The Federal Cabinet has given its approval to the “Personal Data Protection Bill, 2023,” with the primary objective of regulating the handling of personal data in Pakistan. The bill covers the entire spectrum of data-related activities, including collection, processing, use, disclosure, and transfer, and violations of its provisions may result in fines of up to $2 million or equivalent in Pakistani rupees.
To oversee the implementation of the bill, a National Commission for Personal Data Protection (NCPDP) will be established within six months from the commencement of the Act. With a strong focus on protecting individuals’ rights, freedoms, and dignity in data processing, the bill seeks to ensure that data controllers and processors register with the Commission, and personal data breaches are promptly reported to both the Commission and the affected data subjects.
For enhanced data security, critical personal data will be restricted to processing within Pakistan, while the transfer of non-critical personal data outside the country must meet certain criteria to ensure adequate data protection in the destination nation.
To enforce compliance, the bill stipulates penalties for various violations. These include fines of up to $125,000 for processing violations, up to $500,000 for sensitive data violations, and up to $1 million for critical data violations. Failure to adopt appropriate security measures or comply with Commission directives may also lead to fines.
Through this legislation, the government aims to build trust in the digital economy, safeguard individuals’ data privacy, and align with international data protection standards. Recognizing the transformative impact of technology across sectors, the bill seeks a balanced approach to harnessing data-driven opportunities while safeguarding against potential risks.