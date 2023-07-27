A fine which may extend to $2 million or an equivalent amount in Pakistani rupees would be levied on those who process or cause to be processed, disseminate, or disclose personal data in violation of any of the provisions of the “Personal Data Protection Bill, 2023”.
The government’s “Personal Data Protection Bill, 2023” was presented to the Federal Cabinet by the Ministry of Information, Technology, and Telecommunication and got approved on Wednesday.
The draft bill aims to control how personal data is collected, processed, used, disclosed, and transferred. It wants to protect individuals’ data privacy rights and address any violations of those rights.
Anyone handling data must respect the rights, freedoms, and dignity of individuals regarding their data.
To oversee this, the government will create the National Commission for Personal Data Protection (NCPDP) within six months of enacting the Act. The Act will become effective no later than two years from its approval, with at least three months’ notice given.
The bill’s main goal is to establish rules and guidelines for handling personal data by the government, organizations, and individuals. It wants to ensure that personal information is treated with care and responsibility.
The ultimate aim is to create a safe and fair digital environment for online transactions and the sharing of personal and sensitive information. It also aims to provide legal protections for personal data used in international e-commerce and e-government services.
The bill will consider existing global and regional legislation on personal data protection to find common ground and address differences.
Rapid technological advancement and enhanced use of internet services have digitized a wide range of economic, political, and social activities that are having a transformational impact on the way businesses were conducted, and the interaction of people amongst themselves, as well as with the government, enterprises, and other stakeholders.
The Bill ensures to afford extra protection for children, concerning their data. Fostering trust online is a fundamental challenge to ensure that the opportunities emerging out of the economy can be fully leveraged.
As the global economy shifts to connected information space, its central component is personal data that drives online cross-border commercial activity, the flow of which may affect individuals, businesses, and government. This Bill ensures that any personal data shall be collected only by lawful, fair, and consensual means from an individual and must be used or disclosed for the purposes for which the data were collected or any other directly related purpose.
Grounds for processing personal data include;
- Personal data shall be collected, processed, and disclosed by a data controller/data processor lawfully and fairly by complying with the provisions of this Act.
- The personal data shall be collected for specified, explicit and legitimate purposes, which shall not be processed further that is incompatible with the aforementioned purposes and shall be adequate, relevant, and limited to the purposes for which the data is processed.
- The data controller and/ or data processor whether digitally or non-digitally operational within the territory of Pakistan shall register with the Commission in such manner as may be specified by the registration framework to be formulated by the Commission provided that the data controller and/ or data processor is already registered with any public body in that case, it shall only be required to intimate the Commission.
- The data controller and/ or data processor identified as “significant” by the Commission shall be required to appoint a data protection officer, who is well-versed in the collection and processing of personal data and the risks associated with processing.
The personal data of any kind of data subject shall not be processed unless the data controller seeks his consent before the commencement of the processing of the data or as prescribed under the provisions of this Act.
Given the national interest, the Commission shall prescribe the best international standards to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction.
In the event of a personal data breach, the data controller shall without undue delay and where reasonably possible, not beyond 72 hours of becoming aware of the personal data breach, must notify the Commission and the data subject except where the breach is unlikely to result in the infringement of rights and freedoms of the data subject.
- Where personal data excluding critical personal data is required to be transferred to an entity/entities or system located beyond the borders of Pakistan, which is not under the direct control of the Government of Pakistan, it shall be ensured that the country where the data is being transferred offers at least adequate personal data protection legal regime which is consistent to the protection provided under this Act and the data which is transferred shall be processed as per the provisions of this Act and, where applicable, the data subject shall give explicit consent.
- Critical Personal Data shall only be processed in a server(s) or digital infrastructure located within the territory of Pakistan.
Whosoever processes or disseminates or discloses any personal data in violation of the provisions of this Act shall be punished with a fine up to 125,000 USD or an equivalent amount in Pakistani rupees and in case of subsequent unlawful processing of personal data, the fine may be raised up to 250,000 USD or an equivalent amount in Pakistani rupees.
In case, where the offence is committed under sub-section (1) and relates to sensitive personal data the offender may be punished with a fine of up to 500,000 USD or an equivalent amount in Pakistani Rupees.
- In case, where the offense is committed under sub-section (1) and relates to critical personal data, the offender may be punished with a fine of up to 1,000,000 USD or an equivalent amount in Pakistani rupees or as the Commission deems appropriate.
If someone doesn’t take proper security measures to protect data, as specified in this Act, Rules, and regulations, they can be fined up to $50,000 USD or the equivalent in Pakistani Rupees.
If an individual disobeys the orders of the Commission or court, they can also be fined up to $50,000 USD or the equivalent in Pakistani Rupees.
If a data controller or data processor violates any provision in this Act, Rules, or regulations, or any government policy or Commission’s direction, they may receive a written notice within fifteen days asking for an explanation for not following the enforcement order.
The notice referred to in sub-section (2) shall specify the nature of the contravention and adequate steps to be taken by the licensee for the redressal of the contravention. Where anyone fails to respond to the notice referred to in subsection (2) or fails to satisfy the Commission about the alleged contravention, or is unable to remedy the contravention within the time allowed by the Commission may by a written order and furnishing reasons for that shall:
- levy fine which may extend to 2,000,000 USD or an equivalent amount in Pakistani rupees; or
- suspend or terminate the registration and impose additional conditions.
Notwithstanding anything mentioned above, the legal person shall be punished with a fine not exceeding one percent of its annual gross revenue in Pakistan or 200,000 USD whichever is higher or an equivalent amount in Pakistani rupees or as may be assessed by the Commission.
