The Ministry of Information Technology and Telecommunications introduced, on 9 April 2020, the Personal Data Protection Bill 2020 (‘the Bill’) and launched a consultation on the same. In particular, the Bill, which replaces the Personal Data Protection Bill 2018 (‘the 2018 Bill’), outlines general requirements for personal data collection and processing, and contains provisions on data retention requirements, data breach notification obligations, cross-border data transfers, data subject rights, and the establishment of a personal data protection authority (‘the Authority’).

What are the key provisions introduced by the Bill?

The Bill includes a number of additional requirements to those outlined in the 2018 Bill. In particular, Mian Sami ud Din, Partner at Bhandari Naqvi Rizvi (BNR), told OneTrust DataGuidance that, “Section 3 of the Bill appears to have expanded its scope to include foreign-based data controllers and data processors, providing they process the personal data of a data subject in Pakistan. [Furthermore], the Commission for Personal Data Protection [established by the 2018 Bill] has been replaced with a seven-member Authority [which has the] power to call for information from any data controller or processor for the effective discharge of its functions.”

In addition, the Bill introduces a definition of ‘consent,’ contains provisions on the restriction of transfers outside of Pakistan, and outlines a number of significantly larger penalties for non-compliance than those contained in the 2018 Bill, including fines of up to PKR 5 million (€27,470) for processing personal data without consent, and up to 25 million (approx. €137,100) for the unlawful processing of personal data. Moreover, the Bill outlines that a legal entity held liable for non-compliance may be fined 1% of its annual gross revenue in Pakistan or PKR 30 million (approx. €164,380), whichever is higher.

Shafaq Rehman and Sara Ansari, Senior Associate and Associate respectively at RIAA Barker Gillette, told OneTrust DataGuidance, “The Bill is definitely a move in the right direction and aims to fill the gap of much needed data protection legislation, [however] the amendments do not appear to fully address all of the relevant gaps in the 2018 version. For example, while a definition of consent has now been included in the Bill, the definition provides that consent may be granted by a statement, or by a clear affirmative action. Clarification has not been provided in the Bill as to what will, or will not, qualify or be deemed a ‘clear affirmative action.’ In addition, it would appear that the Federal Government’s powers thereunder are wide and discretionary, including in relation to exempting data controllers on any terms it thinks fit from provisions of the Bill, which is likely to be an aspect that material stakeholders raise concerns on.”

How does the Bill compare with other global data protection laws?

Although the Bill would increase the amount of penalties for non-compliance, the monetary fines still remain significantly low in comparison with other privacy laws, in particular the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), which provides for administrative fines of up to €20 million, or in the case of an undertaking, up to 4% of the undertaking’s total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) of the GDPR).

Moreover, Sami ud Din highlighted that, “The Bill attempts to replicate many of the provisions contained in the GDPR, including data subject rights. However, there are certain exceptions within the Bill, which restrict these rights, for instance the Bill creates an exception to the right to access data from a data controller or processor on grounds of confidentiality. The Bill also does not mention the right to data portability, nor does it require the data controller or the Authority to notify the data subject in case of a data breach.”

Next steps?

If passed, the Bill states that it would come into force one year from the date of its promulgation, or such other date not falling beyond two years from the date of its promulgation. As such, Rehman and Ansari noted that, “This should allow businesses sufficient time to reconsider their practices in relation to the collection, control and processing of data and to bring them in line with the Bill. In particular, businesses will need to review whether they qualify as a ‘data processor’ or ‘data controller’ within the definitions outlined in the Bill and ensure that their practices comply with the requirements of the Bill.”

The Bill is currently open for public consultation. Comments can be submitted via email to [email protected] until 15 May 2020.

Comments provided by:

Mian Sami ud Din Partner

Bhandari Naqvi Rizvi (BNR)

Shafaq Rehman Partner

RIAA Barker Gillette

Sara Ansari Senior Associate

RIAA Barker Gillette

