Pakistan’s tax transformation and unsettled question of data security

Very recently a news item has rattled Pakistan’s business and tax world. According to this news item (not denied), FBR will now have access to the people’s internet, call data and other social media accounts in tax cases.

This might cause a blow to the Government and FBR’s aggressive tax transformation plan having Digitalization as a core component. In a bid to transaction control and Digital Reporting Requirement, e-Invoicing or digital invoicing has been made mandatory for POS mainly on B2C categories bypassing the essential B2G and B2B segments.

In the process of data capturing, tax payers are worried about the protection of their personal data as there is no legally binding ‘Data Protection Regime’ in Pakistan. Country’s tax laws place onerous obligations upon taxpayers but give them very few rights. Country’s tax authorities loath issuing any ‘Charter of Right’ for the taxpayers as is done by all civilized nations.

Pakistan’s tax landscape is in the midst of a radical overhaul. The government and the FBR are pushing an aggressive digitalization agenda, with e-Invoicing at the forefront. The initiative, designed to broaden the tax base and curb evasion, is a critical step towards modernizing the economy. However, its implementation, particularly the focus on B2C transactions and the absence of a data protection framework, has sparked a silent but significant concern among taxpayers: the security of their personal information.

The digitalization move is a calculated one. By targeting B2C transactions, the FBR aims to capture a vast stream of retail data, which has historically been difficult to track. While this approach bypasses the B2B segment for now, it lays the groundwork for a comprehensive digital reporting system. The objective is clear: to create an unassailable digital trail of transactions, making it harder for businesses to under-report sales and evade taxes and at the same time securing data for the future audits.

Yet, this digital leap comes with a profound risk. As tax authorities capture and store an unprecedented volume of transactional data, including customer details, the lack of a robust data protection regime in Pakistan becomes a glaring vulnerability. Taxpayers are being asked to trust the system with sensitive personal and commercial data without the legal safeguards that are standard in many other countries. In a world where data breaches are common and cyber threats are increasingly sophisticated this is a legitimate worry.

The current situation presents a classic “chicken-and-egg” problem. The FBR argues that digitalization is a prerequisite for economic stability and growth. Taxpayers, on the other hand, question whether this progress should come at the cost of their privacy. The absence of a dedicated data protection law means there are no clear rules on how data can be collected, stored, used, or who is held accountable in the event of a breach. There is no legal recourse for individuals whose data is compromised, and this lack of a safety net erodes trust.

There is a risk that this data could be used for purposes beyond tax collection, such as surveillance or political targeting. Without strict regulations and oversight, the collected information could be misused, leading to a chilling effect on citizens who may fear that their private financial activities are being constantly monitored.

Centralizing vast amounts of personal and financial data in FBR’s systems creates a huge target for cyber attacks. A data breach could expose the sensitive information of millions of citizens to malicious actors. The lack of public information on the FBR’s cyber security protocols and its history of data-handling issues, as highlighted by a Federal Tax Ombudsman (FTO) inquiry, further exacerbates these security concerns.

While FBR’s tax transformation plan is a necessary and commendable step towards a modern, transparent economy, it is incomplete without a parallel commitment to data privacy. The effectiveness of e-Invoicing and digital reporting hinges on the cooperation of taxpayers.

This cooperation will only be sustained if the government can demonstrate a serious commitment to protecting their data. Passing a comprehensive ‘Data Protection Bill’ and introducing a ‘Taxpayer’s Charter of Rights’ is not an obstacle to progress; it is an essential component of it.

To make the tax transformation a true success, it must address the privacy predicament head-on. Without a legal framework that holds institutions accountable for data security, the digitalization drive risks alienating the very public it seeks to bring into the tax net. The path forward is clear: Pakistan must not only embrace technological innovation but also establish the legal and regulatory infrastructure needed to protect its citizens in the digital age.

The price of progress must not be the erosion of personal privacy.

Copyright Business Recorder, 2025