Pakistan - Data Protection Overview
November 2022
1. Governing Texts
Pakistan does not have any extensive data protection legislation in place that specifically regulates matters in connection with the processing of personal data. The Prevention of Electronic Crimes Act, 2016 ('PECA') is currently the primary legislation that provides a legal framework in relation to various kinds of electronic crimes and also extends to the unauthorised access to personal data.
The Ministry of Information Technology and Telecommunications ('MOITT') has further promulgated the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguard) Rules 2021 ('Unlawful Online Content Rules'), under Section 37 of PECA. Section 37 of PECA provides that the Pakistan Telecommunication Authority ('PTA') will have the power to remove, block, or issue directions for the removal or blocking of access to information through any information system if it considers it necessary in relation to, inter alia, incitement of any offence under PECA. In addition to the above, MOITT has introduced the Personal Data Protection Bill 2021 ('the Bill'), which is yet to be promulgated into law. The Bill, once enacted, will be the main legislation regulating controllers and processors of personal data in Pakistan and will apply to any person who processes, has control over, or authorises the processing of any personal data, provided that the data subject, data controller, or data processor (either local or foreign) is located in Pakistan.
1.1. Key acts, regulations, directives, bills
Bill
As mentioned above, the Bill, once enacted, will be the primary law pertaining to the protection of personal data in Pakistan. It will regulate the collection, processing, use, disclosure, and cross-border transfer of personal data. Furthermore, the Bill provides that personal data shall not be processed by a data controller unless the consent of the data subject has been obtained.
The Bill will come into force on a date, no later than two years from its promulgation, that the Government of the Islamic Republic of Pakistan ('the Government') determines by notification in the Official Gazette, giving at least three months' advance notice of the effective date.
A public consultation process in respect of the Bill is under way. At present there is no clear indication as to when the Bill will be enacted.
Constitution
The Constitution of the Islamic Republic of Pakistan ('the Constitution') provides for the fundamental right to privacy.
Under Article 14(1) of the Constitution, 'privacy of home' shall be inviolable. Such privacy, however, is subject to the laws of Pakistan. In the case of M. D. Tahir v. the Director, State Bank of Pakistan, Lahore, and 3 others [2004 CLD 1680] ('the State Bank of Pakistan Case'), the judgment by the High Court of Lahore stated that, "It can hardly be denied, that the taking of private information without any allegation of wrongdoing of ordinary people is an extraordinary invasion of this fundamental right of privacy".
PECA
PECA is currently the primary legislation in respect of data protection in Pakistan and was promulgated on 18 August 2016. PECA aims to prevent unauthorised acts with respect to information systems and provides for related offences, as well as mechanisms for their investigation, prosecution, trial, and international cooperation with respect thereof.
Unlawful Online Content Rules
The Unlawful Online Content Rules were promulgated under Section 37(2) read with Section 51 of PECA, with immediate effect. Section 37 of PECA pertains to unlawful online content. Pursuant to the same, the PTA is empowered to remove or block, or issue directions for the removal or blocking of, access to information through any information system if it considers it necessary, inter alia, in relation to the commission of or incitement to an offence under PECA. Accordingly, the said rules primarily pertain to the removal and blocking of unlawful online content. It is pertinent to flag that neither PECA nor the rules define 'unlawful online content'. However, in view of Section 37 of PECA, it appears that any online content accessed or shared in contravention of the provisions of PECA would fall within the ambit of 'unlawful online content'. In addition to the foregoing, the Unlawful Online Content Rules also, inter alia, obligate a service provider, a social media company, and a significant social media company to publish community guidelines for access to or usage of any online information system. These guidelines are required to be easily accessible and, inter alia, to inform the user of the online information system not to host, display, upload, modify, publish, transmit, update, or share any online content that is in violation of local laws.
1.2. Guidelines
Currently, no guidelines have been issued pertaining to the protection of personal data.
The National Commission for Data Protection ('the Commission') will be established within six months of the coming into force of the Bill. The Commission will be empowered to carry out the purposes of the Bill, once enacted, which includes the issuance of guidelines on the protection of personal data.
1.3. Case law
The State Bank of Pakistan Case (see section on key acts, regulations, directives, bills above)
2. Scope of Application
2.1. Personal scope
Bill
The Bill extends to data subjects who are natural persons, present in Pakistan.
The scope of the Bill, when enacted, will apply to any person/government who processes, has control over, or authorises the processing of any personal data, provided any of the data controllers, or processors are established/present in Pakistan. It will further extend to a controller or processor digitally or non-digitally operational in Pakistan but incorporated in any other jurisdiction and involved in commercial or non-commercial activity in Pakistan.
The Bill will also apply to the processing of personal data by a controller and processor not established in Pakistan, but in a place where Pakistani law applies by virtue of private and public international law.
PECA
PECA applies to every citizen of Pakistan wherever they may be and to every other person for the time being in Pakistan. It also applies to any act committed outside Pakistan by any person if the act constitutes an offence under PECA and affects any person, property, information system, or data located in Pakistan.
Unlawful Online Content Rules
The Unlawful Online Content Rules apply only to those licensees which provide social media or social network services.
Please refer to the section on key definitions for how social media or social network services have been defined under the Unlawful Online Content Rules.
2.2. Territorial scope
Bill
The Bill, once promulgated, will apply to the whole of Pakistan.
PECA
PECA applies to the whole of Pakistan.
Unlawful Online Content Rules
The Unlawful Online Content Rules apply to the whole of Pakistan.
2.3. Material scope
As noted in the section on key acts, regulations, directives, bills above, the Bill regulates the collection, use, and cross-border transfer of personal data.
Section 31.1 of the Bill provides that personal data processed by an individual only for the purposes of that individual's personal, family, or household affairs, including recreational purposes shall be exempt from the provisions of the Bill.
Subject to the provisions of the Bill, Section 31.2 of the Bill provides the following exemptions:
- personal data processed for the following purposes shall be exempted from Sections 5, 6, 7, and 8(2) and such other related provisions of the Bill as may be prescribed by the Commission:
- the prevention or detection of crime or for the purpose of investigations;
- the apprehension or prosecution of offenders; or
- the assessment or collection of any tax or duty or any other imposition of a similar nature;
- personal data processed in relation to information on the physical or mental health of a data subject shall be exempted from Section 8(2) and other related provisions of the Bill, where the application of those provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
- personal data processed for preparing statistics or carrying out research shall be exempted from Sections 5, 6, 7, and 8(2) and other related provisions of the Bill, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;
- personal data that is necessary for the purpose of or in connection with any order or judgment of a court shall be exempted from Sections 5, 6, 7, and 8(2) and other related provisions of the Bill;
- personal data processed for the purpose of discharging regulatory functions shall be exempted from Sections 5, 6, 7, and 8(2) and other related provisions of the Bill, if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or
- personal data processed only for journalistic, literary, or artistic purposes shall be exempted from Sections 5, 6, 7, 8, 9, 10, and 11 and other related provisions of the Bill, provided that:
- the processing is undertaken with a view to the publication by any person of the journalistic, literary, or artistic material;
- the data controller, on reasonable grounds, believes that, taking into account the special importance of the public interest in freedom of expression, the publication would be in the public interest; and
- the processing of personal data in the interests of the security of the State, provided that the processing of personal data shall not be permitted, unless it is authorised pursuant to an express authorisation by the Government and in accordance with the procedure to be laid down by the Government in this regard.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Bill provides for the establishment of the Commission within six months of the promulgation of the Bill into law, to carry out the purposes of the Bill once promulgated.
In addition, PECA provides for the establishment of an investigative agency for the purpose of investigating any complaints pertaining to any offences under PECA. The Federal Investigative Agency ('FIA') has been appointed by the Government as the investigative agency under PECA. Additionally, PECA provides that the PTA should act as the authority regulating certain rights protected under PECA.
The Unlawful Online Content Rules provide that the PTA, subject to the provisions of the rules, may on its own motion take cognisance of any online content and exercise its powers under PECA for the removal and blocking of such online content. The Unlawful Online Content Rules further empower the PTA to issue directions for the removal or blocking of access to online content. In addition, the rules obligate service providers, social media companies, and significant social media companies to provide the FIA with any information, data, content, or sub-content contained in any online information system owned, managed, or run by the respective service provider, social media company, or significant social media company, in a decrypted, readable, and comprehensible format or plain version of such information, in accordance with the provisions of PECA.
3.2. Main powers, duties and responsibilities
Bill
Functions of the Commission
Section 33 of the Bill states that the Commission shall be responsible for protecting the interests of the data subject and enforcing the protection of personal data, preventing any misuse of personal data, promoting awareness of data protection, and entertaining complaints under the Bill.
Other functions of the Commission identified under Section 33(2) of the Bill include:
- receiving and deciding complaints with regard to infringement of personal data protection including violation of any provision of the promulgated act;
- examining various laws, rules, policies, by-laws, regulations, or instructions in relation to the protection of personal data, and suggesting amendments to bring the law in conformity with the provisions of the promulgated act;
- taking steps to create public awareness about personal data protection rights, and filing of complaints against infringement of these rights under the promulgated act;
- engaging, supporting, guiding, facilitating training, and persuading data controllers and data processors to ensure the protection of personal data under the promulgated act;
- ensuring that all its decisions are based on established principles to structure or minimise discretion and ensure transparency and accountability;
- monitoring and enforcing the application of the provisions of the promulgated act;
- taking prompt and appropriate action in response to a data security breach in accordance with the provisions of the promulgated act;
- monitoring cross-border transfers of personal data under the promulgated act;
- monitoring technological developments and commercial practices that may affect the protection of personal data, and promoting measures and undertaking research for innovation in the field of protection of personal data; and
- advising the Government and any other statutory authority on measures that must be undertaken to promote the protection of personal data and ensuring consistency of application and enforcement of the promulgated act.
The Commission will also have the function to make recommendations to the Government on policies with respect to personal data protection in line with international best practices and national requirements and to perform such other functions as the Government may, from time to time, assign to it. The Commission will also be entitled to seek professional input from private or public entities for the purposes of compliance of obligations under the promulgated act.
Powers of the Commission
Section 34 of the Bill provides that the Commission shall have and exercise all powers as shall enable it to effectively perform its functions specified in Section 33 of the Bill (see above), including the powers to:
- decide a complaint or pass any order. For this purpose, the Commission shall be deemed to be a Civil Court and shall have the same powers as are vested in such a court under the Code of Civil Procedure, 1908;
- formulate, approve, and implement policies, procedures, and regulations for its internal administration, operations, human resource management, procurements, financial management, and partnerships;
- formulate a compliance framework for monitoring and enforcement in order to ensure transparency and accountability, covering measures including but not limited to the following:
- privacy;
- transparency;
- security safeguards;
- personal data breach;
- Data Protection Impact Assessment ('DPIA');
- record maintenance;
- data audits;
- responsibilities of data protection officer ('DPO');
- processing by entities other than data controller;
- classification of the data controller;
- a grievance redressal mechanism;
- cross-border data sharing; and
- cross border equivalent mechanism and matter ancillary thereto;
- identify big/large data controllers/processors, along with other categories, and define special measures for compliance in accordance with the provisions of the promulgated act;
- formulate a registration framework for data controllers and data processors under the promulgated act;
- take prompt and appropriate action in response to a data security breach in accordance with the provisions of the promulgated Act;
- exercise powers of search and seizure while handling a complaint;
- prescribe a schedule of costs and the mode of payment for filing of a complaint and its format;
- seek information from data controllers in respect of data processing and impose penalties for non-observance of data security practices and non-compliance of the provisions of the promulgated act;
- order a data controller to take such reasonable measures as it may deem necessary to remedy an applicant for any failure to implement the provisions of the promulgated act; and
- summon and enforce the attendance of witnesses and compel them to give oral and written evidence under oath.
Section 35 of the Bill provides for the power of the Commission to call for information as may be reasonably required by it for effective discharging of its functions under the promulgated act. Whenever the Commission requires any information from the data controller or data processor, the concerned officer of the Commission shall provide a written notice to the data controller or the data processor stating the reason for such requisition in a specified manner and form in which such information may be provided.
PECA
Section 30 of PECA empowers officers of the FIA to investigate offences under the PECA ('the Authorised Officer').
Section 31 of PECA provides that to the extent that an Authorised Officer is satisfied that:
- specific data stored in any information system or by means of an information system is reasonably required for the purposes of a criminal investigation; and
- there is a risk or vulnerability that the data may be modified, lost, destroyed, or rendered inaccessible,
the Authorised Officer may, by written notice given to the person in control of the information system, require that person to provide that data, or to ensure that the data specified in the notice is preserved and its integrity maintained for a period not exceeding 90 days as specified in the notice. The Authorised Officer may apply to the court for the period of preservation to be extended.
Section 33 of PECA provides that an Authorised Officer may apply to the court for a warrant for search or seizure where there exist reasonable grounds to believe that there may be in a specified place an information system, data, device, or other articles that may reasonably be required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence in proving a specifically identified offence made out under PECA or has been acquired by a person as a result of the commission of an offence. Subsequent to obtaining such warrant, an Authorised Officer may enter the specified premises to search and seize or secure any information system, data, device, or other articles relevant to the offence.
Where, however, an offence under Section 10 of PECA is involved and a warrant cannot be obtained without the apprehension of destruction, alteration, or loss of data, information system, data, device or other articles required for the investigation, an Authorised Officer may conduct a search and seizure in relation to the offence without obtaining a warrant from the court, provided that the Authorised Officer not later than 24 hours brings this to the notice of the court.
Section 34 of PECA further states that where an Authorised Officer is able to demonstrate to the satisfaction of the court that there exist reasonable grounds to believe that the data stored in an information system is reasonably required for the purpose of a criminal investigation or criminal proceedings with respect to an offence made out under PECA, the court may, after recording reasons, order that the person in control of such data or information system, provide the Authorised Officer access to the same.
Section 35 of PECA provides for the following powers of an Authorised Officer to:
- have access to and inspect the operation of any specified information system;
- use or cause to be used any specified information system to search any specified data contained in or available to such system;
- obtain and copy only relevant data, use equipment to make copies, and obtain an intelligible output from an information system;
- have access to or demand any information in a readable and comprehensible format or plain version;
- require any person by whom or on whose behalf the Authorised Officer has reasonable cause to believe, any information system has been used to grant access to any data within an information system within the control of such person;
- require any person having charge of or otherwise concerned with the operation of any information system to provide them reasonable technical and other assistance as the Authorised Officer may require for investigation of an offence under PECA; and
- require any person who is in possession of decryption information of an information system, device, or data under investigation to grant them access to such data, device, or information system in unencrypted or decrypted intelligible format for the purpose of investigating any such offence.
Section 35(2) of PECA pertains to the scope of the above powers and provides that in exercising the power of search and seizure of any information system, programme, or data, the Authorised Officer shall at all times conduct themselves as follows:
- with proportionality;
- take all precautions to maintain the integrity and secrecy of the information system and data in respect of which the warrant for search and seizure has been issued;
- not disrupt or interfere with the integrity or running and operation of any information system or data that is not the subject of the offences identified in the application for which a warrant for search or seizure has been issued;
- avoid disruption to the continued legitimate business operations and the premises subject to search or seizure under PECA; and
- avoid disruption to any information system, programme, or data not connected with the information system that is not the subject of the offences identified for which a warrant has been issued or is not necessary for the investigation of the specified offence in respect of which a warrant has been issued.
Section 53 of PECA states that the FIA should submit a half-yearly report to both the National Assembly and Senate of Pakistan for consideration by the relevant committee in respect of its activities, without disclosing identity information, in a manner as prescribed under PECA.
Unlawful Online Content Rules
Pursuant to Rule 4 of the Unlawful Online Content Rules, the PTA is obligated to entertain complaints with regard to online content. The PTA may seek further information or clarification from the complainant for an appropriate decision on the complaint. The PTA is obligated to register the said complaint through the allocation of a unique complaint number to be communicated to the complainant. The PTA is further obligated to ensure that the online content and the identity of the complainant is kept confidential if the sharing of such online content or the identity of the complainant with others may result in proliferation of the online content or harming, harassing, or defaming the complainant, or invasive of the complainant's privacy or relates to the modesty of the complainant. The PTA, subject to the provisions of the Unlawful Online Content Rules, may on its own motion take cognisance of any online content and exercise its powers under PECA for removal or blocking of such online content.
4. Key Definitions
Anonymised data (as defined under the Bill): Information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Authority (as defined under PECA): The Pakistan Telecommunication Authority established under the Pakistan Telecommunication (Re-Organisation) Act, 1996.
Authorised officer (as defined under PECA): An officer of the investigation agency authorised to perform any function on behalf of the investigation agency by or under PECA.
Community guidelines (as defined under the Unlawful Online Content Rules): Any community guidelines, community standards, policies, rules, and regulations, user agreements, or any other instruments devised by a social media company or service provider.
Complainant (as defined under the Unlawful Online Content Rules): Any person, or their guardian where such person is a minor, aggrieved by unlawful online content, and includes a Ministry, Division, attached department, sub-ordinate office, provincial or local department or office, a law enforcement or intelligence agency of the Government, or a company owned or controlled by the Government.
Commission (as defined under the Bill): The Commission to be known as the National Commission for Personal Data Protection ('NCPDP') established under Section 32 of the Bill.
Consent (as defined under the Bill): The consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement, or by clear affirmative action, signify agreement to the collecting, obtaining, and processing of personal data relating to them.
Data controller (as defined under the Bill): A natural or legal person or the Government who, either alone or jointly, has the authority to make a decision on the collection, obtaining, usage, or disclosure of personal data.
Data processor (as defined under the Bill): A natural or legal person or the Government who alone or in conjunction with other(s) processes data on behalf of the data controller.
Personal data (as defined under the Bill): Any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymised, encrypted, or pseudonymised data which is incapable of identifying an individual is not personal data.
Data (as defined under PECA): Content data and traffic data.
Data subject (as defined under the Bill): A natural person who is the subject of personal data.
Database server (as defined under the Unlawful Online Content Rules): Back-end system of an online information system or service or Over the Top Application using server architecture, which performs tasks such as data analysis, storage, data manipulation, archiving, and other non-user specific tasks.
Emergency (as defined under the Unlawful Online Content Rules): A serious and potentially dangerous situation requiring immediate action for blocking or removal of blasphemous content, content threatening security or integrity of Pakistan or any other content inciting violence, so as to avoid disturbing public order.
Https (as defined under the Unlawful Online Content Rules): Hyper Text Transfer Protocol Secured used as underlying protocol by the World Wide Web for formatting, transmission, and communication of messages on internet in a secure encrypted form.
Information system (as defined under PECA): An electronic system for creating, generating, sending, receiving, storing, reproducing, displaying, recording, or processing any information.
Investigative agency (as defined under PECA): The law enforcement agency established by or designated under PECA.
Online content (as defined under the Unlawful Online Content Rules): Any information or an online information system.
Online information systems (as defined under the Unlawful Online Content Rules): An information system connected with other information systems through internet and any cloud-based content distribution services.
Processing (as defined under the Bill): Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Sensitive data (as defined under the Bill): Data relating to access control (username and/or password), financial information such as bank account details, credit card, or debit card details, or other payment instruments, computerised national identity card, as well as passports, biometric data, physical, behavioural, psychological, and mental health conditions, medical records, and any detail pertaining to an individual's ethnicity, religious beliefs, or any other information for the purposes of the Bill and rules made thereunder.
Health data: There is no definition of 'health data' in the applicable law.
Biometric data: There is no definition of 'biometric data' in the applicable law.
Pseudonymisation (as defined under the Bill): The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Relevant person (as defined under the Bill): in relation to a data subject:
- in the case of a data subject who is below the age of 18 years, the parent or a guardian appointed by a court of competent jurisdiction;
- in case of a data subject who is incapable of managing their own affairs, a person who is appointed by a court to manage those affairs; or
- a person authorised by the data subject to make a data access and/or data correction request.
Requestor (as defined under the Bill): Anybody who makes a request under the Bill for any matter related or ancillary to it.
Significant social media company (as defined under the Unlawful Online Content Rules): A social media company with more than half a million users in Pakistan, or one that is on the list specifically notified by the PTA for this purpose from time to time.
Social media or social network service (as defined under the Unlawful Online Content Rules): A website, application, or mobile web application, platform or communication channel, and any other such application and service that permits a person to become a registered user, establish an account, or create a public profile for the primary purpose of allowing the user to post and share user-generated content through such an account or profile, or enables one or more users to generate content that can be viewed, posted, and shared by other users of such platform. It does not include licensees of the PTA unless they specifically provide social media or social network services. Do note that the term 'licensees' is not defined under the said rules.
Social media company (as defined under Unlawful Online Content Rules): Any person that owns, provides, or manages online information systems for provisions of social media or social network service.
User (as defined under Unlawful Online Content Rules): Any person who accesses or avails any online information system for the purpose of hosting, publishing, creating, displaying, sharing, or uploading any information including views, and includes other persons jointly participating in using the online information systems.
5. Legal Bases
5.1. Consent
Section 5.1 of the Bill provides that a data controller shall not process personal data including sensitive personal data of a data subject, unless the data subject has given their consent to the processing of the personal data. In addition, a separate consent shall be obtained from the data subject for each purpose.
Furthermore, Section 7 of the Bill provides that no personal data shall, without the consent of the data subject, be disclosed:
- for any purpose other than:
  - the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or
  - a purpose directly related to the purpose referred to in the clause above; or
- to any party other than a third party of the class of third parties as specified in Section 6 of the Bill.
5.2. Contract with the data subject
Section 5.2(a) of the Bill provides that, notwithstanding the above, a data controller may process personal data about a data subject if the processing is necessary for the performance of a contract to which the data subject is a party.
5.3. Legal obligations
Section 5.2(b) of the Bill provides that, notwithstanding the above, a data controller may process personal data about a data subject if the processing is necessary for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract.
5.4. Interests of the data subject
Section 5.2(c) of the Bill provides that, notwithstanding the above, a data controller may process personal data about a data subject if the processing is necessary in order to protect the vital interests of the data subject.
Please refer to the section on data subject rights below for additional obligations provided under the Bill.
5.5. Public interest
The data controller may disclose personal data of a data subject other than for the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, in the event the disclosure is justified as being in the public interest in circumstances as determined by the Commission in advance of the disclosure.
Furthermore, personal data processed only for journalistic, literary, or artistic purposes shall be exempted from Sections 5, 6, 7, 8, 9, 10, and 11 and other related provisions of the Bill, provided that the data controller, on reasonable grounds, believes that, taking into account the special importance of the public interest in freedom of expression, the publication would be in the public interest.
5.6. Legitimate interests of the data controller
Section 5.2(e) of the Bill provides that, notwithstanding the above, a data controller may process personal data about a data subject if the processing is necessary for legitimate interests pursued by the data controller.
5.7. Legal bases in other instances
Bill
In addition to the conditions outlined above, Sections 5.2(d) and (f) of the Bill provide that a data controller may also process personal data about a data subject if the processing is necessary:
- for the administration of justice pursuant to an order of the court of competent jurisdiction; or
- for the exercise of any functions conferred on any person by or under any law.
PECA
PECA requires any person engaged in direct marketing to give an option to the recipient of direct marketing to unsubscribe from such marketing.
6. Principles
Section 5.3 of the Bill provides that personal data shall not be processed unless:
- the personal data is processed for a lawful purpose directly related to an activity of the data controller;
- the processing of the personal data is necessary for or directly related to that purpose; and
- the personal data is adequate but not excessive in relation to that purpose.
In this regard, the Bill provides the following main principles pertaining to the processing of personal data:
- lawfulness: the personal data should be processed for a lawful purpose directly related to an activity of the data controller;
- purpose limitation: the processing of the personal data should be necessary for or directly related to a lawful purpose directly related to an activity of the data controller;
- accuracy and integrity: a data controller should take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed;
- adequacy (data minimisation): the personal data should be adequate but not excessive in relation to a lawful purpose directly related to an activity of the data controller; and
- data retention: the personal data processed for any purpose should not be kept longer than is necessary for the fulfilment of that purpose or as required under the law, and it shall be the duty of a data controller to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed or as required under the law.
7. Controller and Processor Obligations
Security of personal data
Section 8.1 of the Bill states that the Commission, keeping in mind national interest, shall prescribe best international standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access, or disclosure, alteration, or destruction.
Section 8.2 of the Bill states that a data controller or processor shall, when collecting or processing personal data, take practical steps to protect the personal data in the terms mentioned under Section 8.1 by having regard to:
- the place or location where the personal data is stored;
- any security measures incorporated into any equipment in which the personal data is stored;
- the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data; and
- the measures taken for ensuring the secure transfer of personal data.
Section 8.3 of the Bill further provides that where the processing of personal data is carried out by a data processor on behalf of the data controller, the data controller shall, for the purpose of protecting the personal data in the terms mentioned under Section 8.1 of the Bill, ensure that the data processor undertakes to adopt applicable technical and organisational security international standards governing the processing of personal data, as prescribed by the Commission.
Section 8.4 of the Bill provides that the data processor is independently liable to take steps to ensure compliance with security standards prescribed under Section 8.1 of the Bill.
Pursuant to Rule 7(6)(5) of the Unlawful Online Content Rules, a significant social media company shall comply with user data privacy and data localisation requirements in accordance with applicable laws.
7.1. Data processing notification
While the Bill does not prescribe any registration requirements with respect to the processing of personal data, Section 34 of the Bill empowers the Commission to formulate a registration framework for data controllers and data processors.
7.2. Data transfers
Disclosures to third parties
Section 24 of the Bill provides that personal data of a data subject may be disclosed by a data controller for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only under the following circumstances:
- the data subject has given their consent to the disclosure;
- the disclosure:
  - is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations; or
  - was required or authorised by or under any law or by the order of a court;
- the data controller acted in the reasonable belief that they have in law the right to disclose the personal data to the other person;
- the data controller acted in the reasonable belief that they would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or
- the disclosure was justified as being in the public interest in circumstances as determined by the Commission in advance of the disclosure.
Cross-border data transfers
Section 12 of the Bill provides that personal data shall not be transferred to any unauthorised person or system.
Section 14 of the Bill provides for the cross-border transfer of personal data: where personal data is required to be transferred to a system located beyond the territory of Pakistan, or to a system that is not under the direct control of any government or entity in Pakistan, it shall be ensured that the country to which the data is being transferred offers a personal data protection legal regime at least equivalent to the protections provided under the Bill, that the data so transferred is processed in accordance with the Bill, and, where applicable, that consent is given by the data subject.
Section 15 of the Bill further provides that personal data other than those categorised as critical personal data may be transferred outside the territory of Pakistan under a framework (on conditions) to be devised by the Commission. More importantly, in accordance with Section 14 of the Bill, critical personal data shall only be processed in a server or data centre located in Pakistan.
The Commission shall also devise a mechanism for keeping some components of sensitive personal data in Pakistan to which this Bill applies, provided that it relates to public order or national security.
7.3. Data processing records
Pursuant to Section 11 of the Bill, a data controller will be required to keep and maintain a record of each application, notice, request, or any other information relating to personal data that has been or is being processed by them. The Commission may determine the manner and form in which the record is to be maintained.
The data controller is required to notify the Commission on a regular basis of the type of data they are collecting and the processing undertaken on the collected data. This does not apply in situations where data collection is occasional, unless the processing is likely to result in a risk to the rights and freedoms of the data subject.
7.4. Data protection impact assessment
There are no prescribed requirements currently in place. Under the Bill, the Commission is required to formulate a compliance framework for monitoring and enforcement in order to ensure transparency and accountability, including measures such as a DPIA.
7.5. Data protection officer appointment
The Bill does not prescribe any requirement for data controllers and processors to appoint a DPO. However, Section 34 of the Bill empowers the Commission to formulate the responsibilities of said officer, if and when appointed.
7.6. Data breach notification
There are currently no specific requirements under existing laws to notify a data breach. However, Section 13.1 of the Bill, not yet in force, provides that in the event of a personal data breach, the data controller shall, without undue delay and where reasonably possible not beyond 72 hours of becoming aware of the personal data breach, notify the Commission and the data subject in respect of the personal data breach, except where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.
Furthermore, Section 13.2 of the Bill provides that in the event of a delay in notifying a personal data breach beyond 72 hours, the personal data breach notification to the Commission shall be accompanied by valid reasons for the delay.
Section 13.3 of the Bill provides that minimum information in relation to the personal data breach notification should be provided, which is as follows:
- description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- name and contact details of the DPO or other contact point where more information can be obtained;
- likely consequences of the personal data breach; and
- measures adopted or proposed to be adopted by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data controller shall maintain a record of any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. The data processor shall also follow the personal data breach notification requirements under this section in the event of becoming aware of a personal data breach.
7.7. Data retention
Pursuant to Section 9.1 of the Bill, personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose or as required under the law. Further, Section 9.2 of the Bill provides that it shall be the duty of the data controller to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed or as required under Section 9.1 of the Bill.
In addition to the above, the following sector-specific requirements may also be applicable to the protection of personal data within such sectors:
Financial sector
Section 7 of the Payment Systems and Electronic Fund Transfers Act, 2007 provides that financial institutions providing funds transfer facility will be required to retain a complete record of electronic transactions in electronic form in the same manner as provided in Section 6 of the Electronic Transactions Ordinance, 2002 ('the 2002 Ordinance') for a period as may be determined by the State Bank of Pakistan ('SBP'). Section 6 of the 2002 Ordinance provides that the requirement under any law that a certain document, record, information, communication, or transaction be retained will be deemed satisfied by retaining it in electronic form if:
- the contents of the document, record, information, communication, or transaction remain accessible so as to be usable for subsequent reference;
- the contents and form of the document, record, information, communication, or transaction are as originally generated, sent, or received, or can be demonstrated to represent accurately the contents and form in which it was originally generated, sent, or received; and
- such document, record, information, communication, or transaction, if any, as enables the identification of the origin and destination of document, record, information, communication or transaction and the date and time when it was generated, sent or received, is retained.
Banking sector
Pursuant to Section 33A of the Banking Companies Ordinance, 1962 ('BCO'), banks and financial institutions shall, except as otherwise required by law, not divulge any information relating to the affairs of their customers except in circumstances in which, in accordance with the law, it is practice and usage customary among bankers, necessary, or appropriate for a bank to divulge such information.
Pursuant to Section 12 of the BCO, no banking company is permitted to remove from Pakistan to a place outside Pakistan any of its records and documents relating to its business at its branches, whether they are functioning or not, without the prior permission in writing of the SBP, where the term 'records' means ledgers, daybooks, cash books, account books, and all other books used in the business of a banking company, and the term 'documents' means vouchers, cheques, bills, pay orders, securities for advances, and any other documents supporting entries in the books of, or claims by or against, a banking company.
Telecommunications sector
The PTA has recently issued its Critical Telecom Data and Infrastructure Security Regulations, 2020 ('the PTA Regulations') under Section 5(2)(o) of the Pakistan Telecommunication (Re-organization) Act, 1996, which shall apply to all PTA licensees for the security of critical telecom data and critical telecom infrastructure related to the telecom sector.
The expression 'critical telecom data' has been defined in the PTA Regulations as personal data related to PTA licensees, licensee users, and/or customers which is retained by the telecom licensee and such information which is critical for the operations, confidentiality, and security of the licensee telecom systems including voice/data communication of its users/customers being handled by the telecom licensee.
The term 'personal data' for the purposes of the PTA Regulations means information associated with an individual or an organisation, relating to its private, public, and professional identification.
Pursuant to Regulation 5 of the Data Retention of Internet Extended to Public WiFi-Hotspots Regulations, 2018, the owner of a public Wi-Fi hotspot is obligated to record and maintain Network Address Translator ('NAT')/Port Address Translator ('PAT') logs and system logs of their consumers on a mandatory basis. Along with other information, the following additional parameters of the NAT/PAT and system logs are to be stored for a minimum of 12 months:
- full name of the user;
- computerised national identity card number/passport number (in case of foreigners);
- mobile number;
- date and time of login;
- date and time of log-off;
- data consumption with URLs;
- MAC address;
- internet access log;
- source IP address;
- source IP port;
- translated IP address;
- translated IP port;
- destination IP address; and
- destination IP port.
7.8. Children's data
There are no specific provisions under the Bill in connection with the processing of children's data. The parent or a guardian appointed by a court of competent jurisdiction may act as the 'relevant person' (e.g. in connection with data access requests where the identity of the data subject and the requester are ascertained).
7.9. Special categories of personal data
A data controller shall not process sensitive personal data of a data subject unless the data subject has given their consent to the processing of the personal data.
Pursuant to Section 29.1 of the Bill a data controller shall not process any sensitive personal data of a data subject except in accordance with the following conditions:
- the data subject has given their explicit consent to the processing of the personal data, provided that this consent is not restricted by any other applicable law; and/or
- the processing is necessary:
  - for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  - in order to protect the vital interests of the data subject or another person, in a case where:
    - consent cannot be given by or on behalf of the data subject; or
    - the data controller cannot reasonably be expected to obtain the consent of the data subject;
  - in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
  - for medical purposes and is undertaken by:
    - a healthcare professional; or
    - a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
  - for the purpose of, or in connection with, any legal proceedings;
  - for the purpose of obtaining legal advice while ensuring its integrity and secrecy;
  - for the purposes of establishing, exercising, or defending legal rights;
  - for the administration of justice pursuant to orders of a court of competent jurisdiction; or
  - for the exercise of any functions conferred on any person by or under any written law; and
- the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
For the purposes of this Section:
- 'medical purposes' includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation, and the provision of care and treatment, and the management of healthcare services; and
- 'healthcare professional' means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist, and other allied healthcare professionals, and any other person involved in the giving of medical, health, dental, pharmaceutical, or any other healthcare services authorised to provide such services under the laws of Pakistan.
7.10. Controller and processor contracts
The Bill prescribes no such requirements.
8. Data Subject Rights
8.1. Right to be informed
Section 16 of the Bill provides that a data subject or relevant person is entitled to be informed by a data controller whether personal data of which that individual is the data subject is being processed by or on behalf of the data controller.
Section 6.1 of the Bill provides that a data controller shall, by written notice (or, where this is not practical, via a written notice provided by another data controller that exercises control over the same personal data), inform a data subject:
- that the personal data of the data subject is being collected by or on behalf of a data controller, providing a description of the personal data to that data subject;
- the legal basis for the processing of personal data and time duration for which data is likely to be processed and retained thereafter;
- the purposes for which the personal data is being or is to be collected and further processed;
- of any information available to the data controller as to the source of that personal data;
- of the data subject's right to request access to and to request correction of the personal data and how to contact the data controller with any inquiries or complaints in respect of the personal data;
- of the class of third parties to whom the data controller discloses or may disclose the personal data;
- of the choices and means the data controller offers the data subject for restricting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
- whether it is obligatory or voluntary for the data subject to supply the personal data; and
- where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he or she fails to supply the personal data.
Section 6.2 of the Bill stipulates that the notice shall be given as soon as reasonably possible by the data controller:
- when the data subject is first asked by the data controller to provide their personal data;
- when the data controller first collects the personal data of the data subject; or
- in any other case, before the data controller:
  - uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or
  - discloses the personal data to a third party.
Section 6.3 of the Bill stipulates that a notice shall be in the national and/or English languages, and the individual shall be provided with a clear and readily accessible means to exercise their choice, where necessary, in the national and English languages.
8.2. Right to access
Section 16.2 of the Bill provides that a requestor may, upon payment of a prescribed reasonable fee for administrative costs, make a data access request to the data controller:
- for information of the data subject's personal data that is being processed by or on behalf of the data controller; and
- to have communicated to them a copy of the personal data in an intelligible form.
Such rights are subject to circumstances listed in Section 18.1 of the Bill wherein the data controller may refuse the data access request, such as where the data controller is not supplied with such information as the data controller may reasonably require:
- in order to satisfy itself as to the identity of the requestor; or
- where the requestor claims to be a relevant person, in order to satisfy itself:
  - as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; or
  - that the requestor is the relevant person in relation to the data subject; and
- to locate the personal data to which the data access request relates.
Under Section 10.2 of the Bill, a data subject shall be given access to their personal data held by a data controller, and the data controller shall be liable to correct that personal data where the personal data is inaccurate, incomplete, misleading, or not up to date, except where compliance with a request for such access or correction is refused under the Bill once promulgated.
8.3. Right to rectification
Section 19 of the Bill provides that a data subject may request the correction of their personal data where:
- a copy of the personal data has been supplied by the data controller in compliance with the data access request, and the requestor considers that the personal data is inaccurate, incomplete, misleading, or not up to date; or
- the data subject knows that their personal data being held by the data controller is inaccurate, incomplete, misleading, or not up to date.
Notwithstanding the foregoing provisions, Section 20.1 of the Bill provides that where the data controller is satisfied that the personal data to which a data correction request relates is inaccurate, incomplete, misleading, or not up-to-date, it shall, inter alia, not later than 30 days from the date of receipt of the data correction request:
- make the necessary correction to the personal data; and/or
- supply the requestor with a copy of the personal data as corrected, etc.
The data controller who is unable to comply with a data correction request within the period specified above shall, before the expiration of that period:
- by notice in writing, inform the requestor that they are unable to comply with the data correction request within such period and the reasons why they are unable to do so; and
- comply with the data correction request to the extent that they are able to do so.
Notwithstanding the foregoing, the data controller shall comply in whole with the data correction request not later than 14 days after the expiration of the period stipulated above.
Where a data controller is requested to correct personal data, and the personal data is being processed by another data controller that is in a better position to respond to the data correction request:
- the first-mentioned data controller shall immediately transfer the data correction request to such data controller, and notify the requestor of this fact; and
- relevant provisions applicable to the first-mentioned data controller shall be equally applicable to the other data controller.
Such rights are subject to circumstances listed in Section 21 of the Bill wherein the data controller may refuse the data correction request, such as where:
- the data controller is not supplied with such information as it may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading, or not up-to-date;
- the data controller is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading, or not up-to-date; or
- the data controller is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading, or up-to-date.
8.4. Right to erasure
Section 27 of the Bill provides the data subject with the right to obtain the erasure of personal data concerning them from the data controller without undue delay and the data controller shall have the obligation to erase personal data within 14 days where at least one of the following conditions applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to the relevant section of the Bill;
- the personal data have been unlawfully processed; or
- the personal data have to be erased for compliance with a legal obligation.
8.5. Right to object/opt-out
Section 23 of the Bill provides that a data subject may by notice in writing withdraw their consent to the processing of personal data in respect of which they are the data subject. The data controller shall, upon receiving such notice, cease the processing of the personal data.
Section 25.1 of the Bill states that a data subject may, at any time by notice in writing to a data controller, require the data controller at the end of such period as is reasonable in the circumstances, to:
- cease the processing of, or processing for a specified purpose or in a specified manner; or
- not begin the processing of, or processing for a specified purpose or in a specified manner,
any personal data in respect of which they are the data subject if, based on reasons to be stated by them:
- the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to them or a relevant person; and
- the damage or distress is or would be unwarranted.
Section 25.2 of the Bill provides that Section 25.1 shall not apply where:
- the data subject has given their consent; or
- the processing of personal data is necessary:
  - for the performance of a contract to which the data subject is a party;
  - for the taking of steps at the request of the data subject with a view to entering a contract;
  - for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by contract;
  - in order to protect the vital interests of the data subject; or
  - in such other cases as may be prescribed by the Government upon recommendations of the Commission through publication in the Official Gazette.
8.6. Right to data portability
The data subject's right to data portability is protected under Section 28 of the Bill.
8.7. Right not to be subject to automated decision-making
Section 28 of the Bill protects the data subject's right to not be subject to a decision based solely on automated processing, including profiling.
8.8. Other rights
Section 26 of the Bill prescribes that a foreign data subject shall have all of their rights, if any, provided under the laws of the country or territory where the foreign personal data has been collected or where the data subject resides, in so far as these are consistent with the provisions of the Bill.
9. Penalties
Bill
The following sanctions may be imposed by a court of competent jurisdiction after a trial.
Unlawful processing of personal data
Section 44 of the Bill provides that anyone who processes or causes to be processed, disseminates, or discloses personal data in violation of any of the provisions of the Bill shall be punished with a fine of up to PKR 15 million (approx. €68,460), and in case of subsequent unlawful processing of personal data, the fine may be raised up to PKR 25 million (approx. €114,090).
In case the offence committed relates to sensitive personal data, the offender may be punished with a fine of up to PKR 25 million (approx. €114,090).
Corporate liability
Section 47 of the Bill provides that a legal person shall be held liable for a non-compliance committed on its instructions or for its benefit, or for a lack of required supervision, by any individual, acting either individually or as part of a group of persons, who:
- has a leading position within it, based on a power of representation of the person;
- has an authority to take decisions on behalf of the person; or
- has an authority to exercise control within it.
The legal person shall be punished with a fine not exceeding 1% of its annual gross revenue in Pakistan or PKR 30 million (approx. €136,930), whichever is higher, provided that such punishment shall not absolve the liability of the individual who has committed the offence.
Penalties for continuing to process data after withdrawal of consent
Section 23 of the Bill provides that a data controller who continues processing data despite a data subject withdrawing consent to process such data commits an offence and shall, on conviction, be liable to a fine not exceeding PKR 5 million (approx. €22,820).
Failure to adopt appropriate data security measures
Section 45 of the Bill provides that anyone who fails to adopt the security measures that are necessary to ensure data security, when they are required to do so, in violation of the provisions laid down in the Bill and (the rules which are to be made thereunder) will be punished with a fine up to PKR 5 million (approx. €22,820).
Failure to comply with orders of the Commission
Section 46 of the Bill provides that anyone who fails to comply with the orders of the Commission or court when they are required to do so will be punished with a fine up to PKR 2.5 million (approx. €11,410).
Administrative sanctions
Section 48 of the Bill provides that a complaint may be filed before the Commission against any violation of personal data protection rights as granted under the Bill or the conduct of any data controller, data processor, or their processes in accordance with the relevant procedure set out under the Bill for:
- a breach of the data subject's consent to process data;
- a breach of the obligations of the data controller or the data processor in performance of their functions under the Bill;
- the provision of incomplete, misleading, or false information while obtaining the consent of the data subject; or
- other matters relating to the protection of personal data.
The Commission shall dispose of a complaint efficiently, and it may issue directions to stop the breach of the data protection rights of a data subject without first seeking comments from the concerned data processor or data controller, as the case may be. In case of failure of the data controller or data processor, as the case may be, to respond to the Commission or to execute its orders, the Commission may initiate enforcement proceedings as per the rules to be prescribed under the Bill.
PECA
Chapter II of PECA catalogues the offences in relation to electronic crimes in Pakistan. The list of acts criminalised under PECA includes illegal access to information systems or data, illegal interference with data or information systems, cyber terrorism, and electronic forgery.
Unauthorised access to information system or data
Section 3 of PECA states that whoever with dishonest intention gains unauthorised access to any information system or data will have committed an offence and shall be punished with imprisonment for a term which may extend to three months, or with a fine which may extend to PKR 50,000 (approx. €230), or with both.
Unauthorised copying or transmission of data
Section 4 of PECA provides that whoever, with dishonest intention and without authorisation, copies or otherwise transmits or causes to be transmitted any data shall be punished with imprisonment for a term which may extend to six months, or with a fine which may extend to PKR 100,000 (approx. €460), or with both.
Interference with information system or data
Section 5 of PECA refers to the offence of illegal interference with information systems or data, such that whoever, with dishonest intention, interferes with or damages, or causes to be interfered with or damaged, any part or whole of an information system or data shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 500,000 (approx. €2,280), or with both.
Critical infrastructure information system or data
Section 6 of PECA refers to the offence of unauthorised access to any critical infrastructure information system or data, which is punishable with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 1 million (approx. €4,570), or with both.
Section 7 of PECA provides that unauthorised copying or transmission of such critical infrastructure data shall be punished with imprisonment for a term which may extend to five years, or with a fine which may extend to PKR 5 million (approx. €22,820), or with both.
Section 8 of PECA provides that interference with or damage caused to such critical infrastructure information system or data shall be punished with imprisonment for a term which may extend to seven years, or with a fine which may extend to PKR 10 million (approx. €45,660), or with both.
Glorification of an offence
Section 9 of PECA states that whoever prepares or disseminates information through any information system or device with the intent to glorify an offence relating to, inter alia, terrorism or any person convicted of a terrorism-related crime, will be guilty of an offence under PECA, and such offence shall be punished with imprisonment for a term which may extend to seven years, or with a fine which may extend to PKR 10 million (approx. €45,650), or with both. For the purpose of clarity, note that the term 'glorification' as used herein includes the depiction of any form of praise or celebration in a desirable manner.
Cyber terrorism
Section 10 of PECA underlines the offence of cyber terrorism, wherein the commission or threat of commission of any of the offences mentioned in Sections 6 to 9 of PECA above with the intent to coerce, intimidate, overawe, or create a sense of fear, panic, or insecurity in the Government or the public or a section of the public, community, sect, or society, or to advance inter-faith, sectarian, or ethnic hatred, or to advance the objectives of organisations, individuals, or groups proscribed under the law, is an offence under PECA. Such offence is punishable with imprisonment for a term which may extend to 14 years, or with a fine which may extend to PKR 50 million (approx. €228,250), or with both.
Hate speech
Section 11 of PECA refers to the offence of hate speech, stating that whoever prepares or disseminates information through any information system or device, that advances or is likely to advance interfaith, sectarian, or racial hatred shall have committed an offence under PECA punishable with imprisonment for a term which may extend to seven years, or with a fine, or with both.
Recruitment, funding, or planning of terrorism
Section 12 of PECA provides that whoever prepares or disseminates information, through any information system or device, that invites or motivates to fund, or recruits people for terrorism or plans for terrorism shall be punished with imprisonment for a term which may extend to seven years, or with a fine, or with both.
Electronic forgery
Section 13 of PECA refers to the offence of electronic forgery, wherein whoever interferes with or uses any information system, device, or data with the intent to cause damage or injury to the public or to any person, or to make any illegal claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud by any input, alteration, deletion, or suppression of data resulting in unauthentic data, with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether the data is directly readable and intelligible or not, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 250,000 (approx. €1,140), or with both.
Note that any of the above acts committed in relation to a critical infrastructure information ('CII') system or data will also be an offence under PECA and shall be punished with imprisonment for a term, which may extend to seven years, or with a fine which may extend to PKR 5 million (approx. €22,830), or with both.
Electronic fraud
Section 14 of PECA pertains to the offence of electronic fraud, wherein whoever, with the intent of wrongful gain, interferes with or uses any information system, device, or data, or induces any person to enter into a relationship, or deceives any person, where such act or omission is likely to cause damage or harm to that person or any other person, shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 10 million (approx. €45,640), or with both.
Making, obtaining, or supplying device for use in offence
Section 15 of PECA states that whoever produces, makes, generates, adapts, exports, supplies, offers to supply, or imports for use any information system, data, or device with the intent that it be used, or believing that it is primarily to be used, to commit or assist in the commission of an offence shall, without prejudice to any other liability that they may incur in this behalf, be punished with imprisonment for a term which may extend to six months, or with a fine which may extend to PKR 50,000 (approx. €230), or with both.
Unauthorised use of identity information
Section 16 of PECA provides that whoever obtains, sells, possesses, transmits, or uses another person's identity information without authorisation will have committed an offence under PECA and shall be punished with imprisonment for a term which may extend to three years or with a fine which may extend to PKR 5 million (approx. €22,820), or with both.
Unauthorised issuance of SIM cards
Section 17 of PECA criminalises the unauthorised issuance of subscriber identity module ('SIM') cards, reusable identification modules ('R-IUM'), universal integrated circuit cards ('UICC'), or any other module designed for authenticating users to establish a connection with the network and to be used in cellular mobile, wireless phone, or other digital devices, without obtaining verification of the subscriber's antecedents in the manner prescribed by the PTA. Such offence shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 500,000 (approx. €2,280), or with both.
Tampering of communication equipment
Section 18 of PECA pertains to the offence of tampering with, changing, altering, or reprogramming unlawfully or without authorisation, any unique device identifier of any communication equipment including a cellular or wireless handset, and using or marketing such device for transmitting and receiving information, and provides that such offence shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 1 million (approx. €4,560), or with both.
Note that a 'unique device identifier' as used herein refers to an electronic equipment identifier, which is unique to a communication device.
Unauthorised interception
Section 19 of PECA states that whoever with dishonest intention commits unauthorised interception by technical means of:
- any transmission that is not intended to be and is not open to the public, from or within an information system; or
- electromagnetic emissions from an information system that is carrying data,
will have committed an offence under PECA and shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 500,000 (approx. €2,280), or with both.
Offences against the dignity of a natural person
Section 20 of PECA refers to offences against the dignity of a natural person, wherein whoever intentionally and publicly exhibits, displays, or transmits any information through any information system which they know to be false and which intimidates or harms the reputation or privacy of a natural person will have committed an offence under PECA and shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 1 million (approx. €4,560), or with both.
Malicious code
Section 23 of PECA provides that whoever wilfully or without authorisation writes, offers, makes available, distributes, or transmits malicious code through an information system or device with intent to cause harm to any information system or data resulting in the corruption, destruction, alteration, suppression, theft, or loss of the information system or data shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to PKR 1 million (approx. €4,560), or with both.
For the purpose of clarity, note that 'malicious code' includes a computer program or a hidden function in a program that damages an information system or data or compromises the performance of such system or availability of data, or uses it without proper authorisation.
Cyberstalking
Section 24 of PECA pertains to the offence of cyberstalking, stating that a person commits the offence of cyberstalking where such person, with the intent to coerce, intimidate, or harass any person, uses an information system, information system network, the internet, websites, email, or any other similar means of communication to:
- follow a person, or contact or attempt to contact such person to foster personal interaction repeatedly despite a clear indication of disinterest by such person;
- monitor the use by a person of the internet, email, text messages, or any other form of electronic communication;
- watch or spy upon a person in a manner that results in fear of violence or serious alarm or distress in the mind of such person; or
- take a photograph or make a video of any person and display or distribute it without their consent in a manner that harms such person.
Such offence shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 1 million (approx. €4,350), or with both. Where the victim of cyberstalking under this Section is a minor, the punishment may extend to imprisonment for five years, or a fine which may extend to PKR 10 million (approx. €43,500), or both.
Spamming
Section 25 of PECA deals with the offence of spamming, whereby any person who transmits harmful, fraudulent, misleading, illegal, or unsolicited information to any person without their permission or who causes any information system to show any such information for wrongful gain will have committed an offence under PECA and shall be punished with imprisonment for a term which may extend to three months, or with a fine of PKR 50,000 (approx. €230) which may extend to PKR 5 million (approx. €28,820), or with both.
Persons, including institutions and organisations, engaged in direct marketing are required to provide an option to unsubscribe from such marketing to their recipients.
Section 25 also provides for first-time offenders, stating that any person committing the offence of transmitting unsolicited information or engaging in direct marketing without providing the option to unsubscribe to its recipients for the first time shall be punished with a fine not exceeding PKR 50,000 (approx. €230), and for every subsequent violation, such person shall be punished with a fine not less than PKR 50,000 (approx. €230), which may extend to PKR 1 million (approx. €4,570).
Spoofing
Section 26 of PECA pertains to spoofing, wherein whoever with dishonest intention, establishes a website or sends any information with a counterfeit source intended to be believed by the recipient or visitor of the website to be an authentic source, commits the offence of spoofing and shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to PKR 500,000 (approx. €2,280), or with both.
Unlawful Online Content Rules
Rule 5 of the Unlawful Online Content Rules further provides that where a service provider, a social media company, or a significant social media company fails to respond to a written notice issued by the PTA to remove or block access to online content, or to comply with the directions issued by the PTA, within 48 hours, the PTA may, after affording an opportunity of hearing and by an order in writing, take appropriate action against the service provider, social media company, or significant social media company, as the case may be, which includes imposing a penalty of up to PKR 500 million (approx. €2.28 million).
9.1 Enforcement decisions
There are no significant enforcement decisions pertaining to the breach of personal data and imposition of penalties in relation thereto.