Here’s What Pakistan’s Consumer Data Protection Framework Should Look Like

It’s worrisome to see Pakistan entering the digital age with a growing percentage of work being done online from banking, marketing, and management to technology outsourcing; without comprehensive legislation to address data protection and privacy.

In the absence of necessary laws, some of the companies are monetizing customer data without giving due consideration to the sensitivity of their personal, sensitive and traffic data knowing full well that it is a part of their essential business ethics and practices to develop a bond of trust with their customers.

Therefore, there have to be some ground rules for customer data collection, its storage, and usage including the monetization by the technology, telecom, OTTs, and internet companies. No control in terms of data protection can be catastrophic for companies against their reputation, goodwill, and business relationships.

It is, therefore, imperative for the government to promulgate the law on the Customer Data Protection at the earliest, so that all companies and their customers in Pakistan know their rights & obligations on customer data protection and their boundaries to monetize the customer data.

In this article, we recommend what should be included in the Customer Data Protection Law.

For the purpose of this article, we have just gone through the Customer Data Protection laws of countries, where the parent groups of Pakistani existing telecom companies are operating.


PTA to Record User Data from All Public Wi-Fi Hotspots

European Union has very comprehensive data protection laws followed by China and UAE respectively. A brief description of their existing laws is given below for your reference:

  EU UAE China Pakistan



The main legal source of data protection in EU is the Data Protection Act, which intends to protect personal data from processing and use by public authorities of the states and private bodies.  

Data Protection Regulations (‘DPR’).

Currently, there is not a comprehensive data protection law in the People’s Republic of China. Instead, rules relating to personal data protection are found across various laws and regulations. There is no comprehensive legislation regulating Customer Data Protection in Pakistan.

Definition of Personal Data

Personal data means any information relating to individuals who can be identified, even indirectly. Any data referring to an Identifiable Natural Person. Personal data means any electronic information which can enable identification of a citizen’s individual identity.  




Definition of Sensitive Personal Data

Personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life. Personal Data revealing racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership, and health or sex life. Personal information the leakage, illegal provision or abuse of which may harm personal/property safety and personal reputation or physical/mental health, or result in discrimination towards the data subject which may also include bank account information and transaction information etc.  



National Data Protection Authority


Yes Yes No
Data Protection Officers Yes No No No
Collection & Processing Consent Required Consent Required Clear consent No restriction


Transfer of Data

·Personal data may freely be transferred amongst the EU Member States.

·Personal/ sensitive data may be transferred to countries outside the EU, with customers consent in writing

·Under few other conditions, Personal data can be transferred outside EU.

·Personal Data may be transferred out of the UAE if the Recipient is in a jurisdiction that has laws that ensure an adequate level of protection for that Personal Data.

·In the absence of an adequate level of protection, consent of the data subject is required

·Consent required within China for transfer of data

·Personal information of Chinese citizens and “important data” collected by the operators to be kept within the borders of the China.

·Transfer of data to third parties not allowed.


·Trans-border customer data transfer is not allowed


Data Breach Notification

Data Protection Authority is required to be notified along with the subscriber without undue delay. CDP Authority must be informed of the incident as soon as reasonably practicable.

Electronic Marketing

Allowed with the prior informed consent (opt-in) from the recipient of the communication Clearly inform the subscriber for Electronic Marketing. Explicit consent to receive such messages from the customer  

Consent Required





Traffic Data

·Collection and processing of traffic and location data and the use of cookies is regulated.

·Traffic data can be retained for a period not longer than 6 months for billing and interconnection payments purposes

·Location data may only be processed if made anonymous or if the subscriber has given her/ his prior consent.

The law does not contain specific provisions relating to traffic data, however, the broad provisions are likely to apply. In addition, as UAE criminal law and the privacy principles laid out therein may apply. The law does not contain specific provisions relating to traffic data, however, the broad provisions are likely to apply. The Law Enforcement Agencies can get traffic data. The retention period is one year

Why CDP is Important for Customers and Telcos

There are multiple arguments as to why CDP is a burning issue for companies, specifically for telecom companies and citizens.

  • For telecom operators, data privacy and security is not a risk management issue, but a potential source of competitive advantage that may be a central component of brand-building and corporate reputation.
    Therefore cost incurred on customer data protection may be considered as an investment for building up the company’s reputation, goodwill and business relationships.
  • Telecom companies have access to the broadest and most sensitive customers’ information like current physical location, most called numbers, visited websites, sent/received messages (written or voice), social network contacts, frequency and type of changed device, access to passwords inserted in websites via mobile device, access codes to company’s VPNs/servers, colleagues’ phone numbers and contacts, files stored on device memory and read/unread messages and cookies.
    There is a possibility of following potential criminal acts in case of data breaches:

    • Blackmailing on personal relationships / behaviors / belongings / beliefs
    • Web-theft of
      • money
      • confidential information
    • Company secret leakages
    • Hacking
    • Direct calls onto colleagues’ phones for hire proposals
    • Track employees’ behavior at/outside work
  • Increasing customers’ concerns about own privacy and personal data handling as depicted in the largest ever survey conducted by Eurobarometer and the recent news about the customer data leakage by Facebook and Google. Below is the list of data, which is considered as personal data by the customers:

  • “Battlefield” for conflicting interests: Governments, Consumers, Companies:
Government’s Interests Telecom Operators’ Interest Consumers’ Interest
Ensure citizen’s privacy Access own clients’ personal data for marketing activities

·Own use

·Sale of lists to third parties

Defend rights to privacy
Protect public interest, security and criminal prosecution Purchase clients’ data from third parties for marketing activities Control of usage of personal data
Set standardized regulatory frameworks Ensure cost-efficient system compliance Be contacted only for very relevant issues/offers
  Protect own sensible data
  • The growth of cloud and web-based technology applications continuously opening new scenarios and issues
    • Large data volumes moved to 3rd party servers on the cloud
    • Lack of control on
    • how, where and by whom data is being processed at cloud
    • which laws apply and who is responsible for data at cloud
  • Users’ online behavior being tracked for various purposes e.g. targeted advertising
  • Mobile phone/internet users can be located through various technologies e.g. BTS data, GPS, manually on the internet.
  • The online used passwords can be saved.

Proposed Framework of Customer Data Protection in Pakistan

In order to take Pakistan into a safe digital era, the first step has to be the providing personal data protection and privacy to our customers.


Careem Hacked: Customer and Captain Data Leaked in a Massive Security Breach

In view of this, a framework for Customer Data Protection (below) is recommended for PTA, MoIT, GoP and above all the citizens of Pakistan for their consideration.


General provisions

Scope and Objectives 4

Collection & Processing

Ground Rules/Limits of data collection
Classification of data and definitions Define Customer Privacy Code regarding Customer Data processing
Principles 5

Data Enrichment and Profiling

Clear Policy on Data Enrichment and Profiling and its monetizing.
Specific data processing situations 6

Data transfer

Transfer of data to the third party

Rights of data subject

Transparency to the customers on the modalities of data collection, storage and usage Trans-border Transfer of data by way of appropriate safeguards
Customers’ Rectification of consent and its revoking right 7

Independent supervisory authorities

Independent status
Customers’ right to request for the access or updating of own personal data Duties and powers
Right to object on profiling 8

Traffic Data

Rules for traffic data sharing with the customer and third party including LEAs.

General obligations for companies

General obligations and provision to the customers a detailed Privacy Policy. Data retention period for billing purposes and LEAs’ requirements
Deployment of Customer Data Protection Team for Data security Audit of the provision of data by the Authority.
Impact assessment and prior authorization 9

Cloud and Web-Based Technology Applications

Rules for transfer of customer data to a local cloud
Conduct awareness sessions for the  employees on customer data protection Approval process for Trans-border Transfer of data on to a cloud by way of appropriate safeguards if allowed.
Develop and periodically update a Data Processing Operations Map. Recurring Risk Assessment on Customer Data on cloud
Perform a recurring Risk Assessment on Customer Data vs International Security best practices standard ISO27001/27002 concerning Information Security Awareness to the customers regarding risks involved in  sharing of their data and consents online
Adopt and formalize an internal procedure for Data Breach Management. 10

Remedies, liability and sanctions

Complaints and judicial remedies
Data Breach Notification Compensation, penalties and administrative sanctions
Ground Rules for Electronic Marketing Audit process

  • Conclusion :
    It’s Pakistan No One Can Follow the Rules : Including Politician & Foreign

  • close