The Law firm deals with different types of legislation accompanying illustrative documents. Sidekick provides accurate legal guidance.
A- There are currently no specific data protection laws in Pakistan, aside for constitutional rights of privacy, cyber-crime laws (prescribing criminal offences for unauthorized use, interference and hacking of electronic systems), PTA-imposed confidentiality obligations in the telecommunication industry, and SBP-imposed obligations on financial institutions for secrecy of client information. Therefore, data protection obligations are usually addressed contractually between the Parties. Nowadays, big business in Pakistan mostly follow and adopt the general principles of the EU General Data Protection Regulations (“GDPR”), as following the GDPR provides valuable business credibility (as the GDPR is the world-leader in data protection laws). However, other than big businesses, the large majority of businesses pay little attention to data protection and privacy concerns.
This trend will likely change when a proper law is passed in Pakistan. A Data Protection bill has been circulated by the Ministry of Information & Technology for review by industry stakeholders and has undergone several revisions since being first introduced in 2018. The e-Commerce Policy has further based several of its policy objectives as working in conjunction with the planned Bill, including enhancement of consumer protection and measures for secure transacting online.
The Bill generally follows the GDPR and establishes a data protection regulator having power to hear complaints and implement the law. The Bill provides several rights to a “data subject” as regards the processing of its data by “data processors” and “data controllers”. These rights include the right to: (a) access or copies of data; (b) correction of data and errors; (c) deletion of data (i.e., “be forgotten”); (d) objection to and ceasing of data processing; (e) withdraw consent for data processing. The Bill further requires data controllers to report data breaches to the regulator within 72 hours of becoming aware of the breach (with certain exceptions).
The Bill further requires formal notices of data processing to be sent to data subjects, while it imposes obligations for non-disclosure of “personal information”, data retention and information security and prescribes special procedures when “sensitive personal data” is involved (e.g., information such as age, gender, religion etc., which can be used to identify the data subject). Importantly, the Bill allows for cross-border transfer of data, which is a much-needed requirement for any jurisdiction seeking to capitalize on e-Commerce. Many businesses, IT platform and software (including from the telecommunication industry) are dependent on services outside of Pakistan, for which sending data outside Pakistan is required.
In the absence of domestic rules on cookies, it would be advisable to follow international best practices.