Data protection legislation


The ride-hailing app Careem recently announced the staggering numbers of users and captains whose private data was compromised in a breach. The company took a couple of months to make this public and this lack of accountability is even more worrying. Sadly, there has been little public debate on this sensitive issue.
We believe that the issue of user data privacy and the magnitude of the problem have been downplayed by the company. Not to mention that Careem wasn’t exactly forthcoming in its carefully crafted statement, which was more of a public relations exercise.
It is estimated that the data of over 14 million users, who reside in various countries where Careem operates (including UAE, Turkey and Pakistan), and of half a million of its captains was stolen in the breach. Some have even suggested we shouldn’t be worried because, even though there are no clear data protection laws in the country, Careem has to comply with the ones in Gulf countries and therefore we must be safe as well. Such a notion should be dispelled, and we shouldn’t have to take the company’s word for it.
While no technology company is completely immune to data breaches, there is a need for a wider debate on data protection and audit for any such hacks. Tech companies like Careem need to be more transparent with their customers, especially when the private information of users is involved.
There is a critical need for legislation on data protection and mandatory audits of such breaches. We understand that over-regulation kills creativity and would advise against regressive steps, taken in the name of accountability, that hinder the growth of the fledgling tech ecosystem in the country.
The state and regulating authorities have to come up with a system where they facilitate tech ventures while ensuring transparency and accountability for users’ data. The starting point for this is the data protection legislation. And it has to be unambiguous, unlike the recently enacted cybercrime law.
It is a pity that our media and parliamentarians are so occupied with the political engineering underway that vital issues of public interest have been sidelined. It is time for the numerous civil society organizations to prepare a legislative framework so that the next parliament can enact a robust law. In the meantime, the relevant authorities should issue the necessary directives to regulate this issue. Privacy is a basic right and it is time to enforce it.