Pakistan’s Leap Towards Safeguarding Privacy and Data Protection

 Personal Data and Information are soon to be more secure than ever before!

The lack of specific legislation on Data Protection in Pakistan is soon to be rectified, as the government, in light of its constitutional duty under Article 14 (safeguard to privacy) and with the appreciation of the fast-changing digitalized world, has introduced a new draft of the Pakistan Data Protection Bill, 2020 (the “Bill”).

The Ministry of Information Technology and Telecommunication (MITT), after a public consultation period, has finalized the Bill which, as soon as it is passed by both Houses of Parliament and assented by the President of Pakistan, will function as Pakistan’s primary legislation on personal Data Protection and regulation, the purposes of which are currently being served by the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) to a degree.

The Bill, along with the framework on privacy and Data Protection which it will institute, have been long-awaited and eagerly anticipated, crucial now more than ever for the protection of citizens’ personal information.

The provisions of the Bill are comprehensive, imposing obligations on controllers and processors of data and personal information, creating a regulatory body to ensure application of the rules, and levying accountability towards those in breach of the provisions of the law; it is a groundbreaking piece of legislation which will bring a major reform in Pakistan’s data protection sector.

data protection

Scope and Applicability of the Bill

In accordance with section 3 of the Bill, once it is enacted, it shall be applicable to all persons who process, control, or authorize the processing of any personal Data Protection, whether they are private individuals or government authority, as long as they are within Pakistan’s territorial jurisdiction.

The provisions of this Bill will also apply to those processors or controllers who are operating within the country, whether digitally or non-digitally, and involved in commercial or non-commercial activities in Pakistan, even if they have been incorporated in another jurisdiction.

The Bill will further bring into its confines all those controllers and processors who may not have been established within the country, but owing to international laws, belong to such a region where Pakistan’s laws are applicable.

data protection

Overview of the Legislation

The Bill proposes various stipulations essential in developing a secure legislative framework, some of these key provisions being:

  • The Concept of Consent: The Bill incorporates the notion of consent which has to be freely given, specific, informed and unambiguous indication of the Data Protection subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the collecting, obtaining and processing of personal data relating to him or he Without such consent, no Data Protection controller would be allowed to process any personal Data Protection (including sensitive personal data), unless the need for processing falls within the list of exempt activities within the Bill.
  • Legality of Data Processing: Collection, processing or disclosure of personal Data Protection would be allowed for legitimate purposes specified within the Bill, and would have to be “adequate, relevant and limited to what is necessary in relation to the purposes for which the Data Protection is processed.” The Bill limits processing of personal data by the controller only to situations where such processing
    • is for a lawful purpose directly related to an activity of the Data Protection controller;
    • is necessary for or directly related to that purpose; and
    • is adequate but not excessive in relation to that purpose.
  • Notice To the Data Subject: A written notice would have to be provided by a controller to the Data Protection subject regarding collection of personal information, a description of the personal data to that data subject, the purpose and legal basis for the collection, information on the source of the personal information available to the controller, data subject’s right to access and correction of their personal data, any third-parties to whom the data may be disclosed, and whether it is necessary or voluntary for data subjects to share the information.
  • Obligations and Requirements for Data Controllers: Data Protection controllers would not be allowed to disclose personal data without the consent of the data subject, other than for the purpose mentioned at the time of collection or a purpose directly related to that purpose, or to third-parties other than those mentioned in the notice. Moreover, Data Protection controllers would be subject to multiple obligations with regards to data integrity, security requirements, data retention requirements and record management. In the event of a personal data breach, the controller would be required to notify the data protection authority within 72 hours of becoming aware of said breach, unless it would threaten the rights of the data subjects.
  • Cross-Border Data Transfer and Sensitive Information: if required, and with the consent of Data Protection subjects, personal information may be transferred abroad to a state which has at least the same data protection framework as Pakistan and the data will be processed in accordance with the requirements under the Bill. However, critical personal data would only be processed in servers and data centers located within Pakistan and would be subject to additional limitations and requirements under Chapter IV of the Bill.
  • Rights of Data Subjects: Chapter III of the Bill details the rights of the Data Protection Subjects, who would:
    • have to inform by controllers of their Data Protection being processed;
    • be allowed to request for access to the Data Protection being processed, for a reasonable fee, which the controller would have to comply within under 30 days’ time;
    • have the right to make corrections of their Data Protection where inaccurate, misleading, incomplete or changed;
    • be allowed to withdraw consent to process personal Data Protection if given earlier;
    • have the right to prevent processing if it could cause distress or damage; and
    • have the right to have their Data Protection erased where certain conditions remain unmet.
  • Exemptions: Chapter V of the Bill lists down circumstances where controllers would be exempt from compliance with the provisions of the Bill and the criteria set under it, which include, but are not limited to
    • use of data for the individual’s personal, family or household affairs, including recreational purposes;
    • prevention of a crime or its investigation;
    • prosecution of an offender;
    • assessment or collection of a tax;
    • physical or mental health of a Data Protection subject;
    • preparing statistics or carrying out research;
    • in connection with any order or judgment of a court; and
    • for journalistic, literary or artistic purposes provided certain criteria are followed.
  • The Commission: A five-member Commission shall be set up within six months of passage of the Bill, the functions of which will be receiving and deciding complaints with regard to infringements, examining various laws, rules, policies, bye-laws, regulations to bring the law in conformity with the provisions of the Act, create public awareness about personal Data Protection rights, engaging, supporting, guiding controllers and processors, ensure transparency and accountability, taking prompt and appropriate action in the event of a breach along with a wide array of other responsibilities.
  • Complaint and Offences: The Bill proposes a fine of up to Rupees fifteen million for anyone processing or disclosing personal Data Protection in violation of the Bill, which would be raised up to Rupees twenty-five million in case of a subsequent For failure to adopt appropriate security measures, the Bill proposes a fine of up to five million rupees. A failure to comply with the orders of the Commission or the court shall be punishable with fine of up to Rupees two and a half million. Legal persons or companies have been proposed to be punished with fine of up to 1% of its annual gross revenue in Pakistan or Rupees thirty million, whichever is higher. Appeal against the Commission’s decision shall lie with the High Courts.
data protection

General Data Protection Regulation (GDPR), GDPR in the hand of business. GDPR concept.

The Next Step

As approval of the Bill is highly anticipated, not just by the general public, but KLA as well, we assure our valuable readers that we are on a constant lookout for all relevant developments, and will be updating you all as soon as your Data Protection becomes secure. Our readers are, therefore, recommended to stay connected with our blog to know all the latest happenings!

If this article is useful to you or any of your acquaintances, then we really hope that you will share it with others or that you can integrate it into any of your publications by quoting KLA thanks to a hyperlink.

About KLA – Kashir Law Associates

Whether you are a company or an individual, whether, in litigation or advisory matters, KLA will be able to offer you optimal and personalized assistance as per your needs.

Our International lawyers and exceptionally competent legal experts can support you in multiple areas of innovation such as Personal and Privacy Data Protection, Intellectual property, Cyber laws, e-law, startups, Trade & Investment Laws, etc.