The Ministry of Information Technology and Telecommunication has finalized the Personal Data Protection Bill, 2021, and has sent it to the Ministry of Law to be vetted.

It proposes a fine of up to Rs. 25 million for those who process or cause to be processed, disseminate, or disclose personal data in violation of the provisions of the proposed legislation.

The proposed legislation will govern the collection, processing, use, and disclosure of personal data, and will establish and make provisions for offenses related to the violation of an individual’s right to the privacy of the data by collecting, obtaining, or processing personal data by any means.

It is also expedient to provide for the processing, obtaining, holding, usage, and disclosure of data while respecting the rights, freedom, and dignity of natural persons with special regard to their rights to privacy, secrecy, and personal identity, and for related and supporting matters.

It was mentioned in the draft bill that personal data has become an extremely valuable commodity in today’s digital age, and the sole source of income for many businesses is the personal data of users that they generate. Personal data is often collected, processed, and even sold without the knowledge of the person to whom it belongs. In some cases, such personal information is used for relatively less troublesome commercial purposes like targeted advertising. However, the data thus captured or generated can be misused in many ways, such as blackmailing, behavior modification, and phishing scams, etc.

To attain the goal of the full-scale adoption of e-governance, the delivery of services to people at their doorsteps, and increase users’ confidence in the confidentiality and integrity of government databases, it is essential for users’ data to be fully protected from any unauthorized access or usage, and for remedies for the misuse of their data to be provided to them.

Additionally, the accelerated growth in the use of broadband with the advent of Next Generation Mobile Service and Networks in Pakistan has led to increasingly enhanced reliance on technology, which has prompted a call for the prevention of the misuse of people’s data to maintain their confidence in the use of new technologies.

While Pakistan already has sectoral arrangements and frameworks for data protection, and the Prevention of Electronic Crimes Act, 2016 (Act No. XL of 2016), that deals with crimes related to unauthorized access to data, there is still a need for a comprehensive legal framework in line with the constitution and international best practices for personal data protection.

The protection of personal data is also necessary for the provision of legal certainty to businesses and public functionaries whose activities involve the processing of personal data. The desired legal framework will spell out the responsibilities of the data controllers and processors, and the rights and privileges of the data subjects along with institutional provisions for the regulation of activities related to the collection, storage, processing, and usage of personal data.

The collection, processing, and disclosure of personal data will only be done as necessary in compliance with the provisions of the proposed act. The data be collected for specified, explicit, and legitimate purposes, and will not be processed further in a manner that is incompatible with these purposes but will be adequate, relevant, and limited to what is necessary regarding the purposes for which the data is processed.

A data controller will not process personal data, including the sensitive personal data of a data subject unless the latter has consented to the processing of the personal data. Separate consent will be obtained from the data subject for each purpose. Notwithstanding subsection (1), a data controller may process personal data about a data subject if the processing is necessary for either of the following:

  1. for the performance of a contract to which the data subject is a party;
  2. for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by a contract;
  3. to protect the vital interests of the data subject;
  4. for the administration of justice pursuant to an order of the court of competent jurisdiction;
  5. for legitimate interests pursued by the data controller;
  6. for the exercise of any functions conferred on any person by or under any law.

Personal data will not be processed unless:

  1. the personal data is processed for a lawful purpose that is directly related to an activity of the data controller;
  2. the processing of the personal data is necessary for or directly related to that purpose;
  3. the personal data is adequate but not excessive in relation to that purpose.

Subject to section 24, no personal data is to be disclosed without the consent of the data subject for a) any purpose other than i. the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or ii. a purpose directly related to the purpose referred to in subparagraph (i); or b) to any party other than a third party of the class of third parties as specified in clause (e) of sub-section (1) of Section 6.

The personal data processed for any purpose will not be kept longer than necessary for the fulfillment of that purpose or as required under the law. It will be the duty of a data controller to take all the reasonable steps to ensure that all the personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed, or as required under sub-section (1).

In the event of a breach of personal data, the data controller is to promptly notify the Commission and the data subject about it where reasonably possible but not beyond 72 hours of becoming aware of the breach, except where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject. If notifying about the breach is delayed beyond 72 hours, the notification to the Commission and the data subject is to be accompanied by valid reasons for the delay.

If personal data is to be transferred to a system located beyond Pakistan’s territories or a system that is not under the direct control of the Government of Pakistan or entity/entities of Pakistan, it is to be ensured that the country where the data is being transferred offers a personal data protection legal regime that is at least equivalent to the protections provided under this act, and that the data thus transferred will be processed in accordance with this act and the consent of the data subject where applicable.

Critical Personal Data is only to be processed in a server or data center within Pakistan. Personal data other than the ones categorized as critical personal data may be transferred outside the territory of Pakistan under a framework (on conditions) to be devised by the Commission. The Commission will also devise a mechanism to keep some components of the sensitive personal data in Pakistan to which this act applies, provided that it is related to public order or national security.