Personal Data Protection Bill, 2023: Pakistan Introduces Fines up to $2 Million for Data Leaks

The “Personal Data Protection Bill, 2023” in Pakistan introduces stringent penalties for mishandling personal data, aiming to protect individuals’ privacy and data rights. The bill, recently approved by the Federal Cabinet, outlines fines and consequences for processing or disclosing personal data in violation of its provisions.

Fines and Penalties:

1. Fine up to $2 Million: Any individual or organization found processing, disseminating, or disclosing personal data in contravention of the bill may face a fine of up to $2 million or an equivalent amount in Pakistani rupees.
2. Data Controller and Processor Obligations: Data controllers and processors must adhere to specific requirements laid out in the bill. They are mandated to respect individuals’ rights, freedoms, and dignity while processing, collecting, and disclosing data.
3. Establishment of National Commission: The bill stipulates the creation of the National Commission for Personal Data Protection (NCPDP) within six months of the act’s commencement. The NCPDP will oversee the implementation and enforcement of the personal data protection regulations.
4. Timeframe and Enforcement: The bill will come into effect not later than two years from its promulgation, as determined by the federal government. The Commission will notify the effective date at least three months in advance.
5. Protection for Children’s Data: The bill emphasizes extra protection for children’s data, ensuring their privacy rights are safeguarded.
6. International Standards and Data Breach Reporting: The Commission will prescribe international standards for personal data protection to prevent unauthorized access, modification, or disclosure. In case of a data breach, data controllers must notify the Commission and the affected data subjects within 72 hours.
7. Transfer of Personal Data: Personal data can only be transferred to entities or systems located outside Pakistan if they offer adequate data protection in line with this Act. Critical personal data must remain within Pakistan’s territory.
8. Graduated Fines: The bill outlines escalating fines based on the type of data involved in the violation:
   • For non-sensitive personal data violations: Fine up to $125,000 or an equivalent amount in Pakistani rupees, with subsequent violations possibly resulting in fines up to $250,000.
   • For sensitive personal data violations: Fine up to $500,000 or an equivalent amount in Pakistani rupees.
   • For critical personal data violations: Fine up to $1,000,000 or an equivalent amount in Pakistani rupees.
9. Non-Compliance with Security Measures: Failure to adopt adequate security measures for data protection may result in a fine up to $50,000 or an equivalent amount in Pakistani rupees.
10. Non-Compliance with Commission’s Orders: Individuals who fail to comply with the Commission’s orders may face a fine up to $50,000 or an equivalent amount in Pakistani rupees.
11. Contravention of Provisions: In case of contravention of the Act, the Commission may issue a written notice to the data controller or processor, specifying the violation and necessary actions. Failure to respond to the notice or rectify the contravention may result in fines, suspension, or termination of registration.

The “Personal Data Protection Bill, 2023” aims to strengthen data privacy and security, instilling confidence in individuals, organizations, and businesses operating in the digital economy. As Pakistan advances in the digital age, the bill sets a robust framework for the responsible use and protection of personal data.