Knowledge Base

Are there any laws relating to data privacy and cookies?

A- There are currently no specific data protection laws in Pakistan, aside for constitutional rights of privacy, cyber-crime laws (prescribing criminal offences for unauthorized use, interference and hacking of electronic systems), PTA-imposed confidentiality obligations in the telecommunication industry, and SBP-imposed obligations on financial institutions for secrecy of client information. Therefore, data protection obligations are usually addressed contractually between the Parties. Nowadays, big business in Pakistan  mostly follow and adopt the general principles of the EU General Data Protection Regulations (“GDPR”), as following the GDPR provides valuable business credibility (as the GDPR is the world-leader in data protection laws). However, other than big businesses, the large majority of businesses pay little attention to data protection and privacy concerns.

 

This trend will likely change when a proper law is passed in Pakistan. A Data Protection bill has been circulated by the Ministry of Information & Technology for review by industry stakeholders and has undergone several revisions since being first introduced in 2018. The e-Commerce Policy has further based several of its policy objectives as working in conjunction with the planned Bill, including enhancement of consumer protection and measures for secure transacting online. 

 

The Bill generally follows the GDPR and establishes a data protection regulator having power to hear complaints and implement the law. The Bill provides several rights to a “data subject” as regards the processing of its data by “data processors” and “data controllers”. These rights include the right to: (a) access or copies of data; (b) correction of data and errors; (c) deletion of data (i.e., “be forgotten”); (d) objection to and ceasing of data processing; (e) withdraw consent for data processing. The Bill further requires data controllers to report data breaches to the regulator within 72 hours of becoming aware of the breach (with certain exceptions). 

 

The Bill further requires formal notices of data processing to be sent to data subjects, while it imposes obligations for non-disclosure of “personal information”, data retention and information security and prescribes special procedures when “sensitive personal data” is involved (e.g., information such as age, gender, religion etc., which can be used to identify the data subject). Importantly, the Bill allows for cross-border transfer of data, which is a much-needed requirement for any jurisdiction seeking to capitalize on e-Commerce. Many businesses, IT platform and software (including from the telecommunication industry) are dependent on services outside of Pakistan, for which sending data outside Pakistan is required. 

B- Cookies are small pieces of data stored by websites on a user’s computer / mobile device, which allows the website to “remember” the user’s actions and preferences over time and to improve and personalize content and advertising. The Personal Data Protection Bill does not expressly deal with regulation of cookies, unlike the GDPR which requires data controllers to have a comprehensive cookie policy. Still, it is advisable for websites to have a detailed cookie policy, detailing the reasons for their use, types of cookies used, and providing a user the means to modify their cookie preferences. If users do not agree with the use of cookies, the policy should state that the user may simply not use the site. In addition, the policy should state that cookies which are necessary for the operation of the website will automatically be used, while any “extra” types of cookies will require the user’s permission.

 

In the absence of domestic rules on cookies, it would be advisable to follow international best practices.