Data Privacy

There is no dedicated law on data privacy in Pakistan. The Prevention of Electronic Crimes Act (PECA) 2016 and the Electronic Transactions Ordinance 2002 (ETO) primarily deal with cybercrime and the use of electronic signatures, respectively; however, they contain certain provisions which indirectly pertain to data privacy.

No special regimes apply to specific sectors or specific data types.

While the government of Pakistan officially cooperates with governments on data sharing and law enforcement through the Mutual Legal Assistance Act 2020, Pakistan has not formally ratified any international multilateral instrument on data protection and privacy.

There are no bodies responsible for enforcing data privacy legislation in Pakistan. There are no bodies that regulate data protection and privacy in Pakistan.

In the absence of specific legislation on data protection and privacy, organisations must rely on best practices and standards suggested by regulatory bodies, such as the State Bank of Pakistan for financial institutions. The bodies that issue such best practices require strict adherence to the same by the companies and organisations which are subject to their supervision.

There is no data privacy law in Pakistan; however, the provisions on data privacy in the Prevention of Electronic Crimes Act (PECA) 2016 and the Electronic Transactions Ordinance 2002 may be interpreted as being applicable to all government bodies, private institutions and citizens of Pakistan, both within and outside Pakistan.

There is no specific data protection law in Pakistan. Exemptions are provided in legislation which specifically deals with data protection laws.

Yes, Pakistan’s data privacy regime has extra-territorial application, although its scope varies under current and proposed laws.

Under the PECA, extra-territorial jurisdiction applies where an offence is committed outside Pakistan but the affected data, system or individual is located within the country. This allows authorities – particularly the Federal Investigation Agency’s Cybercrime Wing – to take action against cross-border cyber-offences that impact Pakistani individuals or infrastructure. However, enforcement is limited by practical barriers such as:

• the lack of mutual legal assistance treaties; and
• jurisdictional challenges.

None of the above terms is defined under the Prevention of Electronic Crimes Act (PECA) 2016 or the Electronic Transactions Ordinance 2002.

The following terms are defined under the PECA 2016:

• ‘unauthorised access’;
• ‘unauthorised interception’;
• ‘unsolicited information’;
• ‘traffic data’;
• ‘dishonest intention’;
• ‘identity information’;
• ‘information’; and
• ‘information system’.

The context for the above terms is that identity information and traffic data of a citizen of Pakistan cannot be accessed by dishonest intention. An information system which is intercepted without authorisation or which is damaged with dishonest intention will fall under the definition of a ‘crime’ under the PECA.

While the PECA mainly pertains to cybercrime, the inclusion of ‘identity information’ and ‘information’ in its provisions makes indirect reference to data protection and privacy – albeit without elaborating on a system for the protection of such information.

There is no mention of data controllers in the Prevention of Electronic Crimes Act (PECA) 2016.

There is no requirement for the registration of data controllers or definition of the same in the PECA.

There is no mention of data controllers in the PECA.

No lawful basis for processing personal data is set out in the Prevention of Electronic Crimes Act (PECA) 2016.

No provisions on data processing are set out in the PECA.

No requirements on data processing are set out in the PECA.

There are no specific requirements under the Prevention of Electronic Crimes Act (PECA) 2016 on the transfer of data to third parties. The unauthorised transmission of data is prohibited under the PECA. An interpretation of this specific provision would indicate that data can only be transferred to third parties with specific authorisation from the person or entity that owns the data.

There are no specific requirements and restrictions on the transfer of data abroad, other than the broad requirement mentioned in question 6.1 for authorised transfers of data.

Consent should be obtained in writing from the owner of the data. The consent form should be detailed, specifying the purpose, extent and destination of the data transfer.

In the absence of a specific data protection law, the processing of personal data is not addressed in Pakistan law.

In the absence of a specific data protection law, the rights of data subjects with regard to data protection are limited to the broad requirement for prior authorisation for the use of data. Data subjects can invoke this requirement in order to assert their rights to their data; however, this is open to interpretation.

In the absence of specific rights to the protection of data, there are no remedies available for breaches.

There is no such requirement under Pakistan law.

No such requirement presently exists.

There is no requirement to appoint a data protection officer under Pakistan law.

There is no requirement for the appointment of a data protection officer under Pakistan law.

In the absence of a particular data protection law, there are no specific requirements on record keeping and documentation.

Best practices may include obtaining signed written authorisations or consent forms from data subjects for the storage and use of their data. These consent forms if drafted should:

• be detailed;
• include a full explanation of how the data will be used; and
• contain clear consent provisions on the use of the data.

There are no provisions under Pakistan law that relate to data controllers and processors.

There are no such requirements.

There are no such requirements.

The Pakistan Telecommunication Authority has issued guidelines for internet service providers and telecoms operators in Pakistan, focusing on:

• network security;
• data privacy; and
• cyber threat mitigation.

These guidelines encourage:

• the use of encryption and secure data transfer protocols; and
• the establishment of incident response plans.

The aim is to:

• enhance the security of Pakistan’s telecommunications infrastructure; and
• promote proactive measures to protect against cybercrime and fraud.

The State Bank of Pakistan and the Security Exchange Commission of Pakistan have both issued frameworks and guidelines for banks and companies respectively. These frameworks and guidelines have been issued along the lines of the National Cyber Security Policy 2021.

There are no specific requirements and restrictions on the handling of personal data of employees. The broad requirement for prior authorisation and consent will also apply to the handling of employee data. At the time of hiring an employee, a consent form on data use should be signed by the employee.

There are no restrictions on employee surveillance, as long as this is limited to the use of closed-circuit TV (CCTV) cameras. The recording of calls is not allowed for private organisations and even law enforcement agencies require prior court permission before they can record or track calls.

Surveillance by CCTV cameras should be included in the consent form to be signed by employees at the time of hiring (see question 10.1).

From a compliance and best practice perspective, employers should:

• limit access to personal data to authorised personnel only;
• ensure the secure storage and timely deletion of data; and
• minimise the data collected to what is strictly necessary.

Employment contracts and policies should include data privacy clauses; and any third-party service providers (eg, for payroll or benefits) should be contractually bound to follow data protection standards. Surveillance or monitoring of employees must be:

• proportionate;
• transparent; and
• justified by a legitimate business interest.

Employers should also:

• train HR staff on privacy compliance; and
• establish procedures for handling employee data requests and potential breaches.

In summary, data privacy in employment requires a careful balance between business needs and the employee’s right to privacy, ensuring transparency, accountability and security throughout the employment relationship.

There is no legislation on the use of cookies.

There is no legislation on cloud computing services. However, the Pakistan Cloud First Policy does provide that:

• data stored in the cloud should be end-to-end encrypted; and
• the cloud service provider, as well as the entities with which it contracts, is responsible for:
• • the safekeeping of data; and
  • maintaining the privacy of data.

There are no restrictions or requirements under the existing law. However, best practice is that websites and online platforms should provide a consent form through which data subjects can consent to use of the data.

There are no forums for the handling of data/privacy disputes. Under the cybercrime provisions of the Prevention of Electronic Crimes Act (PECA) 2016, cybercrimes are investigated by the Cybercrime Wing of the Federal Investigation Agency.

Please see question 12.1.

• In Muhammad Rahmatullah v The State (2024), the Lahore High Court held that extracting information from the accused’s mobile phone without consent or a magistrate’s warrant violated the constitutional right to privacy. The court emphasised that privacy is a fundamental right, outweighing inconsistent domestic laws.
• In June 2024, Justice Babar Sattar of the Islamabad High Court issued an injunction preventing telecoms companies from sharing call records, messages and internet data with intelligence and law enforcement agencies unless authorised under:
• • the Telegraph Act;
  • the Telecommunication Act;
  • the Fair Trial Act; or
  • the PECA.
• This decision temporarily halted the Pakistan Telecommunication Authority-mandated Lawful Intercept Management System mass surveillance programme.
• A joint investigation team reported that sensitive personal data of approximately 2.7 million Pakistani citizens was leaked from the National Database and Registration Authority between 2019 and 2023 and circulated internationally. This incident highlighted the urgent need for robust data protection legislation.

While Pakistan lacks dedicated data protection enforcement bodies or data privacy litigation, these judicial rulings underscore the growing concerns around privacy rights and surveillance. They have spurred legislative attention and reinforced judicially recognised constitutional protections under Article 14.

Pakistan’s data privacy landscape is in a state of transition, with increasing awareness and legal attention focused on the protection of personal information. The main anticipated development is the draft Personal Data Protection Bill, 2023, which is expected to be enacted within the next 12 months. Once passed, the law will:

• introduce a comprehensive regulatory framework for the collection, use, storage and transfer of personal data; and
• establish the National Commission for Personal Data Protection as the central enforcement authority.

Currently, data privacy protections are derived from general constitutional provisions – in particular:

• the right to privacy under Article 14; and
• sector-specific regulations, such as those under:
• • the Prevention of Electronic Crimes Act 2016; and
  • the telecoms laws.

However, these laws offer only fragmented and limited coverage.

Key trends include:

• increased judicial scrutiny of unlawful surveillance and data misuse;
• rising public concern over data breaches (especially involving government databases);
• growing demand for corporate accountability in digital practices; and
• the adoption of internal data governance policies by companies and organisations in anticipation of stricter legal obligations.

Companies should not assume that since Pakistan does not have a dedicated data protection law, the data protection and privacy requirements that apply in other jurisdictions are simply inapplicable in Pakistan. The Prevention of Electronic Crimes Act (PECA) 2016 – a law that predominantly deals with cybercrime – also contains provisions which can fall within the ambit of data protection and privacy. As the PECA prohibits the unauthorised use of data, companies should utilise detailed and well-drafted consent forms on the use and processing of data. Legal advice is essential when handling matters regarding data protection and privacy.