Under the “Personal Data Protection Bill, 2023,” individuals who misuse or share personal data in violation of the provisions may face fines up to $2 million or its equivalent in Pakistani rupees.
The Ministry of Information, Technology, and Telecommunication submitted the bill to the Federal Cabinet, which has approved it.
The bill is designed to govern how personal data is collected, processed, used, disclosed, and transferred. It also establishes a data protection mechanism to safeguard individuals’ privacy rights.
Overall, the bill aims to ensure that personal data is handled responsibly and protected from misuse or unauthorized disclosure.
When an individual collects, processes, stores, uses or discloses data, they must always respect the rights, freedoms, and dignity of the person whose data is involved. This applies to all matters related to data handling and any connected or associated activities.
To enforce this Act, the federal government will establish a Commission known as the National Commission for Personal Data Protection (NCPDP) of Pakistan. This Commission will be set up within six months of the Act coming into effect.
The Act will be enforced within two years from its promulgation, as determined by the federal government. To ensure proper implementation, the government will provide at least three months’ advance notice through an official publication called the Official Gazette.
The main purpose of this bill is to establish guidelines and additional details regarding the proper usage of personal data, including its processing, collection, storage, and disclosure. It applies to government entities, organizations, and individuals, emphasizing the importance of handling personal data with necessary care and adhering to the obligations outlined in the Bill.
Moreover, the bill fosters a fair digital economy by providing legal protections for online transactions and the sharing of personal and sensitive information. This covers various aspects, including personal data used in international e-commerce and e-government services.
To ensure consistency and unity with global and regional data protection laws, the Personal Data Protection Bill of 2023 will be aligned with existing legislation while identifying areas where different approaches may diverge. This comprehensive approach aims to safeguard personal data effectively and promote responsible data practices in various sectors.
The rapid advancement of technology and increased internet usage have transformed various aspects of our lives, including how businesses operate and how people interact with each other and with government entities and companies.
The Personal Data Protection Bill places special emphasis on safeguarding children’s data, providing them with extra protection. Building trust online is crucial to fully utilize the opportunities arising from the digital economy.
In the evolving global economy, personal data plays a central role in online cross-border commercial activities, impacting individuals, businesses, and governments. This bill ensures that personal data is collected through lawful, fair, and consensual means and used or disclosed only for the purposes for which it was originally collected or directly related purposes. By adhering to these principles, the bill aims to create a secure and trustworthy environment for data usage in the digital era.
The grounds for processing personal data are as follows:
- Personal data must be collected, processed, and disclosed by a data controller or data processor in a lawful and fair manner, complying with the provisions of this Act.
- The collection of personal data should be done for specific, clear, and legitimate purposes. It should not be further processed in a manner that is incompatible with the original purposes. The data collected should be adequate, relevant, and limited to the intended purposes of the processing.
- Data controllers or data processors, whether operating digitally or non-digitally within Pakistan, must register with the Commission as per the specified registration framework. If they are already registered with any public body, they only need to inform the Commission about their registration.
- Data controllers or data processors identified as “significant” by the Commission must appoint a data protection officer who is knowledgeable about the collection and processing of personal data and understands the associated risks.
- Personal data of any data subject should not be processed without their consent, either obtained before starting the data processing or as prescribed under the provisions of this Act.
The Commission, in the interest of national security, will establish and recommend the best international standards to safeguard personal data from loss, misuse, unauthorized access, modification, disclosure, alteration, or destruction.
In the unfortunate event of a personal data breach, the data controller must promptly notify the Commission and the affected individual, ideally within 72 hours of becoming aware of the breach. However, if the breach is unlikely to harm the rights and freedoms of the data subject, this immediate notification may not be necessary.
When transferring personal data (excluding critical personal data) to entities or systems outside Pakistan and beyond the Government’s control, the receiving country must offer sufficient personal data protection, consistent with the safeguards provided under this Act. The data transferred must be processed in accordance with the provisions of this Act, and explicit consent from the data subject, where applicable, must be obtained.
Critical Personal Data can only be processed within the geographical boundaries of Pakistan and should not be moved outside its territory.
Any person found to be processing, disseminating, or disclosing personal data in violation of this Act will be subject to a fine of up to $125,000 USD or its equivalent in Pakistani rupees. In the case of repeat offenses, the fine may be increased up to $250,000 USD or its equivalent in Pakistani rupees.
If the offence falls under sub-section (1) and involves sensitive personal data, the perpetrator may face a fine of up to $500,000 USD or its equivalent in Pakistani Rupees.
If the offence falls under sub-section (1) and concerns critical personal data, the offender may be subject to a fine of up to $1,000,000 USD or its equivalent in Pakistani Rupees, or any other penalty deemed appropriate by the Commission.
Failure to implement adequate security measures to ensure data security, as per the provisions specified in this Act, Rules, and regulations, could result in a fine of up to $50,000 USD or its equivalent in Pakistani Rupees.
If an individual fails to comply with the orders of the Commission or the court, resulting in disobedience, they may be subject to a fine of up to $50,000 USD or its equivalent in Pakistani rupees.
In the case where a data controller or data processor violates any provision of this Act, the Rules, regulations, policies issued by the Federal Government, or any direction from the Commission or registration conditions, the Commission may issue a written notice within fifteen days, requesting an explanation for not following the enforcement order.
The notice mentioned in sub-section (2) will specify the nature of the violation and the necessary steps the licensee should take to rectify it. If the party fails to respond to the notice or doesn’t satisfy the Commission about the alleged contravention or cannot rectify it within the given timeframe, the Commission may issue a written order, furnishing the reasons for its decision. The Commission’s action can include:
- Imposing a fine of up to $2,000,000 USD or its equivalent in Pakistani rupees,
- Suspending or terminating the registration, and
- Imposing additional conditions as deemed appropriate.
In addition to the above penalties, the legal entity in question may be fined up to one percent of its annual gross revenue in Pakistan or $200,000 USD, whichever is higher, or an equivalent amount in Pakistani rupees, as assessed by the Commission.