General Legal Framework
Pakistan currently does not have any general laws imposing limitations on the entrusting of processes or data to the cloud. The Ministry of Information Technology and Telecommunication (the MOITT) is in the process of seeking comments from stakeholders on a consultation draft (v.09.04.2020) of a personal data protection bill (PDP Bill) before it is tabled in parliament. If enacted, the PDP Bill will require that personal data not be transferred to any system located outside Pakistan, or not under the direct control of the federal or provincial governments of Pakistan, unless the country to which the data is transferred offers personal data protection at least equivalent to that under the PDP Bill. Such data will have to be processed in accordance with the PDP Bill and, where applicable, with the consent of the data subject.
Industries with Greater Regulation
The regulator for the banking sector in Pakistan is the State Bank of Pakistan (SBP). Pursuant to BPRD Circular No 05 of 2017, the SBP has notified a framework titled the Enterprise Technology Governance and Risk Management Framework for implementation by financial institutions (FIs) by 30 June 2018, which was amended by BPRD Circular No 06 of 2019 and BPRD Circular No 04 of 2020. The framework is required to be integrated with the FI's overall enterprise risk management programme to identify, measure, monitor and control technology risks. However, the framework is not “one-size-fits-all” and its implementation needs to be risk-based and commensurate with the size, nature and types of products/services offered and the complexity of the technology operations of individual FIs. FIs are required to exercise sound judgment in determining the applicable provisions relevant to their technology risk profile while implementing this framework.
The SBP framework sets out the processes and requirements relating to (i) permissible cloud outsourcing arrangements; and (ii) internal controls in cloud outsourcing arrangements.
Permissible cloud outsourcing arrangements
The framework provides, inter alia, that, subject to the policy approved by the board of the FI, FIs can take advantage of all types of cloud service models – including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) – from domestic and offshore cloud service providers (CSPs), keeping in view that:
Internal controls in cloud outsourcing arrangements
When entering into an outsourcing arrangement with a CSP, an FI shall ensure that:
Subcontracting is permitted in outsourcing arrangements with CSPs, provided that the subcontractors comply with all relevant laws and the SBP's regulations.
FIs shall ensure that their internal/external auditors and the SBP have the right to audit and conduct on-site inspections of the CSP or its subcontractor, and that there is no restriction on visits by audit or SBP staff. Where an audit cannot be conducted for a valid reason, FIs may rely on internationally recognised third-party certifications and reports made available by the CSP; such reliance must be supported by an adequate understanding and review of the scope and methodology of those reports, and of the ability of the third party and the CSP to clarify matters relating to the audit. These reports must be shared with the SBP as and when required.
The Framework for Risk Management in Outsourcing Arrangements by Financial Institutions, notified by BPRD Circular No 06 of 2019, provides, inter alia, that any outsourcing arrangement outside Pakistan, excluding group outsourcing, requires the SBP's prior approval.
Group outsourcing is defined as an arrangement whereby financial institutions, including branches of foreign banks, obtain outsourced services (including technological support services) from their parent institutions, subsidiaries, head offices, other branches of foreign banks or related group entities formed to provide specialised services to group companies inside or outside Pakistan.
Other regulated sectors
Some regulated industries, such as telecommunications, are subject to additional data protection requirements. However, such requirements do not specifically place limits on entrusting data and processes to the cloud.
Processing of Personal Data in the Context of the Cloud
While there is currently no general legal framework addressing the processing of personal data in the context of the cloud, the PDP Bill contains provisions that will become relevant once it is promulgated.
Since the PDP Bill aims to regulate the processing of personal data, cloud service providers will be required to comply with its provisions; personal data stored in the cloud may only be processed with the consent of the data subject, unless the processing is necessary:
Furthermore, personal data shall not be processed unless:
The PDP Bill also provides that critical personal data may only be processed in a server or data centre located in Pakistan. Personal data other than critical personal data may be transferred outside Pakistan under a framework, and subject to conditions, to be devised by the Personal Data Protection Authority, which is also to devise a mechanism for keeping a copy of such personal data in Pakistan. The Authority is to be established within six months of the PDP Bill being promulgated into law.
Additional Compliance Requirements
A person providing cloud computing and/or hosting services may fall within the definition of a "service provider" under the Prevention of Electronic Crimes Act 2016 (PECA) and the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules 2020 (RBUO Rules) once it has more than half a million users in Pakistan.
The RBUO Rules have been notified under the PECA and provide, inter alia, that any service provider or social media company that has more than half a million users in Pakistan, or that is on the list of service providers or social media companies notified from time to time by the Pakistan Telecommunication Authority (PTA), shall:
The following definitions apply to the foregoing.
While blockchain companies have started to emerge in Pakistan, and the government has acknowledged the potential of blockchain technology, currently, there is no regulatory framework in place to govern the use of such technology and related services in Pakistan.
In recent news, a leading microfinance bank in Pakistan, in partnership with a Malaysian entity, has introduced Pakistan's first blockchain-based cross-border remittance service.
Risks and Liability
The general risks associated with the use of blockchain technology concern cybersecurity, privacy (including the protection of personal data) and the applicable operating standards. Given the lack of a legal framework for blockchain technology, the entities involved must carefully assess risk and liability, depending on the specific blockchain solution or application and the structure of the blockchain, and make provision for this under contract.
Under BPRD Circular No 03 of 2018, the SBP has prohibited the banks and financial institutions it regulates from dealing with cryptocurrencies, which are an application of blockchain technology. However, a constitutional petition has been filed in the High Court of Sindh seeking a direction to nullify the Circular.
While blockchain as a software or database can be registered as an intellectual property under the Copyright Ordinance 1962, intellectual property challenges relating to trade marks, copyrights and patents would be the same as for other electronic and physical business activities, as no specific provisions relating to such technology have been introduced within statute or by way of delegated legislation.
As stated in 1 Cloud Computing, there is currently no generally applicable data protection legislation in Pakistan. When the PDP Bill is promulgated, the primary issue, with regard to blockchain and distributed ledger technology, will be to determine who is to be treated as the data controller and the data processor. Given the nature of the technology used for such applications, a blockchain may be distributed over several nodes/servers across various geographic locations.
Because of how blockchain technology operates (data, once recorded, cannot be altered), it may in some cases be difficult to establish the legal basis for the processing of personal data, and data may end up being used for a purpose other than the one for which it was originally collected.
Additionally, it may be technically, organisationally and even legally difficult for data subjects to exercise their rights (eg, the right to delete or rectify data), and this may also lead to potential problems in terms of cross-border transfers of personal data.
Pakistan does not have any specific service levels applicable to blockchain technology. These levels will have to be based on how relevant parties negotiate the contractual framework for the implementation and/or utilisation of the blockchain service.
Pakistan does not have any laws regulating blockchain technology. However, since this technology operates over the internet, and a blockchain is distributed across multiple nodes that may be physically located in various geographic locations and spread across several jurisdictions, disputes are likely to raise choice-of-law and jurisdictional issues. Contractual frameworks should therefore address choice of law and jurisdiction along with the dispute resolution process.
Artificial intelligence and machine learning had limited practical application until recently, but have come to pervade daily life in a short span of time and are driving a technological paradigm shift. Business analytics and big data are transforming the way businesses and governments operate; competitive advantage is increasingly defined by turning proprietary and other data sets into insights using advanced algorithms. Advances in big data analytics, machine learning and artificial intelligence may present a significant opportunity for Pakistan.
However, there is no specific regulatory framework that addresses the implementation and/or regulation of big data, machine learning and artificial intelligence, which may be the biggest challenge relating to the implementation of these technologies.
A system or product utilising big data, machine learning and/or artificial intelligence technology is presently treated at par with any other system or product of a similar nature.
While internet of things (IoT) projects and services are not subject to specific requirements and do not require special authorisation, certain telecommunications standards may become relevant depending on the type of device(s) to be used and/or the service(s) to be provided.
The regulator for the telecommunications sector in Pakistan is the PTA, which was created pursuant to the Pakistan Telecommunication (Reorganisation) Act 1996 (PTA Act). Every licence granted by the PTA to its licensee may, inter alia, contain:
Devices that use the radio frequency spectrum to transmit and/or receive information require type approval from the PTA before they can be connected to a public-switched network (see 8 Scope of Telecommunications Regime for further details).
Machine-to-Machine Communications and Data Protection
Pakistan does not have a legal framework that specifically regulates machine-to-machine communications. Sector-specific regulators enforce data protection requirements as part of the law and the terms of the licences granted thereunder, and the PECA criminalises the misuse of personal data without consent; it is therefore important that machine-to-machine communications do not result in the commission of offences under the PECA. These offences include:
The transmission of encrypted data as traffic on a public-switched network is not permitted under the applicable laws: non-standard communication protocols, including encryption, cannot be used without the prior approval of the PTA. Such prior approval is required for any non-standard mode of communication, including virtual private networks (VPNs) and non-standard protocols carrying encrypted messages. The use of any non-standard means of communication, including any mechanism by which communications are hidden or modified to the extent that they cannot be monitored, is a violation of the applicable laws.
Agreements for the provision of IT services are not specifically regulated under Pakistan law. They are therefore governed by the terms the parties choose under the Contract Act 1872, and generally reflect best practices in the sector. This gives the parties the freedom to reflect their interests and intentions in their legal relationship. A contract may not, however, be contrary to the law in force, and the parties may be required to comply with obligations arising from sector-specific regulations.
Please also refer to the Banking sector and the Processing of Personal Data in the Context of the Cloud sections in 1 Cloud Computing.
Foreign Exchange Controls
One of the greatest challenges that local organisations encounter in terms of entering into IT service agreement(s) with non-residents, is in seeking an exemption from the SBP, in connection with the restriction imposed on outward payments to non-residents under the Foreign Exchange Regulation Act 1947 (FERA). This can lead to disputes and litigation, the resolution of which can become time consuming.
However, the SBP has granted a general exemption from the restriction contained in the FERA, whereby scheduled banks have been given general permission to release foreign exchange of up to USD100,000 (or its equivalent in other currencies) per invoice for private sector companies incorporated in Pakistan and for branches of foreign companies operating in Pakistan with the permission of the Board of Investment. The exemption applies where such companies/branches are undertaking permissible business/commercial activities, paying local taxes and periodically repatriating their profits abroad (subject to compliance with the relevant provisions of applicable law). After satisfying themselves of the genuineness of the request, and after deducting all applicable taxes, the banks may release such payments for charges on account of the utilisation of IT services such as:
The above remittances may only be made through a bank designated by the remitters for that purpose to the SBP. Such applications are required to be submitted through a scheduled bank along with:
Core Rules Regarding Data Protection
Currently there is no generally applicable data protection legislation in Pakistan. The PDP Bill, if and when enacted, shall provide for and regulate the processing of personal data. The PECA criminalises the misuse of personal data (including personal data processed by a third party in its capacity as a service provider) without consent. Industry-specific regulators have data protection requirements, which have been imposed by legislation and in licences granted by them.
The Pakistan Telecom Rules 2000 (PTA Rules) provide, inter alia, that a licence issued by the PTA shall be subject to the PTA Act and the PTA Rules.
Appendix B to the PTA Rules contains the general conditions that apply to all licences under which licensed services are provided (the General Conditions). The licence and the licensed services are further subject to the conditions specified in Schedule 2 annexed to the General Conditions. Pursuant thereto, all PTA licensees are required to ensure that employees who, in the course of their employment, obtain information about the licensee's customers or their business (customer information) observe the code of practice on the confidentiality of customer information. The confidentiality code must be prepared by the licensee in consultation with the PTA and must (i) specify the persons to whom customer information may be disclosed without the prior consent of the customer, and (ii) regulate the customer information that may be so disclosed.
The SBP requires all banks and FIs to maintain confidentiality of customer information. The Payment Systems and Electronic Fund Transfers Act 2007 (PSEFT) regulates payment systems and electronic fund transfers in Pakistan, and provides standards for protection of consumers and participants. Pursuant thereto, a financial institution is not permitted to, except as otherwise required by law, divulge any information relating to an electronic fund transfer, affairs or account of its customer, except in circumstances in which, according to the practice and usage customary among bankers, it is necessary or appropriate for a financial institution to divulge such information, or the consumer has given consent in respect thereof. Additionally, no person other than an officer or agent appointed by the FI that maintains the account of a consumer may have access through an electronic terminal to information relating to electronic fund transfer, the affairs, or the account of the consumer. The rules governing the operation of individual accounts will be applicable to electronic fund transfers in relation to disclosure of information to third parties.
The Regulations for Payment Card Security, issued under the PSEFT and as notified by the SBP (vide the PSD Circular No 05 of 2016), provide, inter alia, that:
The PSEFT provides that any FI that wilfully fails to comply with any provision of the PSEFT, or of any rules, circulars, directions, orders or by-laws issued under it, is liable to pay a fine to the SBP of up to PKR1 million (approximately USD6,250). On failure to pay the fine, the SBP may suspend or revoke the licence of the service provider or FI concerned, as the case may be. Any unpaid fine may be recovered as arrears of land revenue.
Distinction between Companies/Individuals
Current legislation does not make a distinction between companies and individuals. The PDP Bill, if and when enacted, will provide protection of personal data only for individuals, whose consent will be required in order for data controllers to process their data.
General Processing of Data
The PDP Bill, if and when enacted, will provide, inter alia, that a data controller shall not process personal data including sensitive personal data of a data subject unless the data subject has given their consent to the processing of that personal data. Notwithstanding the above, a data controller may process personal data relating to a data subject if the processing is necessary:
However, personal data shall not be processed unless:
The key items relating to processing of personal data are:
The PDP Bill, if and when enacted, seeks to establish a Personal Data Protection Authority which, once established, will have the power, inter alia, to seek information from data controllers in respect of data processing, to impose penalties for non-compliance and for failure to observe data security practices, and to order a data controller to take such reasonable measures as it deems necessary to afford a remedy to an applicant for any failure to implement the provisions of the PDP Bill once promulgated. Anyone who processes, causes to be processed, disseminates or discloses personal data in violation of any provision of the PDP Bill shall be liable to a fine of up to PKR15 million (approximately USD93,750); for a subsequent unlawful processing of personal data, and for offences in relation to sensitive data, the fine may be raised to up to PKR25 million (approximately USD156,250).
Processing of personal data
The PDP Bill, if and when enacted, will confer on data subjects, among others:
Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs, including recreational purposes, shall be exempt from the provisions of the PDP Bill. Personal data is also exempt from the provisions of the PDP Bill if it is processed:
There is no specific legislation to address the use by employees of company computer resources. These matters are required to be addressed in the employment agreement(s) between the employer and the employee.
The PTA Act and the rules and regulations framed thereunder (the PTA Laws) provide a framework to regulate the operation of telecommunications systems and the provision of telecommunications services. The PTA Act provides that no person shall establish, maintain or operate any telecommunication system or provide any telecommunication service unless they have obtained a licence under the PTA Act.
For purposes of the foregoing:
Network and Service Provider Obligations
The definitions of the above-mentioned activities are very broad; therefore, the PTA Act could apply to a wide range of entities and services.
The PTA is also responsible for applications relating to the use of the radio frequency spectrum through its Frequency Allocation Board (FAB), which has exclusive authority to allocate and assign portions of the radio frequency spectrum to the government, providers of telecommunications services and systems, radio and television broadcasting operations, public and private wireless operators, and others.
Terminal equipment/type approval
Approval by the PTA is required before any terminal equipment can be directly or indirectly connected to a public switched network. The PTA may impose conditions on the approval, including conditions limiting connection to specified types of telecommunication systems. The technical standards for terminal equipment, and the procedures for approving test equipment, testing terminal equipment and certifying that it complies with the relevant technical standards, are set out in the Type Approval Technical Standards Regulations 2019.
A type approval granted by the PTA signifies that particular telecommunication equipment is approved for general sale and is suitable to connect with a specific public telecommunication network.
The following categories of equipment require prior type approval from the PTA:
The following types of equipment are exempted from type approval:
The PTA charges a non-refundable processing fee of PKR5,000 per application for locally manufactured terminal equipment and USD100 per case for foreign-manufactured terminal equipment, for all new applications, amendments to an issued certificate and the issuance of duplicate certificates.
Since the transmission of encrypted data as traffic on the network is not permitted under the applicable laws, non-standard communication protocols, including encryption, cannot be used without the prior approval of the PTA. Operators must obtain the PTA's prior approval to use a non-standard mode of communication, including VPNs and non-standard protocols carrying encrypted messages, and the use of any non-standard means of communication, including any mechanism by which communications are hidden or modified to the extent that they cannot be monitored, is a violation of the applicable laws. Service providers are required to provide local law enforcement agencies with interception and decryption capability for encrypted services; the regulation of messaging and VoIP services remains a live issue.
The Pakistan Electronic Media Regulatory Authority (PEMRA) established under the Pakistan Electronic Media Regulatory Authority Ordinance, 2002 (PEMRA Ordinance) has the mandate to regulate the establishment and operation of all broadcast media and distribution services in Pakistan, established for the purpose of international, national, provincial, district, local or special target audience broadcasting. PEMRA regulates the distribution of foreign and local TV and radio channels in Pakistan.
For the purposes of the foregoing:
Operating broadcast media or providing distribution services can only be undertaken once a licence therefor has been obtained from PEMRA. Applications are decided, subject to clearance from the Ministry of Interior and frequency allocation by the Frequency Allocation Board (FAB) in relevant cases. PEMRA issues licences for broadcast media and distribution services for:
PEMRA may also grant permission to a distribution service licensee for the running of an in-house distribution channel subject to such terms and conditions as PEMRA may prescribe, provided that only Pakistani content shall be distributed on such channel.
A licence granted by PEMRA under the PEMRA Ordinance shall be valid for a period of five, ten or fifteen years subject to payment of the annual fee prescribed from time to time. PEMRA may renew a licence on such terms and conditions as may be prescribed and in case of refusal to renew a licence reasons shall be recorded in writing. Subject to the terms and conditions of the licence granted by PEMRA, a licensee shall not sell, transfer or assign any of the rights conferred by the licence without prior written permission of PEMRA.
PEMRA shall process each application in accordance with the prescribed criteria and shall hold public hearings in the respective provincial capitals of each province or, as the case may be, in Islamabad, before granting or refusing a licence.
Every application form shall be accompanied by a non-refundable application processing fee as set out in Schedule-B of the Pakistan Electronic Media Regulatory Authority Rules 2009 (PEMRA Rules). Applications for the grant of a licence shall, in the first instance, be shortlisted by considering their:
PEMRA shall not grant a licence to:
Foreign Programmes and Local Content Requirement
Licensees of PEMRA, pursuant to the terms of their licence, are required to carry all channels of the National Broadcaster and all licensed satellite TV and foreign satellite TV channels having landing rights permission from PEMRA. Such licensees, under all circumstances, shall provide the "basic service", which includes a bouquet of satellite TV channels as determined by PEMRA, comprising channels with religious, educational, informational, news and entertainment content. A licensee shall be restricted to carry or relay only those foreign satellite TV channels that have obtained necessary landing rights permission of PEMRA for "landing" into Pakistani territory. A licensee may not discriminate against any licensed TV channel or landing rights permission holder in offering its broadcast or distribution platform.
Licensees of PEMRA, pursuant to the terms of their licence, are required to offer at least one basic service package (this means the free-to-air television channels of the national broadcasters, non-commercial educational and health-related TV channels licensed by PEMRA and such other free-to-air television channels as determined by PEMRA to be distributed by a distribution service licensee to its subscribers against a fixed minimum monthly subscription fee) that includes the must-carry channels (this means the channels of national broadcasters, non-commercial educational channels licensed by PEMRA and such other free to air television channels as determined by PEMRA to be distributed by the distribution networks including IPTV networks to its subscribers), for which it does not charge a subscription fee at a rate higher than the maximum fee prescribed by PEMRA.
PEMRA has issued a notification whereby the airing of Indian content has been banned. Further, airing programmes that are a production of international entities requires prior approval from PEMRA. PEMRA has also prohibited the broadcast media or distribution service operator from broadcasting or rebroadcasting or distributing any programme or advertisement if PEMRA is of the opinion that such programme or advertisement is:
Online Content/Internet-Based Platforms
PEMRA regulates traditional distribution platforms, whereas internet-based platforms are regulated jointly by the PTA and PEMRA.
PEMRA has published on its website Consultation Paper No Web&OTT/1-2020 on regulating web TV and over-the-top (OTT) TV; however, there is no specific legal framework to regulate such content, except for the RBUO Rules, which allow the PTA to block specific online content and/or an entire online system if the content is not removed by the service provider or social media company. Please see 1 Cloud Computing (Additional Compliance Requirements) for further detail.
While there is no general legal requirement mandating the use of encryption for electronic communications and documents, cryptographic processes used to protect the confidentiality, integrity and authenticity of information (encryption and electronic signatures) are subject to the provisions of the Electronic Transactions Ordinance 2002 (ETO). The Certification Council created under the ETO has the power to grant accreditation to service providers, including, inter alia, providers of cryptography services.
The transmission of encrypted data as traffic on a public-switched network is not permitted under the applicable laws: non-standard communication protocols, including encryption, cannot be used without the prior approval of the PTA. Such prior approval is required for any non-standard mode of communication, including VPNs and non-standard protocols carrying encrypted messages. The use of any non-standard means of communication, including any mechanism by which communications are hidden or modified to the extent that they cannot be monitored, is a violation of the applicable laws.
The use of encryption does not exempt legal entities from applicable laws. However, it may be noted that after the promulgation of the PDP Bill, data controllers and/or data processors will be required to implement necessary safeguards so as to ensure protection of personal data of data subjects.
Sector-specific regulators impose data protection requirements through legislation and the terms of the licences granted thereunder. For example, the SBP requires that, under an FI's cloud outsourcing arrangements, the FI's data be encrypted at the database level, at the storage level and during network transmission, and be logically segregated from other data held by the CSP. In addition, the PECA criminalises the misuse of personal data without consent. Please refer to 4 Legal Considerations for Internet of Things Projects for further discussion.
Through a press release dated 20 March 2020, subsequently amended by a press release dated 25 March 2020, the PTA issued an advisory notice directing its licensees to remain fully prepared to provide uninterrupted telecom services to their consumers. Licensees were also directed to keep the necessary resources available at all levels for the smooth functioning of voice/data services and networks; customer support centres, franchises and other outlets may operate with essential support staff only.
The advisory notice also directs operators to advise their support staff to adopt necessary preventive measures against the spread of COVID-19, for themselves and for customers.
The federal and provincial government authorities have also been requested to allow communication services providers, customer support centres, franchises, and retailers to remain open during lockdown for provision of uninterrupted services and support.