Data Protection & Privacy 2026

Last Updated March 10, 2026

Pakistan

Law and Practice

Authors



S.U.Khan Associates is a pioneering and leading firm practising trade remedy law in Pakistan, with local and international clients. Its major service areas include international trade laws, data protection, e-commerce and IT laws, competition law, customs and taxation, corporate, foreign investment advisory and international trade agreements advisory. The firm is also a great contributor to the dissemination of professional knowledge in various journals, as well as to international institutions such as the United Nations Conference on Trade and Development and the United Nations Commission on International Trade Law (UNCITRAL). S.U. Khan Associates’ partners have been working closely with the government of Pakistan in drafting legislation and in policy-making. The firm advises clients on compliance requirements related to personal data protection, preparation and review of policies and agreements concerning data privacy and transfer of data.

The Constitution of Pakistan, under Article 14, recognises the right to privacy as a fundamental right. In this context, the Ministry of Information Technology and Telecommunication has prepared a draft Personal Data Protection Bill, 2023 (the “Draft Bill”). Although the Draft Bill has completed the consultation stage, it has yet to be passed by both houses of the Parliament. Its framework largely mirrors the European Union’s General Data Protection Regulation (GDPR).

Pakistan is also a signatory to the International Covenant on Civil and Political Rights (ICCPR), which also demands that signatory states protect the privacy of individuals.

Sector-specific laws or regulations are enforced in Pakistan, specifically governing privacy of customers/individuals in the respective sectors.

The Pakistan Telecommunication Authority (PTA), under the Pakistan Telecommunication (Re-Organization) Act, 1996, issued the Protection from Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009. These regulations apply to all telecommunications operators and are designed to safeguard consumers from spam, fraudulent, unsolicited and obnoxious communications. The Prevention of Electronic Crimes Act, 2016 (PECA), addresses cybercrime, offering protection against electronic offences and fraud involving personal or digital data, and seeks to protect the integrity, privacy and security of electronic data.

The Banking Companies Ordinance, 1962, governs the banking sector in Pakistan. It requires that banks not disclose any information pertaining to consumers’ data except where required under the law or for an appropriate purpose. Similarly, the Payment Systems and Electronic Fund Transfers Act, 2007 (the “Electronic Fund Transfers Act”), regulates electronic fund transfers and consumer protection, secrecy and privacy.

The Credit Bureaus Act, 2015, and the regulations made thereunder govern the unauthorised access or disclosure of credit information.

The Right of Access to Information Act, 2017, governs the general public’s right to access information; however, no such information will be provided that jeopardises the privacy of an identifiable individual. In Appeal No 1080-05-2021, the Pakistan Information Commission held that an appellant seeking information concerning a housing society was entitled to receive the requested material, provided that any information affecting the privacy of other members was redacted. In its E-Commerce Policy of Pakistan (2019) and elsewhere, the Ministry of Commerce has adopted data protection as one of its policy initiatives.

With regard to the extraterritorial scope of the Draft Bill, it provides that personal data must not be transferred to any unauthorised person. Critical personal data may only be processed on servers located within Pakistan, while the Commission is tasked with devising a mechanism for the transfer of sensitive personal data. Where personal data, other than critical or sensitive personal data, is to be transferred outside Pakistan, the receiving country must have an adequate legal framework for personal data protection. In the absence of such adequacy, the Commission may authorise the transfer subject to specified safeguards, including:

  • binding contractual arrangements;
  • the explicit consent of the data subject provided such consent does not conflict with Pakistan’s public interest or national security;
  • transfers necessary for international co-operation pursuant to applicable international obligations; and
  • any additional conditions prescribed by the Commission.

Grounds for Processing Personal Data

  • Lawful and Fair Processing: Personal data must be processed in a lawful, transparent, and fair manner, in compliance with the Act.
  • Purpose Limitation and Legitimate Purpose: Data may only be collected for specified, explicit, and legitimate purposes and must not be further processed in a way that is incompatible with those purposes.
  • Data Minimisation: The data collected must be adequate, relevant, and limited to what is necessary to achieve the stated processing purpose.
  • Regulatory Registration: Data controllers and processors operating in Pakistan must register with the Commission in the prescribed manner or notify the Commission if already registered with another public authority.
  • Appointment of Data Protection Officer: Data controllers or processors classified as “significant” by the Commission must appoint a data protection officer with adequate knowledge of personal data processing and related risks.

Rights of Data Subjects

The Draft Bill provides the following rights to data subjects:

  • Right to Access: A data subject has the right of access to their personal data and may obtain confirmation from a data controller as to whether their personal data is being processed or has been processed.
  • Right to Correction: A data subject may make a data correction request in writing to a data controller or data processor.
  • Right to Withdraw Consent: A data subject may withdraw his/her consent by giving a written notice.
  • Right to Prevent Processing Likely to Cause Damage or Distress: A data subject has the right to prevent the processing, subject to certain conditions, by providing a data subject notice.
  • Right to Erasure: A data subject has the right to request that the data controller erase his/her personal data without undue delay.
  • Right to Nominate: A data subject has the right to nominate anyone to exercise his/her rights in the event of death or disability.
  • Right to Redressal of Grievance: A data subject may file a complaint with the data controller, and where a data controller fails to resolve his/her grievance, the data subject may file a complaint with the Commission.
  • Right to Data Portability and Automated Processing: A data subject shall have the right to receive his/her personal data from the data controller in a proper form, and the right not to be subject to a decision based solely on automated processing.

Compliance “To Dos”

As Pakistan’s Personal Data Protection Bill is still in draft form, its provisions do not yet offer a complete or enforceable compliance framework. In this interim period, it is prudent for organisations to align their data protection practices not only with the principles reflected in the Draft Bill, but also with established international best practices, particularly those embodied in the GDPR, to ensure a higher level of data protection, regulatory readiness, and future compliance once the law is enacted.

Under the Draft Bill, sensitive and critical personal data may only be processed on an exceptional basis. Generally, explicit consent of the data subject is required, provided such consent is not restricted by any other applicable law. In addition, processing is permitted only when one of the following conditions is met:

  • where it is necessary for clearly defined purposes, including employment-related legal rights and obligations;
  • for protection of vital interests where consent cannot reasonably be obtained;
  • for medical purposes subject to confidentiality;
  • for legal proceedings and legal advice;
  • for the establishment or defence of legal rights;
  • for administration of justice under court orders, or the exercise of functions conferred by law; and
  • where the data has been deliberately made public by the data subject.

The Commission retains the power to impose additional conditions or restrict the application of certain grounds through orders published in the Gazette.

Children’s Personal Data Processing

Personal data relating to a child must be processed in a way that safeguards the child’s rights and best interests. Before processing such data, data controllers and processors are required to verify the child’s age and obtain consent from a parent or legally authorised guardian in accordance with rules prescribed by law. Children’s data must not be processed in a manner that may cause harm, and practices such as tracking, behavioural monitoring, or targeted advertising directed at children are prohibited. Limited exceptions may apply where processing is permitted for specific purposes prescribed under the Act.

As Pakistan does not currently have an effective, dedicated legal framework governing the processing of personal data for research and development purposes, no specific statutory conditions have been formally prescribed in this regard. Nevertheless, companies that provide products or services used by healthcare providers must exercise particular caution when handling personal data, whether in its original form or after anonymisation, and should adhere to internationally recognised best practices. In particular, organisations must ensure that any data relied upon for research or development is irreversibly anonymised, such that it can no longer be used to identify a patient, either directly or indirectly.

In 2023, under the Digital Pakistan Vision, the Ministry of Information Technology and Telecommunication issued the Draft National Artificial Intelligence Policy (the “Policy”). In order to accelerate socio-economic adoption, this policy looks towards adapting legal and regulatory frameworks needed to ensure safe and secure data-sharing mechanisms, considering international best practices.

In September 2024, the Regulation of Artificial Intelligence Act, 2024, was introduced in the Senate of Pakistan, aiming to regulate artificial intelligence (AI) in the country – though this is yet to be passed. The draft of this Act is presently under consideration by the Standing Committee on Information Technology and Telecommunication.

In the event of a personal data breach, where the breach is likely to result in any risk to the rights of the data subjects, the data controller must notify the Commission and the affected data subject without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

The data breach notification must include the following:

  • a description of the nature of the personal data breach;
  • the name and details of the data protection officer;
  • the consequences of the personal data breach; and
  • the measures adopted or suggested by the data controller to address the personal data breach.

In addition, data controllers need to maintain a record of any personal data breaches that have occurred.

As Pakistan does not yet have an operative data protection law in force, there is currently no active supervisory authority conducting investigations into personal data breaches. However, the proposed National Commission for Personal Data Protection would be empowered to investigate such breaches once established.

The Draft Bill provides for the establishment of the National Commission for Personal Data Protection (NCPDP). The NCPDP shall be responsible for:

  • protecting the interests of individuals;
  • enforcing protection of personal data;
  • preventing any misuse of personal data;
  • promoting awareness of data protection; and
  • addressing complaints.

Administrative proceedings under the Draft Bill can be initiated with the filing of a complaint against any:

  • violation of personal data protection rights;
  • misconduct of any data controller or data processor;
  • breach of a data subject’s consent to process data; or
  • breach of a data controller’s obligations.

The complaint must be filed in a simple written format, and the complainant must certify that they have not already or concurrently filed any application, complaint or suit before any other forum or court.

An individual whose identity information has been obtained, possessed, distributed or used without authorisation may file a complaint with the Federal Investigation Agency (FIA). Where the victim seeks to block access to identifiable information or secure its destruction, they may approach the Pakistan Telecommunication Authority (PTA), established under the Pakistan Telecommunication (Re-Organization) Act 1996.

Any malpractice carried out by a bank with respect to the secrecy of customers’ data may be challenged before the banking muhtasib (banking ombudsman).

Once an investigation is initiated and the relevant law is applied, administrative fines are imposed in accordance with the provisions of the respective laws that define the offence and prescribe the corresponding fines or penalties.

As of January 2026, there are no publicly reported cases of administrative fines having been issued in Pakistan specifically for breaches of individual privacy rights. The Draft Bill, however, provides for fines of up to USD2 million for unlawful processing of personal data.

No enforcement trends have been recorded.

The absence of a data protection law has resulted in a corresponding absence of dedicated privacy litigation in Pakistan.

There is no applicable information in this jurisdiction.

The Draft Bill does not provide for any collective redress mechanism.

Currently, Pakistan does not have a specific, standalone regulation dedicated exclusively to governing the use of internet of things (IoT) services.

The interplay between these domains is rooted in the necessity to align data regulation frameworks with data protection principles rather than allowing them to conflict.

Regulatory bodies such as the PTA and the SBP monitor compliance with data regulations within their domains.

The NCPDP, once operational, will oversee compliance with the Draft Bill, impose penalties for violations and manage grievances.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

The Draft Bill does not specifically address requirements regarding the use of cookies; however, it has laid down the basic principles for processing, such as purpose specification, limitation, lawfulness, transparency, data retention, etc. These need to be followed by data controllers and processors while using cookies.

The Protection from Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009, require all operators (holding a licence from the PTA) to establish a standard operating procedure (duly approved by the PTA) to control spamming.

Similarly, all operators are required to develop a standard operating procedure for controlling unsolicited calls. The operators are also required to establish a consolidated “Do Not Call Register” in connection with controlling unsolicited calls. The operators are further required to ensure registration of telemarketers.

The Draft Bill provides that data subjects must not be subjected to automated decision-making, including profiling that presents significant harm to data subjects.

Pakistan has no specific law concerning workplace privacy. The Draft Bill provides that sensitive personal data may be processed by a data controller for the purposes of exercising or performing any right or obligation conferred or imposed by law on the data controller in connection with employment.

The Public Interest Disclosures Act, 2017, governs the mechanism for public interest disclosures and protection of persons making such disclosures (related to the prevention of corruption in public sector organisations). Anonymous or pseudonymous disclosures are not considered under said Act. The identity of the complainant is to be protected unless required otherwise. The Act provides protection to the complainant against any victimisation on the ground that they made a disclosure. A complainant is considered victimised if they are:

  • dismissed;
  • suspended;
  • denied promotion;
  • demoted;
  • made redundant;
  • harassed;
  • intimidated;
  • threatened with any of the above matters; or
  • subjected to discriminatory or other adverse measures by their employer or by a fellow employee.

Said Act also provides for due protection of the complainant, witness or any other person rendering assistance in an inquiry.

The Securities and Exchange Commission of Pakistan (SECP) has issued the Listed Companies (Code of Corporate Governance) Regulations, 2019 (the “Code”). The Code requires that listed companies’ boards of directors maintain a whistle-blowing policy, by establishing a mechanism to receive and handle complaints in a fair and transparent manner while providing protection to the complainant against victimisation. The Code requires that the chief executive officer of a listed company place “reports on/synopsis of issues and information pursued under the whistle-blowing policy, clearly disclosing how such matters were dealt with and finally resolved or cancelled”, before the board of directors or before the committee of the board of directors.

Matters pertaining to the role of labour organisations, e-discovery issues, use of digital loss-prevention technologies and scanning/blocking websites at a workplace are not dealt with under the Draft Bill or under any other law.

No regulatory framework is available governing data protection in M&A.

Under the Draft Bill, the transfer of personal data outside Pakistan is only permissible in the following cases:

  • equivalent protection;
  • explicit consent of the data subject; and
  • under a framework to be devised by the NCPDP.

In the absence of an adequate data protection legal regime, the NCPDP may allow for the transfer of personal data outside Pakistan in the following cases:

  • for a binding contract/agreement;
  • with the explicit consent of the data subject provided it does not conflict with the public interest or national security of Pakistan;
  • when international co-operation is required under relevant international obligations; and
  • subject to any further conditions specified by the NCPDP.

It should be noted that critical personal data is not allowed to be transferred outside Pakistan.

Under the Draft Bill, the NCPDP is required to devise a mechanism for keeping some components of sensitive personal data within Pakistan (ie, data localisation).

The NCPDP shall also devise a mechanism for sharing sensitive personal data with the government of Pakistan, provided that the data relates to public order or national security and is required within the parameters of applicable law.

Under the Draft Bill, one of the permissible modes of cross-border transfer of personal data is a “mechanism to be devised by the NCPDP”. On establishment of the NCPDP, said mechanism may contain any approval requirements for all or any class of personal data.

The Draft Bill provides that critical personal data must be kept within Pakistan.

There are no blocking statutes related to data privacy or otherwise.

No such developments have been noted.

S.U.Khan Associates, Corporate and Legal Consultants

First Floor, 92-Razia Sharif Plaza
Fazal-ul-Haq Road
Blue Area
Islamabad
Pakistan

+92 51 2344 741

+92 51 2344 743

saeed.hasan@sukhan.com.pk www.sukhan.com.pk