Pakistan
Data Protection
Introduction
At present, Pakistan does not have a specific law governing data protection comparable to the European Union’s General Data Protection Regulation (GDPR). The Ministry of Information Technology and Telecommunication has, however, prepared a final draft Personal Data Protection Bill, 2023 (“the Bill”), which has been approved by the Federal Cabinet and is pending approval of the National Assembly and Senate before being promulgated into law.
As per its preamble, the legislation seeks to regulate the collection, processing, use, disclosure, and transfer of personal data, and provide a mechanism for data protection including offences concerning the violation of data privacy rights of an individual.
The Bill contemplates that it will come into force no later than two years from the date of its promulgation as determined by the government through notification, providing at least three months’ advance notice as to its effective date.
The Bill also contemplates the establishment of a National Commission for Personal Data Protection (“the Commission”) by the Federal Government of Pakistan which will be the regulator for the purposes of enforcement of the Bill.
In the interim, in addition to the Constitution, there is a plethora of laws, rules and sector-specific regulations that deal with various aspects of personal data, discussed more particularly below.
Having said that, the Bill itself contemplates that it shall not override any other law on the subject for the time being in force; its provisions are intended to serve as a bare minimum, and wherever another applicable law deals with the same subject, the provisions having greater effect will prevail.
1 . What national laws regulate the collection, use and disclosure of personal data?
Constitution of Pakistan
Under the Constitution, subject to law, the “dignity of man” and the privacy of the “home” are fundamental and inviolable rights of every citizen of Pakistan. The courts have, over the years, interpreted this right broadly, extending it beyond the four walls of the home to wherever a person may live or work, and to privacy in public places, privacy of personal information and privacy of the body.
Banking and financial services sector
The State Bank of Pakistan (SBP) is the regulator responsible for regulation of the banking and financial services sector of Pakistan.
Under the Banking Companies Ordinance, 1962 (BCO), except as otherwise required by law, banks and financial institutions are prohibited from divulging any information relating to the affairs of their customers, other than in circumstances in which it is, in accordance with law or with the practice and usage customary among bankers, necessary or appropriate for a bank to divulge such information.
The Payment Systems and Electronic Fund Transfers Act, 2007 (and the various rules and regulations framed thereunder) also regulate data privacy and confidentiality of consumers/customers.
Telecommunications sector
The Pakistan Telecommunications Authority (PTA) regulates the telecom sector under the Pakistan Telecommunication (Re-organisation) Act, 1996 (“PTA Act”) and has issued the following rules and regulations thereunder, which include provisions relating to the privacy of telecoms consumers and the processing, use, disclosure and transfer of their data:
- Pakistan Telecommunication Rules 2000 ("Telecom Rules");
- Critical Telecom Data and Infrastructure Security Regulations, 2020;
- Data Retention of Internet Extended to Public Wifi-Hotspots Regulations, 2018;
- Protection from Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009 ("Communication Regulations") (discussed further in Question 10, below);
- Regulations for Technical Implementation of Mobile Banking, 2016; and
- Subscribers Antecedents Verification Regulations, 2015.
Prevention of electronic crimes
In the absence of a law that directly addresses data protection and privacy, the Prevention of Electronic Crimes Act, 2016 (PECA), although enacted to prevent electronic crimes, is usually cited and treated as the primary legislation on data protection. It deals with the prevention of unauthorised access to information systems and data, the investigation, prosecution and trial of such offences, and international co-operation in respect of them.
PECA extends to the whole of Pakistan and applies to every citizen of Pakistan, and also to every other person present for the time being in Pakistan. It also applies to any act committed outside Pakistan if such act constitutes an offence under PECA and affects any person, property, information system, or data located in Pakistan.
PECA prohibits and criminalises, where done with dishonest intent: (i) unauthorised access to any information system or data; (ii) unauthorised copying or transmission of data; and (iii) interference with, or damage to, the whole or any part of an information system. PECA further criminalises obtaining, selling, possessing, transmitting or using another person’s identity information without authorisation.
Additionally, except as required by law, PECA prohibits a person who obtains data containing personal information while providing services under a lawful contract (or otherwise in accordance with law) from disclosing that data without the consent of the person concerned, or in breach of the contract, where the disclosure causes or is likely to cause harm, wrongful loss or wrongful gain to any person, or compromises the confidentiality of such material or data.
Right of Access to Information Act, 2017 (RAIC)
RAIC applies to all public bodies of the federal government and provides for the public’s right of access to information subject to reasonable restrictions imposed by law. Under RAIC, information is exempt from disclosure if its disclosure would involve the invasion of privacy of an identifiable individual, including a deceased individual, other than the applicant. The exemption does not apply where, inter alia: (i) the third party has consented to the disclosure of the information; or (ii) the person making the request is the guardian of the third party or the next of kin or the executor of the will of a deceased third party.
Notwithstanding the above-cited piecemeal legislation, in keeping with the purpose and spirit of this article, except where deemed necessary, the sections below will only focus on the provisions of the Bill as currently approved by the federal government.
2 . To whom do the laws apply?
The Bill applies to data controllers or data processors:
- that process or exercise control or authorise the processing of any personal data, provided that they are established/present/registered within Pakistan;
- that are incorporated in any other jurisdiction but operate within Pakistan digitally or non-digitally, and carry out processing of personal data concerning any commercial or non-commercial activity including profiling data subjects within Pakistan;
- that do not have a physical presence within Pakistan but who carry out the processing of personal data in a territory where Pakistani law applies under public or private international law; and
- that collect personal data of a data subject within Pakistan including foreign data subjects that are physically present in Pakistan at the time of collection and processing of personal data within Pakistan, provided that in the case of foreign data subjects, the collection of the personal data is not in conflict with the privacy laws of the country where the controller is registered.
Key definitions and concepts:
- Data controller means a person or the government who either alone or jointly has the authority to decide on the collection, obtaining, usage, or disclosure of personal data.
- Data processor means a person or the government who alone or in conjunction with other(s) processes data on behalf of the data controller.
- Data subject means a natural person who is the subject of the personal data.
- Foreign data subject means a data subject who is not a Pakistani national.
Explanations of the terms “personal data” and “processing” are dealt with more appropriately in Questions 4 and 5, below.
3 . What is the territorial scope of the law?
The Bill, once enacted, will apply to the whole of Pakistan.
The Bill will also apply to data controllers or data processors:
- that are incorporated in any other jurisdiction but operate within Pakistan digitally or non-digitally, and carry out processing of personal data concerning any commercial or non-commercial activity including profiling data subjects within Pakistan;
- that do not have a physical presence within Pakistan but who carry out the processing of personal data in a territory where Pakistani law applies under public or private international law; and
- that collect personal data of a data subject within Pakistan including foreign data subjects that are physically present in Pakistan at the time of collection and processing of personal data within Pakistan, provided that in the case of foreign data subjects, the collection of the personal data is not in conflict with the privacy laws of the country where the controller is registered.
4 . What acts and operations relating to personal data are regulated?
The Bill regulates the collection, processing, use, disclosure and cross-border transfer of personal data, in each case, as discussed below.
“Processing” is defined as any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data processed by an individual only for that individual’s personal, family, or household affairs, including recreational purposes, is exempt from the provisions of the Bill.
In addition to the exemptions expressly identified below, the Bill also grants certain general exemptions to the processing of personal data as regulated by the Bill, in the following circumstances:
- the prevention, detection, investigation, or prosecution of any criminal offence;
- the apprehension or prosecution of offenders;
- the enforcement of any legal right or claim; or
- the enforcement of any decree of court, tribunal, or for the performance of a judicial or quasi-judicial function.
Infrastructure providers whose infrastructure is used by a data controller and/or data processor, but who do not themselves process the data, can apply for exemptions as permitted by the Bill and any legislation framed thereunder.
5 . What personal data does the law regulate?
The Bill regulates the following types of data:
- Personal data. Defined as any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or other information in the possession of a data controller and/or data processor, including any sensitive or critical personal data. Anonymised or pseudonymised data which is incapable of identifying an individual is not considered personal data.
- Anonymised data. Personal data which has undergone the irreversible process of transforming or converting personal data to a form in which a data subject cannot be identified.
- Pseudonymised data. Personal data that has been processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
- Sensitive personal data. Any personal data relating to:
- financial information excluding identification number, credit card data, debit card data, account number or other payment instruments data (defined further in the Bill);
- health data (physical, behavioural, psychological and mental health conditions or medical records) (defined further in the Bill);
- computerised national identity card or passport;
- biometric data (defined further in the Bill);
- genetic data (defined further in the Bill);
- religious beliefs;
- criminal records;
- political affiliation;
- caste or tribe; or
- ethnicity.
- Critical personal data. Defined as such personal data retained by the public service provider — excluding data open to the public — as well as data identified by sector regulators and classified by the Commission as “critical”, or any data related to international obligations (as defined under Part 1 of the Fourth Schedule of the Constitution of the Islamic Republic of Pakistan, 1973).
For the purposes of the Bill, the term “public service provider” means and includes any entity dealing with and having personal data while working under government.
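The distinction the Bill draws between pseudonymised data (reversible only with additional information that is kept separately) and anonymised data (irreversible) is easy to get wrong in practice. The following Python is an added illustration, not code from the Bill, the Commission or any Pakistani regulator: it pseudonymises a constructed set of records by replacing direct identifiers with a keyed HMAC token, shows that re-identification needs the separately held key, anonymises the same records by dropping identifiers and generalising age, and then demonstrates the common mistake of using an unkeyed hash of a 13-digit CNIC, which an attacker who knows part of the number (assumed here to be the first eight digits) recovers by enumeration. The records, names and field layout are all constructed for the example.

```python
"""Pseudonymisation versus anonymisation of a small personal-data set.

Added illustration only; this is not code from the Bill, the Commission or any
Pakistani regulator. The sample records, the field names and the key handling
are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from itertools import product
from typing import Dict, Iterable, List, Optional

# Constructed sample records: fictional names and CNIC-like 13-digit numbers.
RECORDS: List[Dict] = [
    {"name": "A. Khan", "cnic": "3520212345671", "age": 34, "city": "Lahore", "diagnosis": "asthma"},
    {"name": "B. Malik", "cnic": "4210198765432", "age": 29, "city": "Karachi", "diagnosis": "diabetes"},
    {"name": "C. Ahmed", "cnic": "6110134567890", "age": 61, "city": "Islamabad", "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("name", "cnic")


def make_pseudonymisation_key() -> bytes:
    """The 'additional information' of the definition: a secret key that must be
    stored apart from the pseudonymised data set and access-controlled."""
    return secrets.token_bytes(32)


def pseudonym(cnic: str, key: bytes) -> str:
    """Keyed, deterministic token for an identifier (HMAC-SHA256, truncated).
    Deterministic so that records about the same person still link together."""
    return hmac.new(key, cnic.encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace direct identifiers with a keyed token; other fields are kept."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = pseudonym(r["cnic"], key)
        out.append(row)
    return out


def reidentify(token: str, candidate_cnics: Iterable[str], key: bytes) -> Optional[str]:
    """Re-identification is possible only for a party holding the key."""
    for c in candidate_cnics:
        if hmac.compare_digest(pseudonym(c, key), token):
            return c
    return None


def anonymise(records: Iterable[Dict]) -> List[Dict]:
    """Irreversible transformation: drop direct identifiers and generalise the
    quasi-identifier 'age' to a decade band. No token is produced, so there is
    no additional information with which a record could be re-attributed."""
    out = []
    for r in records:
        decade = (r["age"] // 10) * 10
        out.append({"age_band": f"{decade}-{decade + 9}",
                    "city": r["city"], "diagnosis": r["diagnosis"]})
    return out


def unkeyed_sha256(cnic: str) -> str:
    """A plain, unkeyed hash of the identifier: a common but mistaken substitute
    for pseudonymisation."""
    return hashlib.sha256(cnic.encode()).hexdigest()


def recover_from_unkeyed_hash(digest_hex: str, known_prefix: str) -> Optional[str]:
    """Caveat: an unkeyed hash of a low-entropy identifier is not pseudonymisation
    in the definition's sense, because no separately held secret is needed to
    reverse it. The attacker is assumed (for this example) to know the first
    8 digits of the 13-digit CNIC and enumerates the remaining 5 (100,000
    candidates)."""
    unknown = 13 - len(known_prefix)
    for tail in product("0123456789", repeat=unknown):
        cand = known_prefix + "".join(tail)
        if hashlib.sha256(cand.encode()).hexdigest() == digest_hex:
            return cand
    return None


if __name__ == "__main__":
    key = make_pseudonymisation_key()
    for row in pseudonymise(RECORDS, key):
        print(row)
    for row in anonymise(RECORDS):
        print(row)
    print(recover_from_unkeyed_hash(unkeyed_sha256("3520212345671"), "35202123"))
```

The point for a controller is operational: the pseudonymised set is still personal data under the Bill for as long as the key exists anywhere, so the key needs its own access control, logging and retention schedule; only the anonymised set, which carries no token and no identifier, falls outside the definition.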
6 . Are any types of personal data subject to a higher level of protection under the law?
Sensitive and critical personal data (defined above) can only be processed under certain conditions specified in the Bill. The Commission has the power to exempt the application of certain conditions in certain cases or provide that, in certain cases, the specified conditions are not satisfied unless certain additional conditions are also satisfied.
Exemptions may also be granted for the processing provided that the processing is for:
- prevention, detection, investigation, or prosecution of any criminal offence;
- apprehension or prosecution of offenders;
- enforcement of any legal right or claim; or
- enforcement of any decree of a court, tribunal, or performance of a judicial or quasi-judicial function.
Critical personal data can only be processed on servers or digital infrastructure located within Pakistan.
Children’s personal data must be processed in a manner that protects the rights and interests of the child:
- processing likely to cause harm to the child is prohibited;
- undertaking tracking or behavioural monitoring of children or targeted advertising directed at children is prohibited; and
- before processing, a controller or processor must verify the age of the child and seek the consent of the child’s parent or relevant person (as defined in the Bill) or authorised person (as defined in the Bill) having parental responsibility over the child to decide on the child’s behalf, in the prescribed manner.
For the purposes of the Bill:
- a child means a person who has not attained the age of 18 years; and
- “harm” means any harm, whether physical or non-physical, including, without limitation, psychological, financial or reputational harm, loss of employment, being subjected to blackmail or extortion, or the withdrawal of any service or benefit as a result of an evaluative decision about the data subject.
7 . What requirements must be fulfilled in order to process personal data?
The Bill specifies the following requirements for processing personal data:
- The data must be collected, processed and disclosed lawfully and fairly in accordance with the Bill.
- The data must be collected for specified, explicit and legitimate purposes, and not be processed further in a manner that is incompatible with the aforesaid purpose and must be adequate, relevant and limited to the purposes for which the data is processed.
- A controller and/or processor operating in Pakistan, whether digitally or non-digitally, must register with the Commission (or notify the Commission of its prior registration with a public body).
- Consent of the data subject has been obtained prior to commencement of the collection or processing or as prescribed under the provisions of the Bill.
“Consent” means “any freely given, specific, informed, and unambiguous indication of the data subject’s intention by which the data subject, by a statement or by clear affirmative action, signifies agreement to the collecting, obtaining, and processing of personal data, provided that it conforms with sections 13 and 14 of the Contract Act, 1872” (“Contract Act”).
As per the Contract Act, consent is deemed to be a situation when two or more people agree upon the same thing in the same sense, and to have been “freely” given when it is not caused by the following circumstances, in each case, as defined in the Contract Act:
- coercion;
- undue influence;
- fraud;
- misrepresentation; or
- mistake.
The consent must be a free, specific, informed and unambiguous indication of the data subject’s intentions signifying agreement to the processing for the specified purpose communicated to the data subject, and the burden of proof to establish that consent has been given is on the controller.
The requirement to obtain consent does not apply where the processing is necessary for:
- the performance of a contract to which the data subject is a party;
- taking steps at the request of the data subject to enter into a contract;
- compliance with any legal obligation to which the controller is subject, other than an obligation imposed by contract;
- treatment, public health, medical or research purposes, or to respond to any medical emergency involving a threat to the life or health of the data subject or any other individual;
- protecting the vital interests of the data subject;
- compliance with any order of a court of competent jurisdiction;
- legitimate interests pursued by the data controller (for the purposes of the Bill, “legitimate interest” means anything permitted under the law); or
- the exercise of any functions conferred on any person by or under any law.
The Bill also grants further exemptions (referred to below as the “Additional Exemptions”) where the processing is for:
- the assessment or collection of any tax or duty, or the imposition of any levy, by the relevant authority;
- circumstances prescribed under rules to be framed by the Commission for specific purposes permitted under the Bill;
- preparing statistics or carrying out research, provided that the personal data is not processed for any other purpose and that the resulting statistics or research results are not made available in a form which identifies the data subject;
- anything necessary for or in connection with any order or judgment of a court;
- the discharge of regulatory functions, if the requirement to obtain consent would be likely to prejudice the proper discharge of those functions; or
- journalistic, literary or artistic purposes, provided that: (a) the processing is undertaken for publication; (b) the data controller reasonably believes, taking into account the special importance of the public interest in freedom of expression, that the publication would be in the public interest; and (c) the processing is on grounds of the national security interest of the State, in which case it must be pursuant to an express authorisation issued by the Commission.
For the purposes of the Bill, the expression “journalistic purpose” means any activity intended towards the dissemination through print, electronic, or any other media that includes factual reports, analysis, opinions, views, or documentaries news regarding recent or current events.
Please also refer to Question 6, above, as regards the requirements that must be fulfilled (and their exemptions) when processing sensitive and critical personal data, and children’s data.
8 . What obligations apply when processing personal data?
The Bill imposes the following obligations when processing personal data:
Appointment of a data protection officer by controllers and/or processors identified as “significant” by the Commission; the officer must be well-versed in the collection and processing of personal data and the risks associated with processing.
For the purposes of the Bill, “significant” has been defined to mean “any data controller or processor which is sufficiently great or important to be worthy of attention by its sales revenue, profit, number of employees, market share, capital employed, or any other indicator such as number of users, type of data collected or a combination thereof that may constitute it as significant”.
Give notice (including digitally) to the data subject providing the information specified in the Bill.
The Additional Exemptions specified in Question 7, above, also apply to the above requirement(s).
Non-disclosure: personal data must not be disclosed, without the consent of the data subject, for any purpose other than those specified.
Exemptions include where:
- the data subject has consented to the disclosure;
- the disclosure is: (i) necessary for preventing or detecting a crime, or for investigations; or (ii) required or authorised by or under any law or by the order of a court;
- the controller acted in the reasonable belief that in law, the controller has the right to disclose the personal data to the other person;
- the controller acted in the reasonable belief that they would have had the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure; or
- the disclosure was justified in the interest of the public due to the circumstances determined by the Commission in advance of the disclosure.
The Additional Exemptions specified in Question 7, above, also apply to the above requirement(s).
Adherence to security requirements notified by the Commission. Further, controllers or processors must take practical measures with regard to certain matters specified in the Bill to protect the personal data by considering the nature of the personal data and the harm that may result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction.
The Additional Exemptions specified in Question 7, above, also apply to the above requirement(s).
Where processing is carried out on behalf of a data controller, the controller must ensure the processor’s compliance with technical and international standards of organisational security as may be prescribed by the Commission. Processors are independently liable to take steps to ensure compliance with the prescribed security standards.
Data retention:
- Personal data processed for any purpose cannot be kept longer than necessary for the fulfilment of that purpose, or as required by law.
- Reasonable steps must be taken to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed, or as required by law.
Exemptions include where the data is processed for journalistic, literary, or artistic purposes provided that:
- the processing is undertaken for publication;
- the controller reasonably believes, taking into account the special importance of public interest in freedom of expression, that the publication would be in the public interest; and
- the processing is on grounds of the national security interest of the State, in which case it must be pursuant to an express authorisation issued by the Commission.
Data integrity: controllers must take adequate steps to ensure that the required personal data is accurate, complete, not misleading, and kept up to date concerning any direct or indirect purpose for which the data was collected and processed further.
The exemptions applicable to the obligations for data retention also apply to the above requirement.
Record keeping: controllers must:
- keep and maintain a record of each application, notice, request, or any other information concerning the personal data that has been or is processed by the data controller; and
- apprise the Commission regularly of the type of data being collected and the processing undertaken on the collected data.
This obligation does not apply in situations where data collection is occasional unless the processing results in the infringement of the fundamental rights and freedoms of the data subject as set out in the Constitution.
Data breach notification: the Commission and, where reasonably possible, the data subject must be notified of a personal data breach within the specified timeframe, except where the breach is unlikely to result in an infringement of the rights and freedoms of the data subject. The notification must include the information specified in the Bill.
Processors are also obligated to follow the notification requirements upon becoming aware of a data breach, provided that the processor is only obligated to inform the data controller and the Commission.
A “personal data breach” has been defined to mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In addition to the above, the Bill envisions, as a transitional measure, that all controllers and processors must adopt the necessary security measures within six months of the day on which the Bill comes into force.
9 . What rights does the data subject have in relation to personal data?
The Bill extends to data subjects the following rights in relation to personal data:
- Right to be informed that personal data is being collected by or on behalf of the data controller. See Question 8, above (notice to the data subject), for more details.
- Right to access personal data held by the controller (including being provided with a copy) and to obtain confirmation of whether personal data is being processed or has been processed by or on behalf of the data controller.
Exemptions to the above right are where the data is processed for journalistic, literary, or artistic purposes provided that: (a) the processing is undertaken for publication; (b) the data controller reasonably believes, taking into account the special importance of public interest in freedom of expression, that the publication would be in the public interest; and (c) the processing is on grounds of the national security interest of the State, in which case it must be pursuant to an express authorisation issued by the Commission.
A data controller may refuse to comply with an access request on certain grounds specified in the Bill.
- Right to request correction of personal data that is inaccurate, incomplete, misleading or not up to date and upon correction, be provided with a copy of the corrected data.
A data controller may refuse to comply with a data correction request on certain specified grounds which must be disclosed to the requestor and the Commission.
- Right to withdraw consent to the processing of personal data which relates to the data subject at any point in time upon written notice to the data controller.
- Right to prevent processing: a data subject may, by notice to the data controller, require the controller to cease, or not to begin, processing any personal data, or processing for a specified purpose or in a specified manner, if the data subject believes that the processing (or its purpose or manner) is causing or is likely to cause substantial damage or distress to the data subject or a relevant person, and that the damage or distress is or would be unwarranted.
Exceptions to the above are where:
- the data subject has consented to the processing;
- the processing is necessary for:
- the performance of a contract to which the data subject is a party;
- taking steps at the request of the data subject to enter into a contract;
- compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; or
- protecting the vital interests of the data subject; or
- such other cases as may be prescribed by the federal government on the recommendations of the Commission.
If a data subject is dissatisfied by the failure of the controller to comply with the notice, in whole or in part, the data subject has the right to submit a complaint to the Commission to require the controller’s compliance with the notice. If justified, the Commission may require the data controller to take such steps for complying with the notice.
- Right to request erasure of personal data in the following conditions:
- the data is no longer necessary for the purpose for which it was collected or otherwise processed;
- withdrawal of the consent on which the processing is based, where there is no other legal ground for the processing;
- the personal data has been unlawfully processed; or
- the personal data must be erased for compliance with a legal obligation.
Without prejudice to the rights of a natural person protected by the Bill, the obligation to erase the data will not apply to the extent that its processing is necessary for:
- exercising the right of freedom of expression and information as set out in the Constitution;
- compliance with a legal obligation, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- reasons of public interest in the area of public health;
- archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- the establishment, exercise, or defence of legal claims.
- Right to nominate any other individual, as may be prescribed, to exercise the rights of the data subject under the Bill in the event of the death or disability of the data subject.
For the purposes of the Bill, “disability” has been defined to mean the inability to engage in any substantial gainful activity because of any medically determinable physical or mental impairment or which is perceived to exist (whether or not it exists), which can be expected to result in death, or which has lasted or can be expected to last for a continuous period of not less than 12 months.
- Right to file a complaint before the Commission against any violation of rights granted under the Bill, or misconduct of any data controller or processor or their processes, which involves:
- a breach of the data subject’s consent to process data;
- a breach of the obligations of the controller or processor in the performance of their functions under the Bill;
- provision of incomplete, misleading, or false information while taking consent of the data subject; or
- any other matter relating to the protection of personal data.
- Right to redressal of grievances. Where a controller fails to provide a satisfactory response to a data subject’s grievance, or no response is received, the data subject has the right to register a complaint with the Commission.
- Right to data portability and to receive their data in a proper form that is easy to use and in machine-readable format and transmit that data to another controller or processor (where it is technically feasible) where explicit consent has been given, and the processing is carried out by automated means.
Exemptions to the above apply to the extent that processing is necessary for the performance of a task carried out in the public interest.
“Public interest” has been defined to mean any matter about the general welfare of the public that warrants recognition and protection, and a subject in which the public as a whole has a stake, especially an interest or common interest in conformity with laws of the land.
- Right not to be subjected to decisions based solely on automated processing, including profiling, which result in legal obligations for or significantly harm the data subject, and to obtain specified information about automated decision-making, including profiling, and human intervention from the data controller.
For the purposes of the Bill, “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to the data subject, in particular to analyse or predict aspects concerning that data subject’s attributes related to employment, social preferences, religious beliefs, economic situation, health, reliability, behaviour, location or movements.
Exceptions to the above include where:
- the data subject has explicitly consented to such processing;
- the processing is necessary for the performance of a task carried out in the public interest (as defined above).
10 . What rules regulate the sending of commercial or direct marketing communications?
Communication Regulations
The Communication Regulations apply to all operators in relation to ensuring and protecting the interest of telecom consumers by securing them from spam, fraudulent, unsolicited and obnoxious communication.
For the purposes of the Communication Regulations and the following section, the following definitions are relevant:
- “Operator” means a holder of a licence or registration granted by the PTA (definition also applies where referred to in the following paragraphs).
- “Spamming” is stated to have the meaning as assigned to it in PECA; that is, information that is harmful, fraudulent, misleading, illegal or unsolicited and transmitted to any person without permission of the recipient. Causing any information system to show information that is harmful, fraudulent, misleading or illegal for wrongful gain is also considered as spamming under the provisions of PECA.
- “Do Not Call/SMS Register (DNCR or C-DNCR)” means a database, maintained centrally by the operators, containing the particulars of subscriber(s) who make a request not to receive unsolicited communication through any means including Application to Person (A2P), promotional/telemarketing SMSs and calls.
- “Unsolicited communication” means the information which is sent for promotional and marketing purposes to persons who have not provided consent to receive such communication and whose particulars are recorded in the C-DNCR.
- “Unsolicited calls” means calls made to those numbers recorded in the DNCR.
- “Information” includes text, message, data, voice, sound, database, video, signals, software, computer programs, or any forms of intelligence as defined under the PTA Act and codes including object code and source code.
- “Robocall” means a phone call that uses a computerised system to deliver a pre-recorded public awareness message.
- “Telemarketer” means a natural and juristic person who is authorised by the PTA to disseminate messages/calls for the purpose of marketing of services, investment and goods to the public at large directly or through a third party.
All operators must:
- have the prescribed procedures in place to effectively control spamming;
- develop the prescribed procedures to control unsolicited communication;
- allow/enable transmission of information through robocalls only for the purposes of public awareness to consumers as required by the PTA or the Government of Pakistan;
- establish a DNCR/C-DNCR for the purposes of controlling the transmission of unsolicited communication and provide for subscribers to register/unregister (subscribe/unsubscribe) to/from the C-DNCR;
- ensure that the subscribers are well informed regarding the option for their consent or otherwise for entering their particulars in the C-DNCR at the time of subscription; and
- ensure the registration of telemarketers for the purpose of controlling unsolicited communication.
Where a subscriber opts in to receive marketing/promotional messages, the concerned person, including institutions or organisations engaged in direct marketing/telemarketing, must provide the recipient with the option to unsubscribe from such promotional or marketing messages, and all operators must ensure that all marketing/promotional messages are received by subscribers within normal business hours.
PECA
PECA also regulates spamming (defined above) which is considered to be an offence.
For the purposes of PECA, “unsolicited information” is defined as information which is sent for commercial and marketing purposes against explicit rejection of the recipient and does not include marketing authorised under the law.
Under PECA, a person, including an institution or an organisation engaged in direct marketing, must provide the option to the recipient of direct marketing to unsubscribe from such marketing.
11 . What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Controllers must inform a data subject regarding any cross-border transfer of personal data that the controller intends to carry out (if applicable). Where this is not possible, the notice must be provided by another controller that exercises control over the same personal data.
The following conditions apply to the cross-border transfer of data:
- Personal data (other than critical personal data (defined above)) may be transferred outside Pakistan after fulfilling necessary explicit consent requirements under the Bill.
- Where personal data (excluding critical personal data) is required to be transferred to an entity (or entities) or system located beyond the borders of Pakistan and not under the direct control of the Government of Pakistan, it must be ensured that the country to which the data is being transferred offers at least an adequate data protection regime consistent with the protection provided by the Bill. The transferred data must be processed as per the provisions of the Bill and, where applicable, the data subject must give explicit consent to the transfer.
- Critical personal data (as defined above) can only be processed in a server(s) or digital infrastructure located within Pakistan.
In the absence of an adequate data protection legal regime, the Commission may allow for the transfer of personal data outside Pakistan in the following cases:
- pursuant to a binding contract/agreement;
- explicit consent of the data subject that does not conflict with the public interest or national security of Pakistan;
- international co-operation is required under relevant international obligations; and
- any further conditions specified by the Commission in this regard.
12 . What are the investigatory and enforcement powers of the regulator?
In principle, the Commission is responsible for protecting the interests of data subjects and enforcing the protection of personal data, precluding any illegal activities, preventing misuse of personal data, promoting awareness of data protection and adjudicating on complaints under the Bill. For this purpose, the Commission has the power to take any action to carry out the purposes of the Bill and, in particular, the following investigatory and enforcement powers to:
- Decide complaints or pass any order for which purpose the Commission is deemed to be a civil court and will have the same powers as are vested in such court under the Pakistan Code of Civil Procedure, 1908.
- Take prompt and appropriate action in response to a data security breach as per the provisions of the Bill.
- Carry out search and seizure while taking cognizance of a complaint.
- Seek information from controllers concerning processing under the Bill and impose penalties for non-observance of data security practices and non-compliance with the provisions of the Bill.
- Call on a controller or processor to provide such information as may be reasonably required by the Commission to effectively discharge its functions.
- Prescribe increased penalties/fines after every three years (if deemed appropriate).
- Order a controller to take such reasonable measures to redress the grievance of an applicant in case of non-implementation of any provision of the Bill.
- Summon and enforce the attendance of witnesses and take their oral and written evidence under oath.
13 . What are the sanctions and remedies for non-compliance with data protection laws?
The Bill prescribes the following sanctions (upon conviction) and remedies:
- Unlawful processing or dissemination of personal data in violation of the provisions of the Bill attracts a fine of up to USD 125,000 or an equivalent amount in Pakistani Rupees. Subsequent unlawful processing may attract an increased fine of up to USD 250,000 or an equivalent amount in Pakistani Rupees.
- If the offence relates to sensitive personal data (as defined above), the offender may be punished with a fine of up to USD 500,000 or an equivalent amount in Pakistani Rupees.
- If the offence relates to critical personal data (as defined above), the fine may be up to USD 1,000,000 or an equivalent amount in Pakistani Rupees, or as the Commission deems appropriate.
- Continued processing of personal data after withdrawal of consent by the data subject, failure to adopt adequate data security measures to ensure data security as per the provisions of the Bill, and failure to comply with orders of the Commission or the court when required to obey, each attract a fine of up to USD 50,000 or an equivalent amount in Pakistani Rupees.
- Contravention of the Bill or a policy issued by the federal government, or non-compliance with a direction issued by the Commission (including lack of response or failure to remedy the contravention), attracts a fine which may extend to USD 2,000,000 or an equivalent amount in Pakistani Rupees, or suspension or termination of the registration of a data controller and/or processor.
- Corporate liability for violations of the provisions of the Bill attracts a fine not exceeding 1% of annual gross revenue in Pakistan or USD 200,000, whichever is higher, or an equivalent amount in Pakistani Rupees, or as may be assessed by the Commission.
- Enforcement proceedings may be initiated by the Commission against data controllers or processors that fail to respond to the Commission or execute its orders pursuant to a complaint filed by a data subject in accordance with the provisions of the Bill (see “right to file complaint” at Question 9, above).