1 RELEVANT LEGISLATION AND COMPETENT AUTHORITIES

1.1 What is the principal data protection legislation?

The legislation on data protection is in draft/Bill stage and yet to be passed by the Parliament. Its title is the Personal Data Protection Bill 2018 ("the Bill").

1.2 Is there any other general legislation that impacts data protection?

The Prevention of Electronic Crimes Act, 2016 also contains certain significant provisions about data protection.

1.3 Is there any sector-specific legislation that impacts data protection?

Within the banking sector, the Payment Systems and Electronic Funds Transfers Act, 2007 provides for the secrecy of financial institutions' customer information; violation is punishable with imprisonment or a financial fine, or both. For the telecoms industry, the Telecom Consumers Protection Regulations, 2009 confers on subscribers of telecoms operators the right to lodge complaints for any illegal practices with the Pakistan Telecommunication Authority, "illegal practices" being a broad term which includes, inter alia, illegal use of personal data of subscribers.

1.4 What authority(ies) are responsible for data protection?

Under the Bill, the proposed National Commission for Personal Data Protection would primarily be responsible for data protection.

2 DEFINITIONS

2.1 Please provide the key definitions used in the relevant legislation:

"Personal Data"

"Personal data" means any information in respect of commercial transactions, which:

  1. is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
  2. is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
  3. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject.

"Processing"

"Processing", in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including:

  1. the organisation, adaptation or alteration of personal data;
  2. the retrieval, consultation or use of personal data; and
  3. the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
  4. the alignment, combination, correction, erasure or destruction of personal data.

"Controller"

"Data controller" means a person who, either alone or jointly or in common with other persons, processes any personal data or has control over, or authorises the processing of, any personal data; this does not, however, include a data processor.

"Processor"

"Data processor", in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data controller, and does not process the personal data for any of his own purposes.

"Data Subject"

"Data subject" means an individual who is the subject of the personal data.

"Sensitive Personal Data"

"Sensitive personal data" means:

  • personal data revealing: racial or ethnic origin, religious, philosophical or other beliefs; political opinions; membership of political parties, trade unions, organisations and associations of a religious, philosophical, political or trade-union nature; or providing information as to the health or sexual life of an individual, or the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, or the disposal of such proceedings or the sentence of any court in such proceedings, or financial or proprietary confidential personal data; or
  • any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Commission may determine by order published in the Gazette.

"Data Breach"

There is no definition of this term in the relevant national legislation.

Other key definitions – please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data")

"Commercial transaction" means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.

"Vital interests" means matters relating to life, death or security of a data subject.

3 TERRITORIAL SCOPE

3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?

Section 3(2)(b) of the Bill extends the applicability of the Bill to businesses (persons) not established in Pakistan but using equipment in Pakistan for processing personal data otherwise than for the purposes of transit through Pakistan. Those persons are required to nominate a representative in Pakistan for the purposes of the Bill.

4 KEY PRINCIPLES

4.1 What are the key principles that apply to the processing of personal data?

Transparency

The principle of transparency is not dealt with in the Bill.

Lawful basis for processing

Personal data shall not be processed unless the personal data are processed for a lawful purpose directly related to an activity of the data controller.

Purpose limitation

Personal data shall not be processed unless the processing of the personal data is necessary for or directly related to that purpose.

Data minimisation

Personal data shall not be processed unless the personal data are adequate but not excessive in relation to that purpose.

Proportionality

This is not dealt with in the Bill.

Retention

The Bill stipulates that personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. The Bill confers a duty on the data controller to take all reasonable steps to ensure that all personal data are destroyed or permanently deleted if they are no longer required for the purpose for which they were to be processed.

Other key principles – please specify

The Bill recognises and provides for consent to be an essential requirement to process personal data of the data subject. The Bill also provides that the data controller may not disclose personal data without the consent of the data subject. The data controller is further required to take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

5 INDIVIDUAL RIGHTS

5.1 What are the key rights that individuals have in relation to the processing of their personal data?

Right of access to data/copies of data

The data subject is granted the right of access to personal data, upon payment of a prescribed fee, and the data controller must comply with such a data access request within 21 days. The data subject is entitled to:

  • information as to the data subject's personal data that are being processed by or on behalf of the data controller; and
  • have communicated to him a copy of the personal data in an intelligible form.

Right to rectification of errors

Where personal data have been supplied to the data subject upon his request and the same are inaccurate, incomplete, misleading or not up to date, or where the data subject knows that his personal data are so inaccurate, incomplete, misleading or not up to date, the data subject has the right to have them corrected by making a written request to the data controller.

Right to deletion/right to be forgotten

The data subject has the right to request that the data controller, without undue delay, erase personal data in the following situations:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based;
  • the data subject objects to the processing;
  • the personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation.

Right to object to processing

The data subject has the right to give "data subject notice" in writing to the data controller to:

  1. cease the processing, or processing for a specified purpose, or in a specified manner; or
  2. not begin the processing, or processing for a specified purpose, or in a specified manner.

The data subject has to state reasons in the "data subject notice" that:

  1. the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another person; and
  2. the damage or distress is or would be unwarranted.

Right to restrict processing

As explained above.

Right to data portability

There is no such right in the Bill.

Right to withdraw consent

The data subject has the right to withdraw his consent.

Right to object to marketing

The data subject has the right to give "data subject notice" in writing to the data controller to:

  1. cease the processing of the data or their processing for a specified purpose or in a specified manner; or
  2. not begin the processing of the data or their processing for a specified purpose, or in a specified manner.

The data subject has to state reasons in the "data subject notice" that:

  1. the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another person; and
  2. the damage or distress is or would be unwarranted.

Right to complain to the relevant data protection authority(ies)

The data subject may file a complaint before the National Commission for Personal Data Protection against any violation of personal data protection rights as granted under the Bill, regarding the conduct of any data controller, data processor or their processes which the data subject regards as involving:

  1. a breach of data subject's consent to process data;
  2. a breach of obligations of the data controller or the data processor in the performance of their functions under the Bill;
  3. the provision of incomplete, misleading or false information while taking consent of the data subject; or
  4. any other matter relating to protection of personal data.

Other key rights – please specify

None other than the above.

Originally published by The International Comparative Legal Guide to: Data Protection 2019 (6th edition), Global Legal Group, London.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.