Legal Advice on Data Protection Laws in Pakistan by Josh and Mak International
As a leading law firm in Pakistan, Josh and Mak International offers expert legal advice on data protection laws to individuals, businesses, and organizations operating in the country. This advice aims to ensure compliance with data protection regulations and protect the rights and privacy of data subjects.
Data Protection Compliance:
Our legal experts can assist your organization in understanding the requirements envisaged by the latest Personal Data Protection Bill, 2023, as well as the legislation currently in force. We will review your data processing practices to ensure they align with the provisions of the law. This includes examining data collection processes, consent mechanisms, data retention policies, and international data transfers.
Drafting Privacy Policies and Consent Forms:
Once the Personal Data Protection Bill, 2023, becomes law, organizations will be required to obtain explicit consent from data subjects for processing their personal data. Our team can draft comprehensive privacy policies and consent forms tailored to your specific business activities, ensuring that they are in line with the legal requirements and provide clear and transparent information to data subjects.
Data Breach Response:
In the event of a data breach, swift action is essential to minimize potential damages. Our experienced lawyers will guide you through the process of assessing the breach, notifying the relevant authorities and affected data subjects within the required time frame, and implementing remedial measures to prevent future breaches.
Data Subject Rights:
Once the Personal Data Protection Bill, 2023, becomes law, it will grant various rights to data subjects, including the right to access, correct, and erase their personal data. We will advise you on how to handle data subject requests efficiently, ensuring compliance with the law and protecting individuals’ rights.
Data Transfer Mechanisms:
International data transfers require careful consideration if you are working with companies or clients registered in foreign jurisdictions. Our legal experts will guide you on the appropriate mechanisms to transfer personal data outside Pakistan, such as NCPDP adequacy decisions, binding contracts, or explicit consent from data subjects.
Employee Training and Awareness:
Ensuring your employees understand data protection laws and their responsibilities is crucial to maintaining compliance. We can conduct training sessions and raise awareness among your staff to minimize the risk of data breaches and promote a culture of data protection within your organization.
In the event of legal disputes or enforcement actions related to data protection, our skilled litigators can provide strong legal representation in courts or before relevant regulatory bodies.
Data protection compliance is a vital aspect of modern business operations, and non-compliance can lead to severe consequences. With Josh and Mak International’s expert legal advice, you can navigate the complexities of data protection laws in Pakistan and establish robust data protection practices, ensuring the privacy and security of personal data while maintaining your organization’s reputation and trustworthiness.
Contact us now at email@example.com
Below is a discussion of the legal aspects and applicable laws pertaining to data protection in Pakistan.
The Absence of a Consolidated Data Protection Law in Pakistan
In Pakistan, there is no single comprehensive law that addresses data privacy and protection across all sectors. Instead, various sector-specific laws and guidelines impose limited restrictions on the collection and handling of data. This fragmented approach creates uncertainties and gaps in safeguarding personal information.
Under the Constitution of Pakistan, 1973, the right to privacy is considered a fundamental right. Article 14(1) of the Constitution declares that the “dignity of man, and subject to law, the privacy of home, shall be inviolable.” Over time, the courts have interpreted this provision expansively, extending its protection to communications and data. However, despite recognizing the importance of privacy, Pakistan lacks a consolidated statute that comprehensively regulates the collection, retention, handling, processing, transfer, and transmission of data, including personal data. In this legal note, we explore the current state of data privacy laws in Pakistan, highlighting the limited scope of existing regulations and the need for a dedicated data protection law.
The Prevention of Electronic Crimes Act, 2016 (PECA) is the principal legislation in Pakistan that establishes a legal framework to address various forms of electronic crimes. Additionally, PECA extends its purview to encompass unauthorized access to personal data. This comprehensive legal note examines the powers vested in Authorised Officers under PECA, focusing on their ability to investigate offences and conduct searches and seizures related to electronic crimes.
Application and Jurisdiction:
PECA applies to all citizens of Pakistan, regardless of their location, and to any person present in Pakistan at the time of the offence. Furthermore, the act extends to acts committed outside Pakistan by any person if the act constitutes an offence under PECA and affects any person, property, information system, or data located in Pakistan.
Investigatory Powers of Authorised Officers:
Under Section 30 of PECA, officers designated as Authorised Officers have the authority to investigate offences defined by the act. Section 31 empowers these officers to take specific actions if they believe that certain data stored in an information system is necessary for a criminal investigation and there is a risk of data alteration, loss, destruction, or inaccessibility. The Authorised Officer can issue a written notice to the person in control of the information system, requiring them to provide the data or preserve it for up to 90 days, with the option to seek an extension from the court.
Search and Seizure:
Section 33 of PECA allows an Authorised Officer to apply to the court for a search or seizure warrant. If reasonable grounds exist to believe that an information system, data, device, or other articles are essential for a criminal investigation, the officer may enter specified premises with the warrant to search and seize relevant evidence. In cases of Section 10 offences, where the apprehension of data destruction or alteration exists, an Authorised Officer can conduct a search and seizure without a warrant, but they must inform the court within 24 hours.
Access to Data:
Section 34 of PECA enables an Authorised Officer to seek the court’s permission to access data stored in an information system if it is deemed necessary for a criminal investigation. The court may grant access after recording reasons for the decision.
Powers of Authorised Officers under Section 35:
Section 35 of PECA confers several powers on Authorised Officers:
- Access and inspection of specified information systems.
- Use of information systems to search for specified data.
- Obtaining and copying relevant data from information systems.
- Access to information in a readable and comprehensible format.
- Requiring access to data within the control of a person using an information system.
- Seeking technical assistance for the investigation from individuals responsible for operating an information system.
- Obtaining decryption information for accessing encrypted data.
Scope of Powers and Conduct of Authorised Officers:
Section 35(2) of PECA specifies guidelines for the exercise of powers by Authorised Officers:
- Exercise powers with proportionality.
- Maintain integrity and secrecy of information systems and data during search and seizure.
- Avoid interference with legitimate business operations and unrelated information systems.
- Minimize disruption to premises and data not subject to investigation.
PECA Reporting Requirements:
Section 53 of PECA mandates the Federal Investigation Agency (FIA) to submit bi-annual reports to the National Assembly and Senate, providing an overview of its activities without disclosing identity information.
PECA empowers Authorised Officers to effectively investigate electronic crimes and protect sensitive data while adhering to strict procedural guidelines. These powers are essential for combating cybercrimes and ensuring the integrity and security of information systems in Pakistan. However, it is crucial to strike a balance between law enforcement measures and individual privacy to ensure the effective implementation of PECA’s provisions.
Limited Redressal Options for Unauthorized Use of Personal Data: Data collected by entities, including retail businesses, for the provision of goods and services, is often protected under contractual arrangements. While such agreements may offer some level of data protection, they often do not provide sufficient recourse in case of unauthorized use of personal data. Consequently, individuals may find it challenging to seek remedies for data breaches or misuse.
Sector-Specific Laws and Policies: Certain laws and policies in Pakistan focus on specific data protection issues within particular sectors or industries. For instance, the Prevention of Electronic Crimes Act, 2016 (PECA) includes provisions related to data and information systems protection. PECA criminalizes unauthorized access to data or information systems, electronic forgery, unauthorized interception or use of identity information, and confidentiality breaches.
In specific sectors such as banking and telecommunications, there are special regimes and regulations in place to protect consumer data and ensure confidentiality. Some notable examples include:
- Section 70 of the Payment Systems and Electronic Fund Transfers Act, 2007 prohibits financial institutions and authorized parties from disclosing any information related to electronic fund transfers, consumer affairs, or accounts of its customers.
- Regulation 4.2(i) of the State Bank of Pakistan’s Regulations for Payment Card Security mandates card service providers to maintain the confidentiality of consumer data during storage, transmission, and processing.
- Regulation 2.2.3(c) of the State Bank of Pakistan’s Regulations for the Security of Internet Banking requires that customer information should not be transferred to an unauthorized storage or access medium.
- Regulation 16 of the Telecom Consumers Protection Regulations, 2009 obliges telecommunications service operators and their employees to uphold the confidentiality of consumer information.
- Regulation 5(2)(xxi) of the Regulations for Technical Implementation of Mobile Banking, 2016 requires that service-level agreements between third-party service providers, telecommunications operators, and authorized financial institutions include provisions for online privacy, ensuring that consumer information obtained through mobile banking is collected, used, disclosed, and retained only as agreed upon.
These regulations are put in place to safeguard sensitive data, including financial and personal information, in the banking and telecommunications sectors, and to ensure that customer privacy is respected and protected. Additionally, other specific sectors like insurance, healthcare, and advertising may also have their own set of regulations to safeguard specific types of data, such as biometric data or medical records.
Penalties under PECA: PECA outlines penalties for offences related to data and information systems. For instance, Section 4 of PECA prescribes imprisonment and fines for unauthorized copying or transmission of data with dishonest intent. Violators may face imprisonment for up to six months, a fine up to PKR 100,000, or both.
Investigating Agency and Authorization Requirements under Pakistan’s Data Protection Laws
The Federal Investigation Agency (FIA) has been assigned the role of investigating agency under the Prevention of Electronic Crimes Act, 2016 (PECA). For complaints related to unauthorized access or transmission of data in violation of PECA, citizens can approach the FIA’s Cyber Crime Wing. However, it is crucial to obtain prior authorization from the data subject to avoid infringing on PECA provisions.
Authorization Requirement under PECA and the Electronic Transactions Ordinance, 2002 (ETO): Obtaining the data subject’s authorization is a critical step to ensure compliance with PECA. This requirement is consistent with provisions in the Electronic Transactions Ordinance, 2002 (ETO), which governs the recognition of electronic records, communications, and transactions and accredits service providers.
Previously, the ETO included penalties for unauthorized access to any information system, regardless of the intent behind the access. It also prohibited unauthorized acts intending to alter, modify, delete, remove, generate, or transmit information through an information system. However, these offences were later incorporated into PECA, leading to their omission from the ETO.
Prohibitions under the Pakistan Telecommunication (Re-organisation) Act, 1996 (PTRA): The Pakistan Telecommunication (Re-organisation) Act, 1996 (PTRA) also sets forth prohibitions on unauthorized transmission through a telecommunication system or service of false, fabricated, indecent, or obscene intelligence.
Role of the FIA’s Cyber Crime Wing: As the designated investigating agency under PECA, the FIA’s Cyber Crime Wing handles complaints related to unauthorized data access or transmission. To protect individuals’ privacy and data rights, it is essential to engage the Cyber Crime Wing in cases where such unauthorized activities are suspected or detected.
The Unlawful Online Content Rules (Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules, 2021) were enacted under Section 37(2) in conjunction with Section 51 of the Prevention of Electronic Crimes Act (PECA) and were immediately enforced. Section 37 of PECA deals with unlawful online content, granting authority to the Pakistan Telecommunication Authority (PTA) to remove, block, or issue directions for such content’s removal or blocking if it is deemed necessary in relation to the commission of or incitement to an offence under PECA. These rules primarily pertain to the removal and blocking of unlawful online content.
It is noteworthy that neither PECA nor the rules provide a specific definition for ‘unlawful online content.’ However, it can be inferred from Section 37 of PECA that any online content accessed or shared in violation of PECA’s provisions falls within the scope of ‘unlawful online content.’
The Unlawful Online Content Rules also impose certain obligations on service providers, social media companies, and significant social media companies. They are required to publish community guidelines for accessing or using any online information system. These guidelines should be easily accessible and inform users not to host, display, upload, modify, publish, transmit, update, or share any online content that violates local laws.
It is important to note that the Unlawful Online Content Rules only apply to licensees providing social media or social network services. These terms are defined in the rules.
Rule 4 of the Unlawful Online Content Rules obligates the PTA to entertain complaints regarding online content. The PTA may seek further information or clarification from the complainant to make an appropriate decision. Upon registering the complaint, the PTA allocates a unique complaint number to be communicated to the complainant. The PTA must maintain the confidentiality of the online content and the complainant’s identity if sharing such information may lead to the proliferation of the content or cause harm, harassment, defamation, invasion of privacy, or relates to the complainant’s modesty.
Additionally, the PTA, subject to the provisions of the Unlawful Online Content Rules, can initiate action on its own motion by taking cognizance of any online content and exercising its powers under PECA to remove or block such content.
Implications of the Official Secrets Act, 1923 on Data Handling and Transfer
While obtaining necessary authorization under the Prevention of Electronic Crimes Act, 2016 (PECA) and the Pakistan Telecommunication (Re-organisation) Act, 1996 (PTRA) is essential, it is equally crucial to consider the implications of the colonial-era Official Secrets Act, 1923 (OSA) on the handling and transfer of data.
Prohibitions under the Official Secrets Act, 1923: The Official Secrets Act, 1923, a colonial-era law that is still in force, prohibits the communication of any State secret, official code, password, document, prohibited location data, or information that could be useful to an enemy of Pakistan, potentially compromising Pakistan’s safety or security.
Data Handling and Transfer Implications: Despite obtaining authorization under PECA and PTRA, organizations and individuals must be mindful of the sensitive nature of certain information and data. If any data, particularly classified or confidential information that falls within the ambit of the Official Secrets Act, is communicated, transmitted, or mishandled, it could lead to severe legal consequences.
Ensuring Compliance: To ensure compliance with the Official Secrets Act, organizations should implement robust data classification and handling procedures. It is crucial to distinguish between public information and sensitive data that requires protection under the OSA. Employees must be trained and made aware of the specific requirements for handling, storing, and transferring classified or sensitive data.
Importance of Due Diligence: Organizations dealing with sensitive information or collaborating with the government must exercise due diligence to avoid unintentional breaches of the Official Secrets Act. Implementing strong security measures, conducting regular audits, and establishing clear protocols for data handling will help mitigate potential risks.
While obtaining authorization under PECA and PTRA is crucial for data handling and transfer, compliance with the Official Secrets Act, 1923, is equally significant. Organizations must take necessary precautions to safeguard sensitive information and prevent any inadvertent violations of the OSA. By being diligent and proactive in data handling, organizations can maintain data security and integrity while respecting the laws and regulations governing the protection of classified information in Pakistan.
Industry-Specific Frameworks and the Need for Comprehensive Data Protection Law
Industry-specific frameworks and regulations play a crucial role in governing the handling of specific kinds of data. Regulators like the State Bank of Pakistan (SBP) and public sector entities have issued frameworks to guide banks, financial institutions, and government-owned entities in their data handling practices. However, these frameworks are limited to specific industries, leaving a gap in data protection for other entities. This emphasizes the necessity for a comprehensive data protection law in Pakistan.
State Bank of Pakistan’s Frameworks: The SBP has issued the Enterprise Technology Governance and Risk Management Framework for Financial Institutions (2017) and the Framework for Risk Management in Outsourcing Arrangements by Financial Institutions (2019). These frameworks apply to banks, financial institutions, and licensees under SBP regulation. They outline compliance guidelines, information technology usage, approval requirements, and obligations for data handling and transmission in the financial sector.
Public Sector Entities and the Cloud Policy: Public sector entities, wholly or partially owned by the Government of Pakistan, must comply with additional restrictions related to cloud computing services as stipulated in the Pakistan First Cloud Policy, 2022. The Cloud Policy aims to prevent unauthorized data transmission outside the country and mandates that certain cloud infrastructure exclusive to public sector entities should not be hosted outside Pakistan.
Inadequacy of Existing Frameworks: While the mentioned frameworks are essential for their respective industries, they do not cover data handling practices of many other entities. There is a lack of comprehensive regulation for data obtained, retained, and transferred by entities outside the scope of these specific frameworks. The existing frameworks, along with the Prevention of Electronic Crimes Act (PECA), Pakistan Telecommunication (Re-organisation) Act (PTRA), and Official Secrets Act (OSA), underscore the need for a comprehensive data protection law in Pakistan. Such a law should protect the right to privacy granted by the Constitution and align with international data protection best practices.
Industry-specific frameworks are valuable in guiding data handling practices within their sectors. However, a comprehensive data protection law is imperative to cover data protection for all entities, ensuring that the right to privacy is safeguarded across industries and in accordance with global standards. By establishing a robust data protection framework, Pakistan can enhance data security, foster public trust, and promote responsible data management practices.
The Personal Data Protection Bill, 2021 has been replaced by the Personal Data Protection Bill, 2023 (see below). The draft Personal Data Protection Bill (2021) had been in the pipeline since 2021. In contrast to the then limited industry-specific protections of data, the draft Bill was notably wide in its application. It was intended to be applicable to any entity/individual who had control over personal data, any entity operating in Pakistan that controlled or processed data, and any data subject in Pakistan. The draft Bill aimed to provide individuals with more control over their personal data by, for example, requiring data controllers to inform data subjects, through a written notice, of the collection of their personal data and the source, purposes, duration, further processing of such data, and information about the class of third parties who would have access to the data. Furthermore, the draft Bill placed an obligation on data controllers to take all reasonable steps to ensure that all personal data was destroyed or permanently deleted if it was no longer required for the purpose for which it was to be processed.
The Draft Data Protection Bill (2021) also envisaged that to build public trust, the law should establish a regulatory authority responsible for overseeing data protection compliance and enforcing penalties for violations. This authority should be equipped with the necessary resources and expertise to effectively monitor and address data protection concerns.
The Draft Data Protection Bill 2021 has been revised as of 2023.
Legal Update: Personal Data Protection Bill, 2023 – Key Highlights (May 2023)
The Pakistan Ministry of Information Technology and Telecommunication (MITT) introduced a new draft of the Personal Data Protection Bill, 2023 (PDPB) on 19th May 2023. The primary objective of the PDPB is to regulate the collection, processing, use, disclosure, and transfer of personal data, while also imposing penalties for violations of data privacy rights.
The PDPB has a broad scope that extends beyond Pakistan’s borders and applies to data controllers or processors falling under the following categories:
- Entities processing personal data within Pakistan’s territory.
- Entities incorporated in other jurisdictions but operating digitally or non-digitally within Pakistan, processing personal data related to commercial or non-commercial activities, including profiling of data subjects within Pakistan.
- Entities processing personal data in territories where Pakistani law applies under public or private international law, despite having no physical presence within Pakistan.
- Entities collecting personal data of data subjects within Pakistan, including foreign individuals present in Pakistan during data collection and data processing.
All data controllers and processors are required to register with the National Commission for Personal Data Protection (NCPDP) within six months of the PDPB’s commencement.
In case of a personal data breach, data controllers must notify the NCPDP and the data subject within 72 hours of becoming aware of the breach, unless the breach poses no significant risks to the data subject’s rights and freedoms. Data processors must follow a similar notification process but need only inform the data controller and the NCPDP. Additionally, data controllers are obligated to maintain a data breach register.
The PDPB places specific emphasis on the protection of children’s personal data (under 18 years). Controllers and processors must consider the rights and interests of children and obtain parental consent before processing their personal data. Tracking or behavioral monitoring of children, as well as targeted advertising directed at them, is strictly prohibited.
Similar to the GDPR, the PDPB lays down legitimate grounds for data processing, including consent, contract, legal obligations, protection of vital interests, court orders, legitimate interests of data controllers, public health, research in medical emergencies, and exercising functions conferred by law.
Sensitive and critical personal data require explicit consent from data subjects, except in specific circumstances such as compliance with employment obligations, protection of vital interests, medical purposes by healthcare professionals, legal proceedings, and obtaining legal advice.
“Sensitive data” encompasses financial information, health data, digital national identity cards or passports, biometric and genetic data, data related to religious beliefs, criminal records, political affiliations, ethnicity, or caste. “Critical personal data” refers to data retained by public service providers, data related to international obligations, or data identified as critical by sector regulators or the NCPDP. Enhanced safeguards apply to sensitive and critical personal data, and critical personal data must be processed within servers or digital infrastructures located within Pakistan’s territory.
The PDPB grants various rights to data subjects, including the right to access, correct, and erase their personal data, the right to prevent processing likely to cause harm, the right to redress grievances with controllers and the NCPDP, data portability, and the right not to be subject to solely automated decision-making, including profiling.
International data transfers (excluding critical personal data) can be conducted based on NCPDP adequacy decisions, binding contracts, explicit consent of data subjects (not conflicting with Pakistan’s national security or public interest), international agreements, or other conditions specified by the NCPDP.
The Personal Data Protection Bill, 2023, if enacted, will significantly impact data protection practices in Pakistan, aiming to enhance privacy rights and data security for individuals. Businesses and organizations must familiarize themselves with the provisions of the PDPB and ensure compliance with its requirements.
Additionally, promoting awareness and educating individuals and organizations about data protection practices is crucial. Training programs and campaigns can empower citizens to understand their rights, make informed decisions, and exercise greater control over their personal data.
In conclusion, as Pakistan continues its journey towards technological advancement and digital transformation, a well-crafted and comprehensive data protection law is essential to uphold citizens’ privacy rights and foster a secure digital ecosystem. The Government, in collaboration with relevant stakeholders, must prioritize the development and implementation of such a law to create a safer and more transparent digital environment for all.
While the Constitution of Pakistan recognizes the right to privacy as a fundamental right, the country lacks a comprehensive data protection law to safeguard individuals’ personal data adequately. The absence of a consolidated statute hinders the establishment of a robust framework for data privacy and protection across all sectors. Consequently, individuals may face challenges in seeking redressal for unauthorized data use or breaches. The existing sector-specific laws and policies, such as PECA, offer some protection, but a dedicated data protection law is essential to address the complexities and concerns associated with the collection, handling, and transfer of personal data in Pakistan. As data privacy becomes an increasingly critical issue in the digital age, it is crucial for policymakers to prioritize and enact comprehensive data protection legislation to protect the rights of individuals and foster trust in the digital economy.