The Internet of Things (IoT) refers to the interconnected network of physical devices, vehicles, buildings, and other objects embedded with sensors, software, and network connectivity, enabling them to collect and exchange data. The use, sale, and purchase of IoT devices raise several legal issues, including:
1. Data Protection and Privacy: IoT devices collect and transmit vast amounts of data, including personal data, which may be subject to data protection and privacy laws. Manufacturers and sellers of IoT devices need to ensure that they comply with these laws and provide adequate privacy notices to users.
2. Cybersecurity: IoT devices are vulnerable to cyber attacks, which can compromise the security and privacy of users’ data. Manufacturers and sellers of IoT devices need to implement robust security measures to protect against these risks.
3. Liability: IoT devices can cause physical harm or property damage if they malfunction or are hacked. Manufacturers and sellers of IoT devices need to be aware of their potential liability for such harm and take steps to mitigate their risks.
4. Intellectual Property: IoT devices may incorporate patented technologies, which can give rise to intellectual property disputes between manufacturers and sellers.
5. Consumer Protection: IoT devices are subject to consumer protection laws, which require manufacturers and sellers to provide accurate information about the features, performance, and safety of their products.
6. Jurisdictional Issues: IoT devices are often sold and used across different jurisdictions, which can create legal issues related to jurisdictional competence and conflict of laws.
Overall, the legal issues arising from the use, sale, and purchase of IoT devices are complex and require careful consideration by manufacturers, sellers, and users alike.Our team at Josh and Mak International can give you indepth legal advice on these issues.Send us an email now at aemen@joshandmak.com
Comprehensive Q&A on Metaverse and Digital Economy in Pakistan
1. Metaverse
Q1: What is the current state of laws and regulations regarding the metaverse in Pakistan?
A1: Currently, Pakistan does not have any specific laws or codes of conduct that regulate the metaverse. The concept of the metaverse is still new and emerging, and it necessitates substantial public and legislative education to understand its implications and the necessity for regulation. Existing laws in Pakistan would require significant revisions or amendments to be applicable to the metaverse.
2. Digital Economy
Q2: What are the key challenges in the digital economy sector in Pakistan?
A2: Pakistan faces several challenges in the digital economy sector, primarily due to the absence of general laws or regulations covering the broad concept of the digital economy. However, the Ministry of IT & Telecom introduced the Digital Pakistan Policy in 2018 to foster a digitized ecosystem and encourage knowledge-based economic growth. This policy aims to create a comprehensive digital strategy, promote sectorial digitalization, enhance e-commerce, empower youth, stimulate innovation in the IT sector, boost software exports, and attract foreign and domestic investment. Additionally, it focuses on improving online accessibility for disabled persons and standardizing digital practices. While this policy is not a law, it guides relevant departments in shaping the future development of the digital sector.
Q3: What progress has been made in digital banking in Pakistan?
A3: Digital banking is one of the sectors in the digital economy that has seen significant development in Pakistan. Efforts are being made to modernize banking services and make them more accessible through digital means, facilitating easier and more efficient financial transactions.
Q4: What is the government’s stance on the e-commerce industry?
A4: The Pakistani government has shown keen interest in developing the e-commerce industry, recognizing its potential to contribute significantly to the economy. Efforts are being made to create a more conducive environment for e-commerce businesses to thrive.
Q5: What is Pakistan’s position on cryptocurrencies?
A5: Pakistan remains sceptical about cryptocurrencies, which have become a critical part of the digital economy in some jurisdictions. There is caution and hesitance in embracing cryptocurrencies, largely due to concerns about regulation, security, and stability.
Q6: Is the Digital Pakistan Policy legally binding?
A6: No, the Digital Pakistan Policy is not legally binding. It is more of a guiding document that outlines the vision and objectives for the digital transformation of various sectors in Pakistan. It serves as a roadmap for relevant departments and stakeholders for future development in the digital domain.
Q&A on Digital Banking in Pakistan
Q1: Who is the regulator for banks in Pakistan?
A1: The regulator for banks in Pakistan is the State Bank of Pakistan (SBP).
Q2: What is the SBP’s latest initiative in digital banking?
A2: In January 2022, the SBP issued the Licensing and Regulatory Framework for Digital Banks under the relevant provisions of the Banking Companies Ordinance 1962.
Q3: How is a “digital bank” defined under this new framework?
A3: A “digital bank” is defined as a bank that offers all kinds of financial products and services primarily through digital platforms or electronic channels instead of physical branches.
Q4: What types of digital bank licenses can the SBP grant?
A4: The SBP can grant two types of digital bank licenses:
- Digital Retail Bank (DRB), catering to retail customers.
- Digital Full Bank (DFB), serving both retail customers and business/corporate entities.
Q5: Who is eligible to form and seek a licence for a proposed digital bank?
A5: The following entities are eligible:
- Traditional banks with at least one year of experience in delivering digital financial services (DFS) in the retail customer segments.
- International banks or DFS entities with a minimum of three years’ track record in delivering DFS.
- Electronic Money Institutions (EMIs) seeking to convert into a digital bank with at least one year of DFS experience.
- Those holding majority stakes or exercising control over MFBs, EMIs, international banks, or DFS entities with three years of DFS track record.
- Any other person with at least three years of experience in relevant domains, applying with a minimum of 5% equity in the proposed digital bank.
Q6: Can the experience requirement for traditional banks and EMIs be extended?
A6: Yes, the SBP may advise an extended period of experience for traditional banks and EMIs if their performance in delivering DFS is not considered satisfactory.
Q7: Can the pilot phase operation period of an EMI count towards its experience requirement for transforming into a digital bank?
A7: Yes, the pilot phase operation period of an EMI can be counted towards the one-year operations requirement for transformation into a digital bank.
Q8: Are there any specific requirements for persons with experience in financial services or technology sectors?
A8: Yes, individuals with a minimum of three years of experience in financial services, fintech, ICT, or similar domains can apply for forming a digital bank. They must hold at least 5% equity in the proposed bank, preferably alongside another entity with experience in DFS.
Q&A on Digital Banking and E-Commerce in Pakistan
Q1: What is the current status of the digital banking regime in Pakistan?
A1: The digital banking regime in Pakistan is not immediately effective. It involves a multi-stage process including a no objection certificate (NOC), an in-principle approval, demonstration of operational readiness, and a restricted licence for pilot operations before the final grant of a licence for commercial operations.
Q2: How long does it take to obtain a digital banking license in Pakistan?
A2: The length of time needed to obtain a digital banking license varies based on the fulfilment of each specified criterion in the application process.
Q3: Can you name some entities that have received NOCs for establishing digital banks in Pakistan?
A3: As of 13 December 2023, the SBP has issued NOCs to five applicants:
- Easy Paisa DB (Telenor Pakistan B V & Ali Pay Holding Ltd)
- Hugo Bank (Getz Bros & Co, Atlas Consolidated Pte Ltd and M & P Pakistan Pvt Ltd)
- KT Bank (Kuda Technologies Ltd, Fatima Fertilizer Ltd and City School Pvt Ltd)
- Mashreq Bank (Mashreq Bank UAE)
- Ragami (Kuwait Investment Authority through PKIC and Enertech Holding Co)
Q4: Is there any sector-specific legislation for e-commerce in Pakistan?
A4: Currently, there is no sector-specific legislation applicable to the operation of e-commerce businesses in Pakistan. E-commerce operations are largely governed by existing laws and regulations on general commerce.
Q5: What is the e-Commerce Policy of Pakistan?
A5: The e-Commerce Policy of Pakistan, published in October 2019, is a vision document to enable an environment for the holistic growth of e-commerce across all sectors in Pakistan. It’s not a law but acts as guidance for government departments and entities for the future development of e-commerce operations.
Q6: What does “e-commerce” include as per the policy?
A6: E-commerce includes the buying and selling of goods or services, including digital products, through electronic transactions conducted via the internet or other computer-mediated (online communications) networks.
Q7: What are the main areas addressed by the e-Commerce Policy?
A7: The policy aims to address challenges in areas like:
- E-commerce regulatory and facilitation environment
- Financial inclusion and digitization through payment infrastructure development
- SME and youth empowerment
- Consumer protection in a digital environment
- Taxation on e-commerce activities
- ICT and telecom services
- Logistics for e-commerce platforms
- Data protection and investment
- Global connectivity and multilateral negotiations
Q&A on Digital Currencies and Digital Economy in Pakistan
Q1: What is the current stance of the State Bank of Pakistan (SBP) on cryptocurrencies?
A1: The SBP, under BPRD Circular No. 3 of 2018, has prohibited banks and financial institutions it regulates from facilitating dealings in cryptocurrencies.
Q2: Are there any legal proceedings concerning the regulation of cryptocurrencies in Pakistan?
A2: Yes, legal proceedings are pending to seek a direction that would nullify the SBP’s Circular and implement a regulatory framework for crypto-assets and crypto mining in Pakistan.
Q3: What actions have been taken by the Federal Investigation Agency (FIA) regarding cryptocurrencies?
A3: The FIA has initiated a crackdown on cryptocurrency dealers and has requested the Pakistan Telecommunication Authority (PTA) to shut down around 1,600 websites involved in digital currency fraud.
Q4: Is the SBP considering its own digital currency?
A4: Yes, the SBP is conducting a detailed analysis on launching its own digital currency, known as the Central Bank Digital Currency (CBDC).
Q5: What is the proposed Quick Response (QR) Code-based Person-to-Merchant (P2M) system?
A5: The SBP plans to launch a QR Code-based P2M system to enable merchants and small businesses to receive instant payments from customers.
Q6: What are the Regulations for Electronic Money Institutions (EMIs)?
A6: The Regulations for EMIs, promulgated by the SBP, aim to promote technological innovations and enable the non-banking sector to deliver efficient payment services at lower costs. They provide a regulatory framework for the establishment and operation of EMIs in Pakistan.
Q7: How does the SBP define “electronic money”?
A7: Electronic money is defined as monetary value represented by a claim on the issuer, stored electronically, and accepted as a means of payment by entities other than the issuer.
Q8: What are the stages for granting an EMI licence by the SBP?
A8: The SBP grants an EMI licence in three stages:
- In-Principle approval
- Permission for pilot operations after meeting operational readiness and other requirements
- Full-scale licence for commercial operations upon satisfactory completion of pilot operations
Q9: How many EMIs have been granted full-scale licences in Pakistan?
A9: To date, four non-banking entities have been granted a full-scale licence, with several more receiving in-principle approval.
Q10: What are the key challenges in moving towards a digital economy in Pakistan?
A10: Key challenges include:
- Educating the masses about the purpose and benefits of digitisation
- Ensuring access to fast and reliable communication networks, especially in remote areas
Q&A on Cloud and Edge Computing in Pakistan
Q1: What is the “Pakistan Cloud First Policy”?
A1: The “Pakistan Cloud First Policy,” notified in February 2022 by the Ministry of Information Technology & Communication, aims to encourage cloud adoption across Pakistan. It focuses on empowering organizations to transition to cloud-based solutions.
Q2: What impact is the Cloud Policy expected to have in Pakistan?
A2: The Cloud Policy is expected to drive cloud adoption across various markets and industries, fostering the growth of the local ICT industry. It aims to enable access to cloud-based technologies and complement emerging technologies like AI, machine learning, and the IoT.
Q3: How does the Cloud Policy address information security and data privacy?
A3: The Cloud Policy acknowledges the approach of cloud service providers towards information security and data privacy concerns. It outlines measures and guidelines to ensure data protection in the cloud environment.
Q4: What cloud service models are recognized in the Cloud Policy?
A4: The Cloud Policy recognizes different cloud service models, including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Q5: What are the different cloud deployment methods mentioned in the Cloud Policy?
A5: The Cloud Policy mentions various cloud deployment methods, including public cloud, government cloud, private cloud, and hybrid cloud.
Q6: What is the role of the cloud office to be set up by the Ministry of Information and Technology?
A6: The Ministry of Information and Technology plans to set up a cloud office to ensure a planned governance structure. This office will enable a roadmap for establishing a formal organization for cloud governance in Pakistan.
Q&A on Framework for Outsourcing to Cloud Service Providers in Pakistan’s Banking Sector
Q1: What is the “Framework on Outsourcing to Cloud Service Providers” in the banking sector?
A1: The “Framework on Outsourcing to Cloud Service Providers” is a regulatory guideline issued by the State Bank of Pakistan (SBP) that sets out minimum requirements for regulated entities (REs) like banks, microfinance banks, electronic money institutions, etc., for outsourcing their workloads to cloud service providers.
Q2: Does the Framework replace any previous guidelines?
A2: Yes, the Framework supersedes the previous “Enterprise Technology Governance and Risk Management Framework,” which was amended several times between 2017 and 2020.
Q3: What are ‘material workloads’ as defined in the Framework?
A3: Material workloads refer to all systems, applications, and services crucial for the business operations of an RE. Disruption in these workloads can significantly impact the institution’s business, reputation, or profitability.
Q4: Are REs still responsible for their operations after outsourcing to cloud providers?
A4: Yes, outsourcing services to cloud providers does not relieve REs of their primary responsibilities, which include effectively managing business operations, adhering to legal and regulatory requirements, and protecting consumer data.
Q5: What is the preference for cloud service providers under the Framework?
A5: REs are encouraged to give preference to onshore (domestic) cloud service providers for outsourcing.
Q6: Can electronic money institutions outsource to offshore cloud service providers?
A6: Yes, electronic money institutions, non-designated payment system operators, and payment service providers are allowed to outsource both material and non-material workloads to offshore cloud service providers.
Q7: What are the conditions for banks and similar institutions for outsourcing to offshore providers?
A7: Banks, microfinance banks, digital banks, and similar institutions can outsource non-material workloads to offshore providers. However, outsourcing material workloads to offshore providers requires SBP’s approval.
Q8: What are other key requirements under the Framework?
A8: Other requirements include monitoring and reviewing cloud workload capacity, providing adequate training, reporting security incidents to the SBP, conducting investigations to prevent future incidents, and providing detailed information to the SBP about material workloads one month before outsourcing.
Q&A on Internal Controls in Cloud Outsourcing Arrangements Under the Pakistan Banking Framework
Q1: What is the significance of internal controls in cloud outsourcing arrangements?
A1: Internal controls are crucial for managing cloud outsourcing arrangements. They help in maximizing benefits and managing associated risks. This involves adapting the organizational structure for effective oversight of cloud service providers and developing comprehensive internal policies.
Q2: What does the Framework require from Regulated Entities (REs) before entering into cloud outsourcing arrangements?
A2: The Framework mandates REs to exercise reasonable care by conducting due diligence of the cloud service providers. This includes assessing their material subcontracting arrangements using criteria defined in the Framework.
Q3: What are the key aspects that REs need to consider in their organizational structure for managing cloud outsourcing?
A3: REs need to adapt their organizational structure by developing specific governance responsibilities for cloud services, establishing comprehensive internal policies, and setting up effective oversight mechanisms for managing cloud service providers.
Q4: What does effective oversight mechanism entail under the Framework?
A4: An effective oversight mechanism includes assessing performance against service levels, evaluating the cloud service provider’s cybersecurity practices, monitoring changes in service locations, subcontracting, ownership, and ongoing review of compliance with laws and contractual obligations.
Q5: Are there any specific requirements for security event monitoring in cloud outsourcing?
A5: Yes, REs must establish mechanisms for security event monitoring in compliance with the requirements outlined in the Framework. This is to ensure the ongoing security and integrity of cloud-based operations.
Q6: How should REs handle changes in service locations or ownership by cloud service providers?
A6: REs are required to constantly monitor and assess any changes in service locations, subcontracting arrangements, or ownership of the cloud service providers. These changes should be reviewed for potential risks and compliance with the Framework’s guidelines.
Q7: What is the role of due diligence in cloud outsourcing according to the Framework?
A7: Due diligence is a critical process where REs evaluate potential cloud service providers based on defined criteria to ensure they meet necessary standards, particularly regarding cybersecurity and legal compliance.
Q8: What is the importance of reviewing cloud service provider compliance?
A8: Regularly reviewing the cloud service provider’s compliance with laws and contractual obligations is essential for maintaining the security, legality, and efficiency of the outsourced services.
