Article 14 of Pakistan’s Constitution provides “[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable.” On April 9, 2020, Pakistan’s Ministry of Information Technology and Telecommunication released its fourth draft of the Personal Data Protection Bill 2020 (“PDPB”). The public consultation period for the fourth draft of the PDPB ended on May 15, 2020. There are many areas that require further negotiation and resolution, but there are noteworthy policy items within this proposal.
The PDPB lays out obligations for data controllers and processors in a manner similar to the GDPR, with requirements related to consent, disclosure, notice, retention, incident notification, and cross-border transfers. The bill also proposes three classes of data: personal data, sensitive personal data, and critical personal data. Further, the PDPB would require a local representative if the entity is not registered or established in Pakistan, just as Article 27 of the GDPR specifies that a representative must be established in one of the Member States where the relevant data subjects are located when entities are controllers or processors not established in the territory. The consumer rights proposed in the PDPB broadly align with the GDPR as well, including the rights to: (1) access, (2) correction, (3) withdraw consent, (4) erasure, and (5) terminate the processing of their data.
Like the laws of China, Russia, and Saudi Arabia, the PDPB would require entities to localize data. As we discussed in relation to the Indian Personal Data Protection Bill, data localization is a polarizing issue. In Chapter II, Section 14, the PDPB sets out that “[c]ritical personal data shall only be processed in a server or data centre located in Pakistan.” However, the proposal defers defining critical personal data as an item to be “classified by the Authority with the approval of the Federal Government.” The “Authority” refers to the Personal Data Protection Authority of Pakistan, which would be formed and given rulemaking authority to enforce the PDPB. That same provision also allows personal data to be transferred outside of Pakistan only when the receiving country offers at least the same level of personal data protection. Personal data is defined by Chapter 1, Section 2 of the PDPB to mean “any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data. Provided that anonymized, encrypted or pseudonymized data which is incapable of identifying an individual is not personal data.”
Chapter VI, Section 34 provides for the Authority to devise a registration mechanism for data controllers and data processors. The contours of what the licensing and registration mechanism would entail, including the potential for any obligations or additional liability, are not present in this proposal. As this draft makes clear, that may not become more apparent until there is an Authority in place.
The fourth draft of the PDPB provides some increases in fines for non-compliance from previous drafts. For example, the bill caps liabilities at 2.5 million rupees for failures to comply with regulator or court orders, and sets maximum fines ranging between 5 and 25 million rupees for other PDPB violations. Entities would assume liability for employee actions, and fines can run up to the higher of 1% of an entity’s annual gross revenue in Pakistan or 30 million rupees. There is also criminal liability involved when there is a failure to stop processing personal data after the consumer withdraws consent. Punishment can result in criminal convictions.
There are many areas of the PDPB that require clarification from Pakistan’s Ministry of Information Technology and Telecommunication. The fourth draft will not be the effective law, but it gives entities and consumers involved in commercial activity in South Asia a view of what a Pakistani data protection and privacy law would look like.