1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

At present, Pakistan has no specific law relating to data protection. However, in August 2021 the Ministry of Information Technology and Telecommunication released a consultation draft of the Pakistan Personal Data Protection Bill, 2021 (the draft bill). After the consultation stage, the draft bill will be presented to Parliament for debate and passage. Once passed by Parliament, the law will be promulgated by presidential assent. The answers in this Q&A are based on the provisions as currently set out in the draft bill, which are subject to change during the legislative process until the law is finally promulgated.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Banking: Section 70 of the Payment Systems and Electronic Fund Transfers Act, 2007 provides that a financial institution or any other authorised party must not divulge any information relating to electronic fund transfers, affairs or accounts of its consumers.

Regulation 4.2(i) of the State Bank of Pakistan's Regulations for Payment Card Security requires that card service providers ensure the confidentiality of consumers' data in storage, transmission and processing.

Regulation 2.2.3(c) of the State Bank of Pakistan's Regulations for the Security of Internet Banking requires that customer information not be transferred to an unauthorised storage or access medium.

Telecommunications: Regulation 16 of the Telecom Consumers Protection Regulations, 2009 requires that telecommunications services operators and their employees maintain the confidentiality of consumer information.

Regulation 5(2)(xxi) of the Regulations for Technical Implementation of Mobile Banking, 2016 requires that service-level agreements between third-party service providers, telecommunications operators and authorised financial institutions include a statement on online privacy, confirming that consumer information obtained as a result of mobile banking is collected, used, disclosed and retained only as committed or agreed.

Specific types of data: The draft bill recognises and provides for separate treatment of 'sensitive personal data' and 'critical personal data'. 'Biometric data' is included within the definition of 'sensitive personal data'. Sensitive personal data can be processed only with the explicit consent of the data subject and only for the following purposes:

  • the exercise or performance of any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  • the protection of the vital interests of the data subject or another person;
  • the protection of the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
  • for medical purposes, where the processing is undertaken by a healthcare professional;
  • for the purpose of, or in connection with, any legal proceedings;
  • for the purpose of obtaining legal advice while ensuring its integrity and secrecy;
  • for the purpose of establishing, exercising or defending legal rights;
  • for the administration of justice pursuant to orders of a court of competent jurisdiction; or
  • for the exercise of any functions conferred on any person by or under any written law.

'Critical personal data' means data relating to public service providers, un-regulated e-commerce transactions and data related to international obligations, as determined by the Commission.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

No.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

Within six months of the entry into force of the draft bill, the federal government will establish the National Commission for Personal Data Protection of Pakistan (the Commission). The Commission will be responsible for:

  • protecting the interests of data subjects and ensuring the protection of personal data;
  • preventing the misuse of personal data;
  • promoting awareness of data protection; and
  • entertaining complaints.

The Commission will have all necessary powers to enable it to perform its functions effectively, including the power to decide on complaints and to pass any order. To this end, the Commission will be deemed to be a civil court and will enjoy all powers vested in a civil court under the Code of Civil Procedure, 1908. In addition, the Commission will have rule-making powers.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Under Section 8 of the draft bill, the Commission will prescribe standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Data controllers and data processors must adhere to the standards prescribed by the Commission. In terms of compliance and regulatory enforcement, the standards prescribed by the Commission will prevail over industry practices. However, it is likely that, in prescribing the standards, the Commission will take cognisance of industry-level best practices.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The draft bill is not 'entity' driven; rather, it defines and brings under its ambit the 'data controller' and 'data processor', irrespective of their legal form.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

General exemption: Personal data processed by an individual for the purposes of his or her personal, family or household affairs, including recreational purposes, is exempt from the scope of application of the draft bill.

Exemption from specific provisions: Certain processing is exempted from specified provisions of the draft bill, as follows.

  • Nature of processing: Critical personal data processed for the prevention or detection of crime or for the purpose of investigations; the apprehension or prosecution of offenders; the assessment or collection of any tax or duty; or any other imposition of a similar nature by the relevant Commission. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the standards prescribed by the Commission.
  • Nature of processing: Data processed in relation to the physical or mental health of a data subject. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the standards prescribed by the Commission.
  • Nature of processing: Data processed to prepare statistics or carry out research. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the standards prescribed by the Commission.
  • Nature of processing: Data processed for the purposes of or in connection with any order or judgment of a court. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the standards prescribed by the Commission.
  • Nature of processing: Data processed for the purpose of discharging regulatory functions. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the standards prescribed by the Commission.
  • Nature of processing: Data processed only for journalistic, literary or artistic purposes. Exempt from: consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the standards prescribed by the Commission; data retention requirements; data integrity and access requirements; record-keeping requirements.

2.3 Does the data privacy regime have extra-territorial application?

The draft bill applies to a controller or processor that operates in Pakistan, whether digitally or non-digitally, but is incorporated in any other jurisdiction and is involved in a commercial or non-commercial activity in Pakistan.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

A natural or legal person, or the government, which alone or in conjunction with others processes data on behalf of the data controller.

(c) Data controller

A natural or legal person, or the government, which either alone or jointly with others has the authority to make a decision on the collection, obtaining, usage or disclosure of personal data.

(d) Data subject

A natural person who is the subject of the personal data.

(e) Personal data

Any information that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymised, encrypted or pseudonymised data which is incapable of identifying an individual is not personal data.

(f) Sensitive personal data

This includes:

  • data relating to access control (username and/or password);
  • financial information such as details of bank accounts, credit cards, debit cards or other payment instruments;
  • passport information;
  • biometric data;
  • information on the data subject's physical, psychological or mental health conditions;
  • medical records;
  • details pertaining to an individual's ethnicity or religious beliefs; and
  • any other information for the purposes of the draft bill and rules issued thereunder.

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the collection, obtaining and processing of his or her personal data.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

Third party: Any person other than:

  • a data subject;
  • a relevant person in relation to a data subject;
  • a data controller;
  • a data processor; or
  • a person authorised in writing by the data controller to process personal data under the direct control of the data controller.

Relevant person:

  • In the case of a data subject who is below the age of 18, the parent or a guardian appointed by a court of competent jurisdiction;
  • In the case of a data subject who is incapable of managing his or her own affairs, a person who is appointed by a court to manage those affairs; or
  • A person authorised by the data subject to make a data access and/or data correction request.

Vital interests: Matters relating to the life, death or security of a data subject.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

Sections 34(2)(e) and (f) of the draft bill empower the Commission to devise and formulate a registration and licensing mechanism/framework for data controllers and data processors. The details regarding who must be registered, the registration process and the consequences of failure to register will be dealt with under a framework devised by the Commission after its establishment.

4.2 What is the process for registration?

Not yet established.

4.3 Is registered information publicly accessible?

Not as yet.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

The lawful basis for processing personal data is as follows:

  • The data is processed for a lawful purpose directly related to an activity of the data controller;
  • The processing of the personal data is necessary for or directly related to that purpose; and
  • The personal data is adequate but not excessive in relation to that purpose.

The lawful basis for processing sensitive personal data is listed under question 1.2.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

The following key principles apply:

  • Notice to data subject: Written notice provided by the data controller to the data subject about the collection and processing of his or her personal data.
  • Non-disclosure of personal data: No unauthorised disclosure.
  • Meeting the data security requirements: Compliance with the prescribed security standards to protect the data.
  • Data retention requirements: Not to keep data for longer than is required.
  • Data integrity and access: To ensure that data is accurate and that the data subject is given access to his or her data.
  • Record keeping: The retention of records on any application, notice, request or other information relating to personal data that it has processed or is processing.

In certain circumstances the processing of personal data is exempt from the scope of application of these key principles (see question 2.2).

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

The draft bill includes only the requirements set out in questions 5.1 and 5.2. Once the law has been promulgated and enforced, the Commission, under its rule-making powers, will issue a compliance framework.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Section 12 of the draft bill requires that personal data not be transferred to any unauthorised person or system.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

The draft bill sets out the following requirements and restrictions on the transfer of personal data outside Pakistan:

  • Critical personal data shall be processed only in a server or data centre located in Pakistan.
  • The country to which personal data is being transferred must offer protection that is at least equivalent to the protection provided under the draft bill (equal protection principle).
  • Personal data may be transferred outside Pakistan on the basis of a framework to be devised by the Commission.
  • The Commission will devise a mechanism for the retention of copies of any personal data in Pakistan which is transferred outside Pakistan.

Under the draft bill, the same data transfer requirements apply irrespective of the destination. This might be addressed by the Commission when devising the framework for the transfer of data outside Pakistan.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

The draft bill includes only the requirements set out in questions 6.1 and 6.2. Once the law has been promulgated and enforced, the Commission, under its rule-making powers, will issue a framework setting out further requirements.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

The draft bill confers the following rights on the data subjects:

  • the right to access personal data;
  • the right to correct personal data;
  • the right to withdraw consent;
  • the right to prevent processing that is likely to cause damage or distress;
  • the right to erasure;
  • the right not to be subjected to automated decision making including profiling; and
  • the right of data portability.

There are no exemptions to these rights. However, the draft bill specifies instances in which a data controller may refuse to comply with a request by a data subject to exercise these rights, as follows.

Right to access personal data:

  • The data controller is not provided with such information as it may reasonably require.
  • The data controller cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information.
  • Another data controller controls the processing of the personal data to which the data access request relates in such a way as to prohibit the data controller from complying with the data request, whether in full or in part.
  • The provision of access may constitute a violation of an order of a court.
  • The provision of access may disclose confidential information relating to the business of the data controller.
  • The requested access is regulated by another law.

Right to correct personal data:

  • The data controller is not provided with such information as it may reasonably require.
  • The data controller is not provided with such information as it may reasonably require to ascertain the way in which the personal data to which the data correction request relates is inaccurate, incomplete, misleading or out of date.
  • The data controller is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or out of date.
  • The data controller is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up to date.
  • Another data controller controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the data controller from complying with the data correction request, whether in full or in part.

Right to prevent processing that is likely to cause damage or distress:

  • The data subject has given his or her consent.
  • The processing of personal data is necessary:
    • to perform a contract to which the data subject is a party;
    • to take steps at the request of the data subject with a view to entering into a contract;
    • to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; or
    • to protect the vital interests of the data subject.
  • Such other cases as may be prescribed by the Federal Government upon recommendations of the Commission through publication in the Official Gazette.

Right to erasure:

Where processing is necessary:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Data subjects must present a written request to the data controller.

7.3 What remedies are available to data subjects in case of breach of their rights?

The first remedy under the draft bill is to file a complaint with the Commission. Appeals against decisions of the Commission must be referred to the high court or to any other tribunal established by the federal government for the purpose in the manner prescribed by the high court.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

Section 34(2)(c)(viii) of the draft bill empowers the Commission to formulate a compliance framework regarding the responsibilities of the data protection officer. The draft bill does not define the term or provide any further details. On the establishment of the Commission, this framework will be devised to address matters such as the mandatory or voluntary appointment of a data protection officer and the consequences of failure to do so.

8.2 What qualifications or other criteria must the data protection officer meet?

Not currently applicable.

8.3 What are the key responsibilities of the data protection officer?

Not currently applicable.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Not currently applicable.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Section 11 of the draft bill provides that a data controller must retain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by it. The Commission may determine the manner and form in which this record must be maintained.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

The draft bill includes only the requirements set out in questions 8.1 and 8.5. Once the law has been promulgated and enforced, the Commission, under its rule-making powers, will issue a framework setting out further requirements.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

The Commission, under Section 8 of the draft bill, is to prescribe standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. The data controller and the data processor must comply with the standards prescribed by the Commission.

Once the law has been promulgated and enforced, the Commission, under its rule-making powers, will issue a framework setting out further requirements.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Section 13 of the draft bill requires that the data controller report a data breach to the Commission and to the data subject within 72 hours. The exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.

Where the notification is made beyond 72 hours, the notification must state the reasons for delay.

The notification must contain the following information:

  • a description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures adopted or proposed to be adopted by the data controller to address the personal data breach, including where appropriate measures to mitigate its possible adverse effects.

The draft bill stipulates no process for notifying a data breach to the Commission. The procedural aspects of the notification requirement will be dealt with under the rule-making powers of the Commission.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

As discussed at question 9.2.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

The draft bill includes only the requirements set out in questions 9.1 and 9.2. Once the law has been promulgated and enforced, the Commission, under its rule-making powers, will issue a framework setting out further requirements.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

A data controller can process sensitive personal data (with consent) for the purposes of exercising or performing any right or obligation which is conferred or imposed on the data controller in connection with employment.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

The draft bill is silent in this regard.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The draft bill is silent in this regard.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

The draft bill gives data subjects the right not to be subjected to a decision based solely on automated processing, including profiling.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

The requirements and restrictions on the transfer of personal data outside Pakistan set out in question 6.2 will apply, since cloud computing may in essence entail the transfer of data outside the territorial jurisdiction of Pakistan.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The draft bill is silent in this regard. However, it is likely that the Commission will take inspiration from best international practices when framing rules for this purpose.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

The first step to bring a dispute is by filing a complaint with the Commission. Appeals against decisions of the Commission may be referred to the high court or to any other tribunal established by the federal government for the purpose in the manner prescribed by the high court.

12.2 What issues do such disputes typically involve? How are they typically resolved?

As the law is not yet in force, there have been no such disputes as yet.

12.3 Have there been any recent cases of note?

None – see question 12.2.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Following consultation, the draft bill has been approved by the Federal Cabinet and will now be presented to Parliament for passage into law. After promulgation, the law will come into force within a period of two years from its promulgation. The date on which it will enter into force will be determined by the federal government through notification in the Official Gazette at least three months in advance.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

The draft bill is progressing through the developmental legislative stages. This is the ideal time for meaningful consultation and dialogue among all persons likely to be impacted by the law. This will help to achieve the law's intended objectives.

Before the proposed law is enacted, there is also a need to learn from and adopt the best practices of jurisdictions that have already promulgated and enforced similar laws. In particular, guidance from mature jurisdictions on issues such as security standards, codes of conduct and grievance settlement will help to accelerate the legislative process in Pakistan.

Another significant issue is the awareness of data subjects in Pakistan. The law on personal data protection aims to provide safeguards to these individuals. Therefore, at this stage, more attention and efforts are required to educate data subjects on their rights and privileges under the proposed law and on how to enforce those rights and privileges. The Ministry of Information Technology and Telecommunication may initiate a comprehensive campaign to educate people on the basic principles and rights of data subjects. Otherwise, those individuals will not be in a position to claim any protection under the proposed law.
