Pakistan’s Personal Data Bill: Heavy Fine for Data Leaks

The “Personal Data Protection Bill, 2023,” proposed by the Ministry of Information, Technology, and Telecommunication in Pakistan, seeks to regulate the handling of personal data, ensuring its proper collection, processing, and disclosure while safeguarding individuals’ privacy rights. It establishes the National Commission for Personal Data Protection (NCPDP) to oversee the implementation and enforcement of data protection regulations.

The bill is set to take effect within two years of its promulgation, with a notice period of at least three months in advance. It emphasizes fair and lawful processing of personal data, with data controllers and processors required to register with the NCPDP. Significant entities must appoint a knowledgeable data protection officer.

Consent from data subjects is crucial for data processing, and measures to protect personal data from loss, unauthorized access, and alteration are mandated. In the case of data breaches, timely notifications to the Commission and affected individuals are required. Cross-border data transfers are permissible if adequate protection is ensured, and fines are imposed for non-compliance and violations of the Act.

The bill’s overarching goal is to create a trustworthy environment for digital interactions and transactions while preserving the rights and privacy of individuals. It acknowledges the global importance of personal data and aligns with international standards to ensure effective data protection and privacy in Pakistan’s digital landscape.