In July this year Pakistan came very close to the implementation of its Data Protection Law. Since 2015 to date, the draft law debated upon by both the Houses was the fourth such draft and perhaps the most comprehensive one so far. It seemed that with the FATF appraisals due in October Pakistan would in fact implement its Data Protection Law which was one of the requirements which had been hinted by the FATF. However it would appear that at the last moment this law was once again put on the back burner.
The need for dedicated law on Data Protection has been felt in Pakistan for quite some time however it would be wrong to assume that there are no laws on Data Protection in Pakistan presently.
The Prevention of Electronic Crimes Act 2016
Section 4 of the Act provides that who so ever without authorization copies or transmits or causes to be transmitted any data may be imprisoned for 6 months or fined up to Rs.100,000 or both.
Section 14 of the Act provides that who so ever without authority obtains, sells, possesses, uses or transmits another person’s identity information without authorization shall be punished with a imprisonment term of up to 3 years or with a fine up to Rs. 5 million or both. The section further provides that any person whose information has been so transmitted can apply to the Pakistan Telecommunication Authority to prevent such transmission.
Section 38 of the Act considers personal information to be of a confidential nature and provides that the transmission of any such information with out authority is punishable by imprisonment of up to 3 years or fine up to Rs. 1 million or both.
The Electronic Transactions Ordinance 2002
Section 37 of the Ordinance provides that who so ever with out authority transmits or stores any information or into any information system shall be guilty of a crime under the Ordinance punishment of which can be imprisonment up to 7 years or a fine a up to Rs. 1 million or both. Information has been defined as including data and information system is defined as including a devise for storing data.
NADRA Ordinance 2000
Section 29 (b) of the NADRA Ordinance 2000 specifically prohibits any person from the unauthorized transmission of any data which comes under the purview of the NADRA Ordinance. Data regarding the CNIC details of clients would fall under the laws of the ordinance.
The Prevention of Electronic Crimes Act 2016, The Electronic Transactions Ordinance 2007 and the NADRA Ordinance 2000 all provide that unauthorized data shall not be transmitted or stored and the punishment for any one contravening these laws is rather severe. The laws however are silent on who shall give authorization for transmittal and storage of data. The fourth draft of the Data Protection Law contains more details on the authority for transmission and the storage of data.
Although a specific Data Protection Law may have been delayed yet again but it is important to note that the Pakistani Law does contain hidden provisions on Data Protection and the fact that the same are not provided under a direct law for Data Protection make them more harder to detect.
