Data Protection 2019

Author:Mr Saifullah Khan and Saeed Hasan Khan
Profession:Hamdan AlShamsi Lawyers & Legal Consultants


1.1 What is the principal data protection legislation?

The legislation on data protection is in draft/Bill stage and yet to be passed by the Parliament. Its title is the Personal Data Protection Bill 2018 ("the Bill").

1.2 Is there any other general legislation that impacts data protection?

The Prevention of Electronic Crimes Act, 2016 also contains certain significant provisions about data protection.

1.3 Is there any sector-specific legislation that impacts data protection?

Within the banking sector, the Payment Systems and Electronic Funds Transfers Act, 2007 provides for the secrecy of financial institutions' customer information; violation is punishable with imprisonment or a financial fine, or both. For the telecoms industry, the Telecom Consumers Protection Regulations, 2009 confers on subscribers of telecoms operators the right to lodge complaints for any illegal practices with the Pakistan Telecommunication Authority, "illegal practices" being a broad term which includes, inter alia, illegal use of personal data of subscribers.

1.4 What authority(ies) are responsible for data protection?

Under the Bill, the proposed National Commission for Personal Data Protection would primarily be responsible for data protection.


2.1 Please provide the key definitions used in the relevant legislation:

"Personal Data"

"Personal data" means any information in respect of commercial transactions, which:

is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; is recorded with the intention that it should wholly or partly be processed by means of such equipment; or is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject.


"Processing", in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including:

the organisation, adaptation or alteration of personal data; the retrieval, consultation or use of personal data; and the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or the...

To continue reading