MoIT Finalizes Draft for Personal Data Protection Bill 2020

The Ministry of Information Technology and Telecommunication has finalized the ‘Personal Data Protection Bill 2020’ aimed at realizing the goal of the full-scale adoption of e-government, increase users’ confidence, and protect users’ data from unauthorized access or usage.

This was confirmed by the Secretary Ministry of Information information and Telecommunications, Shoaib Ahmad Siddiqui.


Govt to Provide The Latest Version of e-Office for Provinces

He said that the draft bill is almost finalized and will be presented for the approval of the Cabinet very soon, adding that the legislation will facilitate users through the protection of their data.

The government has also proposed the constitution of a ‘Data Protection Authority’ to curb the misuse of data and to protect citizens’ personal information. However, the Secretary said that the Data Protection Authority has not been finalized yet.

The Ministry of Information Technology and Telecommunication had drafted the ‘Personal Data Protection Bill 2020’ and sought feedback from all its stakeholders while proposing a fine of up to Rs. 25 million for those who process or cause to be processed, disseminate, or discloses personal and sensitive data in violation of any of the provisions of the proposed legislation. The proposed legislation had been drafted in 2018 but was delayed numerous times.

The proposed legislation will govern the collection, processing, use, and disclosure of personal data; and will establish and make provisions for offenses related to the violation of individuals’ right to the privacy of data by collecting, obtaining, or processing personal data by any means.

It is also expedient to provide for the processing, obtaining, holding, usage, and disclosure of data while respecting the rights, freedom, and dignity of natural persons with special regard for their right to privacy, secrecy, and personal identities, and for matters connected therewith and ancillary thereto.

Furthermore, a data controller will not process personal data including the sensitive personal data of a data subject unless the subject has consented to the processing of the personal data.

If personal data is required to be transferred to any system beyond the territories of Pakistan or to a system that is not under the direct control of any of the governments of Pakistan, it will be ensured that the country where the data is being transferred offers personal data protection that is at least equivalent to the protections provided under this Act; and that the transferred data will be processed in accordance with this Act; and where applicable, consent to it is given by the data subject. Additionally, critical personal data will only be processed in a server or data center within Pakistan.

The proposed legislation states that the digitization of businesses and various public services employing modern computing technologies involves the processing of personal data. The growth of technological advancements has made the collection of personal data easier and has also enabled the processing of personal data in numerous ways that were not possible in the past.

Personal data is often being collected, processed, and even sold without the knowledge of the person in question. In some cases, such personal information is used for relatively less troublesome commercial purposes like targeted advertising. However, the data thus captured or generated can be misused in many ways like blackmail, behavior modification, phishing scams, etc.

To realize the goal of the full-scale adoption of e-government and the delivery of services to the people at their doorsteps, and to increase users’ confidence in the confidentiality and integrity of government databases, it is essential for users’ data to be fully protected from any unauthorized access or usage, and that they are provided remedies against the misuse of their personal data.

With the advent of 3G/4G in Pakistan, an accelerated increase in the use of broadband has led to an increasingly enhanced reliance on technology, calling for the protection of people’s data against misuse, and thus maintaining their fearless confidence in the use of new technologies.

Although Pakistan has sectoral arrangements/frameworks exist for the protection of data in addition to the Prevention of Electronic Crimes Act 2016 that deals with the crimes relating to unauthorized access to data, it is necessary to arrange for a comprehensive legal framework in line with the constitution and international best practices for personal data protection.


Govt to Launch Sialkot’s Largest Ever Development Project Worth Rs. 15 Billion

Protecting personal data is also crucial to the provision of legal certainty to businesses and public functionaries regarding the processing of personal data in their activities.

The desired legal framework will clarify the responsibilities of the data collectors and processors, and the rights and privileges of the data subjects along with institutional provisions for the regulation of activities related to the collections, storing, processing, and usage of personal data.

Within six months of the enforcement of this Act, the federal government will, by notification in the Official Gazette, establish the Personal Data Protection Authority of Pakistan to perform its functions.

This Authority will be a statutory corporate body having perpetual succession and a common seal; and may sue and be sued in its own name and; subject to and for the purposes of this Act, may enter into contracts and may acquire, purchase, take and hold moveable and immovable property of every description; and may convey, assign, surrender, charge, mortgage, reassign, transfer, or otherwise dispose of or deal with any moveable or immovable property or any interest vested in it; and will enjoy operational and administrative autonomy except as specifically provided for under this Act.

It will be responsible to protect the interest of the data subject and enforce the protection of personal data, prevent any misuse of personal data, promote awareness of data protection, and will entertain complaints under the Act.

Moreover, the Authority will be an autonomous body under the administrative control of the federal government, with its headquarters in Islamabad.