Personal Data Protection Bill in Pakistan: it’s important to get it right!

We welcome the effort by the Pakistani Ministry of Information Technology and Telecommunications to regulate the processing of personal data in Pakistan, and to take measures to uphold the right to privacy as guaranteed under Article 14(1) of the Constitution: “[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable.”

This legislative development is crucial and timely as Pakistan continues to embrace innovative governance initiatives and deploy data-intensive systems which have taken the form of a biometric national identity system known as NADRA, a biometric verification voter system, biometric SIM card registration as well as smart city projects such as the Punjab Safe City project, in Islamabad and Lahore in 2016, amongst others.

To find out more about privacy and data protection in Pakistan, please refer to our ‘State of Privacy’ and ‘State of Surveillance’ briefings.

Data protection is only one piece of the puzzle: it must be complemented by other legal safeguards regulating any activities that include the processing of personal data, as well as by respect for the rule of law and protection of international human rights standards. Even so, a comprehensive data protection framework constitutes a foundational mechanism for individuals to exercise their right to privacy.

Working with its partner the Digital Rights Foundation, Privacy International has presented to the Pakistani Ministry of Information Technology and Telecommunications an initial analysis of the Personal Data Protection Bill presented for consultation. While comprehensive in some respects, the Personal Data Protection Bill has a number of significant shortcomings.

We recommend that to effectively protect privacy and meet internationally recognised data protection standards, full consideration must be given to the areas of concern and improvements presented below and developed in more detail in our submission under each Part of the Bill:

  1. Include public bodies and government-held personal data: The scope of the law should not be restricted to commercial transactions;
  2. Expand the definition of “personal data”: As a central component of the law, the definition of personal data must be reviewed to encompass all personal data held by both private and public bodies without the caveat of “commercial transactions” attached to it;
  3. Define the scope of the Act clearly: It is essential for the law to clearly define its material and territorial scope to ensure that the rights of data subjects are protected regardless of where their data is processed or held;
  4. Definition of consent: Given that consent of the data subject is one of the major grounds for processing of personal data, it is important that consent be defined clearly in section two, and that the definition adopted ensures that consent must be explicit, free, informed, proactive and specific;
  5. The definition of “sensitive personal data”: Biometric and genetic personal data must be included within the definition of sensitive personal data. This is particularly relevant in Pakistan where various biometric data-intensive systems have been deployed;
  6. Safeguards against mass surveillance: Data processing by law enforcement agencies and investigative and intelligence bodies must be included within the scope of the law to ensure those activities are regulated. These authorities should be subject to data protection obligations as well as the standards of necessity and proportionality enshrined in international human rights law;
  7. International data sharing: Data processing and sharing activities by Pakistani data controllers and foreign entities must be regulated by this Bill and higher standards should be in place to govern such transfers;
  8. Limit broad powers given to the Federal Government to make exemptions: Exemptions to the Act should be limited and we recommend that the Bill be amended to limit broad discretionary powers awarded to the Federal Government, and to ensure that any deviations from the Act be subject to an open, inclusive and transparent legislative process.

We look forward to informing the next steps of the consultative process opened by the Pakistani Ministry of Information Technology and Telecommunications in the hope that the process will be inclusive, transparent and well-defined.

To find out more about our work in this area, please visit our website: