The Federal Board of Revenue (FBR) is facing a significant investigation ordered by the Federal Tax Ombudsman (FTO) over its controversial move to force businesses to adopt an online integration system through SRO 428, which links retail outlets and other businesses to the FBR’s e-computerized system. The investigation also addresses serious discrepancies in data protection and the privacy violations arising from the use of third-party private companies for the integration process.
The complaint, lodged by a Lahore-based taxpayer via Advocate Waheed Shahbaz Butt, claims that FBR’s actions not only burdened taxpayers with excessive costs but also jeopardized the privacy of taxpayers’ sensitive data. According to the complaint, FBR’s forced integration of businesses with its e-invoicing and Point-of-Sale (POS) systems has been carried out with little transparency and oversight, raising alarms about data security and compliance with Pakistan’s privacy laws.
FBR’s Data Protection Failures: A Digital Tech Nightmare
One of the core concerns in the complaint is the handling of taxpayer data by private companies selected by FBR to manage the online integration process. The complainant argues that under the current setup, private firms—acting as POS integrators—are granted access to vast amounts of sensitive fiscal information without sufficient legal safeguards or data protection mechanisms.
This issue takes on added significance in light of Pakistan’s privacy laws, particularly Section 216, which mandates the protection of taxpayer data. The complainant further refers to a Supreme Court ruling (PLD 2021 SC1) that clearly outlines disciplinary action against tax officials who contravene these protections. The ruling highlights the inappropriate sharing of data with third parties and calls for strict enforcement of privacy protocols.
“How can a private company hold and use taxpayer data without clear legal authority or oversight?” questioned Advocate Waheed Shahbaz Butt, raising a significant point about the lack of transparency in the selection of third-party integrators and the absence of clear data handling procedures. He added that taxpayers were left in the dark about the specifics of the data flow and protection measures when their personal and business information was handed over to private entities.
FBR’s Digital Push: A Double-Edged Sword
The government’s e-invoicing initiative, intended to digitally integrate businesses with the tax system, has been one of the cornerstones of FBR’s digitization efforts. However, while the online integration process promises benefits like increased tax collection efficiency and improved compliance, it also raises important questions about digital infrastructure and data governance.
At the heart of the issue is the fact that FBR has entrusted private companies with the responsibility of integrating businesses into the e-invoicing system, including the handling of sensitive fiscal data through Point-of-Sale (POS) technology. This shift towards relying on private integrators rather than a fully public-sector-driven system has led to concerns related to monopolistic control by a handful of private companies, lack of transparency in the selection process for these companies, and, most importantly, data security and privacy breaches, especially considering the absence of clear data-sharing protocols and accountability measures.
Advocate Butt also pointed out the exorbitant costs businesses are forced to bear when adopting these online solutions, adding further stress to an already burdensome tax compliance process. The financial strain on small and medium-sized enterprises (SMEs) has been particularly harsh, making the initiative more about cost recovery for integrators than about actual tax reform.
New Developments: More Private Companies, Same Concerns
Despite the ongoing investigation, FBR has proceeded with the licensing of additional private firms to expand its digital tax infrastructure. Two new companies have been granted the license to integrate businesses into FBR’s electronic invoicing system, with Pakistan Revenue Automation Limited (PRAL) continuing to offer free POS integration services. The total number of private companies now stands at four along with PRAL.
While these developments indicate that FBR is pushing forward with its goal of widespread digital integration, they also raise critical data protection concerns. The integration of multiple third-party companies could result in fragmented systems, leading to more opportunities for data leaks and privacy violations.
The Need for Stronger Safeguards and Clearer Regulations
This case highlights the need for robust regulatory frameworks to govern the integration of private companies into national tax systems. Without clear rules governing data access, privacy, and security, businesses will continue to face serious risks when handing over sensitive information to these third parties.
The FTO’s investigation into the data protection discrepancies and forced POS integration has the potential to reshape the way FBR implements its digital reforms. Taxpayers and stakeholders have raised several concerning questions like:
- What legal authority allows the FBR to delegate taxpayer data to private companies?
- What guarantees exist to protect against data breaches and privacy violations, and how will FBR handle the matter if a business’s data is breached ?
- How can FBR ensure a level playing field and eliminate the perception of favoritism in the selection of private partners?
If the FTO’s investigation finds that FBR has failed to meet its legal obligations regarding data protection, it could lead to significant policy changes and new regulations to ensure that taxpayer data is handled securely and in compliance with privacy laws.
A Better Alternative for FBR: Developing a Self-Managed E-Invoicing System
Instead of outsourcing the responsibility of integrating businesses into the e-invoicing system to private companies, the FBR could have taken a more secure and efficient approach by developing its own in-house digital e-invoicing system. This system could have been designed in such a way that businesses could integrate it directly, without needing to share sensitive data with third-party companies. This would not only eliminate privacy concerns but also reduce reliance on external firms.
A successful precedent for this approach is the Device Identification, Registration, and Blocking System (DIRBS) developed by Smart Forum (formerly CACF) for Pakistan Telecommunication Authority (PTA). The DIRBS system, which was designed and implemented by Smart Forum, is now fully managed by the PTA, ensuring data security and self-sufficiency in managing the device registration process without involving private companies.
The Future of Digital Taxation in Pakistan
While the digitization of Pakistan’s tax system promises benefits like streamlined compliance, increased efficiency, and enhanced transparency, this case serves as a cautionary tale about the need for comprehensive data protection measures and accountability in the implementation of digital initiatives.
As the investigation continues, taxpayers and business owners are left waiting for clarity on whether the FBR’s ambitious push for digital tax reform will also lead to a re-evaluation of the role of private firms in managing sensitive government data. The outcome will likely have wide-reaching implications for how digital tax systems are deployed across Pakistan—and how taxpayer privacy is safeguarded in the digital age.
