg 25).

The State Bank of Pakistan (SBP) frequently issues policy guidelines including some related to online data security but these are simply advisories and do not enforce any regulatory and accountability mechanisms upon the intermediaries which actually manage the flow of commerce.

The Ministry of Commerce intends to constitute a National e-Commerce Council which might may one day further propose the establishment of a dedicated National e-Commerce Authority (NECA). It is rightly pointed out, however, that lawmakers will first need to approve the passage of Personal Data Protection (PDP) Bill, drafted by the federal Ministry of IT & Telecom (MoITT).

As Pakistan does not have a cyber security strategy or a nodal agency for data protection of citizens, immediate priority should be given to the establishment of a ‘Data Security Forum‘ within the proposed e-Commerce Council with representation of cyber experts from federal law enforcement agencies, primarily the FIA.

The onus of responsibility cannot be placed upon SBP alone; registered companies based within or operating inside Pakistan must conform with data security protocols. This is where another critical issue of Data Localisation arises.

Will e-Commerce companies operating from outside the territory of Pakistan agree to host their servers inland for data security audits by relevant authorities?

Realistically speaking, data localisation is at present too good a dream for Pakistan to achieve. The state’s purported ‘dismal‘ track record in respect of digital rights, privacy and surveillance including freedom of speech does not help in alleviating concerns by domestic and international observers.

So who will oversee this aspect, and how?

Recommendations

As an immediate solution, the state can condition the licensing of any e-Commerce company operating in Pakistan with the dedicated employment of an internationally-certified Chief Information Security Officer (CISO); not some regular IT system administrator or network support engineer. These CISOs will be responsible for coordinating with cyber experts in the National e-Commerce Council and share monthly compliance reports.

In addition, foreign-based e-Commerce giants operating domestically should appoint a Point-of-Contact with the Government of Pakistan, sort of like a Country Representative but who will be assisted by a CISO of national origin.

If the establishment of NECA is approved in the long term, it should maintain an internal department responsible for data protection of associated commercial entitities.

However, these modalities will be unnecessary if the incumbent or future federal government sets up a dedicated national-level cyber authority with sectoral-level CERTs to represent Commerce, Industry and Textiles.

Conclusion

Despite appreciation for the efforts behind passage of e-Commerce Policy Framework, measures to address core concerns on data security are unclear.

It would have been better if the Prime Minister had constituted an e-Commerce Task Force with adequate representation from MoITT.

The existing policy framework is, at best, the product of isolated effort.