Global Data Privacy Guide
Pakistan (Asia Pacific)
Firm: RIAA Barker Gillette
Updated: 13 Aug 2025

Questions covered in this guide:
1. What is the key legislation?
2. What are the key decisions applying that legislation?
1. How are “personal data” and “sensitive data” defined?
2. How is the defined data protected?
3. Who is subject to privacy obligations?
4. How is “data processing” defined?
5. What are the principles applicable to personal data processing?
6. How is the processing of personal data regulated?
7. How are storage, security and retention of personal data regulated?
8. What are the data subjects' rights under the data legislation?
9. What are the consent requirements for data subjects?
10. How is authorization for use of data handled?
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
12. How are data "incidents" and "breaches" defined?
13. Are there any notification requirements for incidents and/or data breaches?
14. Who is/are the privacy regulator(s)?
15. What are the consequences of a data breach?
16. How is electronic marketing regulated?
17. Are there sector-specific or industry-specific privacy requirements?
18. What are the requirements for appointing Data Protection Officers or similar roles?
19. What are the record-keeping and documentation obligations?
20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?
21. What are the requirements for third-party vendor management and data sharing?
22. What are the penalties and enforcement mechanisms for non-compliance?
23. What are the ongoing compliance and audit requirements?
24. Are there any recent developments or expected reforms?
1. What is the key legislation?
The legal framework for data privacy in Pakistan is evolving. The key pieces of legislation are:
• Article 14 of the Constitution of the Islamic Republic of Pakistan, 1973 (the “Constitution”): Article 14 provides that "the dignity of man and, subject to law, the privacy of home, shall be inviolable". This right is not absolute and is subject to limitations imposed by law.
• The Personal Data Protection Bill, 2023 (“PDPB”): This is poised to be Pakistan's first dedicated and comprehensive data protection law. Although it is currently a bill, it has received Cabinet approval and is awaiting enactment by Parliament. It is designed to regulate the collection, processing, use and disclosure of personal data.
• The Prevention of Electronic Crimes Act, 2016 (“PECA”): While not exclusively a data privacy law, PECA is relevant as it criminalises various electronic crimes, including unauthorised access to data, data damage and cyber-terrorism.
2. What are the key decisions applying that legislation?
Since the PDPB has not yet been enacted into law, there are no key decisions interpreting its provisions. However, PECA has been actively applied and interpreted in Pakistan. While there is no single "landmark" ruling that has fundamentally reshaped the entire law, a consistent body of case law has emerged from various High Courts and Special Courts. These cases have primarily focused on:
• Cyber Stalking (Section 24 of PECA): The Federal Investigation Agency (FIA) has initiated numerous investigations and prosecutions under this section. Courts have adjudicated cases involving online harassment, threats, and the non-consensual distribution of images, often granting bail based on the specific evidence presented and the nature of the alleged offence.
• Spoofing (Section 26 of PECA): There have been several cases where individuals have been prosecuted for creating fake social media profiles or websites to impersonate others and cause harm, leading to convictions under this section.
• Unauthorised Access to Information Systems (Sections 3, 4 and 5 of PECA): Courts have heard cases (such as the Criminal Acquittal Appeal No. S-03 of 2022, High Court of Sindh, Circuit Court, Hyderabad) related to hacking and unauthorised data access, establishing precedents for how electronic evidence is handled and what constitutes a violation under these sections.
1. How are “personal data” and “sensitive data” defined?
Under the PDPB:
• Personal data is defined as any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or other information in the possession of a data controller and/or data processor. This includes any sensitive or critical personal data. Anonymised or pseudonymised data that cannot be used to identify an individual is excluded.
• Sensitive personal data is defined as personal data relating to:
o Financial information (excluding identification numbers and payment instrument data).
o Health data (physical, behavioural, psychological, and mental health conditions, or medical records).
o Computerised National Identity Card (CNIC) or passport.
o Biometric data.
o Genetic data.
o Religious beliefs.
o Criminal records.
o Political affiliations.
o Caste or tribe.
o An individual's ethnicity.
2. How is the defined data protected?
The PDPB outlines several mechanisms for data protection:
• International Security Standards: Section 9 of the bill mandates the National Commission for Personal Data Protection (“NCPDP”) to establish international standards for data controllers and processors to safeguard personal data.
• Grounds for Processing: The PDPB specifies legal grounds for processing personal data, with a strong emphasis on obtaining consent from the data subject. Personal data may be collected for specified, explicit and legitimate purposes. Such data may not be processed further in a way that is incompatible with the aforementioned purposes and is required to be adequate, relevant, and limited to the purposes for which the data is processed.
• Consent and Notice: Data controllers are required to provide clear notice to data subjects about the collection and use of their data and obtain their consent before processing.
• Data Retention and Non-Disclosure: The PDPB includes provisions on data retention limitations and prohibits the unauthorised disclosure of personal data.
• Record-Keeping: Data controllers are obligated to maintain comprehensive records of all data processing activities, notices and requests.
3. Who is subject to privacy obligations?
Under the PDPB, privacy obligations apply to both data controllers and data processors. The PDPB has extraterritorial application, meaning it applies to any data controller or processor that is established, present, or registered in Pakistan, or that processes the personal data of Pakistani citizens.
4. How is “data processing” defined?
Data processing, as defined in Section 2(cc) of the PDPB, refers to any operation or set of operations performed on personal data, whether by automated means or not, such as collection, recording, organisation, structuring and storage, adaptation or alteration, retrieval, consultation and use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
5. What are the principles applicable to personal data processing?
The PDPB establishes several key principles for personal data processing:
• Lawfulness and Fairness: Personal data must be collected, processed, and disclosed lawfully, and fairly.
• Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes. It may not be further processed in a manner incompatible with those purposes.
• Data Minimisation: The personal data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
• Accuracy: Personal data must be accurate, complete, not misleading and, where necessary, kept up to date.
• Accountability: The data controller is responsible for and must be able to demonstrate compliance with these principles.
• Processing children’s personal data: The data of every child must be processed in a manner that protects the rights and interests of the child.
6. How is the processing of personal data regulated?
The processing of personal data is regulated under the PDPB through several requirements:
• Lawful and Fair Processing: Personal data must be collected, processed, and disclosed in compliance with the Act.
• Registration: Data controllers and processors are required to register with the NCPDP.
• Appointment of a Data Protection Officer (DPO): Significant data controllers or processors must appoint a DPO to oversee data protection compliance.
• Consent:
o Data controllers must obtain free, specific, informed, and unambiguous consent from the data subject before processing their data.
o The burden of proof for establishing consent lies with the data controller.
o Data subjects have the right to withdraw consent at any time.
• Notice to Data Subjects: Data controllers must provide clear and comprehensive notice to data subjects about the collection and use of their personal data, including the types of data collected, the legal basis for processing, and any intended cross-border transfers.
• Processing of Sensitive and Critical Personal Data: The processing of sensitive or critical personal data requires explicit consent, with limited exceptions for legal obligations, medical emergencies, or matters of public interest.
7. How are storage, security and retention of personal data regulated?
The PDPB addresses these as follows:
• Storage and security: A data controller or processor must, when collecting or processing personal data, take practical measures to protect the personal data by considering the nature of the personal data and the harm that may result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction, by giving due regard to: (a) the place or location where the personal data is stored; (b) any security measures incorporated into any equipment in which the personal data is stored; (c) the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data; and (d) the measures taken for ensuring the secure transfer of personal data.
• Retention: Personal data must not be kept longer than necessary for its intended purpose or as required by law. Data controllers are responsible for the secure destruction or permanent deletion of data that is no longer needed.
8. What are the data subjects' rights under the data legislation?
The PDPB grants data subjects several rights, including:
• Right to Access: The right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data.
• Right to Correction: The right to obtain the rectification of inaccurate personal data.
• Right to Erasure (Right to be Forgotten): The right to have personal data erased without undue delay under certain conditions.
• Right to Withdraw Consent: The right to withdraw consent to the processing of personal data at any time.
• Right to Prevent Processing: The right to object to the processing of personal data that is likely to cause damage or distress.
• Right to Nominate: The right to nominate an individual to act on their behalf in case of death or disability.
• Right to Redressal of Grievance: The right to file a complaint with the data controller and, if not satisfied, with the NCPDP.
• Right to Data Portability: The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
• Right Not to be Subject to Automated Decision-Making: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
9. What are the consent requirements for data subjects?
Under the PDPB, consent from the data subject must be freely given, specific, informed and unambiguous. In addition:
• The data controller bears the burden of proof to demonstrate that consent was obtained.
• Data subjects have the right to withdraw consent at any time.
• Upon withdrawal of consent, the data controller must cease processing the data, unless there is another legal basis for processing.
A data controller may process personal data without consent under specific circumstances such as: to perform a contract, comply with a legal duty, or protect vital interests.
10. How is authorization for use of data handled?
The PDPB allows for a "first collection" of personal data where notice and consent are required. A "subsequent collection" from the same individual for the same purpose within 12 months may not require repeating the notice and consent process, provided the circumstances and purpose of use have not changed.
The PDPB also provides for exemptions from certain provisions for specific purposes, including:
• Personal Use: Data processed by an individual for personal, family, or household purposes.
• Legal & Public Interest: Data processed for criminal law enforcement, court orders, tax collection, regulatory functions, health, research (if anonymised) and journalism (in the public interest).
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
Yes, the PDPB regulates cross-border data transfers:
• Personal data (excluding critical data) can be transferred outside Pakistan if the destination country has similar data protection laws, the processing complies with the Act, and the data subject has given explicit consent.
• Critical personal data must be processed only on servers or infrastructure located within Pakistan.
12. How are data "incidents" and "breaches" defined?
Under Section 2(cc) of the PDPB, a data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
13. Are there any notification requirements for incidents and/or data breaches?
Yes, the PDPB mandates data breach notifications. While at present there is no overarching requirement to report data breaches under PECA, the PDPB will change this.
• A data controller must notify the NCPDP and the affected data subject of a personal data breach without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject.
• The notification must include a description of the breach, the likely consequences, and the measures taken or proposed to be taken to address the breach.
• Data processors must notify the data controller and the NCPDP upon discovering a breach.
14. Who is/are the privacy regulator(s)?
The primary privacy regulator will be the NCPDP, to be established under the PDPB.
• Formation: The Federal Government will establish the NCPDP within six months of the PDPB’s commencement.
• Structure: It will be an autonomous statutory body with its headquarters in Islamabad.
• Powers: The NCPDP will have, inter alia, the power to sue and be sued, enter into contracts and own property.
It is also important to recognise other key regulatory bodies whose mandates intersect with data privacy, including the following:
• Federal Investigation Agency (FIA) / National Cyber Crime Investigation Agency (NCCIA): The primary law enforcement body for investigating and prosecuting offences under PECA.
• Pakistan Telecommunication Authority (PTA): Regulates the telecommunications sector and enforces specific data-related obligations on its licensees.
• State Bank of Pakistan (SBP): Enforces data protection and cybersecurity standards within the financial sector.
• Social Media Protection and Regulatory Authority (SMPRA): A new body established under the 2025 PECA amendments to oversee content on social media platforms.
15. What are the consequences of a data breach?
The PDPB proposes significant fines for violations:
• Violations of the Act can result in a fine of up to $125,000 which can increase to $250,000 for repeated violations (or equivalent in PKR).
• Violations involving sensitive personal data can lead to a fine of up to $500,000.
• Violations involving critical personal data can result in a fine of up to $1,000,000.
• Failure to implement adequate security measures can be fined up to $50,000.
• The NCPDP can issue notices and impose fines of up to $2,000,000 on data controllers/processors for non-compliance.
• A legal person may be fined up to 1% of its annual gross revenue in Pakistan or $200,000, whichever is higher.
PECA details offences and punishments for violations:
• Unauthorised access to data or systems (Section 3) can lead to a fine of up to PKR 50,000, 3 months’ imprisonment, or both.
• Unauthorised copying/transmission of data (Section 4) can lead to a fine of up to PKR 100,000, 6 months’ imprisonment, or both.
• Interference with data or systems (Section 5) can lead to a fine of up to PKR 500,000, 2 years’ imprisonment, or both.
• Access to critical infrastructure data (Section 6) can lead to a fine of up to PKR 1 million, 3 years’ imprisonment, or both.
• Unauthorised use of identity information (Section 16) can lead to a fine of up to PKR 5 million, 3 years’ imprisonment, or both; the affected individual may request the authority to block, destroy, or secure their identity information.
16. How is electronic marketing regulated?
Electronic marketing is regulated by PECA:
• PECA (Section 25 - Spamming): Criminalises sending unsolicited marketing messages without the recipient's prior permission. Offenders can face imprisonment of up to 3 months or a fine of up to PKR 50,000, or both. PECA also requires persons engaged in direct marketing to give recipients an option to opt-out from such marketing.
17. Are there sector-specific or industry-specific privacy requirements?
Yes, various sectors have their own privacy and data protection requirements:
• Telecommunications: Regulated by PTA under PECA and the Pakistan Telecommunication (Re-organisation) Act, 1996.
• Financial Sector: The State Bank of Pakistan (SBP) and the Securities and Exchange Commission of Pakistan (SECP) have issued directives on cybersecurity, customer due diligence and data confidentiality.
• Healthcare Sector: Provincial healthcare commissions require the confidentiality of patient records.
• E-commerce & IT Services: Regulated through PECA and policies from the Ministry of Information Technology and Telecommunication (MoITT).
• Social Media & Content Platforms: The PECA amendments of 2025 have introduced the Social Media Protection and Regulatory Authority (SMPRA) to regulate online content.
18. What are the requirements for appointing Data Protection Officers or similar roles?
The PDPB requires data controllers or processors identified as "significant" to appoint a Data Protection Officer (DPO) who is well-versed in data protection principles and risks.
The members of the NCPDP are required to have specialised knowledge in fields such as ICT (specialising in cybersecurity) and law.
19. What are the record-keeping and documentation obligations?
Under the PDPB, data controllers must:
• Take steps to ensure that personal data is accurate, complete and up-to-date.
• Maintain records of all applications, notices, and requests related to data processing.
• Regularly inform the NCPDP about the types of data they collect and how it is processed, with certain exceptions for occasional data collection that does not infringe on fundamental rights.
20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?
There are no prescribed requirements currently in place. Under the PDPB, the NCPDP is required to formulate a compliance framework for monitoring and enforcement to ensure transparency and accountability, and that framework is to include measures such as a DPIA.
21. What are the requirements for third-party vendor management and data sharing?
The PDPB defines a "third party" as any person other than the data subject, controller, processor, or a person under the direct control of the controller.
• Data controllers must inform data subjects about the collection and use of their personal data, including when it is shared with a third party.
• Personal data cannot be disclosed to a third party without the data subject's consent, except under specific circumstances outlined in the Act.
Similarly, there is a confidentiality requirement under Section 41 of PECA, which requires third-party vendors and service providers to handle personal data lawfully and in line with contractual obligations.
As per PECA, any person, including a service provider while providing services under the terms of a lawful contract or otherwise in accordance with the law, or an authorized officer who has secured access to any material or data containing personal information about another person, who discloses such material to any other person, except when required by law, without the consent of the person concerned or in breach of a lawful contract, with the intent to cause or knowing that he is likely to cause harm, wrongful loss or gain to any person or to compromise the confidentiality of such material or data, will be punished with imprisonment for a term which may extend to three years or with a fine which may extend to one million rupees, or with both; provided that the burden of proof of any defence taken by an accused service provider or authorized officer that he was acting in good faith will be on such service provider or authorized officer, as the case may be.
22. What are the penalties and enforcement mechanisms for non-compliance?
The PDPB proposes a robust enforcement framework:
• Fines: As detailed in question 15, significant financial penalties can be imposed for various violations.
• Complaints: Individuals can file complaints with the NCPDP for violations of personal data protection.
• Enforcement Actions: If a data controller or processor fails to comply with the NCPDP's directives, enforcement action may be taken.
• Appeals: Decisions of the NCPDP can be appealed to the High Court or a designated Tribunal.
PECA establishes an enforcement framework:
• Fines and Imprisonment: As outlined in question 15, PECA imposes significant penalties for cyber offences. The 2025 PECA amendments introduce stricter penalties for spreading false or fake information.
• Complaints: Individuals can file complaints with the Social Media Protection and Regulatory Authority (SMPRA) or the National Cyber Crime Investigation Agency (NCCIA) regarding data misuse or online harms.
• Enforcement Actions: NCCIA investigates and prosecutes PECA offences. SMPRA can issue takedown orders, fine platforms, and enforce compliance within 24 hours for content-related complaints.
• Appeals: Decisions by the Social Media Protection Tribunal can be appealed to the Supreme Court within 60 days.
23. What are the ongoing compliance and audit requirements?
• Under PDPB:
o Audit and Compliance: The NCPDP will have the authority to conduct regular audits, issue compliance reports, and require evidence of DPO appointments, DPIAs, and security measures.
o Registration: Data controllers and processors must register with the NCPDP within 6 months of the law’s enactment.
o Record-Keeping: A data controller must keep and maintain a record of each application, notice, request, or any other information concerning the personal data that has been or is processed by him.
• Under PECA:
o Telecom/Internet Service Providers: Section 32 of PECA requires the retention of traffic data for at least one year. The PTA may conduct audits for compliance.
o Financial Institutions: The SBP's cybersecurity framework mandates real-time monitoring and reporting of suspicious activity.
o Content Platforms (post-PECA Amendments 2025): Platforms are required to maintain logs of user activity and cooperate with audits by the SMPRA.
24. Are there any recent developments or expected reforms?
Yes, the data privacy landscape in Pakistan is undergoing significant changes:
• PDPB: The bill was approved by the Cabinet in April 2023, but is yet to receive parliamentary assent. Thereafter, it is intended to be enforced within two years of its enactment.
• PECA Amendments (January 2025): These amendments established the Social Media Protection and Regulatory Authority (SMPRA) to regulate online content and introduced stricter penalties for the dissemination of "fake or false information".
• Institutional Reforms:
o National Cyber Crime Investigation Agency (NCCIA): In May 2024, the NCCIA was established, replacing the FIA's cyber-crime wing to lead investigations under PECA.
o PKCERT (National CERT): Established in March 2024 to coordinate cybersecurity incident response.
o National Intelligence Fusion and Threat Assessment Centre (NIFTAC): Formed in May 2025 under NACTA to centralise intelligence and counter-terrorism coordination, which may impact data sharing frameworks.