Data Protection in Pakistan

Under the Constitution of Pakistan, 1973, the right to privacy is a fundamental right. Article 14 (1) of the Constitution provides that the “dignity of man, and subject to law, the privacy of home, shall be inviolable.” The reference to “privacy of home” has been interpreted expansively by the superior courts of Pakistan, and the protections offered by Article 14 have been held to extend to communications and data. [1]

However, Pakistan does not have one consolidated statute – a special law, that regulates the collection, retention, handling, processing, transfer and transmission of data, including personal data. The collection, handling and transfer of data remains largely unregulated except for restrictions and guidelines that apply only to specific sectors/industries.

Data obtained by various entities from citizens, including retail customers, for the provision of various goods and services, is often protected by the terms of their contractual arrangement. This offers limited options of redressal in case of the unauthorised use of one’s personal data.

Various laws and policies, limited in their scope and application, restrict the unauthorised access, retention, transfer and transmission of various types of data.

For instance, the controversial Prevention of Electronic Crimes Act, 2016 (Act XL of 2016 – “PECA”) contains provisions, among other things, relating to protection of data and information systems. PECA covers unauthorised access to data or information systems, electronic forgery, unauthorised interception or use of identity information and confidentiality of information.

Penalties prescribed in PECA include imprisonment and fines. For instance, section 4 of PECA provides that unauthorised copying or transmission of data, with dishonest intention, shall be punishable with imprisonment for a term which may extend to six months or fine up to PKR 100,000 or both.

The Federal Investigation Agency (the “FIA”) has been designated as the investigating agency under PECA and FIA’s Cyber Crime Wing [2] and is the forum for complaints for citizens in the event that their data has been accessed or transmitted without authorisation, in violation of PECA. [3]

It is important to note that prior authorisation of the data subject is critical to ensure that the respective interaction with data is not considered as an infringement of PECA.

The requirement to obtain authorisation to access data was also provided for in the Electronic Transactions Ordinance, 2002 (Ordinance No. LI of 2002 – the “ETO”). The ETO is a statute that deals primarily with the recognition of records, information, communications and transactions in electronic form and provides for the accreditation and certification of service providers.

Previously, the ETO prescribed penalties for the unauthorised access of any information system, irrespective of whether this was done with an intent to acquire information or gain knowledge of the data contained in the information system.

The ETO also prohibited the unauthorised commission of any act with the intent to alter, modify, delete, remove, generate or transmit any information, through an information system. However, as these offences were later included in PECA, they were omitted from the ETO by PECA.

In addition to the ETO, the Pakistan Telecommunication (Re-organisation) Act, 1996 (Act No. XVII of 1996 – “PTRA”) prohibits, among other things, unauthorised transmission through a telecommunication system or telecommunication service, of any intelligence [4] which he knows or has reason to believe is false, fabricated, indecent or obscene.

It is important to note that even when the necessary authorisation is obtained under PECA and PTRA, the handling and transfer of data may be caught by the provisions of the colonial era Official Secrets Act, 1923 (Act No. XIX of 1923 – the “OSA”). The OSA prohibits the communication of any State secret, official code, password, document, prohibited location data or information, which can be directly or indirectly useful to an enemy of Pakistan, and can compromise the safety or security of Pakistan. [5]

INDUSTRY-SPECIFIC FRAMEWORKS / REGULATIONS

Industry-specific frameworks/regulations that govern the handling of specific kinds of data are often provided by industry-specific regulators such as the State Bank of Pakistan (the “SBP”), which notified the Enterprise Technology Governance and Risk Management Framework for Financial Institutions, 2017, and the Framework for Risk Management in Outsourcing Arrangements by Financial Institutions, 2019.

These frameworks, issued by the SBP, apply to banks and financial institutions and licensees whose activities are regulated by it. They provide compliance guidelines for financial institutions with respect to, among other things, the types of information technology that such institutions can use, internal and external approvals required for the commission of certain acts with respect to data, and responsibilities and obligations of the financial institutions as they obtain, process or transmit data.

Similarly, public sector entities (entities wholly or partially owned by the Government of Pakistan) are required to comply with additional restrictions in respect of their Cloud computing services as stipulated in the Pakistan First Cloud Policy, 2022 (the “Cloud Policy”).

In an attempt to prevent the unauthorised transmission of data outside the country, the Cloud Policy provides that certain types of cloud infrastructure, such as that exclusively provisioned for use by public sector entities, may not be located/hosted outside Pakistan.

The examples mentioned above show that the provisions of PECA, PTRA, OSA and industry-specific frameworks to regulate the access, handling and transfer of data in various industries are inadequate and do not extend to data obtained, retained and transferred by many other entities. Thus, there is a real need for a comprehensive data protection law that protects the right to privacy granted by the Constitution and is in consonance with international data protection best practices.

PERSONAL DATA PROTECTION BILL, 2021

The draft Personal Data Protection Bill has been in the pipeline but it is yet to be enacted into law. [6] In contrast with the current limited industry-specific protections of data, the draft Bill is notably wide in its application. It will be applicable to any entity/individual who has control over personal data, any entity, operating in Pakistan that controls or processes data and any data subject in Pakistan.

The draft Bill seeks to provide more control to individuals over their personal data by, for example, requiring data controllers to inform data subjects, through a written notice, of the collection of their personal data and the source, purposes, duration, further processing of such data and information of the class of third parties who shall have access to the data. [7]

It further places an obligation on data controllers to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

Once the draft Bill becomes law (and it may take a different shape as usually bills do), it will be the primary legislation governing the protection of personal data in Pakistan and will require significant changes in how various entities in Pakistan access, handle, process, transfer and transmit various types of data, including personal data.

For further details, please contact Mian Tariq Hassan – Partner (tariq.hassan@axislaw.pk) and Zara Shahid – Associate (zara.shahid@axislaw.pk).

This article does not constitute legal or professional advice and is not intended to and does not create or constitute an attorney-client relationship between the reader and Axis Law.

[1] Benazir Bhutto v. Federation of Pakistan [PLD 1998 SC 388].

[2] Further information can be obtained from the website of the FIA (https://www.fia.gov.pk/).

[3] “Cybercrime complaints topped 100,000 in 2021: FIA Chief”, Dawn, authored by Azfar-ul-Ashfaque 3 January 2022 (https://www.dawn.com/news/1667248).

“FIA: Cyber Crime increases 83%”, Daily Times, Web Desk, 22 September 2022 (https://dailytimes.com.pk/1001261/fia-cyber-crime-increases-83/).

“National Assembly panel calls for improving performance of FIA’s Cyber Crime Wing”, Dawn, authored by Abdul Rasheed Azad, 22 September 2022 (https://www.brecorder.com/news/40198904/na-panel-calls-for-improving-performance-of-fias-cyber-crime-wing).

[4] “Intelligence” has been defined in section 2(g) of the Pakistan Telecommunications (Re-organisation) Act, 1996 to mean “any speech, sound, data, signal, writing, image or video”.

[5] Section 5, Official Secrets Act, 1923 (Act No. XIX of 1923).

[6] In 2018 a consultation draft of the Personal Data Protection Bill was circulated by the Ministry of Information Technology for comments from stakeholders. However, the 2018 bill could not be enacted into law, after which, a revised version of the bill was circulated again as the draft Personal Data Protection Bill, 2021.

[7] It is important to note that India, one of Pakistan’s neighboring countries, has recently released, for public comments, the fourth draft of its data protection bill, the “Digital Personal Data Protection Bill, 2022”. The bill has been criticized for giving the government wide ranging powers and ensuring fewer safeguards.

“India: Data privacy rules in play under new draft bill” (https://www.dw.com/en/india-data-privacy-rules-in-play-under-new-draft-bill/a-63930891) Deutsche Well, authored by Murali Krishnan, dated 29 November 2022.

“A first look at the new data protection bill” (https://www.thehindu.com/sci-tech/technology/a-first-look-at-the-new-data-protection-bill/article66162209.ece) The Hindu, authored by Trishee Goyal, dated 20 November 2022.