On 9 April 2020, Pakistan released its fourth draft of the Personal Data Protection Bill ("Bill").
- The territorial scope of the Bill is extremely wide and applies to any processor or controller as long as any part of the data processing chain occurs in Pakistan.
- The obligations for data controllers and processors are broadly similar to other international laws, including GDPR, with requirements around notice, consent, retention, disclosure, breach notification, and cross-border transfers.
- Similarly, data subjects’ rights are broadly aligned with those in other jurisdictions, and include the right to access and correct data, to withdraw consent, to request erasure of data, and to require a data controller to cease processing their data.
- However, there are certain aspects of the Bill that remain out of step with widely accepted privacy norms, including a potential data localization requirement and a requirement for mandatory licensing and registration of all data controllers and processors.
Who does the Bill apply to?
The extra-territorial application of the Bill is wider than that of most other privacy laws. The Bill applies to both local and foreign persons, whether established within or outside Pakistan, that process, have control over, or authorise the processing of personal data, where any part of the data processing chain (including the controller, processor, data subject, intermediary, etc.) is located in Pakistan.
Any person that is not registered or established in Pakistan must also nominate a representative in Pakistan.
What kinds of data are included?
The Bill covers three types of data: personal data, sensitive personal data, and critical personal data.
- Personal Data: This comprises any information relating directly or indirectly to a data subject, whether combined with other data or alone, that identifies a data subject.
- Sensitive personal data: This is defined non-exhaustively and includes a person's access credentials, financial information, health and medical records, passports and biometric data, ethnicity, and religion.
- Critical personal data: This is not currently defined but will be determined “by the Authority with the approval of the Federal Government”. Critical personal data must only be processed within Pakistan and cannot be transferred out of Pakistan, which means that a broad range of data could potentially be subject to a data localization requirement.
What are the key obligations of data processors and data controllers?
- Consent and Notice: Express consent must be obtained from the data subject before personal data can be collected and processed. Consent must be “unambiguous” and “a clear affirmative action”. An extensive written notice (outlining, among other things, the types of personal data to be collected, the purpose(s) of collection, the legal basis relied on to process the personal data, the data subject's rights, and the categories of third parties to whom the personal data will be disclosed) must be given to the data subject at the time of collection.
- Sensitive Personal Data: Sensitive personal data may not be collected and processed unless an exemption applies, such as compliance with a legal obligation; where processing is necessary to protect the vital interests of the data subject or another person; or where the personal data was intentionally made public by the data subject.
- Retention of Data: Personal data must not be kept longer than necessary for the fulfilment of the purpose it was collected for. It is the responsibility of a data controller to take all reasonable steps to ensure that the data is destroyed or permanently deleted.
- Disclosure of Data: The data subject's consent is required for any disclosure of personal data to third parties other than those already notified to the data subject.
- Cross-border Transfers: Cross-border transfers are only permitted where the data controller can ensure that the country to which the data will be transferred provides the same level of data protection as the Bill. Critical personal data cannot be transferred out of the country and must be processed in Pakistan. The regulator also has the power to impose data mirroring requirements, which would require a copy of any data transferred overseas to be stored in Pakistan.
- Protection of Data: Data controllers and processors must take practical steps to protect the personal data they process and comply with any security standards prescribed by the regulator.
- Mandatory data breach notification: The regulator must be notified within 72 hours of the data processor or controller becoming aware of the breach.
Data subject rights
- Access and Correction of Data: A data subject must be granted access to his or her data within 30 days of making a request. The data subject is also entitled to request to correct data that is inaccurate, incomplete or misleading.
- Withdrawal of Consent: A data subject may withdraw his or her consent to the processing of his or her personal data, and the data controller or data processor must cease processing upon receipt of the notice of withdrawal.
- Erasure of Data: A data subject has the right that his or her personal data be erased where: (a) the purposes for which the personal data was originally collected have been exhausted; (b) he or she withdraws consent and there is no other legal ground for the processing; (c) he or she objects to the processing; (d) the personal data was unlawfully processed; or (e) such erasure is required to comply with a legal obligation.
- Ceasing to Process Data: A data subject is entitled to require a data controller to cease processing his or her personal data where such processing causes or is likely to cause unwarranted and substantial damage or distress to him or her, or to another person.
Potential registration and licensing framework
The Bill empowers the regulator to implement a mandatory registration and licensing framework for data controllers and data processors.
Sanctions and penalties
- Fines: The fines for non-compliance under the Bill are generally higher than in previous drafts, with a maximum fine of 2.5 million rupees (approx. USD 15,500) for failure to comply with orders from the regulator or the court, and maximum fines of between 5 and 25 million rupees for various other breaches under the Bill.
- Criminal Liability: Failure to cease processing personal data once a data subject withdraws consent is a criminal offence that may result in imprisonment.
- Corporate Liability: Corporations will also be liable for the actions of employees, executives and other personnel acting on their behalf, and are subject to further fines of up to 1% of their annual gross revenue in Pakistan or 30 million rupees (approx. USD 180,000), whichever is higher.
Despite being the fourth draft of the Bill, there is still room for further clarity in many areas of the drafting. Recent news reports also mention significant pushback from organisations in Pakistan over the lack of governmental accountability in the Bill. The government's ability to grant exemptions to any data controller or class of data controllers at its discretion, and the fact that individuals working for the regulator would be considered public servants despite having oversight of the Federal Government and its agencies, have been cited as examples of this.
The Bill is expected to undergo further refinements following the conclusion of the latest public consultation period.
This article is produced by our Singapore office, Bird & Bird ATMD LLP, and does not constitute legal advice. It is intended to provide general information only. Please contact our lawyers if you have any specific queries.