The Constitution of Pakistan, under its Article 14, has recognised the right to privacy as a fundamental right; in this regard, the Ministry of Information and Technology has developed a draft Personal Data Protection Bill, 2023 (the “Draft Bill”). The Draft Bill has passed the consultation stage but is yet to be passed by both houses of the parliament. The Draft Bill largely follows the General Data Protection Regulation (GDPR) of the European Union.

Pakistan is also a signatory to the International Covenant on Civil and Political Rights (ICCPR), which also demands that signatory states protect the privacy of individuals.

Sector-specific laws or regulations are enforced in Pakistan, specifically governing privacy of customers/individuals in the respective sectors.

The Pakistan Telecommunication Authority (PTA), under the Pakistan Telecommunication (Re-organization) Act, 1996, has issued the Protection from Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009. These are applicable to all telecoms operators as regards ensuring and protecting the interest of telecoms consumers by preventing them from spam, fraudulent, unsolicited and obnoxious communication. The Prevention of Electronic Crimes Act, 2016 (PECA) tackles cybercrimes and provides protection against electronic crimes and prevention against fraud by the use of personal or digital data. It aims to protect the personal aspect, privacy and security of electronic data.

The Banking Companies Ordinance, 1962 governs the banking sector in Pakistan. It requires that banks not disclose any information pertaining to consumers’ data except where required under the law or for an appropriate purpose. Similarly, the Payment Systems and Electronic Fund Transfers Act, 2007 (the “Electronic Fund Transfers Act”) regulates electronic fund transfers and consumer protection, secrecy and privacy.

The Credit Bureaus Act, 2015, and the regulations made thereunder, govern the unauthorised access or disclosure of credit information.

The right of Access to Information Act, 2017 governs the general public’s right to access information; however, no such information will be provided that jeopardises the privacy of an identifiable individual. In view of said Act, the Pakistan Information Commission in Appeal No 1080-05-2021 decided that an appellant seeking information relevant to a housing society should be provided with the requested information, after removing the information touching on the privacy of other members. In its E-Commerce Policy of Pakistan (2019) and elsewhere, the Ministry of Commerce has adopted data protection as one of its policy initiatives.

Under the Draft Bill, the National Commission for Personal Data Protection (NCPDP) shall be established for regulation and for implementation of the Draft Bill. It will be an autonomous body under the control of the federal government, where individuals’ grievances shall be addressed. For the purpose of complaints, the NCPDP shall be deemed a civil court, having the same powers as are vested in a civil court under the Code of Civil Procedure, 1908.

The NCPDP is empowered to call for information from the data controller or from the data processor as may be reasonably required for effective discharge of its functions. Under the Draft Bill, the NCPDP is empowered to formulate a compliance framework regarding data audits.

As regards the banking sector, the State Bank Of Pakistan (SBP) – Pakistan’s central bank – is regulator and has the powers to call for any information related to the business of banks. The SBP has issued regulations and guidance that are to be followed by banks; non-compliance entails penal action by the SBP.

The PTA is the regulator for the telecoms sector. It monitors and enforces rules and regulations; non-compliance entails imposition of penalties under the Pakistan Telecommunication (Re-organization) Act, 1996.

The Federal Investigation Agency (FIA) is the investigating agency under the PECA. The FIA and its authorised officers are empowered to investigate an offence under the PECA in accordance with the Code of Criminal Procedure, 1908.

Administrative proceedings under the Draft Bill can be initiated with the filing of a complaint, against any:

• violation of personal data protection rights;
• misconduct of any data controller or data processor;
• breach of a data subject’s consent to process data; or
• breach of a data controller’s obligations.

The complaint should be filed in a simple written format, and the complainant must certify that they had not already or concurrently filed any application, complaint or suit before any other forum or court.

Any individual whose identity information will be obtained, possessed or distributed or is being used without any authorisation may file a complaint with the FIA; if the victim requires blocking access to identifiable information or destroying such information, they may approach the PTA, as established under the Pakistan Telecommunication (Re-organization) Act 1996.

Any malpractice carried out by a bank with respect to the secrecy of customers’ data may be challenged before the banking muhtasib (banking ombudsman).

Once an investigation is initiated and the relevant law is applied, administrative fines are imposed in accordance with the provisions of the respective laws that define the offence and prescribe the corresponding fines or penalties.

As of January 2025, there are no publicly reported cases of administrative fines having been issued in Pakistan specifically for breaches of individual privacy rights. The Draft Bill, however, provides for fines of up to USD2 million for unlawful processing of personal data.

In 2023, under the Digital Pakistan Vision, the Ministry of Information Technology and Telecommunication issued the Draft National Artificial Intelligence Policy (the “Policy”). In order to accelerate socio-economic adoption, this policy looks towards adapting legal and regulatory frameworks needed to ensure safe and secure data-sharing mechanisms, considering international best practices.

In September 2024, the Regulation of Artificial Intelligence Act, 2024 was introduced in the Senate of Pakistan, aiming to regulate artificial intelligence (AI) in the country – though this is yet to be passed. The draft of this Act is pending with the standing committee on information technology and telecommunication.

The Policy aims to establish an Al Regulatory Directorate (ARD) under the NCPDP; this is to be established under the PDPL Draft Bill 2023. The ARD shall monitor technological development and commercial practices from a data privacy perspective. The ARD shall be responsible for the following:

• encouraging innovation in personal data protection through research and regulatory measures;
• assessing AI-driven automated functions and data processing;
• implementing policies and regulatory best practices with stakeholder consultation;
• using a sandbox approach to regulate unique AI algorithms and programs;
• defining regulatory functions for digital trust at the data creation and processing levels;
• monitoring AI-driven operations, especially AI agents acting as data controllers/processors that may affect the rules and regulations under the PDPA;
• providing advisory services for compliance with PDPA regulations;
• addressing direct issues (eg, AI in healthcare), indirect issues (eg, intellectual property) and relevant AI applications in sectors such as education and urban planning;
• creating guidelines for data sharing, emphasising obligations for receivers and elevating government policies to mandatory standards;
• regulating data-sharing agreements at an international level;
• incentivising AI adoption among local businesses and supporting AI-based start-ups via funds and incubation centres;
• ensuring fairness, data privacy, ethical control and algorithmic accountability;
• guaranteeing user rights for managing their data used in AI systems; and
• defining clear responsibilities among users, deploying organisations and manufacturers.

As the Draft Bill has not become law, no litigation has been forthcoming with respect to data privacy. However, the subject of privacy has been discussed in various cases, and certain principles have been set forth considering the fundamental right to privacy enshrined in the Constitution.

International developments have had no such impact on domestic litigation, owing to the non-existence of a law devoted to personal data privacy.

In Muhammad Rahmatullah v The State (2024 PCr.lj 1), while deciding an appeal against a bail petition, the Lahore High Court looked into the infringement of the privacy of the appellant/accused. The Court held that extracting the information from the accused’s mobile without his consent went against the constitutional guarantee of right to privacy. The Court held that, if the accused was not ready to provide such consent, at least permission from the magistrate should have been received. The Court further noted that “as a fundamental Constitutional right, the right to privacy is meant to take precedence over other inconsistent provisions of domestic law”.

A collective redress mechanism has not been provided for in the Draft Bill.

Currently, Pakistan does not have a specific, standalone regulation dedicated exclusively to governing the use of Internet of Things (IOT) services. However, the regulatory landscape indirectly addresses aspects of IOT services through broader frameworks that focus on data protection, cybersecurity and telecommunications.

Under the Draft Bill, data controllers and processors are to abide by the following obligations while they process personal data:

• obtaining consent for personal data processing;
• a notice to the data subject of the personal data processing;
• securing personal data;
• non-disclosure of personal data;
• a data retention policy;
• protecting data integrity;
• keeping a record of personal data processing; and
• serving a personal data breach notification.

The following rights are vested with data subjects under the Draft Bill:

• right to access;
• right to correction;
• right to withdrawal of consent;
• right to prevent processing likely to cause damage or distress;
• right to erasure;
• right to nominate in the event of death or disability;
• right to redressal for grievance; and
• right to data portability and automated processing.

The PTA has issued guidelines for the deployment of advanced technologies such as 5G, which are critical for IOT scalability.

The Pakistan Telecommunication (Re-organization) Act, 1996 regulates the telecommunications sector, which provides the infrastructure for IOT services.

The PECA ensures that IOT devices and networks are protected against hacking, data breaches and unauthorised access.

Data regulation encompasses the legal and policy frameworks that govern the use, storage, transfer and management of data across various sectors. In contrast, data protection requirements are focused on safeguarding individuals’ personal and sensitive information from misuse, upholding privacy rights and ensuring accountability for data controllers and processors.

The interplay between these domains is rooted in the necessity to align data regulation frameworks with data protection principles rather than allowing them to conflict.

Regulatory bodies such as the PTA and the SBP monitor compliance with data regulations within their domains.

The NCPDP, once operational, will oversee compliance with the Draft Bill, impose penalties for violations and manage grievances.

Please see 3.1 Objectives and Scope of Data Regulation.

The Draft Bill provides for the establishment of the NCPDP. The NCPDP shall be responsible for:

• protecting the interests of individuals;
• enforcing protection of personal data;
• preventing any misuse of personal data;
• promoting awareness of data protection; and
• addressing complaints.

See further details in 1.2 Regulators.

The Draft Bill does not specifically address requirements regarding the use of cookies; however, it has laid down the basic principles for processing, such as purpose specification, limitation, lawfulness, transparency, data retention, etc. These needs to be followed by data controllers and processors while using cookies.

The Protection from Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009 require all operators (holding a licence from the PTA) to establish a standard operating procedure (duly approved by the PTA) to control spamming.

Similarly, all operators are required to develop a standard operating procedure for controlling unsolicited calls. The operators are also required to establish a consolidated “Do Not Call Register” in connection with controlling unsolicited calls. The operators are further required to ensure registration of telemarketers.

The Draft Bill provides that data subjects must not be subjected to automated decision-making, including profiling that presents significant harm to data subjects.

Pakistan has no specific law concerning workplace privacy. The Draft Bill provides that sensitive personal data may be processed by a data controller for the purposes of exercising or performing any right or obligation conferred or imposed by law on the data controller in connection with employment.

The Public Interest Disclosures Act, 2017 governs the mechanism for public interest disclosures and protection of persons making such disclosures (related to the prevention of corruption in public sector organisations). Anonymous or pseudonymous disclosures are not considered under said Act. The identity of the complainant is to be protected unless required otherwise. The Act provides protection to the complainant against any victimisation on the ground that they made a disclosure. A complainant is considered victimised if they are:

• dismissed;
• suspended;
• denied promotion;
• demoted;
• made redundant;
• harassed;
• intimated;
• threatened with any of the above matters; or
• subjected to discriminatory or other adverse measures by their employer or by a fellow employee.

Said Act also provides for due protection of the complainant, witness or any other person rendering assistance for an inquiry.

The Securities and Exchange Commission of Pakistan (SECP) has issued the Listed Companies (Code of Corporate Governance) Regulations, 2019 (the “Code”). The Code requires that listed companies’ boards of directors maintain a whistle-blowing policy, by establishing a mechanism to receive and handle complaints in a fair and transparent manner while providing protection to the complainant against victimisation. The Code requires that the chief executive officer of a listed company place “reports on/synopsis of issues and information pursued under the whistle-blowing policy, clearly disclosing how such matters were dealt with and finally resolved or cancelled”, before the board of directors or before the committee of the board of directors.

Matters pertaining to the role of labour organisations, e-discovery issues, use of digital loss-prevention technologies and scanning/blocking websites at a workplace are not dealt with under the Draft Bill or under any other law.

In the course of asset deals, personal and sensitive data of individuals involved in the transaction may be processed or exchanged. The buyer must obtain consent from data subjects for processing their personal data, such as names, addresses, identification documents and biometric information (eg, fingerprints), solely for purposes related to negotiating, drafting and concluding the deal.

The collection of personal data must be limited to what is strictly necessary for the transaction, and its disclosure should be restricted to parties directly involved, such as legal advisers, auditors or regulatory bodies, and only when essential. Data subjects must be transparently informed about the collection, purpose and any sharing of their personal data. Furthermore, if personal data is transferred across borders, the buyer, processor or controller must ensure that the receiving country has adequate data protection measures in place to safeguard the privacy and security of the data.

Under the Draft Bill, the transfer of personal data outside Pakistan is only permissible in the following cases:

• equivalent protection;
• explicit consent of the data subject; and
• under a framework to be devised by the NCPDP.

In the absence of an adequate data protection legal regime, the NCPDP may allow for the transfer of personal data outside Pakistan in the following cases:

• for a binding contract/agreement;
• with explicit consent of the data subject that does not conflict with the public interest or national security of Pakistan;
• when international co-operation is required under relevant international obligations; and
• any further conditions specified by the NCPDP.

It should be noted that critical personal data is not allowed to be transferred outside Pakistan.

Under the Draft Bill, the NCPDP is required to devise a mechanism for keeping some components of sensitive personal data within Pakistan (ie, data localisation).

The NCPDP shall also devise a mechanism for sharing sensitive personal data with the government of Pakistan, provided that the data relates to public order or national security and is required within the parameters of applicable law.

Under the Draft Bill, one permissible mode of cross-border transfer of personal data is a “mechanism to be devised by the NCPDP”. On establishment of the NCPDP, said mechanism may contain any approval requirements for all or any class of personal data.

The Draft Bill provides that critical personal data is only to be kept within Pakistan.

There are no blocking statutes related to data privacy or otherwise.

No such developments have been noted.