ARTICLE
3 September 2025

Data Privacy Comparative Guide

Data Privacy Comparative Guide for the jurisdiction of Pakistan. Check out our comparative guides section to compare across multiple countries.

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

There is no dedicated law on data privacy in Pakistan. The Prevention of Electronic Crimes Act (PECA) 2016 and the Electronic Transactions Ordinance 2002 (ETO) primarily deal with cybercrime and the use of electronic signatures, respectively; however, they contain certain provisions which indirectly pertain to data privacy.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

No special regimes apply to specific sectors or specific data types.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

While the government of Pakistan officially cooperates with governments on data sharing and law enforcement through the Mutual Legal Assistance Act 2020, Pakistan has not formally ratified any international multilateral instrument on data protection and privacy.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

There are no bodies responsible for enforcing data privacy legislation in Pakistan, nor any bodies that regulate data protection and privacy.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

In the absence of specific legislation on data protection and privacy, organisations must rely on best practices and standards suggested by regulatory bodies, such as the State Bank of Pakistan for financial institutions. The bodies that issue such best practices require strict adherence to the same by the companies and organisations which are subject to their supervision.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

There is no data privacy law in Pakistan; however, the provisions on data privacy in the Prevention of Electronic Crimes Act (PECA) 2016 and the Electronic Transactions Ordinance 2002 may be interpreted as being applicable to all government bodies, private institutions and citizens of Pakistan, both within and outside Pakistan.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

There is no specific data protection law in Pakistan. Exemptions are provided in legislation which specifically deals with data protection laws.

2.3 Does the data privacy regime have extra-territorial application?

Yes, Pakistan's data privacy regime has extra-territorial application, although its scope varies under current and proposed laws.

Under the PECA, extra-territorial jurisdiction applies where an offence is committed outside Pakistan but the affected data, system or individual is located within the country. This allows authorities – particularly the Federal Investigation Agency's Cybercrime Wing – to take action against cross-border cyber-offences that impact Pakistani individuals or infrastructure. However, enforcement is limited by practical barriers such as:

  • the lack of mutual legal assistance treaties; and
  • jurisdictional challenges.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

None of the above terms is defined under the Prevention of Electronic Crimes Act (PECA) 2016 or the Electronic Transactions Ordinance 2002.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

The following terms are defined under the PECA 2016:

  • 'unauthorised access';
  • 'unauthorised interception';
  • 'unsolicited information';
  • 'traffic data';
  • 'dishonest intention';
  • 'identity information';
  • 'information'; and
  • 'information system'.

The context for the above terms is that identity information and traffic data of a citizen of Pakistan cannot be accessed by dishonest intention. An information system which is intercepted without authorisation or which is damaged with dishonest intention will fall under the definition of a 'crime' under the PECA.

While the PECA mainly pertains to cybercrime, the inclusion of 'identity information' and 'information' in its provisions makes indirect reference to data protection and privacy – albeit without elaborating on a system for the protection of such information.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

There is no mention of data controllers in the Prevention of Electronic Crimes Act (PECA) 2016.

4.2 What is the process for registration?

There is no requirement for the registration of data controllers or definition of the same in the PECA.

4.3 Is registered information publicly accessible?

There is no mention of data controllers in the PECA.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

No lawful basis for processing personal data is set out in the Prevention of Electronic Crimes Act (PECA) 2016.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

No provisions on data processing are set out in the PECA.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

No requirements on data processing are set out in the PECA.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

There are no specific requirements under the Prevention of Electronic Crimes Act (PECA) 2016 on the transfer of data to third parties. The unauthorised transmission of data is prohibited under the PECA. An interpretation of this specific provision would indicate that data can only be transferred to third parties with specific authorisation from the person or entity that owns the data.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

There are no specific requirements and restrictions on the transfer of data abroad, other than the broad requirement mentioned in question 6.1 for authorised transfers of data.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

Consent should be obtained in writing from the owner of the data. The consent form should be detailed, specifying the purpose, extent and destination of the data transfer.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

In the absence of a specific data protection law, the processing of personal data is not addressed in Pakistan law.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

In the absence of a specific data protection law, the rights of data subjects with regard to data protection are limited to the broad requirement for prior authorisation for the use of data. Data subjects can invoke this requirement in order to assert their rights to their data; however, this is open to interpretation.

7.3 What remedies are available to data subjects in case of breach of their rights?

In the absence of specific rights to the protection of data, there are no remedies available for breaches.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

There is no such requirement under Pakistan law.

8.2 What qualifications or other criteria must the data protection officer meet?

No such requirement presently exists.

8.3 What are the key responsibilities of the data protection officer?

There is no requirement to appoint a data protection officer under Pakistan law.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

There is no requirement for the appointment of a data protection officer under Pakistan law.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

In the absence of a particular data protection law, there are no specific requirements on record keeping and documentation.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

Best practices may include obtaining signed written authorisations or consent forms from data subjects for the storage and use of their data. These consent forms, if drafted, should:

  • be detailed;
  • include a full explanation of how the data will be used; and
  • contain clear consent provisions on the use of the data.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

There are no provisions under Pakistan law that relate to data controllers and processors.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

There are no such requirements.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

There are no such requirements.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

The Pakistan Telecommunication Authority has issued guidelines for internet service providers and telecoms operators in Pakistan, focusing on:

  • network security;
  • data privacy; and
  • cyber threat mitigation.

These guidelines encourage:

  • the use of encryption and secure data transfer protocols; and
  • the establishment of incident response plans.

The aim is to:

  • enhance the security of Pakistan's telecommunications infrastructure; and
  • promote proactive measures to protect against cybercrime and fraud.

The State Bank of Pakistan and the Securities and Exchange Commission of Pakistan have issued frameworks and guidelines for banks and companies respectively. These frameworks and guidelines have been issued along the lines of the National Cyber Security Policy 2021.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

There are no specific requirements and restrictions on the handling of personal data of employees. The broad requirement for prior authorisation and consent will also apply to the handling of employee data. At the time of hiring an employee, a consent form on data use should be signed by the employee.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

There are no restrictions on employee surveillance, as long as this is limited to the use of closed-circuit TV (CCTV) cameras. The recording of calls is not allowed for private organisations and even law enforcement agencies require prior court permission before they can record or track calls.

Surveillance by CCTV cameras should be included in the consent form to be signed by employees at the time of hiring (see question 10.1).

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

From a compliance and best practice perspective, employers should:

  • limit access to personal data to authorised personnel only;
  • ensure the secure storage and timely deletion of data; and
  • minimise the data collected to what is strictly necessary.

Employment contracts and policies should include data privacy clauses; and any third-party service providers (eg, for payroll or benefits) should be contractually bound to follow data protection standards. Surveillance or monitoring of employees must be:

  • proportionate;
  • transparent; and
  • justified by a legitimate business interest.

Employers should also:

  • train HR staff on privacy compliance; and
  • establish procedures for handling employee data requests and potential breaches.

In summary, data privacy in employment requires a careful balance between business needs and the employee's right to privacy, ensuring transparency, accountability and security throughout the employment relationship.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

There is no legislation on the use of cookies.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

There is no legislation on cloud computing services. However, the Pakistan Cloud First Policy does provide that:

  • data stored in the cloud should be end-to-end encrypted; and
  • the cloud service provider, as well as the entities with which it contracts, is responsible for:
    • the safekeeping of data; and
    • maintaining the privacy of data.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

There are no restrictions or requirements under the existing law. However, best practice is that websites and online platforms should provide a consent form through which data subjects can consent to the use of the data.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

There are no forums for the handling of data/privacy disputes. Under the cybercrime provisions of the Prevention of Electronic Crimes Act (PECA) 2016, cybercrimes are investigated by the Cybercrime Wing of the Federal Investigation Agency.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Please see question 12.1.

12.3 Have there been any recent cases of note?

  • In Muhammad Rahmatullah v The State (2024), the Lahore High Court held that extracting information from the accused's mobile phone without consent or a magistrate's warrant violated the constitutional right to privacy. The court emphasised that privacy is a fundamental right, outweighing inconsistent domestic laws.
  • In June 2024, Justice Babar Sattar of the Islamabad High Court issued an injunction preventing telecoms companies from sharing call records, messages and internet data with intelligence and law enforcement agencies unless authorised under:
    • the Telegraph Act;
    • the Telecommunication Act;
    • the Fair Trial Act; or
    • the PECA.
    This decision temporarily halted the Pakistan Telecommunication Authority-mandated Lawful Intercept Management System mass surveillance programme.
  • A joint investigation team reported that sensitive personal data of approximately 2.7 million Pakistani citizens was leaked from the National Database and Registration Authority between 2019 and 2023 and circulated internationally. This incident highlighted the urgent need for robust data protection legislation.

While Pakistan lacks dedicated data protection enforcement bodies or data privacy litigation, these judicial rulings underscore the growing concerns around privacy rights and surveillance. They have spurred legislative attention and reinforced judicially recognised constitutional protections under Article 14.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Pakistan's data privacy landscape is in a state of transition, with increasing awareness and legal attention focused on the protection of personal information. The main anticipated development is the draft Personal Data Protection Bill, 2023, which is expected to be enacted within the next 12 months. Once passed, the law will:

  • introduce a comprehensive regulatory framework for the collection, use, storage and transfer of personal data; and
  • establish the National Commission for Personal Data Protection as the central enforcement authority.

Currently, data privacy protections are derived from:

  • general constitutional provisions, in particular the right to privacy under Article 14; and
  • sector-specific regulations, such as those under:
    • the Prevention of Electronic Crimes Act 2016; and
    • the telecoms laws.

However, these laws offer only fragmented and limited coverage.

Key trends include:

  • increased judicial scrutiny of unlawful surveillance and data misuse;
  • rising public concern over data breaches (especially involving government databases);
  • growing demand for corporate accountability in digital practices; and
  • the adoption of internal data governance policies by companies and organisations in anticipation of stricter legal obligations.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Companies should not assume that since Pakistan does not have a dedicated data protection law, the data protection and privacy requirements that apply in other jurisdictions are simply inapplicable in Pakistan. The Prevention of Electronic Crimes Act (PECA) 2016 – a law that predominantly deals with cybercrime – also contains provisions which can fall within the ambit of data protection and privacy. As the PECA prohibits the unauthorised use of data, companies should utilise detailed and well-drafted consent forms on the use and processing of data. Legal advice is essential when handling matters regarding data protection and privacy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
