Comparative Guides

Data Privacy
1. Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Pakistan

Answer ... At present, Pakistan has no specific law relating to data protection. However, in April 2020 the Ministry of Information Technology and Telecommunication released a consultation draft of the Pakistan Personal Data Protection Bill, 2020. After the consultation stage, the draft bill will be presented to Parliament for debate and passage. Once passed by the Parliament, the law will be promulgated by presidential assent. The answers in this Q&A are based on the provisions as currently set out in the draft bill, which are subject to change during the legislative process until the law is finally promulgated.

For more information about this answer please contact: Saifullah Khan from S.U.Khan Associates Corporate & Legal Consultants
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Pakistan

Answer ... Banking: Section 70 of the Payment Systems and Electronic Fund Transfers Act, 2007 provides that a financial institution or any other authorised party must not divulge any information relating to electronic fund transfers, affairs or accounts of its consumers.

Regulation 4.2(i) of the State Bank of Pakistan’s Regulations for Payment Card Security requires that card service providers ensure the confidentiality of consumers’ data in storage, transmission and processing.

Regulation 2.2.3(c) of the State Bank of Pakistan’s Regulations for the Security of Internet Banking requires that customer information not be transferred to an unauthorised storage or access medium.

Telecommunications: Regulation 16 of the Telecom Consumers Protection Regulations, 2009 requires that telecommunications services operators and their employees maintain the confidentiality of consumer information.

Regulation 5(2)(xxi) of the Regulations for Technical Implementation of Mobile Banking, 2016 requires that service-level agreements between third-party service providers, telecommunications operators and authorised financial institutions include a statement on online privacy, confirming that consumer information obtained as a result of mobile banking is collected, used, disclosed and retained only as committed or agreed.

Specific types of data: The draft bill recognises and provides for separate treatment of ‘sensitive personal data’ and ‘critical personal data’. ‘Biometric data’ is included within the definition of ‘sensitive personal data’. Sensitive personal data can be processed only with the explicit consent of the data subject and only for the following purposes:

  • the exercise or performance of any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  • the protection of the vital interests of the data subject or another person;
  • the protection of the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
  • for medical purposes, where the processing is undertaken by a healthcare professional;
  • for the purpose of, or in connection with, any legal proceedings;
  • for the purpose of obtaining legal advice while ensuring its integrity and secrecy;
  • for the purpose of establishing, exercising or defending legal rights;
  • for the administration of justice pursuant to orders of a court of competent jurisdiction; or
  • for the exercise of any functions conferred on any person by or under any written law.

‘Critical personal data’ is left to be classified by the Personal Data Protection Authority of Pakistan, with the approval of the federal government. Under Section 14 of the draft bill, critical personal data cannot be transferred outside Pakistan.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
Pakistan

Answer ... No.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
Pakistan

Answer ... Within six months of the entry into force of the draft bill, the federal government will establish the Personal Data Protection Authority of Pakistan. The authority will be responsible for:

  • protecting the interests of data subjects and ensuring the protection of personal data;
  • preventing the misuse of personal data;
  • promoting awareness of data protection; and
  • entertaining complaints.

The authority will have all necessary powers to enable it to perform its functions effectively, including the power to decide on complaints and to pass any order. To this end, the authority will be deemed to be a civil court and will enjoy all powers vested in a civil court under the Code of Civil Procedure, 1908. In addition, the authority will have rule-making powers.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Pakistan

Answer ... Under Section 8 of the draft bill, the Personal Data Protection Authority of Pakistan will prescribe standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Data controllers and data processors must adhere to the standards prescribed by the authority. In terms of compliance and regulatory enforcement, the standards prescribed by the authority will prevail over industry practices. However, it is likely that, in prescribing the standards, the authority will take cognisance of industry-level best practices.

2. Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is not ‘entity’ driven; rather, it defines and brings under its ambit the ‘data controller’ and ‘data processor’, irrespective of their legal form.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Pakistan

Answer ... General exemption: Personal data processed by an individual for the purposes of his or her personal, family or household affairs, including recreational purposes, is exempt from the scope of application of the draft bill.

Exemption from specific provisions: Certain processing is exempted from specified provisions of the draft bill, as follows.

| Nature of processing | Exempt from… |
| --- | --- |
| Critical personal data processed for the prevention or detection of crime or for the purpose of investigations; the apprehension or prosecution of offenders; the assessment or collection of any tax or duty; or any other imposition of a similar nature by the relevant authority. | Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the Personal Data Protection Authority of Pakistan’s prescribed standards |
| Data processed in relation to the physical or mental health of a data subject | Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards |
| Data processed to prepare statistics or carry out research | Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards |
| Data processed for the purposes of or in connection with any order or judgment of a court | Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards |
| Data processed for the purpose of discharging regulatory functions | Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards |
| Data processed only for journalistic, literary or artistic purposes | Consent; lawful purpose; provision of written notice by the data controller to the data subject; non-disclosure; compliance with the authority’s prescribed standards; data retention requirements; data integrity and access requirements; record-keeping requirements |

Further exemptions: The federal government, upon the recommendation of the Personal Data Protection Authority of Pakistan, is empowered to exempt any data controller or class of data controller from the application of any provision of the draft bill. The federal government must issue an order in this regard, to be published in the Official Gazette.

The federal government may impose any terms or conditions as it thinks fit in respect of such exemption, and can also revoke such an exemption (on the recommendation of the authority) by order published in the Official Gazette.

2.3 Does the data privacy regime have extra-territorial application?
Pakistan

Answer ... Section 3 of the Pakistan Personal Data Protection Bill, 2020 provides that the bill will have extra-territorial application and a data controller or data processor which is not registered/established in Pakistan is to nominate a representative in Pakistan.

3. Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
Pakistan

Answer ... (a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(b) Data processor

A natural or legal person, or the government, which alone or in conjunction with others processes data on behalf of the data controller.

(c) Data controller

A natural or legal person, or the government, which either alone or jointly with others has the authority to make a decision on the collection, obtaining, usage or disclosure of personal data.

(d) Data subject

A natural person who is the subject of the personal data.

(e) Personal data

Any information that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymised, encrypted or pseudonymised data which is incapable of identifying an individual is not personal data.

(f) Sensitive personal data

This includes:

  • data relating to access control (username and/or password);
  • financial information such as details of bank accounts, credit cards, debit cards or other payment instruments;
  • passport information;
  • biometric data;
  • information on the data subject’s physical, psychological or mental health conditions;
  • medical records;
  • details pertaining to an individual’s ethnicity or religious beliefs; and
  • any other information for the purposes of the Pakistan Personal Data Protection Bill, 2020 and rules issued thereunder.

(g) Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the collection, obtaining and processing of his or her personal data.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
Pakistan

Answer ... Third party: Any person other than:

  • a data subject;
  • a relevant person in relation to a data subject;
  • a data controller;
  • a data processor; or
  • a person authorised in writing by the data controller to process personal data under the direct control of the data controller.

Relevant person:

  • In the case of a data subject who is below the age of 18, the parent or a guardian appointed by a court of competent jurisdiction;
  • In the case of a data subject who is incapable of managing his or her own affairs, a person who is appointed by a court to manage those affairs; or
  • A person authorised by the data subject to make a data access and/or data correction request.

Vital interests: Matters relating to the life, death or security of a data subject.

4. Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
Pakistan

Answer ... Sections 34(2)(e) and (f) of the Pakistan Personal Data Protection Bill, 2020 empower the Personal Data Protection Authority of Pakistan to devise and formulate a registration and licensing mechanism/framework for data controllers and data processors. The details regarding who must be registered, the registration process and the consequences of failure to register will be dealt with under a framework devised by the Personal Data Protection Authority of Pakistan after its establishment.

4.2 What is the process for registration?
Pakistan

Answer ... Not yet established.

4.3 Is registered information publicly accessible?
Pakistan

Answer ... Not as yet.

5. Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Pakistan

Answer ... The lawful basis for processing personal data is as follows:

  • The data is processed for a lawful purpose directly related to an activity of the data controller;
  • The processing of the personal data is necessary for or directly related to that purpose; and
  • The personal data is adequate, but not excessive in relation to that purpose.

The lawful basis for processing sensitive personal data is listed under question 1.2.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Pakistan

Answer ... The following key principles apply:

  • Notice to data subject: Written notice provided by the data controller to the data subject about the collection and processing of his or her personal data.
  • Non-disclosure of personal data: No unauthorised disclosure.
  • Meeting the data security requirements: Compliance with the prescribed security standards to protect the data.
  • Data retention requirements: Not to keep data for longer than is required.
  • Data integrity and access: To ensure that data is accurate and that the data subject is given access to his or her data.
  • Record keeping: The retention of records on any application, notice, request or other information relating to personal data that it has processed or is processing.

In certain circumstances the processing of personal data is exempt from the scope of application of these key principles (see question 2.2).

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 5.1 and 5.2. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a compliance framework.

6. Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
Pakistan

Answer ... Section 12 of the draft Pakistan Personal Data Protection Bill, 2020 requires that personal data not be transferred to any unauthorised person or system.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 sets out the following requirements and restrictions on the transfer of personal data outside Pakistan:

  • Critical personal data shall be processed only in a server or data centre located in Pakistan.
  • The country to which personal data is being transferred must offer protection that is at least equivalent to the protection provided under the draft bill (equal protection principle).
  • The federal government may notify certain categories of personal data (except for sensitive personal data) to which the equal protection principle does not apply, on the grounds of necessity or the strategic interests of the state.
  • The transfer of personal data outside Pakistan must follow a framework to be devised by the Personal Data Protection Authority of Pakistan.
  • The authority will devise a mechanism for the retention of copies of any personal data in Pakistan which is transferred outside Pakistan.

Under the draft bill, the same data transfer requirements apply irrespective of the destination. This might be addressed by the authority when devising the framework for the transfer of data outside Pakistan.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 6.1 and 6.2. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a framework setting out further requirements.

7. Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 confers the following rights on the data subjects:

  • the right to access personal data;
  • the right to correct personal data;
  • the right to withdraw consent;
  • the right to prevent processing that is likely to cause damage or distress; and
  • the right to erasure.

There are no exemptions to these rights. However, the draft bill specifies instances in which a data controller may refuse to comply with a request by a data subject to exercise these rights, as follows.

Right to access personal data:

  • The data controller is not provided with such information as it may reasonably require.
  • The data controller cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information.
  • Another data controller controls the processing of the personal data to which the data access request relates in such a way as to prohibit the data controller from complying with the data request, whether in full or in part.
  • The provision of access may constitute a violation of an order of a court.
  • The provision of access may disclose confidential information relating to the business of the data controller.
  • The requested access is regulated by another law.

Right to correct personal data:

  • The data controller is not provided with such information as it may reasonably require.
  • The data controller is not provided with such information as it may reasonably require to ascertain the way in which the personal data to which the data correction request relates is inaccurate, incomplete, misleading or out of date.
  • The data controller is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or out of date.
  • The data controller is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up to date.
  • Another data controller controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the data controller from complying with the data correction request, whether in full or in part.

Right to prevent processing that is likely to cause damage or distress:

  • The data subject has given his or her consent.
  • The processing of personal data is necessary:
    • to perform a contract to which the data subject is a party;
    • to take steps at the request of the data subject with a view to entering into a contract;
    • to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; or
    • to protect the vital interests of the data subject.
  • Such other cases as may be prescribed by the federal government upon recommendations of the Personal Data Protection Authority of Pakistan through publication in the Official Gazette.

Right to erasure:

Where processing is necessary:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Pakistan

Answer ... Data subjects must present a written request to the data controller.

7.3 What remedies are available to data subjects in case of breach of their rights?
Pakistan

Answer ... The first remedy under the draft Pakistan Personal Data Protection Bill, 2020 is to file a complaint with the Personal Data Protection Authority of Pakistan. Appeals against decisions of the authority must be referred to the high court or to any other tribunal established by the federal government for the purpose in the manner prescribed by the high court.

8. Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
Pakistan

Answer ... Section 34(2)(c)(viii) of the draft Pakistan Personal Data Protection Bill, 2020 empowers the Personal Data Protection Authority of Pakistan to formulate a compliance framework regarding the responsibilities of the data protection officer. The draft bill does not define the term or provide any further details. On the establishment of the authority, this framework will be devised, addressing matters such as the mandatory or voluntary appointment of a data protection officer and the consequences of failure to do so.

8.2 What qualifications or other criteria must the data protection officer meet?
Pakistan

Answer ... Not currently applicable.

8.3 What are the key responsibilities of the data protection officer?
Pakistan

Answer ... Not currently applicable.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Pakistan

Answer ... Not currently applicable.

8.5 What record-keeping and documentation requirements apply in the data privacy context?
Pakistan

Answer ... Section 11 of the draft Pakistan Personal Data Protection Bill, 2020 provides that a data controller must retain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by it. The Personal Data Protection Authority of Pakistan may determine the manner and form in which this record must be maintained.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 8.1 and 8.5. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a framework setting out further requirements.

9. Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Pakistan

Answer ... The Personal Data Protection Authority of Pakistan, under Section 8 of the draft Pakistan Personal Data Protection Bill, 2020, is to prescribe standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. The data controller and the data processor must comply with the standards prescribed by the authority.

Once the law has been promulgated and enforced, the authority, under its rule-making powers, will issue a framework setting out further requirements.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Pakistan

Answer ... Section 13 of the draft Pakistan Personal Data Protection Bill, 2020 requires that the data controller report a data breach to the Personal Data Protection Authority of Pakistan within 72 hours. The exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject.

Where the notification is made beyond 72 hours, the notification must state the reasons for delay.

The notification must contain the following information:

  • a description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures adopted or proposed to be adopted by the data controller to address the personal data breach, including where appropriate measures to mitigate its possible adverse effects.

The draft bill stipulates no process for notifying the data breach to the authority. The procedural aspect of this notification requirement will be dealt with under the rule-making powers of the authority.

The draft bill includes a mandatory requirement to notify the authority of data breaches, leaving no room for voluntary notification.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Pakistan

Answer ... There is no requirement to notify the affected data subjects. The draft Pakistan Personal Data Protection Bill, 2020 includes no provisions on voluntary notification; however, this may be governed under the contractual stipulations between the data controller and data subject at the time of collection of personal data, following the promulgation and enforcement of the law.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 includes only the requirements set out in questions 9.1 and 9.2. Once the law has been promulgated and enforced, the Personal Data Protection Authority of Pakistan, under its rule-making powers, will issue a framework setting out further requirements.

10.
Employment issues
10.1
What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Pakistan

Answer ... A data controller can process sensitive personal data (with consent) for the purposes of exercising or performing any right or obligation which is conferred or imposed on the data controller in connection with employment.

10.2
Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is silent in this regard.

10.3
What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is silent in this regard.

11.
Online issues
11.1
What requirements and restrictions apply to the use of cookies in your jurisdiction?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is silent in this regard.

11.2
What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Pakistan

Answer ... The requirements and restrictions with respect to the transfer of personal data outside Pakistan will apply as set out in question 6.2, as, in essence, cloud computing may entail the transfer of data outside the territorial jurisdiction of Pakistan.

11.3
What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is silent in this regard. However, it is likely that the Personal Data Protection Authority of Pakistan will take inspiration from best international practices when framing rules for this purpose.

12.
Disputes
12.1
In which forums are data privacy disputes typically heard in your jurisdiction?
Pakistan

Answer ... The first step in bringing a dispute is to file a complaint with the Personal Data Protection Authority of Pakistan. Appeals against decisions of the authority may be referred to the high court or to any other tribunal established by the federal government for the purpose in the manner prescribed by the high court.

12.2
What issues do such disputes typically involve? How are they typically resolved?
Pakistan

Answer ... As the law is not yet in force, there have been no such disputes as yet.

12.3
Have there been any recent cases of note?
Pakistan

Answer ... None – see question 12.2.

13.
Trends and predictions
13.1
How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is at the consultation stage and the Ministry of Information Technology and Telecommunication has issued a consultation draft of the bill. After progressing through the consultation stage, the draft bill will be presented to Parliament for reading, debate, passage and, finally, presidential assent to promulgation. After promulgation, there will be a grace period of between 12 and 24 months before it enters into force. The date on which it will enter into force will be determined by the federal government through notification in the Official Gazette at least three months in advance.

It is anticipated that in the next couple of months, there will be constructive consultation between stakeholders and the Ministry of Information Technology and Telecommunication, resulting in many suggestions to be incorporated in the draft bill to achieve sufficient consensus to start the legislative process. It is likely that during the next 12 months, the draft bill (with amendments incorporated as a result of the consultation process) will be passed to the Law Ministry and the Federal Cabinet for their approval/concurrence, before it is presented to Parliament.

14.
Tips and traps
14.1
What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Pakistan

Answer ... The draft Pakistan Personal Data Protection Bill, 2020 is progressing through the developmental legislative stages. This is the ideal time for meaningful consultation and dialogue among all persons likely to be impacted by the law. This will help to achieve the law’s intended objectives.

Before the proposed law, there is also a need to learn from and adopt the best practices of jurisdictions that have already promulgated and enforced similar laws. In particular, guidance from mature jurisdictions on issues such as security standards, code of conduct and grievance settlement will help to accelerate the legislative process in Pakistan.

Another significant issue is the awareness of data subjects in Pakistan. The law on personal data protection aims to provide safeguards to these individuals. Therefore, at this stage, more attention and effort are required to educate data subjects on their rights and privileges under the proposed law and on how to enforce those rights and privileges. The Ministry of Information Technology and Telecommunication must initiate a comprehensive campaign to educate people on the basic principles and rights of data subjects. Otherwise, those individuals will not be in a position to claim any protection under the proposed law.
