1. Relevant Legislation and Competent Authorities
1.1 What is the principal data protection legislation?
The legislation on data protection is in draft/Bill stage and yet to be passed by Parliament. Its title is the Personal Data Protection Bill, 2020 (“the Bill”).
1.2 Is there any other general legislation that impacts data protection?
The Prevention of Electronic Crimes Act, 2016 also contains certain significant provisions about data protection.
1.3 Is there any sector-specific legislation that impacts data protection?
Within the banking sector, the Payment Systems and Electronic Funds Transfers Act, 2007 provides for the secrecy of financial institutions’ customer information; violation is punishable with imprisonment or a financial fine, or both. For the telecoms industry, the Telecom Consumer Protection Regulations, 2009 confer on subscribers of telecoms operators the right to lodge complaints for any illegal practices with the Pakistan Telecommunication Authority, “illegal practices” being a broad term which includes, inter alia, illegal use of personal data of subscribers.
1.4 What authority(ies) are responsible for data protection?
Under the Bill, the proposed Personal Data Protection Authority of Pakistan would primarily be responsible for data protection.
2.1 Please provide the key definitions used in the relevant legislation:
“personal data” means any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data.
Provided that anonymized, encrypted or pseudonymized data which is incapable of identifying an individual is not personal data.