Pakistan - Data Protection Overview
July 2024
1. Governing Texts
Pakistan does not have any extensive data protection legislation in place that specifically regulates matters in connection with the processing of personal data. The Prevention of Electronic Crimes Act, 2016 (PECA) is currently the primary legislation that provides a legal framework in relation to various kinds of electronic crimes and also extends to unauthorized access to personal data.
The Ministry of Information Technology and Telecommunications (MOITT) has further promulgated the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules 2021 (Unlawful Online Content Rules), under Section 37 of PECA. Section 37 of PECA provides that the Pakistan Telecommunication Authority (PTA) will have the power to remove, block, or issue directions for the removal or blocking of access to information through any information system if it considers it necessary in relation to, inter alia, incitement of any offense under PECA. In addition to the above, MOITT has introduced the Personal Data Protection Bill 2023 (the Bill) for the Personal Data Protection Act, 2023 (the Act), which is yet to be promulgated into law. The Bill, once enacted, will be the main legislation regulating controllers and processors of personal data in Pakistan and will apply to any person who processes, has control over, or authorizes the processing of any personal data, provided that the data subject, data controller, or data processor (either local or foreign) is located in Pakistan.
1.1. Key acts, regulations, directives, bills
Bill
As mentioned above, the Bill, once enacted, will be the primary law pertaining to the protection of personal data in Pakistan. It will regulate the collection, processing, use, disclosure, and cross-border transfer of personal data. Furthermore, the Bill provides that personal data shall not be processed by a data controller unless the consent of the data subject has been obtained.
The Bill will come into force on a date, no later than two years from the date of its promulgation, that the Government of the Islamic Republic of Pakistan (the Government) may determine by notification in the Official Gazette, giving at least three months' advance notice of the effective date.
The Federal Cabinet approved the Bill in principle on the recommendation of MOITT. Unfortunately, there is no clear indication at this time as to when the Bill will be enacted.
Constitution
The Constitution of the Islamic Republic of Pakistan (the Constitution) provides for the fundamental right to privacy.
Under Article 14(1) of the Constitution, 'privacy of home' shall be inviolable. Such privacy, however, is subject to the laws of Pakistan. In the case of M. D. Tahir v. the Director, State Bank of Pakistan, Lahore, and 3 others [2004 CLD 1680] (the State Bank of Pakistan Case), the judgment by the High Court of Lahore stated that 'It can hardly be denied, that the taking of private information without any allegation of wrongdoing of ordinary people is an extraordinary invasion of this fundamental right of privacy.'
PECA
PECA is currently the primary legislation in respect of data protection in Pakistan and was promulgated on August 18, 2016. PECA aims to prevent unauthorized acts with respect to information systems and provides for related offenses, as well as mechanisms for their investigation, prosecution, trial, and international cooperation with respect thereof.
Unlawful Online Content Rules
The Unlawful Online Content Rules were promulgated under Section 37(2), read with Section 51, of PECA with immediate effect. Section 37 of PECA pertains to unlawful online content. Pursuant to the same, the PTA is empowered to remove or block, or issue directions for the removal or blocking of, access to information through any information system if it is considered necessary, inter alia, in relation to the commission of or incitement to an offense under PECA. Accordingly, the said rules primarily pertain to the removal and blocking of unlawful online content. It is pertinent to flag that neither PECA nor the rules define 'unlawful online content.' However, in view of Section 37 of PECA, it appears that any online content accessed or shared in contravention of the provisions of PECA would fall within the ambit of 'unlawful online content.' In addition to the foregoing, the Unlawful Online Content Rules also, inter alia, obligate a service provider, a social media company, and a significant social media company to publish community guidelines for access to or usage of any online information system. These guidelines are required to be easily accessible and, inter alia, to inform the user of the online information system not to host, display, upload, modify, publish, transmit, update, or share any online content that is in violation of local laws.
1.2. Guidelines
Currently, no guidelines have been issued pertaining to the protection of personal data.
The National Commission for Personal Data Protection (Commission) will be established within six months of the Bill coming into force. The Commission will be empowered to carry out the purposes of the Bill, once enacted, which includes the issuance of guidelines on the protection of personal data.
1.3. Case law
The State Bank of Pakistan Case (see the section on key acts, regulations, directives, and bills above).
2. Scope of Application
2.1. Personal scope
Bill
The Bill extends to data subjects who are natural persons present in Pakistan.
The scope of the Bill, when enacted, will apply to any person/government who processes, has control over, or authorizes the processing of any personal data, provided any of the data controllers, or processors are established/present in Pakistan. It will further extend to a controller or processor digitally or non-digitally operational in Pakistan but incorporated in any other jurisdiction and involved in commercial or non-commercial activity in Pakistan.
The Bill will also apply to the processing of personal data by a controller and processor not established in Pakistan, but in a place where Pakistani law applies by virtue of private and public international law. The scope of the Bill also encompasses situations where a data controller or data processor gathers personal data from a data subject within Pakistan's jurisdiction, including foreign data subjects who are physically present during the data collection process within Pakistan's borders. However, it is essential to note that in the case of foreign data subjects, this collection must align with the privacy laws of the country where the data controller is registered.
PECA
PECA applies to every citizen of Pakistan wherever they may be and to every other person for the time being in Pakistan. It also applies to any act committed outside Pakistan by any person if the act constitutes an offense under PECA and affects any person, property, information system, or data located in Pakistan.
Unlawful Online Content Rules
The Unlawful Online Content Rules apply only to those licensees who provide social media or social network services.
Please refer to the section on key definitions for how social media or social network services have been defined under the Unlawful Online Content Rules.
2.2. Territorial scope
Bill
The Bill, once promulgated, would apply to the whole of Pakistan.
PECA
PECA applies to the whole of Pakistan.
Unlawful Online Content Rules
The Unlawful Online Content Rules apply to the whole of Pakistan.
2.3. Material scope
As noted in the section on key acts, regulations, directives, and bills above, the Bill regulates the collection, use, and cross-border transfer of personal data.
Section 34(1) of the Bill provides that personal data processed by an individual only for the purposes of that individual's personal, family, or household affairs, including recreational purposes, shall be exempt from the provisions of the Bill.
Subject to the provisions of the Bill, Section 34(2) of the Bill provides the following exemptions:
- personal data processed for the following purposes shall be exempted from Sections 6, 7, 8, and 9(2) and such other related provisions of the Bill as may be prescribed by the Commission:
  - the prevention, detection, investigation, or prosecution of any criminal offense;
  - the apprehension or prosecution of offenders;
  - the enforcement of any legal right or claim;
  - the enforcement of any decree of a court or tribunal, or the performance of a judicial or quasi-judicial function; or
  - the assessment or collection of any tax or duty or any other imposition of a similar nature;
- personal data processed in relation to information on the physical or mental health of a data subject shall be exempted from Section 9(2) and other related provisions of the Bill where the application of those provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
- personal data processed for preparing statistics or carrying out research shall be exempted from Sections 6, 7, 8, and 9(2) and other related provisions of the Bill, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;
- personal data that is necessary for the purpose of or in connection with any order or judgment of a court shall be exempted from Sections 6, 7, 8, and 9(2) and other related provisions of the Bill;
- personal data processed for the purpose of discharging regulatory functions shall be exempted from Sections 6, 7, 8, and 9(2) and other related provisions of the Bill, if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or
- personal data processed only for journalistic, literary, or artistic purposes shall be exempted from Sections 6, 7, 8, 9, 10, 11, 12, and 16(1) and other related provisions of the Bill, provided that:
  - the processing is undertaken for publication; and
  - the data controller, on reasonable grounds, believes that, taking into account the special importance of the public interest in freedom of expression, the publication would be in the public interest;
- the processing of personal data in the interests of the security of the State, provided that such processing shall not be permitted unless it is authorized pursuant to an express authorization by the Government and in accordance with the procedure to be laid down by the Government in this regard;
- subject to Section 33, infrastructure providers whose infrastructure is used by the data controller and/or data processor, and who do not themselves process the data, may apply for exemptions as permitted under the Bill and the rules made thereunder; and
- the Commission may propose a time-bound exemption to the Federal Government if requested by a data controller or data processor, only in specific situations/use cases.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Bill provides for the establishment of the Commission within six months of the promulgation of the Bill into law, to carry out the purposes of the Bill once promulgated.
In addition, PECA provides for the establishment of an investigative agency for the purpose of investigating any complaints pertaining to any offenses under PECA. The Federal Investigative Agency (FIA) has been appointed by the Government as the investigative agency under PECA. Additionally, PECA provides that the PTA should act as the authority regulating certain rights protected under PECA.
The Unlawful Online Content Rules provide that the PTA, subject to the provisions of the rules, may on its own motion take cognizance of any online content and exercise its powers under PECA for the removal and blocking of such online content. The Unlawful Online Content Rules further empower the PTA to issue directions for the removal or blocking of access to online content. In addition, the rules obligate service providers, social media companies, and significant social media companies to provide the FIA with any information, data, content, or sub-content contained in any online information system owned, managed, or run by the respective service provider, social media company, or significant social media company, in a decrypted, readable, and comprehensible format or plain version of such information, in accordance with the provisions of PECA.
3.2. Main powers, duties and responsibilities
Bill
Functions of the Commission
Section 39 of the Bill states that the Commission shall be responsible for protecting the interest of the data subject and enforcing the protection of personal data, precluding any illegal activities, preventing any misuse of personal data, promoting awareness of data protection, and entertaining complaints under the Bill.
Other functions of the Commission identified under Section 39(2) of the Bill include:
- receiving and deciding complaints with regard to infringement of personal data protection including violation of any provision of the promulgated Act;
- examining various laws, rules, policies, by-laws, regulations, or instructions in relation to the protection of personal data, and suggesting amendments to bring the law in conformity with the provisions of the promulgated Act;
- taking steps to create public awareness about personal data protection rights, and filing complaints against infringement of these rights under the promulgated Act;
- engaging, supporting, guiding, facilitating training, and persuading data controllers and data processors to ensure the protection of personal data under the promulgated Act;
- ensuring that all its decisions are based on established principles to structure or minimize discretion and ensure transparency and accountability;
- monitoring and enforcing the application of the provisions of the promulgated Act;
- taking prompt and appropriate action in response to a data security breach in accordance with the provisions of the promulgated Act;
- monitoring cross-border transfers of personal data under the promulgated Act;
- monitoring technological developments and commercial practices that may affect the protection of personal data, promoting measures, and undertaking research for innovation in the field of protection of personal data;
- advising the Government and any other statutory authority on measures that must be undertaken to promote the protection of personal data and ensure consistency of application and enforcement of the promulgated Act; and
- for the compliance of obligations under the promulgated Act, seeking professional input from private or public entities.
The Commission will also have the function to make recommendations to the Government on policies with respect to personal data protection in line with international best practices and national requirements and to perform such other functions as the Government may, from time to time, assign to it. The Commission will also be entitled to seek professional input from private or public entities for the purposes of compliance with obligations under the promulgated Act.
Powers of the Commission
Section 40 of the Bill provides that the Commission shall have and exercise all powers as shall enable it to effectively perform its functions specified in Section 39 of the Bill (see above), including the powers to:
- decide a complaint or pass any order. For this purpose, the Commission shall be deemed to be a Civil Court and shall have the same powers as are vested in such a court under the Code of Civil Procedure, 1908;
- formulate, approve, and implement policies, procedures, and regulations for its internal administration, operations, human resource management, procurements, financial management, and partnerships;
- formulate a compliance framework for monitoring and enforcement in order to ensure transparency and accountability, subject to measures including but not limited to the following:
  - privacy;
  - transparency;
  - security safeguards;
  - personal data breach;
  - Data Protection Impact Assessment (DPIA);
  - record maintenance;
  - data audits;
  - responsibilities of the data protection officer (DPO);
  - processing by entities other than the data controller;
  - classification of the data controller;
  - a grievance redressal mechanism;
  - special permissions regarding biometric data;
  - cross-border data sharing;
  - adequacy framework for cross-border data flows; and
  - data portability and automated processing, including profiling; and
- identify big/large data controllers/processors, along with other categories, and define special measures for compliance in accordance with the provisions of the promulgated Act or rules and regulations;
- formulate a registration framework for data controllers and data processors under the promulgated Act or the Commission may impose additional requirements;
- take prompt and appropriate action in response to a data security breach in accordance with the provisions of the promulgated Act;
- powers of search and seizure while taking cognizance of the complaint;
- prescribe a schedule of costs and the mode of payment for filing a complaint, its format, and matters ancillary thereto;
- seek information from data controllers in respect of data processing and impose penalties for non-observance of data security practices and non-compliance with the provisions of the promulgated Act;
- prescribe increased penalties/fines after every three years if deemed appropriate;
- order a data controller to take such reasonable measures as it may deem necessary to remedy an applicant for any failure to implement the provisions of the promulgated Act;
- summon and enforce the attendance of witnesses and compel them to give oral and written evidence under oath; and
- take any action to carry out the purposes of the promulgated Act.
Section 41 of the Bill provides for the power of the Commission to call for such information as may be reasonably required by it for the effective discharge of its functions under the promulgated Act. Whenever the Commission requires any information from a data controller or data processor, the concerned officer of the Commission shall provide a written notice to the data controller or data processor stating the reason for the requisition in a specified manner and the form in which such information may be provided.
PECA
Section 30 of PECA empowers officers of the FIA to investigate offenses under PECA (Authorized Officer).
Section 31 of PECA provides that, to the extent that an Authorized Officer is satisfied that:
- specific data stored in any information system or by means of an information system is reasonably required for the purposes of a criminal investigation; and
- there is a risk or vulnerability that the data may be modified, lost, destroyed, or rendered inaccessible,
the Authorized Officer may, by written notice given to the person in control of the information system, require that person to provide that data or to ensure that the data specified in the notice is preserved and its integrity maintained for a period, not exceeding 90 days, as specified in the notice. The Authorized Officer may apply to the court for the period of preservation to be extended.
Section 33 of PECA provides that an Authorized Officer may apply to the court for a warrant for search or seizure where there exist reasonable grounds to believe that there may be in a specified place an information system, data, device, or other articles that may reasonably be required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence in proving a specifically identified offense made out under PECA or has been acquired by a person as a result of the commission of an offense. After obtaining such a warrant, an Authorized Officer may enter the specified premises to search and seize or secure any information system, data, device, or other articles relevant to the offense.
Where, however, an offense under Section 10 of PECA is involved and a warrant cannot be obtained without the apprehension of destruction, alteration, or loss of the data, information system, device, or other articles required for the investigation, an Authorized Officer may conduct a search and seizure in relation to the offense without obtaining a warrant from the court, provided that the Authorized Officer brings this to the notice of the court not later than 24 hours thereafter.
Section 34 of PECA further states that where an Authorized Officer is able to demonstrate to the satisfaction of the court that there exist reasonable grounds to believe that the data stored in an information system is reasonably required for the purpose of a criminal investigation or criminal proceedings with respect to an offense made out under PECA, the court may, after recording reasons, order that the person in control of such data or information system, provide the Authorized Officer access to the same.
Section 35 of PECA provides for the following powers of an Authorized Officer to:
- have access to and inspect the operation of any specified information system;
- use or cause to be used any specified information system to search any specified data contained in or available to such system;
- obtain and copy only relevant data, use equipment to make copies, and obtain an intelligible output from an information system;
- have access to or demand any information in a readable and comprehensible format or plain version;
- require any person by whom or on whose behalf the Authorized Officer has reasonable cause to believe, any information system has been used to grant access to any data within an information system within the control of such person;
- require any person having charge of or otherwise concerned with the operation of any information system to provide them reasonable technical and other assistance as the Authorized Officer may require for investigation of an offense under PECA; and
- require any person who is in possession of decryption information for an information system, device, or data under investigation to grant them access to such data, device, or information system in an unencrypted or decrypted intelligible format for the purpose of investigating any such offense.
Section 35(2) of PECA pertains to the scope of the above powers and provides that in exercising the power of search and seizure of any information system, program, or data, the Authorized Officer shall at all times conduct themselves as follows:
- with proportionality;
- take all precautions to maintain the integrity and secrecy of the information system and data in respect of which the warrant for search and seizure has been issued;
- not disrupt or interfere with the integrity or running and operation of any information system or data that is not the subject of the offenses identified in the application for which a warrant for search or seizure has been issued;
- avoid disruption to the continued legitimate business operations and the premises subject to search or seizure under PECA; and
- avoid disruption to any information system, program, or data not connected with the information system that is not the subject of the offenses identified for which a warrant has been issued or is not necessary for the investigation of the specified offense in respect of which a warrant has been issued.
Section 53 of PECA states that the FIA should submit a half-yearly report to both the National Assembly and Senate of Pakistan for consideration by the relevant committee in respect of its activities, without disclosing identity information, in a manner as prescribed under PECA.
Unlawful Online Content Rules
Pursuant to Rule 4 of the Unlawful Online Content Rules, the PTA is obligated to entertain complaints with regard to online content. The PTA may seek further information or clarification from the complainant in order to reach an appropriate decision on the complaint. The PTA is obligated to register the complaint by allocating a unique complaint number, which is communicated to the complainant. The PTA is further obligated to keep the online content and the identity of the complainant confidential if sharing such online content or the identity of the complainant with others may result in the proliferation of the online content, harm, harass, or defame the complainant, invade the complainant's privacy, or relate to the modesty of the complainant. The PTA, subject to the provisions of the Unlawful Online Content Rules, may on its own motion take cognizance of any online content and exercise its powers under PECA for the removal or blocking of such online content.
4. Key Definitions
Anonymized data (as defined under the Bill): Means personal data that has undergone the irreversible process of transforming or converting personal data to a form in which a data subject cannot be identified.
Authority (as defined under PECA): The Pakistan Telecommunication Authority established under the Pakistan Telecommunication (Re-Organization) Act, 1996.
Authorized officer (as defined under PECA): An officer of the investigation agency authorized to perform any function on behalf of the investigation agency by or under PECA.
Child (as defined under the Bill): A person who has not attained the age of 18 years.
Community guidelines (as defined under the Unlawful Online Content Rules): Any community guidelines, community standards, policies, rules, regulations, user agreements, or any other instruments devised by a social media company or service provider.
Complainant (as defined under the Unlawful Online Content Rules): Any person or their guardian, where such person is a minor, aggrieved by unlawful online content and includes a Ministry, Division, attached department, sub-ordinate office, provincial or local department or office, a law enforcement or intelligence agency of the Government, or a company owned or controlled by the Government.
Commission (as defined under the Bill): The Commission, to be known as the National Commission for Personal Data Protection (NCPDP), to be established under Section 35 of the Bill.
Consent (as defined under the Bill): The consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by clear affirmative action, signify agreement to the collecting, obtaining, and processing of personal data relating to them, provided that it conforms with Sections 13 and 14 of the Contract Act, 1872.
Data controller (as defined under the Bill): A natural or legal person or the Government who, either alone or jointly, has the authority to make a decision on the collection, obtaining, usage, or disclosure of personal data.
Data processor (as defined under the Bill): A natural or legal person or the Government who alone or in conjunction with other(s) processes data on behalf of the data controller.
Personal data (as defined under the Bill): Any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymized, encrypted, or pseudonymized data which is incapable of identifying an individual is not personal data.
Data (as defined under PECA): Content data and traffic data.
Data subject (as defined under the Bill): A natural person who is the subject of personal data.
Database server (as defined under the Unlawful Online Content Rules): Back-end system of an online information system or service or Over-the-Top Application using server architecture, which performs tasks such as data analysis, storage, data manipulation, archiving, and other non-user-specific tasks.
Emergency (as defined under the Unlawful Online Content Rules): A serious and potentially dangerous situation requiring immediate action for blocking or removal of blasphemous content, content threatening the security or integrity of Pakistan, or any other content inciting violence, so as to avoid disturbing public order.
Https (as defined under the Unlawful Online Content Rules): Hyper Text Transfer Protocol Secured used as an underlying protocol by the World Wide Web for formatting, transmission, and communication of messages on the internet in a secure encrypted form.
Information system (as defined under PECA): An electronic system for creating, generating, sending, receiving, storing, reproducing, displaying, recording, or processing any information.
Investigative agency (as defined under PECA): The law enforcement agency established by or designated under PECA.
Online content (as defined under the Unlawful Online Content Rules): An information or an online information system.
Online information systems (as defined under the Unlawful Online Content Rules): An information system connected with other information systems through the internet and any cloud-based content distribution services.
Processing (as defined under the Bill): Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Sensitive data (as defined under the Bill): Any personal data relating to:
- financial information excluding identification number, credit card data, debit card data, account number, or other payment instruments data;
- health data (physical, behavioral, psychological, and mental health conditions, or medical records);
- computerized national identity card or passport;
- biometric data;
- genetic data;
- religious beliefs;
- criminal records;
- political affiliations;
- caste or tribe; and
- an individual's ethnicity.
Health data (as defined under the Bill): Any personal data related to the physical or mental health of a data subject including the recordings regarding the past, present, or future state or provision of health care services, which may reveal information about their health status.
Biometric data (as defined under the Bill): Any personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a person, which allows or confirms the unique identification of that person, such as facial images or dactyloscopic data.
Pseudonymization (as defined under the Bill): The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Relevant person (as defined under the Bill): In relation to a data subject:
- in the case of a data subject who is below the age of 18 years, the parent or a guardian appointed by a court of competent jurisdiction;
- in case of a data subject who is incapable of managing their own affairs, a person who is appointed by a court to manage those affairs; or
- a person authorized by the data subject to make a data access and/or data correction request.
Requestor (as defined under the Bill): Anybody who makes a request under the promulgated Act for any matter related or ancillary to the promulgated Act.
Significant social media company (as defined under Unlawful Online Content Rules): A social media company with more than half a million users in Pakistan or is in the list specifically notified by PTA for this purpose from time to time.
Social media or social network service (as defined under the Unlawful Online Content Rules): A website, application, or mobile web application, platform, or communication channel and any other such application and service that permits a person to become a registered user, establish an account, or create a public profile for the primary purpose of allowing the user to post and share user-generated content through such an account or profile, or enables one or more users to generate content that can be viewed, posted, and shared by other users of such platform. It does not include licensees of the PTA unless they specifically provide social media or social network services. Do note that the term 'licensees' is not defined under the said rules.
Social media company (as defined under the Unlawful Online Content Rules): Any person that owns, provides, or manages online information systems for the provision of a social media or social network service.
User (as defined under Unlawful Online Content Rules): Any person who accesses or avails any online information system for the purpose of hosting, publishing, creating, displaying, sharing, or uploading any information including views, and includes other persons jointly participating in using the online information systems.
5. Legal Bases
5.1. Consent
Section 6(1) of the Bill provides that a data controller shall not process personal data including sensitive personal data of a data subject unless the data subject has given their consent to the processing of the personal data. In addition, the consent of the data subject must be a free, specific, informed, and unambiguous indication of the data subject's intentions that signifies agreement to the processing of their data for the specified purpose communicated to them. The burden of proof to establish that the data subject has given their consent to the processing of data under this section shall lie with the data controller. The data subject shall have the right to withdraw their consent to the processing of personal data at any time. The consequences of such withdrawal shall be borne by the data subject. The withdrawal of consent shall not affect the lawfulness of processing the personal data based on consent taken before its withdrawal. When the data subject withdraws their consent to the processing of personal data, the data controller shall, within a reasonable time, cease and direct its data processors to cease processing the personal data of such data subject, unless such processing can happen without the consent of the data subject or is authorized under the law.
Furthermore, Section 9 of the Bill provides that no personal data shall, without the consent of the data subject, be disclosed:
- for any purpose other than:
  - the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or
  - a purpose directly related to the purpose referred to in the clause above; or
- to any party other than a third party of the class of third parties as specified in clause (f) of sub-section (1) of Section 7 of the Bill.
5.2. Contract with the data subject
Section 6(6)(a) of the Bill provides that a data controller may process the personal data of a data subject if the processing is necessary for the performance of a contract to which the data subject is a party.
5.3. Legal obligations
Section 6(6)(c) of the Bill provides that a data controller may process the personal data of a data subject if the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by a contract.
5.4. Interests of the data subject
Section 6(6)(e) of the Bill provides that a data controller may process the personal data of a data subject if the processing is necessary in order to protect the vital interests of the data subject.
Please refer to the section on data subject rights below for additional obligations provided under the Bill.
5.5. Public interest
The data controller may disclose the personal data of a data subject other than for the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, in the event the disclosure is justified as being in the public interest in circumstances as determined by the Commission in advance of the disclosure.
Furthermore, personal data processed only for journalistic, literary, or artistic purposes shall be exempted from Sections 6, 7, 8, 9, 10, 11, 12, and 16(1) and other related provisions of the Bill, provided that the data controller, on reasonable grounds, believes that, taking into account the special importance of the public interest in freedom of expression, the publication would be in the public interest.
5.6. Legitimate interests of the data controller
Section 6(6)(g) of the Bill provides that a data controller may process the personal data of a data subject if the processing is necessary for legitimate interests pursued by the data controller.
5.7. Legal bases in other instances
Bill
In addition to the conditions outlined above, Sections 6(6)(f) and (h) of the Bill provide that a data controller may also process the personal data of a data subject if the processing is necessary:
- for compliance with any order of competent jurisdiction; or
- for the exercise of any functions conferred on any person by or under any law.
PECA
PECA requires any person engaged in direct marketing to give an option to the recipient of direct marketing to unsubscribe from such marketing.
6. Principles
Section 5 of the Bill provides that:
- personal data shall be collected, processed, and disclosed by a data controller/data processor lawfully and fairly by complying with the provisions of the promulgated Act;
- the personal data shall be collected for specified, explicit, and legitimate purposes, shall not be further processed in a manner incompatible with those purposes, and shall be adequate, relevant, and limited to the purposes for which the data is processed;
- the data controller and/or data processor, whether digitally or non-digitally operational within the territory of Pakistan, shall register with the Commission in such manner as may be specified by the registration framework to be formulated by the Commission, provided that, where the data controller and/or data processor is already registered with any public body, it shall only be required to intimate the Commission; and
- the data controller and/or data processor identified as 'significant' by the Commission shall be required to appoint a DPO, who is well-versed in the collection and processing of personal data and the risks associated with processing.
7. Controller and Processor Obligations
Security of personal data
Section 9(1) of the Bill states that the Commission, keeping in mind national interest, shall prescribe the best international standards to protect personal data from any loss, misuse, modification, unauthorized or accidental access, or disclosure, alteration, or destruction.
Section 9(2) of the Bill states that a data controller or processor, when collecting or processing personal data, must take practical steps to protect the personal data as per the terms mentioned below, by considering the nature of the personal data and the harm that may result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction:
- the place or location where the personal data is stored;
- any security measures incorporated into any equipment in which the personal data is stored;
- the measures taken for ensuring the reliability, integrity, and competence of personnel having access to personal data; and
- the measures taken to ensure the secure transfer of personal data.
Section 9(3) of the Bill further provides that where the processing of personal data is carried out by a data processor on behalf of the data controller, the data controller shall, for the purpose of protecting the personal data in the terms mentioned under Section 9(1) of the Bill, ensure that the data processor undertakes to adopt applicable technical and organizational security international standards governing the processing of personal data, as prescribed by the Commission.
Section 9(4) of the Bill provides that the data processor is independently liable to take steps to ensure compliance with security standards prescribed under Section 9(1) of the Bill.
Pursuant to Rule 7(6)(5) of the Unlawful Online Content Rules, a significant social media company shall comply with user data privacy and data localization in accordance with applicable laws.
7.1. Data processing notification
Section 5(3) of the Bill states that the data controller and/or data processor, whether digitally or non-digitally operational within the territory of Pakistan, shall register with the Commission in such manner as may be specified by the registration framework to be formulated by the Commission, provided that, where the data controller and/or data processor is already registered with any public body, it shall only be required to intimate the Commission. Section 40 of the Bill empowers the Commission to formulate a registration framework for data controllers and data processors.
7.2. Data transfers
Disclosures to third parties
Section 24 of the Bill provides that the personal data of a data subject may be disclosed by a data controller for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only under the following circumstances:
- the data subject has given their consent to the disclosure;
- the disclosure:
  - is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations; or
  - was required or authorized by or under any law or by the order of a court;
- the data controller acted in reasonable belief that they have in law the right to disclose the personal data to the other person;
- the data controller acted in reasonable belief that they would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or
- the disclosure was justified as being in the public interest in circumstances as determined by the Commission in advance of the disclosure.
Cross-border data transfers
Section 7(1)(d) of the Bill states that a data controller shall, through written notice (including by digital means) or, where this is not practical, through another data controller that exercises control over the same personal data, inform a data subject of any cross-border transfer of personal data that the data controller intends to carry out, if applicable.
Section 31 of the Bill provides for the cross-border transfer of personal data. In cases where personal data is required to be transferred to any system located beyond the territories of Pakistan, or to a system that is not under the direct control of any of the governments in Pakistan or of entities in Pakistan, it shall be ensured that the country to which the data is being transferred offers a personal data protection legal regime at least equivalent to the protections provided under the Bill, that the data so transferred is processed in accordance with the Bill, and, where applicable, that consent is given by the data subject.
Section 32 of the Bill further provides that personal data other than those categorized as critical personal data may be transferred outside the territory of Pakistan after fulfilling necessary explicit consent requirements under the promulgated Act. In the absence of an adequate data protection legal regime, the Commission may allow for the transfer of personal data outside Pakistan in the following cases:
- binding contract/agreement;
- explicit consent of the data subject that does not conflict with the public interest or national security of Pakistan;
- international cooperation is required under relevant international obligations; and
- any further conditions specified by the Commission.
The Commission shall also devise a mechanism for sharing sensitive personal data with the Government of Pakistan, provided that the data relates to public order or national security and the same is required within the parameters of applicable law. The data controllers or data processors are also required to share a copy of the requested data in the stipulated timeframe, as prescribed by the Commission.
Furthermore, Section 47 of the Bill provides that the Commission may, subject to the prior approval of the Government, cooperate with any foreign authority or international organization in the field of data protection/data privacy/data theft/unlawful data transfer on the terms and conditions of any program or agreement for cooperation to which such authority or organization is a party, or pursuant to any other international agreement made, or after the commencement of the promulgated Act.
7.3. Data processing records
Pursuant to Section 12 of the Bill, a data controller will be required to keep and maintain a record of each application, notice, request, or any other information relating to personal data that has been or is being processed by them. The Commission may determine the manner and form in which the record is to be maintained.
The data controller shall be required to intimate to the Commission on a regular basis the type of data they are collecting and the processing undertaken on the collected data. This is not applicable in situations where data collection is occasional, unless the processing is likely to result in a risk to the rights and freedoms of the data subject as enshrined in the Constitution.
7.4. Data protection impact assessment
There are no prescribed requirements currently in place. Under the Bill, the Commission is required to formulate a compliance framework for monitoring and enforcement in order to ensure transparency and accountability, including measures such as a DPIA.
7.5. Data protection officer appointment
Section 5(4) of the Bill provides that the data controller and/or data processor identified as significant by the Commission shall be required to appoint a DPO, who is well versed in the collection and processing of personal data and the risks associated with processing. Furthermore, Section 40 of the Bill empowers the Commission to formulate the responsibilities of said officer, if and when appointed.
7.6. Data breach notification
There are currently no specific requirements under existing laws to notify a data breach. However, Section 13(1) of the Bill, not yet in force, provides that in the event of a personal data breach, the data controller shall, without undue delay and where reasonably possible, not beyond 72 hours of becoming aware of the personal data breach, notify the Commission and the data subject in respect of the personal data breach except where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.
Furthermore, Section 13(2) of the Bill provides that in the event of a delay in notifying a personal data breach beyond 72 hours, the personal data breach notification to the Commission shall be accompanied by valid reasons for the delay.
Section 13(3) of the Bill provides that minimum information in relation to the personal data breach notification should be provided, which is as follows:
- description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- name and contact details of the DPO or other contact point where more information can be obtained;
- likely consequences of the personal data breach; and
- measures adopted or proposed to be adopted by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data controller shall maintain a record of any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. The data processor shall also follow the personal data breach notification requirements under this section except that the data processor should only inform the data controller and Commission.
7.7. Data retention
Pursuant to Section 10(1) of the Bill, personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose or as required under the law. Further, Section 10(2) of the Bill provides that it shall be the duty of the data controller to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed or as required under Section 10(1) of the Bill.
In addition to the above, the following sector-specific requirements may also be applicable to the protection of personal data within such sectors:
Financial sector
Section 7 of the Payment Systems and Electronic Fund Transfers Act, 2007 provides that financial institutions providing funds transfer facilities will be required to retain a complete record of electronic transactions in electronic form in the same manner as provided in Section 6 of the Electronic Transactions Ordinance, 2002 (the 2002 Ordinance) for a period as may be determined by the State Bank of Pakistan (SBP). Section 6 of the 2002 Ordinance provides that the requirement under any law that a certain document, record, information, communication, or transaction be retained will be deemed satisfied by retaining it in electronic form if:
- the contents of the document, record, information, communication, or transaction remain accessible so as to be usable for subsequent reference;
- the contents and form of the document, record, information, communication, or transaction are as originally generated, sent, or received, or can be demonstrated to represent accurately the contents and form in which it was originally generated, sent, or received; and
- such document, record, information, communication, or transaction, if any, as enables the identification of the origin and destination of the document, record, information, communication, or transaction, and the date and time when it was generated, sent, or received, is retained.
Banking sector
Pursuant to Section 33A of the Banking Companies Ordinance, 1962 (BCO), banks and financial institutions shall, except as otherwise required by law, not divulge any information relating to the affairs of their customers except in circumstances in which it is, in accordance with the law or with practice and usage customary among bankers, necessary or appropriate for a bank to divulge such information.
Pursuant to Section 12 of the BCO, no banking company is permitted to remove from Pakistan to a place outside Pakistan any of its records and documents relating to its business at its branches, whether they are functioning or not, without prior permission in writing of the SBP, where the term 'records' means ledgers, daybooks, cash books, account books, and all other books used in the business of a banking company, and the term 'documents' means vouchers, cheques, bills, pay orders, securities for advances, and any other documents supporting entries in the books of, or claims by or against, a banking company.
Telecommunications sector
The PTA has issued its Critical Telecom Data and Infrastructure Security Regulations, 2020 (PTA Regulations) under Section 5(2)(o) of the Pakistan Telecommunication (Re-organization) Act, 1996, which shall apply to all PTA licensees for the security of critical telecom data and critical telecom infrastructure related to the telecom sector.
The expression 'critical telecom data' has been defined in the PTA Regulations as personal data related to PTA licensees, licensee users, and/or customers that are retained by the telecom licensee and such information that is critical for the operations, confidentiality, and security of the licensee telecom systems including voice/data communication of its users/customers being handled by the telecom licensee.
The term 'personal data' for the purposes of the PTA Regulations means information associated with an individual or an organization, relating to its private, public, and professional identification.
Pursuant to Regulation 5 of the Data Retention of Internet Extended to Public WiFi-Hotspots Regulations, 2018, the owner of a public Wi-Fi hotspot is obligated to record and maintain Network Address Translation (NAT)/Port Address Translation (PAT) logs and system logs of their consumers on a mandatory basis. Along with other information, the following parameters of the NAT/PAT and system logs are to be stored for a minimum of 12 months:
- full name of the user;
- computerized national identity card number/passport number (in case of foreigners);
- mobile number;
- date and time of login;
- date and time of log-off;
- data consumption with URLs;
- MAC address;
- Internet access log;
- source IP address;
- source IP port;
- translated IP address;
- translated IP port;
- destination IP address; and
- destination IP port.
7.8. Children's data
Section 14 of the Bill provides for the processing of children's personal data. Section 14(1) provides that every data controller or data processor shall process a child's personal data in such a manner that protects the rights and interests of the child. Section 14(2) further provides that the data controller or data processor shall, before processing any personal data relating to a child, verify their age and seek the consent of their parent, relevant person, or authorized person having parental responsibility over the child to decide on their behalf.
Section 14(3) states that the manner for age verification and parental consent under sub-section 14 shall be prescribed by rules to process children's data, taking into consideration:
- the volume of personal data processed;
- the proportion of such personal data likely to be that of the child;
- possibility of harm to the child arising out of the processing of personal data; and
- such other factors as may be prescribed.
Section 14 also stipulates that a data controller or a data processor shall not process any personal data of a child that is likely to cause them harm and shall also not undertake tracking or behavioral monitoring of children or targeted advertising directed at children.
7.9. Special categories of personal data
A data controller shall not process sensitive personal data of a data subject unless the data subject has given consent to the processing of the personal data.
Pursuant to Section 15(1) of the Bill a data controller shall not process any sensitive personal data of a data subject except in accordance with the following conditions:
- the data subject has given their explicit consent to the processing of the personal data provided that this consent is not restricted by any other applicable law; and/or
- the processing is necessary:
  - for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  - in order to protect the vital interests of the data subject or another person, in a case where:
    - consent cannot be given by or on behalf of the data subject; or
    - the data controller cannot reasonably be expected to obtain the consent of the data subject; and
  - in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
  - for medical purposes and is undertaken by:
    - a healthcare professional; or
    - a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional; and
  - for the purpose of, or in connection with, any legal proceedings;
  - for the purpose of obtaining legal advice while ensuring its integrity and secrecy;
  - for the purposes of establishing, exercising, or defending legal rights;
  - for the administration of justice pursuant to orders of a court of competent jurisdiction; or
  - for the exercise of any functions conferred on any person by or under any written law; and
- the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
For the purposes of the Bill, 'medical purposes' and 'healthcare professional' are defined as follows:
- Medical purposes: Includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation, the provision of care and treatment, and the management of healthcare services; and
- Healthcare professional: Means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist, and other allied healthcare professionals, and any other person involved in the giving of medical, health, dental, pharmaceutical, or any other healthcare services authorized to provide such services under the laws of Pakistan.
7.10. Controller and processor contracts
The Bill prescribes no such requirements.
8. Data Subject Rights
8.1. Right to be informed
Section 16 of the Bill provides that a data subject or relevant person is entitled to be informed by a data controller whether the personal data of which that individual is the data subject is being processed by or on behalf of the data controller.
Section 7(1) of the Bill provides that a data controller shall, through written notice (including by digital means) or, where this is not practical, through another data controller exercising control over the same personal data, inform a data subject of the following:
- that the personal data of the data subject is being collected by or on behalf of a data controller, providing a description of the personal data to that data subject;
- the legal basis for the processing of personal data, the period for which the data is likely to be processed and retained thereafter, and the purpose for which the personal data is or is to be collected and further processed;
- the source of personal data;
- any cross-border transfer of personal data that the data controller intends to carry out, if applicable;
- the rights of the data subject as mentioned in the Bill, including the data subject's right to request access and correction of the personal data and provide information on contacting the data controller with any inquiries or complaints concerning personal data;
- the list of third parties to whom the data controller shall or may disclose the personal data;
- the choices and means the data controller offers the data subject for restricting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
- whether it is obligatory or voluntary for the data subject to supply the personal data; and
- where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if they fail to comply with the request.
Section 7(2) of the Bill stipulates that the notice shall be given as soon as reasonably possible by the data controller:
- when the data subject is first asked by the data controller to provide their personal data;
- when the data controller first collects the personal data of the data subject; or
- in any other case, before the data controller:
  - uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or
  - discloses the personal data to a third party.
Section 7(3) of the Bill stipulates that notices shall be in English, or any other language as specified in Article 251 of the Constitution, and that the individual shall be provided with a clear and readily accessible means to make their choice of language.
8.2. Right to access
Section 16 of the Bill states that a data subject shall be given access to their personal data held by a data controller except where compliance with a request for access is declined under the provisions of the promulgated Act. It further provides that a data subject shall have the right to obtain confirmation from a data controller as to whether the personal data of the data subject is under processing or has been processed, by or on behalf of the data controller.
Section 16(3) of the Bill provides that a requestor may, upon payment of a prescribed fee reflecting administrative cost, make a data access request to the data controller:
- for information on the data subject's personal data that is being processed by or on behalf of the data controller; and
- to provide them with a copy of the personal data in an intelligible form.
Where a data controller has shared the data with another data controller/processor, the first data controller, being the one that holds the data subject's consent, remains liable.
Such rights are subject to the circumstances listed in Section 18(1) of the Bill, wherein the data controller may refuse the data access request, such as where the data controller is not supplied with such information as it may reasonably require:
- in order to satisfy itself as to the identity of the requestor;
- where the requestor claims to be a relevant person, in order to satisfy itself:
  - as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; or
  - that the requestor is the relevant person in relation to the data subject; and
- to locate the personal data to which the data access request relates.
Under Section 11 of the Bill, a data controller shall take adequate steps to ensure that the required personal data is accurate, complete, not misleading, and kept up to date concerning any direct or indirect purpose for which the personal data was collected and processed further.
8.3. Right to rectification
Section 19 of the Bill provides that a data subject may request the correction of their personal data where:
- a copy of the personal data has been supplied by the data controller in compliance with the data access request, and the requestor considers that the personal data is inaccurate, incomplete, misleading, or not up to date; or
- the data subject knows that the personal data being held by the data controller is inaccurate, incomplete, misleading, or not up to date.
Where a data controller has shared the data with another data processor or a controller, the data controller possessing the consent of the data subject shall be liable under Section 19.
Notwithstanding the foregoing provisions, Section 20(1) of the Bill provides that where the data controller is satisfied that the personal data to which a data correction request relates is inaccurate, incomplete, misleading, or not up to date, it shall, inter alia, not later than 30 days from the date of receipt of the data correction request:
- make the necessary corrections to the personal data; and/or
- supply the requestor with a copy of the personal data as corrected.
The data controller who is unable to comply with a data correction request within the period specified above shall, before the expiration of that period:
- by notice in writing, inform the requestor that they are unable to comply with the data correction request within such period and the reasons why they are unable to do so; and
- comply with the data correction request to the extent that they can do so.
Notwithstanding the foregoing, the data controller shall comply in whole with the data correction request not later than 14 days after the expiration of the period stipulated above.
Where a data controller is requested to correct personal data and the personal data is being processed by another data controller that is in a better position to respond to the data correction request:
- the first-mentioned data controller shall immediately transfer the data correction request to such data controller, and notify the requestor of this fact; and
- relevant provisions applicable to the first-mentioned data controller shall be equally applicable to the other data controller.
Such rights are subject to the circumstances listed in Section 21 of the Bill, under which the data controller may refuse the data correction request, such as where:
- the data controller is not supplied with such information as it may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading, or not up to date;
- the data controller is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading, or not up to date; or
- the data controller is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading, or up to date.
8.4. Right to erasure
Section 26 of the Bill provides the data subject with the right to obtain the erasure of personal data concerning them from the data controller without undue delay and the data controller shall have the obligation to erase personal data within 14 days where at least one of the following conditions applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to the relevant section of the Bill;
- the personal data have been unlawfully processed; or
- the personal data have to be erased for compliance with a legal obligation.
8.5. Right to object/opt-out
Section 23 of the Bill provides that a data subject may by notice in writing withdraw their consent to the processing of personal data in respect of which they are the data subject. The data controller shall, upon receiving such notice, cease the processing of the personal data.
Section 25(1) of the Bill states that a data subject may, at any time by notice in writing to a data controller, require the data controller at the end of such period as is reasonable in the circumstances, to:
- cease the processing of or processing for a specified purpose or in a specified manner; or
- not begin the processing of or processing for a specified purpose or in a specified manner, any personal data in respect of which they are the data subject if, based on reasons to be stated by them:
  - the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to them or a relevant person; and
  - the damage or distress is or would be unwarranted.
Section 25(2) of the Bill provides that Section 25(1) shall not apply where:
- the data subject has given their consent; or
- the processing of personal data is necessary:
  - for the performance of a contract to which the data subject is a party;
  - for the taking of steps at the request of the data subject with a view to entering a contract;
  - for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
  - in order to protect the vital interests of the data subject; or
  - in such other cases as may be prescribed by the Government upon recommendations of the Commission through publication in the Official Gazette.
8.6. Right to data portability
The data subject's right to data portability is provided under Section 29 of the Bill.
Section 29 provides that the data subject shall have the right to receive their personal data from a data controller in a proper form that is easy to use and machine-readable, and the data subject shall have the right to transmit that data to another data controller or processor without any objection where:
- the data subject has given their explicit consent; and
- the processing is carried out by automated means.
Section 29 of the Bill further provides that the data subject shall have the right to transmit their personal data from one data controller to another directly, where it is technically feasible.
8.7. Right not to be subject to automated decision-making
Section 29 provides that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which results in legal obligations or significantly harms the data subject, unless the data subject has given explicit consent.
The data subject shall have the right to obtain from the data controller:
- specific information about automated decision-making including profiling; and
- human intervention.
The data subject rights mentioned in Section 29 shall not apply to the extent where processing is necessary for the performance of a task carried out in the public interest and the rights mentioned in this section shall not affect the rights and freedoms of other data subjects.
8.8. Other rights
Section 27 of the Bill prescribes that a data subject shall have the right to nominate any other individual, as may be prescribed, to exercise the data subject's rights under the provisions of the promulgated Act in the event of the data subject's death or disability.
Section 28 of the Bill provides the right to redress a grievance. In case of any complaint or grievance, the data subject shall be provided with a means to register their complaint in writing with the data controller. The data controller's officials shall immediately take up the matter for redressal. Where a data controller fails to provide a satisfactory response concerning a grievance, or the data subject receives no response within the prescribed period, the data subject may register a complaint with the Commission in such manner as may be prescribed.
9. Penalties
Bill
The following sanctions may be imposed by a court of competent jurisdiction after a trial.
Unlawful processing of personal data
Section 48 of the Bill provides that anyone who processes or causes to be processed, disseminates, or discloses personal data in violation of any of the provisions of the Bill shall be punished with fines of up to $125,000 or an equivalent amount in Pakistani Rupees, and in case of subsequent unlawful processing of personal data, the fine may be raised up to $250,000 or an equivalent amount in Pakistani Rupees.
In case the offense committed relates to sensitive personal data, the offender may be punished with a fine of up to $500,000 or an equivalent amount in Pakistani Rupees.
Where the offense committed relates to critical personal data, the offender may be punished with a fine of up to $1,000,000 or an equivalent amount in Pakistani Rupees, or as the Commission deems appropriate.
Penalties for continuing to process data after withdrawal of consent
Section 23 of the Bill provides that a data controller who continues processing data despite a data subject withdrawing consent to process such data commits an offense and shall, on conviction, be liable to a fine not exceeding $50,000 or an equivalent amount in Pakistani Rupees.
Failure to adopt appropriate data security measures
Section 49 of the Bill provides that anyone who fails to adopt the security measures that are necessary to ensure data security when they are required to do so, in violation of the provisions laid down in the Bill and the rules to be made thereunder, will be punished with a fine of up to $50,000 or an equivalent amount in Pakistani Rupees.
Failure to comply with orders of the Commission
Section 50 of the Bill provides that anyone who fails to comply with the orders of the Commission or a court when they are required to do so will be punished with a fine of up to $50,000 or an equivalent amount in Pakistani Rupees.
Where a data controller and/or data processor contravenes any provision of the promulgated Act, the rules or regulations made thereunder, a policy issued by the Government, a direction issued by the Commission, or a condition of registration, the Commission may, by a written notice, require the data controller and/or data processor to provide, within 15 days, reasons why an enforcement order should not be issued. The notice shall specify the nature of the contravention and the adequate steps to be taken by the licensee for the redressal of the contravention.
Where anyone fails to:
- respond to the notice;
- satisfy the Commission about the alleged contravention; or
- remedy the contravention within the time allowed by the Commission,
the Commission may, by a written order stating its reasons, levy a fine which may extend to $2,000,000 or an equivalent amount in Pakistani Rupees.
Notwithstanding anything mentioned above, the legal person shall be punished with a fine not exceeding 1% of its annual gross revenue in Pakistan or $200,000, whichever is higher, or an equivalent amount in Pakistani Rupees or as may be assessed by the Commission.
Administrative sanctions
Section 51 of the Bill provides that a complaint may be filed before the Commission against any violation of personal data protection rights as granted under the Bill or the conduct of any data controller, data processor, or their processes in accordance with the relevant procedure set out under the Bill for:
- a breach of the data subject's consent to process data;
- a breach of the obligations of the data controller or the data processor in the performance of their functions under the Bill;
- the provision of incomplete, misleading, or false information while taking consent of the data subject; or
- other matters relating to the protection of personal data.
The Commission shall efficiently dispose of a complaint, and it may issue directions to stop the breach of data protection rights of a data subject without first seeking comments from the concerned data processor and data controller, as the case may be. In case of failure of the data collector or data processor, as the case may be, to respond to the Commission or to execute its orders, the Commission may initiate enforcement proceedings as per rules to be prescribed under the Bill.
PECA
Chapter II of PECA catalogs the offenses in relation to electronic crimes in Pakistan. The list of acts criminalized under PECA includes illegal access to information systems or data, illegal interference with data or information systems, cyber terrorism, and electronic forgery.
Unauthorized access to information systems or data
Section 3 of PECA states that whoever with dishonest intention gains unauthorized access to any information system or data will have committed an offense and shall be punished with imprisonment for a term which may extend to three months, or with a fine which may extend to PKR 50,000 (approx. $180), or with both.
Unauthorized copying or transmission of data
Section 4 of PECA provides that whoever, with dishonest intention and without authorization, copies or otherwise transmits or causes to be transmitted any data shall be punished with imprisonment for a term which may extend to six months, or with a fine which may extend to PKR 100,000 (approx. $360), or with both.
Interference with information systems or data
Section 5 of PECA refers to the offense of illegal interference with information systems or data, such that whoever with dishonest intention interferes with, damages, or causes to be interfered with or damaged any part or whole of an information system or data shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 500,000 (approx. $1,800), or with both.
Critical infrastructure information systems or data
Section 6 of PECA refers to the offense of unauthorized access to any critical infrastructure information system or data, which is punishable with imprisonment for a term that may extend to three years, or with a fine that may extend to PKR 1 million (approx. $3,590), or with both.
Section 7 of PECA provides that unauthorized copying or transmission of such critical infrastructure data shall be punished with imprisonment for a term which may extend to five years, or with a fine which may extend to PKR 5 million (approx. $17,960), or with both.
Section 8 of PECA provides that interference with or damage caused to such critical infrastructure information system or data shall be punished with imprisonment for a term which may extend to seven years, or with a fine which may extend to PKR 10 million (approx. $35,920), or with both.
Glorification of an offense
Section 9 of PECA states that whoever prepares or disseminates information through any information system or device with the intent to glorify an offense relating to, inter alia, terrorism or any person convicted of a terrorism-related crime, will be guilty of an offense under PECA, and such offense shall be punished with imprisonment for a term which may extend to seven years, or with a fine which may extend to PKR 10 million (approx. $35,920), or with both. For clarity, note that the term 'glorification' as used herein includes the depiction of any form of praise or celebration in a desirable manner.
Cyber terrorism
Section 10 of PECA underlines the offense of cyber terrorism, wherein the commission or threat of commission of any of the offenses mentioned in Sections 6 to 9 of PECA above with the intent to coerce, intimidate, overawe, or create a sense of fear, panic, or insecurity in the Government or the public or a section of the public, community, sect, or society, or to advance inter-faith, sectarian, or ethnic hatred, or to advance the objectives of organizations, individuals, or groups proscribed under the law, is an offense under PECA. Such offense is punishable with imprisonment for a term which may extend to 14 years, or with a fine which may extend to PKR 50 million (approx. $179,600), or with both.
Hate speech
Section 11 of PECA refers to the offense of hate speech, stating that whoever prepares or disseminates information through any information system or device, that advances or is likely to advance interfaith, sectarian, or racial hatred shall have committed an offense under PECA punishable with imprisonment for a term which may extend to seven years, or with a fine, or with both.
Recruitment, funding, or planning of terrorism
Section 12 of PECA provides that whoever prepares or disseminates information, through any information system or device, that invites or motivates to fund, or recruits people for terrorism or plans for terrorism shall be punished with imprisonment for a term which may extend to seven years, or with a fine, or with both.
Electronic forgery
Section 13 of PECA refers to the offense of electronic forgery, wherein whoever interferes with or uses any information system, device, or data with the intent to cause damage or injury to the public or to any person, or to make any illegal claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud by any input, alteration, deletion, or suppression of data resulting in unauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether the data is directly readable and intelligible or not, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 250,000 (approx. $900), or with both.
Note that any of the above acts committed in relation to a critical infrastructure information ('CII') system or data will also be an offense under PECA and shall be punished with imprisonment for a term, which may extend to seven years, or with a fine which may extend to PKR 5 million (approx. $17,960), or with both.
Electronic fraud
Section 14 of PECA pertains to the offense of electronic fraud, wherein whoever, with the intent for wrongful gain, interferes with or uses any information system, device, or data, or induces any person to enter into a relationship, or deceives any person, where such act or omission is likely to cause damage or harm to that person or any other person, shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 10 million (approx. $35,920), or with both.
Making, obtaining, or supplying devices for use in offense
Section 15 of PECA states that whoever produces, makes, generates, adapts, exports, supplies, offers to supply, or imports for use any information system, data, or device with the intent that it be used, or believing that it is primarily to be used, to commit or assist in the commission of an offense shall, without prejudice to any other liability that they may incur in this behalf, be punished with imprisonment for a term which may extend to six months, or with a fine which may extend to PKR 50,000 (approx. $180), or with both.
Unauthorized use of identity information
Section 16 of PECA provides that whoever obtains, sells, possesses, transmits, or uses another person's identity information without authorization will have committed an offense under PECA and shall be punished with imprisonment for a term which may extend to three years or with a fine which may extend to PKR 5 million (approx. $17,960), or with both.
Unauthorized issuance of SIM cards
Section 17 of PECA criminalizes the act of unauthorized issuance of subscriber identity module (SIM) cards, reusable identification module (R-IUM), universal integrated circuit cards (UICC), or other modules designed for authenticating users to establish a connection with the network and to be used in cellular mobile, wireless phone, or other digital devices without obtaining verification of the subscriber's antecedents in the manner prescribed by the PTA. Such offense shall be punished with imprisonment for a term, which may extend to three years, or with a fine which may extend to PKR 500,000 (approx. $1,800), or with both.
Tampering of communication equipment
Section 18 of PECA pertains to the offense of tampering with, changing, altering, or reprogramming unlawfully or without authorization, any unique device identifier of any communication equipment including a cellular or wireless handset, and using or marketing such device for transmitting and receiving information, and provides that such offense shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 1 million (approx. $3,590), or with both.
Note that a 'unique device identifier' as used herein refers to an electronic equipment identifier, which is unique to a communication device.
Unauthorized interception
Section 19 of PECA states that whoever with dishonest intention commits unauthorized interception by technical means of:
- any transmission that is not intended to be and is not open to the public, from or within an information system; or
- electromagnetic emissions from an information system that is carrying data,
will have committed an offense under PECA and shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 500,000 (approx. $1,800), or with both.
Offenses against the dignity of a natural person
Section 20 of PECA refers to the offenses against the dignity of a natural person, wherein whoever intentionally and publicly exhibits, displays, or transmits any information through any information system, which they know to be false, and intimidates or harms the reputation or privacy of a natural person will have committed an offense under PECA and shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 1 million (approx. $3,590), or with both.
Malicious code
Section 23 of PECA provides that whoever willfully or without authorization writes, offers, makes available, distributes, or transmits malicious code through an information system or device with intent to cause harm to any information system or data resulting in the corruption, destruction, alteration, suppression, theft, or loss of the information system or data shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 1 million (approx. $3,590), or with both.
For clarity, note that 'malicious code' includes a computer program or a hidden function in a program that damages an information system or data, compromises the performance of such system or the availability of data, or uses it without proper authorization.
Cyberstalking
Section 24 of PECA pertains to the offense of cyber-stalking, stating that a person commits the offense of cyber-stalking where such person, with the intent to coerce, intimidate, or harass any person, uses an information system, information system network, the internet, websites, email, or any other similar means of communication to:
- follow a person, or contact or attempt to contact such person to foster personal interaction repeatedly despite a clear indication of disinterest by such person;
- monitor the use by a person of the internet, email, text messages, or any other form of electronic communication;
- watch or spy upon a person in a manner that results in the fear of violence or serious alarm or distress in the mind of such person; or
- take a photograph or make a video of any person and display or distribute it without their consent in a manner that harms such person.
Such offense shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 1 million (approx. $3,590), or with both. Where the victim of cyber-stalking under this Section is a minor, the punishment may extend to imprisonment for a term of five years, or a fine which may extend to PKR 10 million (approx. $35,920), or both.
Spamming
Section 25 of PECA deals with the offense of spamming, whereby any person who transmits harmful, fraudulent, misleading, illegal, or unsolicited information to any person without their permission or who causes any information system to show any such information for wrongful gain will have committed an offense under PECA and shall be punished with imprisonment for a term which may extend to three months, or with a fine of PKR 50,000 (approx. $180) which may extend to PKR 5 million (approx. $17,960), or with both.
Persons, including institutions and organizations, engaged in direct marketing are required to provide an option to unsubscribe from such marketing to their recipients.
Section 25 also provides for first-time offenders, stating that any person committing the offense of transmitting unsolicited information or engaging in direct marketing without providing the option to unsubscribe to its recipients for the first time shall be punished with a fine not exceeding PKR 50,000 (approx. $180), and for every subsequent violation, such person shall be punished with a fine not less than PKR 50,000 (approx. $180), which may extend to PKR 1 million (approx. $3,590).
Spoofing
Section 26 of PECA pertains to spoofing, wherein whoever with dishonest intention, establishes a website or sends any information with a counterfeit source intended to be believed by the recipient or visitor of the website to be an authentic source, commits the offense of spoofing and shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 500,000 (approx. $1,800), or with both.
Unlawful Online Content Rules
Rule 5 of the Unlawful Online Content Rules further provides that in case a service provider, a social media company or a significant social media company fails to respond to a written notice issued by PTA to remove or block access to online content or to comply with the directions issued by PTA within 48 hours, then the PTA may, after affording an opportunity of hearing and by an order in writing, take appropriate action against the service provider, a social media company, or a significant social media company, as the case may be, which includes imposing a penalty up to PKR 500 million (approx. $1.8 million).
9.1. Enforcement decisions
There are no significant enforcement decisions pertaining to the breach of personal data and imposition of penalties in relation thereto.