Skip to content

Pakistan – MITT releases final draft of the personal data protection bill

The Pakistan Ministry of Information Technology and Telecommunication (MITT) released a new draft of the Personal Data Protection Bill, 2023 (the PDPB) on 19 May 2023. The PDPB aims to regulate the collection, processing, use, disclosure and transfer of personal data, and also provides for offences concerning the violation of data privacy rights of individuals.

The PDPB has extra-territorial scope and applies to any data controller or data processor who:

  • processes or exercises control or authorises the processing of any personal data, provided that they are established, present or registered within the territory of Pakistan;
  •  whether “digitally or non-digitally operational” within Pakistan but incorporated in any other jurisdiction, carries out processing of personal data concerning any commercial or non-commercial activity including profiling data subjects within the territory of Pakistan;
  • while not having a physical presence within the territory of Pakistan, carries out the processing of personal data in a territory where Pakistani law applies under public or private international law; or
  • collects personal data of a data subject within the territory of Pakistan including a foreign data subject who is physically present at the time of collection, and processing of personal data within the territory of Pakistan.

Data controllers and data processors will be required to register with the National Commission for Personal Data Protection (NCPDP), which is to be set up within six months of the commencement of the PDPB.

In the event of a personal data breach, the data controller will be required to, within 72 hours of becoming aware of the breach, notify the NCPDP and the data subject, except where the breach is unlikely to result in the infringement of rights and freedoms of the data subject. Data processors will be required to follow the same data breach notification process, except that the data processor will only need to inform the data controller and the NCPDP. The data controller will also be required to maintain a data breach register.

Personal data of children under the age of 18 years must be processed taking into account the rights and interests of a child. Before processing any personal data relating to a child, the controller or processor shall verify the child’s age and seek parental consent. Tracking or behavioural monitoring of children or targeted advertising directed at children is prohibited.

Similar to the GDPR, the PDPB establishes grounds for data processing, including consent, contract, compliance with a legal obligation, protection of vital interests of data subject, compliance with a court order, legitimate interests of the data controller, public health or research in medical emergencies and exercise of any function conferred by law.

Unless manifestly made public by the data subject, processing of so-called sensitive and critical personal data requires obtaining data subject’s explicit consent or application of one of the exceptions, for instance if necessary for compliance with rights and obligations on controller related to employment, protection of vital interests of data subject or another person, for medical purposes by healthcare professionals, in connection with legal proceedings, establishing or exercising legal rights or obtaining legal advice. 

“Sensitive data” includes certain financial information, health data, digital national identity card or passport, biometric data, genetic data, data about religious beliefs, criminal records, political affiliations, ethnicity or belonging to a cast or tribe. “Critical personal data” is defined as personal data retained by the public service provider (unless these data are public), any data related to international obligations and any data identified by sector regulators or the NCPDP as critical. Sensitive and critical personal data are subject to greater protections. For example, critical personal data may only be processed in a server or digital infrastructure located within the territory of Pakistan.

The PDPB also sets out various data subjects’ rights, including: right to access, correction, and erasure, right to prevent processing likely to cause damage, right to redress of grievance (covering an obligation to register complaint with the controller and to complain to the NCPDP), data portability and not to be subject to a decision based solely on automated processing, including profiling.

International data transfers (other than for critical personal data) can be carried out based on an adequacy decision of the NCPDP, binding contract, explicit consent of data subject (that should not conflict with national security or public interest of Pakistan), international agreements or other conditions to be specified by the NCPDP.

The PDPB is available here


Related expertise