PECA 2016 Compliance Guide
Everything Pakistani IT companies need to know about the Prevention of Electronic Crimes Act.
Last updated: April 2026 | P@SHA Cloud & Digital Committee
What is PECA 2016?
The Prevention of Electronic Crimes Act, 2016 (PECA) is Pakistan's primary cybercrime legislation. It defines offenses related to electronic systems, data, and online content, and establishes investigation and prosecution mechanisms.
⚠️ Important: PECA is a criminal law. Violations can result in imprisonment. IT companies must ensure their operations, products, and employee conduct comply with PECA provisions.
Key Facts
| Fact | Detail |
|---|---|
| Enacted | August 2016 |
| Administered by | FIA (Federal Investigation Agency) Cyber Crime Wing |
| Amendments | 2025 (major), 2022 (minor) |
| Latest Amendment | PECA Amendment Act 2025 |
| Related Laws | ITO 2001, Sales Tax Act 1990, AML Act 2010 |
Key Sections & Penalties
| Section | Offense | Max Penalty |
|---|---|---|
| §3 | Unauthorized access to information system | 2 years + PKR 1M fine |
| §3A | Unauthorized access to critical infrastructure | 3 years + PKR 5M fine |
| §4 | Unauthorized copying of data | 2 years + PKR 500K fine |
| §5 | Interference with information system | 2 years + PKR 500K fine |
| §6 | Glitch terrorism (critical infrastructure damage) | 14 years + unlimited fine |
| §7 | Electronic fraud | 7 years + PKR 5M fine |
| §8 | Unauthorized use of identity information | 3 years + PKR 500K fine |
| §9 | Offenses against modesty (online harassment) | 1 year + PKR 100K fine |
| §10 | Cyber stalking | 1 year + PKR 100K fine |
| §11 | Offenses against dignity of natural person | 1 year + PKR 100K fine |
| §14 | Spamming | 1 month + PKR 50K fine |
| §16 | Electronic forgery | 3 years + PKR 500K fine |
| §17 | Tampering with communication | 3 years + PKR 500K fine |
| §20 | Offenses relating to online content (removal orders) | PKR 500K per day |
| §21 | Unauthorized encryption | 6 months + PKR 100K fine |
| §29 | Retaining stolen data | 1 year + PKR 100K fine |
| §30 | Making, obtaining or supplying device for offense | 6 months + PKR 100K fine |
Online Content (§20)
PECA §20 allows authorities to issue removal or blocking orders for online content. Platforms and service providers must comply within specified timeframes.
- Removal notice: Content must be removed within 24 hours (2025 amendment)
- Blocking order: PTA can direct ISPs to block access
- Non-compliance: Fine up to PKR 500,000 per day
- Appeal: Available within 30 days to PTA
PECA Compliance for IT Companies
As a Software Developer
- Don't build tools that facilitate unauthorized access (§3)
- Don't include data exfiltration in software (§4)
- Implement proper authentication — don't create backdoor access
- Don't build applications for harassment/stalking (§9-11)
- Include privacy-by-design principles
As a Service Provider
- Comply with content removal/blocking orders within timeframes (§20)
- Maintain traffic data and logs as required
- Report suspected criminal activity to FIA
- Don't facilitate electronic fraud (§7)
- Implement AML/KYC for payment services
As a Hosting Provider
- Know your customer (KYC) requirements
- Respond to abuse complaints within 48 hours
- Maintain server access logs (minimum 90 days)
- Cooperate with FIA investigations (§42 — investigation powers)
- Implement data retention as per PTA regulations
As an Employer
- Employees must sign IT usage policies covering PECA
- Monitor employee use of company systems (with disclosure)
- Don't access employee personal data without authorization (§4)
- Implement whistleblower mechanisms
- Train staff on PECA obligations
FIA Investigation Process
FIA Cyber Crime Wing Powers (§41-43)
- Arrest without warrant for cognizable offenses
- Search & seizure of devices, data, records
- Interception of electronic communications (with court order)
- Data preservation orders to service providers
- Access to systems for forensic investigation
If You Receive an FIA Notice
- Don't panic — many notices are routine inquiries
- Engage a lawyer specializing in cybercrime (contact P@SHA for referrals)
- Preserve evidence — don't delete logs, emails, or data
- Document everything — keep records of all communications
- Cooperate within legal bounds — provide requested information
- Know your rights — you have rights under PECA and the Constitution
FIA Cyber Crime Reporting
Online Complaint: crime.fia.gov.pk
Helpline: 1991
Email: complaint@fia.gov.pk
Headquarters: FIA Headquarters, Islamabad
Regional Offices: Karachi, Lahore, Quetta, Peshawar
2025 Amendments
PECA was significantly amended in 2025. Key changes:
| Change | Previous | New (2025) |
|---|---|---|
| Online content removal timeline | No specific timeline | 24 hours from notice |
| Data breach notification | Not required | Mandatory notification to FIA within 72 hours |
| Enhanced penalties for critical infrastructure | §3A: 3 years | §3A: 5 years + increased fine |
| Corporate liability | Primarily individual | Corporate officers can be held liable |
| Social media regulation | Limited | New provisions for social media companies |
| Terrorism financing | §6 only | New provisions aligned with FATF |
⚠️ Note: The exact text of the 2025 amendments should be verified with the gazette notification. Contact P@SHA or a legal expert for the current official text.
Personal Data Protection Bill (PDPB)
Pakistan's PDPB has been in draft since 2023-2024. When enacted, it will significantly impact IT companies:
Expected Key Provisions
- Consent-based processing: Explicit consent for data collection
- Data minimization: Collect only what's necessary
- Purpose limitation: Use data only for stated purposes
- Cross-border transfer restrictions: Data localization requirements
- Data Protection Officer: Mandatory for companies above threshold
- Breach notification: 72-hour notification to authority and affected persons
- Right to erasure: Individuals can request data deletion
- Data portability: Right to transfer data between providers
What IT Companies Should Do NOW
- Start implementing data protection policies (even before enactment)
- Appoint a Data Protection Officer
- Map all personal data flows in your systems
- Implement consent management in your applications
- Review cross-border data transfers
- Train development teams on privacy-by-design
FAQ
Can FIA seize my company's devices and data?
Yes, under §42 FIA can seize devices and data relevant to an investigation. They need a warrant for some actions but can seize without warrant in certain circumstances (e.g., if data is at risk of being destroyed). Maintain offsite backups.
Is using a VPN illegal under PECA?
Using a VPN is not explicitly illegal under PECA. However, PTA has issued directives about unauthorized VPN usage. For business purposes, use registered/legitimate VPN services and inform PTA if required. §21 (unauthorized encryption) has been used in some cases but primarily targets encrypted communications used for criminal purposes.
What should I do if my company suffers a data breach?
Under the 2025 amendments, you must notify FIA within 72 hours. Also notify affected clients per your contractual obligations. Document everything. Engage cybersecurity experts for investigation. Your liability depends on whether reasonable security measures were in place.
📋 Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Consult a qualified lawyer for specific PECA compliance questions.