The Ultimate Guide to Protection of Personal Information
Digitalization has resulted in a daily increase in electronic crimes, as more and more of internet users share their personal online data and information online. Without an extensive legal framework in place, exactly how secure is our online data, and how can the common man ensure that no violations are being made, with unauthorized access and use of his information?
What Rights Do We Have?
The highest law of the land, the Constitution of Pakistan, 1973, guarantees privacy for all men and women, under Article 14(1):
“The dignity of man and, subject to law, the privacy of home, shall be inviolable.”
The right to privacy of the home has been extended to online information privacy under the Lahore High Court judgement in M. D. Tahir v. the Director, State Bank of Pakistan, Lahore, and 3 others [2004 CLD 1680] (‘State Bank of Pakistan Case’) in which it was stated:
“It can hardly be denied, that the taking of private information without any allegation of wrongdoing of ordinary people is an extraordinary invasion of this fundamental right of privacy.”
Which Laws Protect Us?
Currently, the governing statute with regards to online data protection and information privacy is the Prevention of Electronic Crimes Act (‘PECA’), which was enacted in 2016, and is the primary law that curbs various electronic crimes as well as other unauthorized acts or infringements of online data protection and information security.
Furthermore, PECA provides the necessary instruments for an investigation into alleged crimes and unauthorized access of online data, as well as procedures pertaining to the prosecution of alleged offenders, their trial, as well as international cooperation (in case of crimes being committed from outside of Pakistan).
Applicability of PECA
The provisions of PECA apply to:
- The whole of Pakistan;
- All citizens of Pakistan;
- All persons for the time being residing within Pakistan;
- Acts that may have been committed outside of Pakistan’s territorial jurisdiction, but affect persons, properties or any online data or system within Pakistan, and the act itself is an offence under PECA.
Who Will Carry Out the Investigations?
PECA calls for the institution of an investigative agency that would look into the complaints being raised in connection with the offences mentioned within the act, and to carry out inquiries on the matters.
The investigative agency which has been selected by the Government, as required under PECA, is the Federal Investigative Agency (‘FIA’). FIA is required to conduct all necessary investigations on reports of crimes under PECA brought to its notice.
Furthermore, under the provisions of PECA, the Pakistan Telecommunication Authority (‘PTA’) has also been chosen as the regulatory authority regulating certain protected rights.
What Powers Do the Authorities Have?
Under PECA, FIA authorities have been granted the following powers:
- An authorized officer may, through giving notice to a person-in-charge of an information system, have personal online data handed over to him in connection with a criminal investigation, or where there is a threat to that data, provided that the integrity of such data is preserved.
- An authorized person can apply for a warrant from the court for search and seizure where online data in connection with a crime or investigation is kept and required as evidence against an offence under PECA.
- An authorized officer, where he can demonstrate to the court’s satisfaction that data would be required for the purpose of a criminal investigation, maybe handed over such online data from the court.
- An authorized person, furthermore, has the powers of access to the operation of a specified information system, use of any specified information system to search for online data, and can obtain and copy such data.
Offences and Penalties
PECA provides a list of activities that are illegal, as well as the penalties which will be levied if such acts are proved:
- For Unauthorised access to an information system or online data with dishonest intention: imprisonment up to three months or fine up to Rs. 50,000/- or both.
- Unauthorised copying or transmission of online data with dishonest intent: imprisonment up to six months, or fine up to Rs 100,000/- or with both.
- Interference with an information system or online data with dishonest intent, or causing it to be damaged: imprisonment up to two years, or fine up to Rs 500,000/-, or both.
- Unauthorized access to the critical infrastructure information system or online data: imprisonment up to three years, or fine up to Rs 1 million, or both.
- Unauthorised copying or transmission of critical infrastructure online data: imprisonment up to five years, or fine up to Rs 5 million or both.
- Interference with or damage caused to critical infrastructure: imprisonment up to seven years, or fine up to Rs. 10 million or both.
- Glorification of an offence: imprisonment up to seven years, or fine up to PKR 10 million or both.
- Cyber terrorism: imprisonment up to 14 years, or fine up to Rs 50 or both.
- Hate speech: imprisonment up to seven years, or with a fine, or with both.
- Recruitment, funding, or planning of terrorism: imprisonment up to seven years, or with a fine, or with both.
- Electronic forgery: imprisonment up to three years, or fine up to Rs 250,000 or both.
- Electronic fraud: imprisonment up to two years, or fine up to Rs 10 million or both.
- Making, obtaining, or supplying device for use in offence: imprisonment up to six months, or fine up to Rs 50,000 or both.
- Unauthorised use of identity information: imprisonment up to three years or fine up to Rs 5 million, or both.
- Unauthorised issuance of SIM cards: imprisonment up to three years, or fine up to Rs. 500,000 or both.
- Tampering of communication equipment: imprisonment up to three years, or fine up to Rs 1 million or both.
- Offences against the dignity of a natural person: imprisonment up to three years, or fine up to Rs 1 million or both.
- Malicious code: imprisonment up to two years, or fine up to Rs 1 million or both.
- Cyberstalking: imprisonment up to three years, or fine up to Rs 1 million or both. In case the victim is a minor: imprisonment up to five years or fine up to Rs. 10 million or both.
- Spamming: imprisonment up to three months, or fine up to Rs 5 million or both.
- Spoofing imprisonment: up to three years, or fine up to Rs 500,000 or both.
- Unlawful Online Content Rules: fine up to Rs 500 million.
About KLA – Kashir Law Associates
Whether you are a multi-national company or SME or an individual, who requires legal assistance in litigation or advisory matters, KLA will be able to offer you optimal and personalized assistance as per your needs. Our International lawyers and exceptionally competent online data Protection experts can support you in multiple areas of innovation such as Personal and Privacy online data Protection, Intellectual property, Cyber laws, e-law, startups, Trade & Investment Laws, etc.
If this article is useful to you or any of your acquaintances, then we really hope that you will share it with others or that you can integrate it into any of your publications by quoting KLA thanks to a hyperlink.
For more information on our work with startups, please see: