In a world where data breaches are becoming a part of our daily lives, the Pakistani government has finally realized the importance of legislation. The Ministry of Information Technology and Telecommunication has drafted the Personal Data Protection Bill 2018.

The new bill proposes a maximum punishment of two years and a fine of Rs. 5 million for the unlawful processing of personal data. According to the Personal Data Protection Bill 2018, Article 14 of the Constitution guarantees that “dignity of man, and subject to law, the privacy of the home, shall be inviolable.” The Ministry is asking all stakeholders for recommendations on the proposed bill.

We live in the era of digitization, where every company wants to store data about its customers, which puts personal data at very high risk. People's personal data is often collected, processed and even sold without the knowledge of the person concerned.

The Prevention of Electronic Crimes Act, 2016 deals with cybercrimes relating to unauthorized access to data. The new Personal Data Protection Bill 2018 will draw up a framework to protect user data by mapping out the responsibilities of data collectors and processors, the rights and privileges of users, and the institutional provisions for regulating activities relating to the collection, storage, processing and usage of personal data.

Personal Data Protection Bill 2018 will include the following things:

Unlawful Processing of Personal Data

According to the proposed bill, anyone who processes or causes to be processed, disseminates or discloses personal data in violation of any of the provisions of the proposed legislation will be punished with a fine amounting to three million rupees.

In a case of subsequent unlawful processing of personal data, the guilty party may face imprisonment for one year with or without fine.

(2) In case the offense committed under sub-section (1) relates to sensitive data the offender may be punished with fine up to five million rupees.

Failure to Adopt Appropriate Data Security Measures

Anyone who fails to adopt the security measures necessary to ensure the security of users’ data, in violation of the provisions of the Personal Data Protection Bill 2018, will be fined up to one million rupees.

Failure to comply with orders

Anyone who fails to comply with the orders of the commission or the court will receive a fine of up to five hundred thousand rupees.

Corporate Liability

A person shall be held liable for a criminal offence committed on his instructions or for his benefit or lack of required supervision by any individual, acting either individually or as part of a group of persons, who has a leading position within it, based on a power of representation of the person; an authority to take decisions on behalf of the person; or an authority to exercise control within it.

The person shall be punished with fine not exceeding five million rupees. Provided that such punishment shall not absolve the criminal liability of the individual who has committed the offense.

This proposed Personal Data Protection Bill 2018 applies to

  • Any person who processes
  • Any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.

Further a data controller shall not (a) in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or (b) in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with section.

Notwithstanding paragraph (1)(a), a data controller may process personal data about a data subject if the processing is necessary:

  • For the performance of a contract to which the data subject is a party
  • For the taking of steps at the request of the data subject with a view to entering into a contract
  • For compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract;
  • In order to protect the vital interests of the data subject;
  • For the administration of justice
  • For the exercise of any functions conferred on any person by or under any law.

Personal data shall not be processed unless

  • The personal data is processed for a lawful purpose directly related to an activity of the data controller
  • The processing of the personal data is necessary for or directly related to that purpose; and
  • The personal data is adequate but not excessive in relation to that purpose.

A data controller shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Right of access to personal data

  1. An individual is entitled to be informed by a data controller whether personal data of which that individual is the data subject is being processed by or on behalf of the data controller.
  2. A requestor may, upon payment of a prescribed fee, make a data access request in writing to the data controller— (a) for information of the data subject’s personal data that is being processed by or on behalf of the data controller; and (b) to have communicated to him a copy of the personal data in an intelligible form.
  3. A data access request for any information under sub-section (2) shall be treated as a single request, and a data access request for information under clause (a) of sub-section (2) shall, in the absence of any indication to the contrary, be treated as extending also to such request under clause (b) of sub-section (2).
  4. In the case of a data controller having separate entries in respect of personal data held for different purposes, a separate data access request shall be made for each separate entry
  5. Where a data controller does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data controller who holds the personal data from complying, whether in whole or part, with the data access request under subsection (2) which relates to the personal data, the first mentioned data controller shall be deemed to hold the personal data and the provisions of this Act shall be construed accordingly

Commission for Personal Data Protection

Within six months of the Personal Data Protection Bill 2018 coming into effect, the Federal Government will establish a Commission for Personal Data Protection (CPDP).

The Commission shall be a corporate body, having perpetual succession which can sue and be sued in its own name and shall enjoy operational and administrative autonomy, except as specifically provided for under this proposed legislation.

The Commission shall comprise three Commissioners, to be appointed by the Prime Minister as follows:

  • One Commissioner shall be a person who has been or is qualified to be a judge of High Court
  • One Commissioner shall be a person having a master's degree in computer sciences or telecommunications and fifteen years of experience in the field of information technology, telecommunications or computer sciences
  • One Commissioner shall be a person from civil society having a degree based on sixteen years of education from a recognized institution and fifteen years of experience in the field of mass communication, academics and civil rights.

The Commission shall be headed by a Chairman, nominated by the Federal Government from amongst the three Commissioners.

The Commissioners, including the Chairman, shall hold office for a term of four years and will not be eligible for re-appointment.