IT Ministry finalizes Pakistan’s first ever ‘Personal Data Protection Bill’

The Ministry of Information Technology and Telecommunications has finalized the “Personal Data Protection Bill, 2023,” which proposes a fine of up to $2 million or an equivalent amount in Pakistani Rupees for those who process or cause personal data to be processed, disseminated, or disclosed in violation of the proposed legislation.

According to the draught of the bill, the ‘Personal Data Protection Bill, 2023′ is designed to regulate the collection, processing, use, disclosure, and transfer of personal data and also provides a data protection mechanism including offences relating to an individual’s violation of data privacy rights.

When a person collects, processes, stores, uses, and discloses data, it must respect an individual’s rights, freedoms, and dignity for matters related to and ancillary to those activities.

Within six months of the commencement of this Act, the Federal Government shall establish a Commission for this Act, to be known as the National Commission for Personal Data Protection (NCPDP) of Pakistan, by Gazetted notification.

It shall take effect no later than two years from the date of its promulgation, as determined by the federal government by notifying in the Official Gazette with at least three months’ advance notice from the effective date.

Also Read: Dubai Unveils New a tourist spot Where It Rains All Year

This Bill is intended to lay out the procedure and ancillary details for the use of personal data such as processing, collection, storage, and disclosure by the government, organisations, and individuals for processing purposes in accordance with the necessary care and obligations enunciated in this Bill.

It fosters a culture of fairness in the digital economy by providing legal protections in online transactions and the sharing of personal and sensitive information or data for personal, international e-commerce, and e-government services.

With potential approaches in mind, the Personal Data Protection Bill of 2023 will be enacted in accordance with the current patchwork of global and regional legislations on the protection of personal data in order to match common grounds and identify areas where different approaches tend to diverge.

Rapid technological advancement and increased use of internet services have digitised a wide range of economic, political, and social activities, having a transformative impact on the way businesses are conducted and people interact with one another, as well as with the government, businesses, and other stakeholders.

The Bill ensures that children’s data is given additional protection. Fostering trust online is a fundamental challenge in order to fully capitalise on the opportunities emerging from the economy.

As the global economy shifts to a connected information space, personal data will be a central component driving online cross-border commercial activity, the flow of which may affect individuals, businesses, and governments.

This Bill requires that any personal data collected from an individual be obtained only through lawful, fair, and consensual means and be used or disclosed for the purposes for which the data were collected or any other directly related purpose.

Personal data processing grounds include:

• Personal data must be collected, processed, and disclosed lawfully and fairly by a data controller/data processor in accordance with the provisions of this Act.
• Personal data must be collected for specific, explicit, and legitimate purposes, and it must not be processed in any way that is incompatible with the aforementioned purposes. It must also be adequate, relevant, and limited to the purposes for which the data is processed.
• The data controller and/or data processor, whether digitally or non-digitally operational within Pakistani territory, shall register with the Commission in the manner specified by the registration framework to be formulated by the Commission, unless the data controller and/or data processor is already registered with any public body, in which case the data controller and/or data processor shall only be required to notify the Commission.
• The Commission will require the data controller and/or data processor identified as “significant” to appoint a data protection officer who is well-versed in the collection and processing of personal data, as well as the risks associated with processing.

Personal data of any type of data subject shall not be processed unless the data controller obtains his consent prior to the start of the processing or as prescribed by the provisions of this Act.

In light of the national interest, the Commission shall prescribe the best international standards for protecting personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction.

In the event of a personal data breach, the data controller must notify the Commission and the data subject without undue delay and, where reasonably possible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in an infringement of the data subject’s rights and freedoms.

Where personal data, excluding critical personal data, must be transferred to an entity/entities or system located outside Pakistan’s borders that is not directly controlled by the Government of Pakistan, data protection will be ensured by the other country.

It will be ensured that it provides at least adequate personal data protection legal regimes that are consistent with the protection provided under this Act, and the data transferred will be processed in accordance with the provisions of this Act, with the data subject’s explicit consent where applicable.

Critical Personal Data shall only be processed on servers or digital infrastructure located in Pakistan.

Whoever processes, disseminates, or discloses any personal data in violation of the provisions of this Act shall be fined up to 125,000 USD or an equivalent amount in Pakistani Rupees, and the fine may be increased to 250,000 USD or an equivalent amount in Pakistani Rupees in the case of subsequent unlawful processing of personal data.

If the offence is committed under subsection (1) and involves sensitive personal data, the offender may be fined up to 500,000 USD or an equivalent amount in Pakistani rupees.

In case, where the offense is committed under sub-section (1) and relates to critical personal data, the offender may be punished with a fine of up to 1,000,000 USD or an equivalent amount in Pakistani Rupees or as the Commission deems appropriate.

Whoever fails to implement adequate security measures to ensure data security in accordance with the provisions of this Act, Rules, and Regulations shall be fined up to 50,000 USD or an equivalent amount in Pakistani Rupees.

When an individual fails to comply with the Commission’s or a court’s orders when he is required to do so, he faces a fine of up to 50,000 USD or an equivalent amount in Pakistani rupees.

When a data controller and/or data processor violates any provision of this Act or the Rules or Regulations made thereunder, or any policy issued by the Federal Government, or any direction issued by the Commission, or any condition of registration, the Commission may, within fifteen days, require the data controller and/or data Processor to provide reasons for the non-issuance of the enforcement order.

The notice referred to in subsection (2) must specify the nature of the violation and the appropriate steps that the licensee must take to correct the violation.

Where anyone fails to:

• respond to the notice referred to in subsection (2);
• satisfy the Commission about the alleged contravention,
• remedy the contravention within the time allowed by the Commission may by a written order and furnishing reasons for that shall: – (i) levy fine which may extend to 2,000,000 USD or an equivalent amount in Pakistani Rupees; or (ii) suspend or terminate the registration and impose additional conditions.

Regardless of the foregoing, the legal person shall be fined not more than 1% of its annual gross revenue in Pakistan or 200,000 USD, whichever is greater, or an equivalent amount in Pakistani Rupees, as determined by the Commission.