PECA 2016, PDPB, data localization, cross-border transfers & sectoral data rules

| Aspect | Pakistan (Current) | Digital Nation Bill 2025 | GDPR (EU) | PDPA (Singapore) | Reference |
|---|---|---|---|---|---|
| Comprehensive DPA | No (partial PECA 2016) | Yes (proposed) | Yes (2018) | Yes (2012) | |
| Data Subject Rights | Limited | Proposed: access, correction, deletion | Full rights | Full rights | |
| Consent Requirements | Not codified | Proposed explicit consent | Consent is one of six lawful bases (Art. 6); explicit consent only for special-category data (Art. 9) | Consent, with deemed-consent and legitimate-interest exceptions | |
| Data Localization | Partial (telecom/banking) | Proposed for sensitive data | Not required | Not required | |
| Breach Notification | Not required | Proposed 72-hour notification | 72 hours mandatory | As soon as practicable | |
| DPO Requirement | Not required | Proposed for large processors | Mandatory for certain orgs | Mandatory for certain orgs | |
| Cross-Border Transfer | Not regulated | Proposed restrictions | Adequacy or safeguards | Comparable protection | |
| Maximum Penalty | PECA penalties | TBD in Bill | €20M or 4% of global turnover, whichever is higher | S$1M or 10% of Singapore turnover, whichever is higher | |
| Enforcement Authority | Multiple (FIA, PTA, SBP) | Proposed: Pakistan Digital Authority | Data Protection Authority | PDPC | |

| Law/Regulation | Authority | Scope | Data Protection Provisions | Status | Reference |
|---|---|---|---|---|---|
| PECA 2016 | MoITT | Electronic crimes | Unauthorised access penalties | Active | |
| Telecom Act 1996 | PTA | Telecom sector | Critical Telecom Data Regulations (2020) | Active | |
| SBP Cyber Shield | SBP | Banking/financial | Customer data protection for banks | Active (Mar 2026) | |
| NADRA Act | NADRA | Citizen biometric data | Strict data protection for biometrics | Active | |
| Companies Act 2017 | SECP | Corporate data | Director/shareholder data confidentiality | Active | |
| Consumer Protection Acts | Provincial | Consumer data | Basic consumer data rights | Active (provincial) | |
| Right to Information Laws | Federal/Provincial | Government data | Citizen access to govt data | Active | |
| Digital Nation Pakistan Bill 2025 | MoITT/Pakistan Digital Authority | Comprehensive | Full data protection framework | Passed both Houses | |

| Section | Offense | Penalty |
|---|---|---|
| §3 | Unauthorized access to information systems | Up to 3 months imprisonment or PKR 50,000 fine or both |
| §4 | Unauthorized copying of data | Up to 6 months imprisonment |
| §5 | Interference with information system | Up to 2 years + PKR 500,000 fine |
| §7 | Unauthorized access to critical infrastructure | Up to 5 years imprisonment |
| §8 | Electronic fraud | Up to 7 years imprisonment + fine |
| §9 | Unauthorized issuance of SIM cards | Up to 3 years + fine |
| §10 | Spamming | Up to 1 month + PKR 50,000 fine |
| §10A | Cyber terrorism | Up to 14 years imprisonment + fine |
| §21 | Online defamation (2025 amendment) | Strengthened → fine and/or imprisonment |
| §42-43 | International cooperation | Mutual legal assistance framework |
| Penalties as summarised from PECA 2016 with the 2025 amendments; verify section numbers and amounts against the consolidated Act text before relying on them | | |

Sources: NA Document | Dawn Coverage

| Provision | Details |
|---|---|
| Data Subject Rights | Access, correction, deletion, portability |
| Data Controller Obligations | Lawful basis, consent, purpose limitation |
| Consent Requirements | Explicit consent for processing personal data |
| Cross-Border Transfers | Requires government approval or adequacy finding |
| Data Localization | Mandatory for sensitive personal data |
| Data Protection Authority | New regulatory body to be established |
| Maximum Penalties | Up to PKR 500 million for violations (per PDPB Draft §36) |
| Breach Notification | Required within 72 hours of discovery |
Action: begin GDPR-aligned preparation now rather than waiting for enactment, and monitor parliamentary proceedings for the final text.

| Sector | Requirement | Authority | Scope |
|---|---|---|---|
| Banking/Financial | Mandatory: all financial data hosted in Pakistan | SBP | BPRD Circular 03/2020 |
| Telecom | Mandatory: CDRs and subscriber data hosted in Pakistan | PTA | PTA Registration Rules 2000 |
| Government | Mandatory: all government data hosted in Pakistan | MoITT/NITB | Data classification policy |
| Healthcare | Recommended: patient records hosted in Pakistan | Provincial Depts | Draft Digital Health Policy |
| E-commerce | Partial: payment data hosted in Pakistan | SBP/FBR | E-Payment Guidelines |
| Education | No strict requirement | | |
| General Private | No strict requirement (may change with PDPB) | | |
| As of Tax Year 2025; subject to change with PDPB enactment | | | |

| Circular | Subject | Applicability |
|---|---|---|
| BPRD Circular 14/2021 | Framework for Digital Lending | Banks/DFIs/Fintech |
| BPRD Circular 03/2020 | Cloud Computing Guidelines | Banks/DFIs |
| BPRD Circular 07/2018 | Information Security | Banks/DFIs |
| E-Payment Circulars | Electronic Payment Schemes | PSOs/PSPs |

| Scenario | Status | Basis |
|---|---|---|
| Pakistani banking/fintech data on intl servers | PROHIBITED without prior SBP approval | SBP Cloud Guidelines |
| Government client data abroad | PROHIBITED | MoITT/NITB Policy |
| Telecom subscriber data abroad | PROHIBITED | PTA Regulations |
| General international client data | ALLOWED | No current statutory restriction |
| After PDPB enactment | Data transfer impact assessments (DTIAs) required | Draft PDPB provisions |
| PECA 2016 does not explicitly regulate cross-border transfers | | |

Pakistan currently lacks a comprehensive Data Protection Authority, though the Digital Nation Pakistan Bill 2025 (passed both Houses) is expected to establish one. The Pakistan Digital Authority has been created under this framework; verify the current Chairperson appointment before citing it.
Existing protections: PECA 2016 covers unauthorized data access, PTA regulates telecom data localization, and SBP Cyber Shield protects banking data. However, comprehensive data subject rights (access, correction, deletion) are not yet codified.
PSEB offers a GDPR Compliance Certification program for IT companies handling EU data.
While a general data protection law is pending, the financial sector already has mandatory SBP data security requirements:

| Requirement | Source | Applies To |
|---|---|---|
| Technology risk governance at board level; Head of IT + Head of InfoSec mandatory | PSD C4/2025 — Tech Risk Framework | EMIs, PSOs, PSPs |
| Cyber resilience program aligned with Cyber Shield strategy (2025-2030) | CRMD CL01/2026 — Cyber Shield | All SBP-regulated entities |
| NADRA biometric verification at digital onboarding; device fingerprinting; 2-hour cool-off on device switch | PSD C4/2025 — Sec.7 | EMIs, PSOs, PSPs |
| Cloud outsourcing per SBP framework; 7-day advance notice for material outsourcing; SBP approval for offshore | PSD C4/2025 — Sec.8 | EMIs, PSOs, PSPs |
| Security of internet banking — encryption, two-factor auth, session management | PSD C3/2015 — Internet Banking Security | All banks |
| Mobile app security — secure coding, VAPT, certificate pinning, runtime integrity | PSD CL6/2022 — Mobile App Security | Banks, EMIs |
| Payment card security — PCI DSS compliance, EMV, tokenization | PSD C5/2016 — Payment Card Security | All card-issuing banks |
| 30-minute fraud dispute SLA; PI liable for delayed alerts and unavailable complaint channels | PSD C4/2025 — Sec.7C | EMIs, PSOs, PSPs |

The Final Draft Personal Data Protection Bill (May 2023) is the most comprehensive data protection instrument Pakistan has drafted to date, though it has not yet been enacted. Key provisions:

| Provision | Details | IT Company Compliance |
|---|---|---|
| Personal Data Protection Commission | Independent regulatory body to oversee data protection enforcement | Registration and reporting obligations to the Commission |
| Data Controller/Processor Distinction | Clear legal distinction between data controllers and data processors | IT companies must identify their role — most SaaS providers are data processors |
| Consent Requirements | Explicit, informed consent required for data collection and processing | Implement consent management systems and privacy notices |
| Data Subject Rights | Right to access, rectification, erasure, data portability, and objection | API endpoints and processes for data subject request handling |
| Cross-Border Transfers | Restrictions on transfer of personal data outside Pakistan without adequate protection | Review cloud hosting and data processing locations for compliance |
| Data Breach Notification | Mandatory notification to Commission and affected data subjects within 72 hours | Implement breach detection and notification protocols |
| Data Protection Impact Assessment | Required for high-risk processing activities | Conduct DPIAs for AI/ML systems, profiling, large-scale processing |
| Penalties | Significant fines for non-compliance (up to 2% of annual turnover) | Compliance programs and DPO appointment essential |

Sources: PDPB 2023 (PDF) | PDPB 2021 Draft (PDF) (Federal)