Cabinet clears much-awaited bill: Up to $2m fine on violation of personal data provisions

ISLAMABAD: A fine which may extend to $2 million or an equivalent amount in Pakistani rupees would be levied on those who process or cause to be processed, disseminate or disclose personal data in violation of any of the provisions of the “Personal Data Protection Bill, 2023”.

The Ministry of Information, Technology and Telecommunication had submitted the “Personal Data Protection Bill, 2023,” to federal cabinet which was approved on Wednesday.

The draft of the bill, a copy of which is available with Business Recorder, stated that “the Personal Data Protection Bill, 2023” is devised to regulate the collection, processing, use, disclosure, and transfer of personal data and additionally provides a data protection mechanism including the offences concerning the violation of data privacy rights of an individual.

Personal data protection bill finalised

Where a person collects, processes, stores, uses, and discloses data, it must respect the rights, freedoms, and dignity of an individual for matters connected therewith and ancillary thereto.

The federal government shall, by a Gazetted notification, establish a Commission for this Act, which shall be called the National Commission for Personal Data Protection (NCPDP) of Pakistan, within six months of the commencement of this Act.

It shall come into force not beyond two years from the date of its promulgation as the federal government may determine by notifying in the official gazette by providing at least three months’ advance notice from the effective date.

This bill is to lay out the modus operandi and ancillary details for the usage of personal data such as processing, collection, storage, and disclosure by government, organizations, and individuals for processing purposes because of necessary care, and obligations enunciated in this bill.

It nourishes the environment of fair practices in the digital economy by offering legal protections in online transactions and sharing of personal and sensitive information or data for personal, international e-commerce, and e-government services.

Keeping in view potential approaches, the Personal Data Protection Bill of 2023 will be enacted in line with a present patchwork of global and regional legislations on the protection of personal data to match common grounds and identify areas where different approaches tend to diverge.

Rapid technological advancement and enhanced use of internet services have digitised a wide range of economic, political, and social activities that are having a transformational impact on the way businesses were conducted, and the interaction of people amongst themselves, as well as with the government, enterprises, and other stakeholders.

The bill ensures to afford extra protection for children, concerning their data. Fostering trust online is a fundamental challenge to ensure that the opportunities emerging out of the economy can be fully leveraged.

As the global economy shifts to connected information space, its central component is personal data that drives online cross-border commercial activity, the flow of which may affect individuals, businesses, and government. This Bill ensures that any personal data shall be collected only by lawful, fair, and consensual means from an individual and must be used or disclosed for the purposes for which the data were collected or any other directly related purpose.

Grounds for processing personal data include; (1) Personal data shall be collected, processed, and disclosed by a data controller/data processor lawfully and fairly by complying with the provisions of this Act. (2) The personal data shall be collected for specified, explicit and legitimate purposes, which shall not be processed further that is incompatible with the aforementioned purposes and shall be adequate, relevant, and limited to the purposes for which the data is processed. (3) The data controller and/or data processor whether digitally or non-digitally operational within the territory of Pakistan shall register with the Commission in such manner as may be specified by the registration framework to be formulated by the Commission provided that the data controller and/ or data processor is already registered with any public body in that case, it shall only be required to intimate the Commission. (4) The data controller and/ or data processor identified as “significant” by the Commission shall be required to appoint a data protection officer, who is well-versed in the collection and processing of personal data and the risks associated with processing.

The personal data of any kind of a data subject shall not be processed unless the data controller seeks his consent before the commencement of the processing of the data or as prescribed under the provisions of this Act.

Given the national interest, the Commission shall prescribe the best international standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction.

In the event of a personal data breach, the data controller shall without undue delay and where reasonably possible, not beyond 72 hours of becoming aware of the personal data breach, must notify the Commission and the data subject except where the breach is unlikely to result in the infringement of rights and freedoms of the data subject.

Where personal data excluding critical personal data is required to be transferred to an entity/ entities or system located beyond the borders of Pakistan, which is not under the direct control of the Government of Pakistan, it shall be ensured that the country where the data is being transferred offers at least adequate personal data protection legal regime which is consistent to the protection provided under this Act and the data which is transferred shall be processed as per the provisions of this Act and, where applicable, the data subject shall give explicit consent. (2) Critical Personal Data shall only be processed in a server(s) or digital infrastructure located within the territory of Pakistan.

Whosoever processes or disseminates or discloses any personal data in violation of the provisions of this Act shall be punished with a fine up to 125,000 USD or an equivalent amount in Pakistani rupees and in case of subsequent unlawful processing of personal data, the fine may be raised up to 250,000 USD or an equivalent amount in Pakistani rupees.

In case, where the offence is committed under sub-section (1) and relates to sensitive personal data the offender may be punished with a fine of up to 500,000 USD or an equivalent amount in Pakistani Rupees. (3) In case, where the offence is committed under sub-section (1) and relates to critical personal data, the offender may be punished with a fine of up to 1,000,000 USD or an equivalent amount in Pakistani rupees or as the Commission deems appropriate.

Whosoever fails to adopt adequate security measures to ensure data security, as per the provisions laid down in this Act, Rules, and regulations, shall be punished with a fine of up to 50,000 USD or an equivalent amount in Pakistani Rupees. When an individual fails to comply with the orders of the Commission or the court when he is required to obey shall be punished with a fine of up to 50,000 USD or an equivalent amount in Pakistani rupees.

Copyright Business Recorder, 2023