
Pakistan: Cybersecurity

1. GOVERNING TEXTS

1.1. Legislation

Currently, Pakistan has no specific legislation in place addressing cybersecurity. However, the Ministry of Information Technology and Telecommunications ('MOITT') has prepared a consultation draft titled Personal Data Protection Bill 2021 ('the Bill'). The Bill inter alia provides for the protection of personal data, the obligations of data controllers and data processors, data subject rights, the processing of sensitive personal data, exemptions, the establishment of the National Commission for Personal Data Protection ('NCPDP'), and complaints and offences. This Guidance Note primarily focuses on the provisions of the Bill.

Nevertheless, other cybersecurity-related legislation, referred to throughout this Guidance Note, includes the Prevention of Electronic Crimes Act, 2016 ('PECA'), the Electronic Transactions Ordinance, 2002, the Payment Systems and Electronic Fund Transfers Act, 2007 ('the Payment Systems Act'), and the Pakistan Telecommunication (Re-organization) Act, 1996, together with the regulations issued under them by the State Bank of Pakistan ('SBP') and the Pakistan Telecommunication Authority ('PTA'), including the Regulations for Payment Card Security, the Regulations for the Security of Internet Banking, the Mobile Banking Regulations, the Telecom Security Regulations, and the Telecom Consumers Regulations.

Notably, the MOITT has recently issued a consultation draft of its National Cyber Security Policy 2021. One of the significant aspects of the policy is to develop a 'Cyber Security Act', as well as rules and regulations for a national cybersecurity framework. It is expected that, upon finalisation of the policy, work on the drafting of the Cyber Security Act will begin.

1.2. Regulatory authority

As noted above, the Bill provides for the establishment of the NCPDP. Under the Bill, the NCPDP would be responsible for:

  • the protection of the interests of data subjects;
  • the enforcement of data protection;
  • the prevention of any misuse of personal data;
  • the promotion of awareness of data protection; and
  • the handling of complaints.

The NCPDP would also have executive and judicial powers, including the powers vested in a Civil Court under the Code of Civil Procedure, 1908 (last amended by the Code of Civil Procedure (Amendment) Act, 2020) to decide a complaint or pass any order for that purpose.

1.3. Regulatory authority guidance

As the Bill is at a consultation stage, and the NCPDP is not yet established, there is no guidance. However, the NCPDP, under Section 51 of the Bill, would be empowered to make the rules with the approval of the Federal Government of Pakistan ('the Government'). The NCPDP may make rules pertaining to:

  • codes of conduct and ethics by data controllers and processors;
  • compliance, publicity, and enforcement of such codes;
  • consultations with data controllers and processors;
  • interaction and cooperation with international and regional bodies; and
  • setting up or accreditation of bodies to audit the security measures of data controllers and processors.

2. SCOPE OF APPLICATION

As noted above, so far, Pakistan has no specific law on cybersecurity.

The Bill, pertaining to personal data protection, is however applicable when any of the data subject, data controller, or data processor is located in Pakistan. Accordingly, the Bill is applicable to any person who processes, has control over the processing of, or authorises the processing of personal data.

Personal data, as per the Bill, means any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that information and other information in the possession of the data controller and/or data processor, including any sensitive personal data. Notably, anonymised or pseudonymised data which is incapable of identifying an individual is not personal data for the purposes of the Bill.

3. DEFINITIONS

Data subject: A natural person who is the subject of personal data.

Data controller: A natural or legal person, or the Government, who either alone or jointly has the authority to make a decision on the collection, obtaining, usage, or disclosure of personal data.

Data processor: A natural or legal person, or the Government, who alone or in conjunction with others processes data on behalf of the data controller.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1. Cybersecurity training and awareness

Sections 33(2)(c) and 33(2)(d) of the Bill provide for the functions of the NCPDP, including:

  • taking steps to create public awareness about personal data protection rights; and
  • engaging, supporting, guiding, facilitating, training, and persuading data controllers and processors to ensure the protection of personal data.

As the NCPDP is not yet in existence at this point in time, there are no requirements in relation to training and awareness.

4.2. Cybersecurity risk assessments

Section 34(2)(c)(v) of the Bill provides that the NCPDP is empowered to formulate a compliance framework for monitoring and enforcement in order to ensure transparency and accountability, which may include measures, such as Data Protection Impact Assessments ('DPIAs').

As the NCPDP is not yet established at this point in time, there are no requirements in relation to conducting risk assessments.

4.3. Vendor management

Section 8.3 of the Bill provides that where the processing of personal data is carried out by a data processor on behalf of the data controller, the data controller must, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction, ensure that the data processor undertakes to adopt applicable technical and organisational international security standards, as prescribed by the NCPDP.

Notably, under Section 8.4 of the Bill, the data processor is independently liable to take steps to ensure compliance with such security standards.

Furthermore, to ensure transparency and accountability, the NCPDP may formulate a compliance framework to regulate the processing of personal data by entities other than the data controller (Section 34(2)(c)(ix) of the Bill).

4.4. Accountability/record keeping

In accordance with Section 11 of the Bill, a data controller is required to keep and maintain a record of each application, notice, request, or any other information relating to personal data that has been, or is being processed, by the data controller. The NCPDP is to determine the manner and form in which such record is to be maintained.

The data controller is also to notify the NCPDP, on a regular basis, of the type of data collected and the processing undertaken on it.

5. DATA SECURITY

Electronic Transactions Ordinance

For the purposes of conducting electronic transactions, Section 2(x) of the Electronic Transactions Ordinance defines the 'security procedure' as a procedure which:

  • is agreed between parties;
  • is implemented in the normal course by a business and which is reasonably secure and reliable; or
  • in relation to a certificate issued by a certification service provider, is specified in its certification practice statement for establishing the authenticity or integrity, or both, of any electronic document, which may require the use of algorithms or codes, identifying words and numbers, encryption, answer back or acknowledgement procedures, software, hardware, or similar security devices.

The Electronic Certification Accreditation Council ('ECAC'), established under Section 18 of the Electronic Transactions Ordinance, is mandated to grant and renew accreditation of the security procedures used by certification service providers. The ECAC grants accreditation to the security procedures of those service providers who comply with the criteria for accreditation specified in the relevant regulations.

Section 41(1) of the Electronic Transactions Ordinance also provides that no person shall be compelled to disclose any password, key, or other secret information exclusively within their private knowledge, which enables their use of the security procedure or advanced electronic signature.

Bill

Section 8.1 of the Bill provides that the NCPDP shall, keeping in mind national interest, prescribe best international standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access, or disclosure, alteration, or destruction. Failure to adopt appropriate data security measures attracts the imposition of a fine. All data controllers and data processors are required to adopt necessary security measures within a period of six months from the day the Bill comes into force.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

Section 13 of the Bill requires the data controller to report, within 72 hours of a data breach, to the NCPDP and the data subject. The exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.

In case the notification is made beyond 72 hours, the notification must state valid reasons for the delay.

The notification must contain the following information:

  • description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • name and contact details of the data protection officer ('DPO') or another contact point where more information can be obtained;
  • likely consequences of the personal data breach; and
  • measures adopted or proposed to be adopted by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
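As an added illustration of the timing rule and the four required contents described above (example code written for this note, not a form or tool prescribed by the Bill or the NCPDP), the following helper computes the 72-hour deadline from the breach time, flags a late notification that lacks a stated reason for delay, and lists any required item that is missing. The field and function names are this example's own assumptions.

```python
"""Breach notification deadline and completeness check (illustrative).

Encodes the timing rule (72 hours) and the four required contents of a
breach notification as described in the text above. The data structure,
field names and function names are this example's own; they are not part
of the Bill or of any NCPDP form.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)

# Contents the notification must carry, one attribute per bullet in the text.
REQUIRED_FIELDS = ("nature", "contact_point", "likely_consequences", "measures")


@dataclass
class BreachNotification:
    breach_time: datetime           # when the breach occurred (timezone-aware)
    sent_time: datetime             # when the notification was sent (timezone-aware)
    nature: str = ""                # nature of the breach, categories and approx. numbers
    contact_point: str = ""         # DPO or other contact details
    likely_consequences: str = ""   # likely consequences of the breach
    measures: str = ""              # measures adopted or proposed, incl. mitigation
    low_risk: bool = False          # breach unlikely to result in a risk to data subjects
    delay_reason: Optional[str] = None  # required only when sent after the deadline


def notification_deadline(breach_time: datetime) -> datetime:
    """Latest time at which the notification is within the 72-hour window."""
    return breach_time + NOTIFICATION_WINDOW


def assess(n: BreachNotification) -> dict:
    """Return whether notification is required, whether it is late, and which
    required items are missing. A late notification is acceptable only if it
    states a reason for the delay."""
    for t in (n.breach_time, n.sent_time):
        if t.tzinfo is None:
            raise ValueError("use timezone-aware datetimes to avoid ambiguous deadlines")
    deadline = notification_deadline(n.breach_time)
    late = n.sent_time > deadline
    missing = [f for f in REQUIRED_FIELDS if not getattr(n, f).strip()]
    if late and not (n.delay_reason or "").strip():
        missing.append("delay_reason")
    return {
        "required": not n.low_risk,   # the low-risk exception removes the duty to notify
        "deadline": deadline,
        "late": late,
        "missing": missing,
        "compliant": n.low_risk or not missing,
    }


if __name__ == "__main__":
    # Constructed sample: breach at 09:00 UTC, notification sent 80 hours later.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    sample = BreachNotification(
        breach_time=t0, sent_time=t0 + timedelta(hours=80),
        nature="Exposure of ~1,200 customer records (names, phone numbers)",
        contact_point="dpo@example.invalid", likely_consequences="phishing risk",
        measures="credentials rotated; affected customers contacted",
    )
    print(assess(sample))  # late, missing delay_reason, not compliant
```

Because the duty runs from the breach itself rather than from the end of an investigation, the deadline is computed from `breach_time` and the investigation's duration is what the `delay_reason` has to justify.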

7. REGISTRATION WITH AUTHORITY

The Bill empowers the NCPDP to devise a registration mechanism for data controllers and data processors.

8. APPOINTMENT OF A SECURITY OFFICER

The Bill does not have an express requirement to appoint a DPO or a security officer. However, the Bill empowers the NCPDP to formulate a compliance framework for monitoring and enforcement with respect to the responsibilities of a DPO. It follows that, on promulgation of the Bill, the NCPDP would devise rules for the appointment of a DPO and their responsibilities.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

The following cybersecurity-related regulations apply to the financial sector:

General requirements

Section 70 of the Payment Systems Act provides that a financial institution or any other authorised party shall not divulge any information relating to electronic fund transfer, affairs, or account of its consumer.

Regulation 4.2(i) of the Regulations for Payment Card Security requires that card service providers must ensure the confidentiality of consumers' data in storage, transmission, and processing.

Regulation 2.2.3(c) of the Regulations for the Security of Internet Banking requires that customer information shall not be transferred to unauthorised storage or access medium.

Risk assessment

The SBP, through Circular No. 09, instructed all the banks/microfinance banks to carry out an extensive vulnerability assessment and penetration testing to identify potential weaknesses. In addition to internal assessment, the banks/microfinance banks are to arrange an independent third-party review/assessment of their payment systems.

Breach notification

For the banking sector, the Regulations for Payment Card Security requires that, in case of a security breach, a detailed report is to be submitted within 14 days to the SBP. In addition, the Regulations for the Security of Internet Banking provide that all established security breaches should be reported to the SBP on a quarterly basis. The impact of a security breach on banks' business, systems, applications, and customers is also required to be submitted.

Telecommunications

The Telecom Security Regulations are applicable to all PTA licensees for the security of critical telecom data and critical telecom infrastructure related to the telecommunications sector. The Telecom Security Regulations place certain obligations on the licensees, including:

  • constituting a steering committee of high-level representation from key operational areas;
  • ensuring physical and environmental security;
  • putting in place automated network monitoring systems;
  • protecting critical telecom infrastructure against malicious software activity;
  • ensuring the privacy of critical telecom data stored by the licensee;
  • ensuring the protection of critical telecom infrastructure;
  • backup maintenance;
  • reporting to a computer emergency response team; and
  • ensuring service and cybersecurity continuity and carrying out quarterly reviews of cybersecurity measures for analysis and improvement.

Regulation 16 of the Telecom Consumers Regulations requires that telecom services operators and their employees maintain the confidentiality of information about consumers.

Regulation 5(2)(xxi) of the Mobile Banking Regulations requires that the service-level agreement between third-party service providers, telecom operators, and authorised financial institutions be covered by a statement of online privacy, confirming that consumer information obtained as a result of mobile banking is collected, used, disclosed, and retained as committed or agreed.

Employment

Not applicable.

Education

Not applicable.

Insurance

Not applicable.

10. PENALTIES

Offence | Punishment | Nature

Payment Systems Act

Any financial institution or service provider who wilfully fails to comply with the provisions of the Payment Systems Act or rules, circulars, directions, orders, or by-laws issued under the Payment Systems Act | A fine that may extend to PKR 1 million (approx. €4,651). In case of failure to pay the fine, the SBP may suspend or revoke the license of the service provider or the financial institution. | Civil

The Telecom Act

Contravention of any rules or regulations issued under the Pakistan Telecommunication (Re-organization) Act, 1996 ('the Telecom Act') | Imprisonment for three years or a fine of PKR 10 million (approx. €46,512), or both. | Criminal

The Bill

A data controller not ceasing the processing of personal data after withdrawal of consent by the data subject | Fine up to PKR 5 million (approx. €23,256). | Criminal

Anyone who processes or causes to be processed, disseminates, or discloses personal data in violation of the Bill | Fine up to PKR 15 million (approx. €69,767) and, in case of subsequent unlawful processing, the fine may be raised up to PKR 25 million (approx. €116,279). In case of sensitive data, the fine may be raised to PKR 25 million (approx. €116,279). | Civil

Failure to adopt the security measures that are necessary to ensure data security | Fine up to PKR 5 million (approx. €23,256). | Civil

Failure to comply with the orders of the NCPDP or the court | Fine up to PKR 2.5 million (approx. €11,628). | Civil

Failure to respond to a notice issued by the NCPDP, failure to satisfy the NCPDP about any alleged contravention, or failure to remedy any contravention within the time allowed by the NCPDP | Fine up to PKR 250 million (approx. €1.16 million). | Civil

Corporate liability on a legal person | Fine not exceeding 1% of its annual gross revenue in Pakistan or PKR 30 million (approx. €139,535), whichever is higher. | Civil

PECA

Unauthorised access to information system or data | Imprisonment up to three months or fine up to PKR 50,000 (approx. €233), or both. | Criminal

Unauthorised copying or transmission of data | Imprisonment up to six months or fine up to PKR 100,000 (approx. €465), or both. | Criminal

Interference with information system or data | Imprisonment up to two years or fine up to PKR 500,000 (approx. €2,326), or both. | Criminal

Unauthorised access to critical infrastructure information system or data | Imprisonment up to three years or fine up to PKR 1 million (approx. €4,651), or both. | Criminal

Unauthorised copying or transmission of critical infrastructure data | Imprisonment up to five years or fine up to PKR 5 million (approx. €23,256), or both. | Criminal

Interference with critical infrastructure information system or data | Imprisonment up to seven years or fine up to PKR 10 million (approx. €46,512), or both. | Criminal

Electronic forgery | Imprisonment up to three years or fine up to PKR 250,000 (approx. €1,163), or both. | Criminal

Electronic forgery in relation to critical infrastructure information system or data | Imprisonment up to seven years or fine up to PKR 5 million (approx. €23,256), or both. | Criminal

Unauthorised use of identity information | Imprisonment up to three years or fine up to PKR 5 million (approx. €23,256), or both. | Criminal

Compensation | The court may, in addition to the above punishments, make an order for payment of compensation for any damage or loss caused to the victim. | Criminal



11. OTHER AREAS OF INTEREST

Right of complaint

Section 48 of the Bill provides that any individual or relevant person may file a complaint before the NCPDP against any violation of personal data protection rights, or against the conduct of any data controller or data processor in the performance of their functions, involving the following:

  • a breach of the data subject's consent to process their data;
  • a breach of the obligations of the data controller or the data processor during the performance of their functions;
  • a provision of incomplete, misleading, or false information while taking consent of the data subject; and
  • any other matter relating to the protection of personal data.

The NCPDP is required to provide an answer to the complaint within 30 days of its receipt or within such an extended time, for reasons to be recorded in writing, as reasonably determined by it.

Appeals against the decisions of the NCPDP are to lie with the High Court or to any other Tribunal established by the Government for the purpose in the manner prescribed by the High Court.

Network and information systems

The term 'network' is not defined. However, 'information system' is defined, in Section 2(p) of the Electronic Transactions Ordinance and in Section 2(xx) of PECA, as an electronic system for creating, generating, sending, receiving, storing, reproducing, displaying, recording, or processing information.

Electronic transactions

The provisions of the Electronic Transactions Ordinance apply, by virtue of Section 32, even where the matters concerned occur outside Pakistan, in so far as they are directly or indirectly connected to information systems within the territorial jurisdiction of Pakistan.

Section 13(1)(c) of the Electronic Transactions Ordinance provides that an electronic communication shall be deemed to be that of the originator if it was sent by an information system programmed by, or on behalf of, the originator.

Section 15 of the Electronic Transactions Ordinance provides the default rules for determining the time and place of dispatch and receipt of an electronic communication, unless otherwise agreed between the originator and the addressee. Dispatch occurs when the electronic communication enters an information system outside the control of the originator. Receipt occurs at the time at which the electronic communication enters the information system designated by the addressee, or, where it is sent to an information system other than the designated one, when the addressee retrieves it from that system. If the addressee has not designated an information system, receipt occurs when the electronic communication enters an information system of the addressee.

The place of dispatch or receipt of electronic communication is not dependent upon the place of location of the information system, but, unless otherwise agreed between the originator and the addressee, is the place where the originator or addressee ordinarily resides or has their place of business.

PECA

Sections 3 and 5 of PECA provide that unauthorised access and interference with an information system is an offence punishable with imprisonment, or a fine, or both (see section 10 above for further information).

Section 27 of PECA provides that any offence, under this law or any other law, shall not be denied legal recognition and enforcement for the sole reason of the offence being committed in relation to or through the use of an information system. Furthermore, reference to 'property' in any law creating an offence in relation to or concerning property shall include information system.

Section 33 of PECA provides the process to be followed by the authorised officer with the seizure of the information system.

Critical information infrastructure operators

Sections 2(x) and 2(xi) of PECA respectively define 'critical infrastructure' and 'critical infrastructure information system or data' as follows:

'Critical infrastructure' means critical elements of infrastructure namely assets, facilities, systems, networks, or processes the loss or compromise of which could result in:

  • major detrimental impact on the availability, integrity, or delivery of essential services, including those services, whose integrity, if compromised, could result in significant loss of life or casualties, taking into account significant economic or social impacts; or
  • significant impact on national security, national defence, or the functioning of the State.

In this regard, the Government may designate any private or government infrastructure as critical infrastructure as may be prescribed under PECA.

Furthermore, 'critical infrastructure information system or data' means an information system, programme, or data that supports or performs a function with respect to critical infrastructure.

Sections 6, 7, and 8 of PECA provide that unauthorised access to, copying or transmission of, and interference with a critical infrastructure information system or data is an offence punishable with imprisonment, or a fine, or both (see section 10 above for further information).

Section 13(2) of PECA provides that committing electronic forgery in relation to a critical infrastructure information system is an offence punishable with imprisonment, or a fine, or both (see section 10 above for further information).

Section 49 of PECA empowers the Government to constitute one or more computer emergency response teams to respond to any threat or attack on any critical infrastructure information system or critical infrastructure data, or any widespread attack on information systems in Pakistan.

Finally, under the Telecom Security Regulations, any equipment or assets, whether physical or virtual, which are vital for the provision of licensed telecom services and for storing, processing, and transferring data are defined as 'Critical Telecom Infrastructure' (please see section 9 above for further information).

Digital service providers

Section 2(zi) of the Payment Systems Act defines the 'service provider' as an operator or any other electronic fund transfer service provider.

Regulation 2(1)(xxviii) of the Mobile Banking Regulations defines 'Third Party Service Providers' ('TPSPs') as Class Applications Service Providers for technical support of mobile banking services, licensed by the PTA and authorised by the SBP to provide technical services for channelling, routing, and switching transactions for branchless/mobile banking only. It should be noted that TPSPs are to be used for interoperability purposes within the branchless banking domain, whereas Payment System Operators ('PSOs') and Payment Service Providers ('PSPs') provide an electronic platform for the clearing, processing, routing, and switching of electronic transactions under the rules for PSOs and PSPs issued, and as amended, by the SBP from time to time.

Saifullah Khan Managing Partner
Saeed Hasan Khan Partner
S.U.Khan Associates Corporate & Legal Consultants, Islamabad