Data Privacy Tool
You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.
Pakistan currently has not enacted data protection legislation per se similar to data protection legislation enacted in other countries of the world, however the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same purpose to a certain extent.
Moreover, a consultation draft of the Personal Data Protection Bill 2020 (“PDPB”) has been introduced by the Ministry of Information Technology and Telecommunications with a view to having the same being promulgated into law after public consultation, approval from both Houses of Parliament and receipt of assent from the President of Pakistan.
Definition of personal data
The term “personal data” is defined in PECA 2016 in Section 2(xviii) as ““identity information” means an information which may authenticate or identify an individual or an information system and enable access to any data or information system.”
“Data” in PECA 2016 is defined in Section 2(xiii) as ““data” includes content data and traffic data.”
The use of the word ‘include’ in the abovementioned definition of ‘data’ is indicative of the fact that the legislators intended for the definition of ‘data’ to include content data and traffic data in addition to what the typical dictionary meaning and definition of the word ‘data’ is.
Hence, identity information means any piece of information that is capable of authenticating or identifying an individual and enable access to any piece of information that may indirectly assist in authenticating or identifying an individual.
On the other hand, the PDPB defines “personal data” as any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data. Provided that anonymized, encrypted or pseudonymized data which is incapable of identifying an individual is not personal data.
For the purpose of clarity, “data subject” under the PDPB means a natural person who is the subject of the personal data, whereas “data controller” means a natural or legal person or the government, who either alone or jointly has the authority to make a decision on the collection, obtaining, usage or disclosure of personal data.
In addition, the PDPB defines “anonymized data” as information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. The PDPB defines “pseudonymisation” as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated legislation may differ from the consultation draft.
Definition of sensitive personal data
PECA 2016 does not differentiate between the terms “personal data” and “sensitive personal data”, and therefore a piece of information that is considered as “sensitive personal data” shall be covered under PECA 2016 if the same is capable of being classified as “identity information” under the aforementioned legislation.
The PDPB however specifically provides a definition of “sensitive personal data” to mean and include data relating to access control (username and/or password), financial information such as bank account, credit card, debit card, or other payment instruments, and, passports, biometric data, and physical, psychological, and mental health conditions, medical records, and any detail pertaining to an individual’s ethnicity, religious beliefs, or any other information for the purposes of the PDPB and rules made thereunder.
It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated legislation may differ from the consultation draft.
There is currently no national data protection authority in Pakistan.
However, the PDPB provides for the creation of a Personal Data Protection Authority of Pakistan (“Authority”) within six months of the coming into force of the PDPB as law.
There is currently no registration requirement.
However, the PDPB, which is yet to be promulgated, confers upon the Authority the power to devise the appropriate registration requirements.
There is currently no law in force which makes mandatory the appointment of a Data Protection Officer.
However, the PDPB, which is yet to be promulgated into law, recognizes the existence and role of a Data Protection Officer.
Section 16 of PECA 2016 (“Section 16”), reproduced below for ease of reference, puts restriction on the collection and procession of personal data without the consent of the person whose personal data is being collected and processed:
“Whoever obtains, sells, possesses, transmits or uses another person’s identity information without authorization shall be punished with imprisonment for a term which may extend to three years or with fine which may extend to five million rupees, or with both.”
The PDPB, in addition, provides for the imposition of an obligation upon the data controller to intimate to the data subject the following: the collection of personal data pertaining to the data subject; the legal basis of such data collection and data processing; the purpose for such data collection and data processing; the data subject’s right to request access to the personal data so collected and processed; the data subject’s right to request correction of personal data so collected and processed; the class of third parties to whom the personal data may be disclosed; the mandatory or voluntary nature of such data collection and data processing; and the consequences of failing to supply such personal data for data collection and data processing where mandatory. As per the PDPB, where the processing pertains to critical personal data, the PDPB shall (if implemented in its current form) require the same to be processed in a server or data center within Pakistan.
It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated legislation may differ from the consultation draft.
Section 16 prohibits the transmission of identity information of a person without consent.
In addition, Pakistan prohibits data transfers to any country that it does not recognize, including: Israel, Taiwan, Somaliland, Nagorno, Karabakh, Transnistria, Abkhazia, Northern Cyprus, Sahrawi Arab Democratic Republic, South Ossetia and Armenia. This list may change from time to time. Additionally, data transfers to India must be justifiable by the transferor.
Data collated by banks, insurance firms, hospitals, defense establishments and other ‘sensitive’ institutions may not be transferred to any individual or body without authorization from the relevant regulator on a confidential basis. Such data is further regulated by contractual terms. In certain cases, data may not be transferred without authorization from the data subject.
However, banks and financial institutions must maintain confidentiality in banking transactions.
Similarly, the PDPB, which is yet to be promulgated, proposes prohibiting the transfer of personal data to unauthorized persons or systems. Where the transfer of personal data pertains to a transfer to a territory outside of Pakistan, the PDPB would require the territory where personal data is to be transferred to offer an equivalent degree of personal data protection as that provided for in Pakistan, provided that such data transfer is done in accordance with a framework for the transfer of personal data outside of Pakistan as devised by the Authority.
There are currently no additional data security requirements as long as the relevant entities are compliant with the provisions of PECA 2016.
However, once promulgated, the PDPB would require data collectors and data processors to comply with the standards so prescribed by the Authority in order to protect personal data.
There is, at present, no requirement to report data breaches to any individual or regulatory body.
However, the PDPB would, upon coming into force, require the data controller to notify the Authority regarding any personal data breaches that are likely to result in a risk to the rights and freedoms of the data subject. Moreover, the data processor would similarly be required to intimate any breach of personal data to the Authority in the event that the data processor is made aware of such breaches.
For breaches of provisions of PECA 2016 appropriate relief may be sought through courts of law having jurisdiction in the matter.
Additionally, the PDPB, which is yet to be promulgated, would permit the relevant regulatory authority to exercise all powers required to enable the same to enforce the provisions of the PDPB.
The legislation at present does not provide a comprehensive framework to regulate electronic marketing and the processing or transmission of any personal data as a result of electronic marketing. Section 25 of PECA 2016 however prohibits any person from engaging in spamming (including transmission of harmful, fraudulent, misleading, illegal or unsolicited information), though it may be noted that the aforementioned prohibition is only applicable where such spamming is done by a person for a wrongful gain.
PECA 2016 criminalizes unauthorized access to information systems or data, copying or transmission of data and use of identity information. PECA 2016 further criminalizes “offenses against the dignity of a natural person,” including the transmission of information through an information system which “harms the reputation or privacy of a natural person.”