Protecting rights

October 27, 2024

Pakistan continues to lack an enacted law to regulate the collection, processing and use of personal data


Pakistan lacks comprehensive data protection laws. The urgency of enacting such legislation has only grown in recent years. Despite various attempts to introduce a legal framework, including the tabling of the Personal Data Protection Bill, 2023, Pakistan still has no enacted law to regulate the collection, processing and use of personal data. This delay has significant implications for individuals, businesses and the state’s ability to engage with international markets. The lack of a robust data protection regime leaves citizens vulnerable to misuse of their personal information; exposes businesses to reputational and financial risks; and threatens the country’s ability to comply with international standards.

The Personal Data Protection Bill, 2023, was a much-needed attempt to fill the legislative void in Pakistan’s data privacy landscape. It proposed key provisions aimed at protecting personal data, including the definition of personal and sensitive data; requirements for obtaining informed consent from data subjects; and obligations on data controllers to ensure the security of the information they process. The bill also sought to establish a National Commission for Personal Data Protection responsible for monitoring compliance; investigating breaches; and imposing penalties on those who failed to adhere to the law. The bill also introduced mechanisms for regulating the transfer of personal data across borders, ensuring that any international data exchange met certain safeguards.

The bill has yet to be passed by the National Assembly. Legislation related to data protection, though important, has been sidelined in favour of more immediate political or economic issues. Also, there is no consensus among lawmakers and other stakeholders about the bill’s provisions. One point of contention is the balance between personal data protection and the government’s need for surveillance, especially in the context of national security and counter-terrorism efforts. Critics of the bill have argued that it could impose undue restrictions on the state’s ability to monitor communications and online activities, which they see as vital for maintaining internal security. On the other hand, privacy advocates assert that without sufficient safeguards, citizens remain exposed to unchecked state surveillance.

State surveillance has become an increasingly controversial issue in Pakistan, particularly as the government has expanded its use of digital technologies for intelligence gathering. The Prevention of Electronic Crimes Act 2016 already grants the state broad powers to monitor online communications in the name of cybersecurity and counterterrorism. This has led to concerns about the erosion of privacy rights and the potential misuse of surveillance tools. Without a robust data protection framework, there are few legal barriers preventing the government from accessing personal data without due process or oversight. The failure to enact the bill leaves these issues unresolved, allowing the state’s surveillance apparatus to operate in a legal grey zone.

The lack of political will is also informed by the concerns of the business community. Certain sectors, particularly those that rely heavily on data collection and processing, have lobbied against the bill’s more stringent provisions, arguing that compliance would impose heavy costs. These businesses fear that the requirements for obtaining explicit consent from users, ensuring data security and facing penalties for breaches would significantly increase their operational expenses. In the absence of strong advocacy from civil society or the international community, these concerns have delayed the bill’s passage. Additionally, the bill’s stipulations on cross-border data transfers have raised concerns about its potential impact on international trade and investment. Pakistan’s economy is increasingly integrated with global markets, and the country is home to a growing number of tech startups and e-commerce platforms that rely on cross-border data flows. The bill’s provisions requiring that personal data be stored and processed within Pakistan, or only transferred to countries with adequate data protection laws, have been seen as potentially restrictive for businesses that depend on foreign partnerships or services. In the absence of clarity on how these provisions would be implemented, there has been resistance from industries that fear being cut off from international data networks.

The importance of enacting a comprehensive data protection law cannot be overstated. The current legal framework is inadequate. While the Prevention of Electronic Crimes Act criminalises certain actions, it does not provide comprehensive protections for personal data. In the absence of a specific data protection law, citizens and businesses alike are left vulnerable to data breaches, unauthorised use of personal information and privacy violations.

Recent incidents have illustrated the urgent need for stronger legal protections. In 2018, Pakistan witnessed one of its largest data breaches when the banking sector was hit by a cyber attack compromising the personal and financial data of thousands of account holders. This breach not only caused significant financial losses but also exposed the weaknesses in Pakistan’s cybersecurity infrastructure. The affected banks were slow to respond and many customers were left without adequate recourse to recover their losses. The incident highlighted the need for clear legal obligations on businesses to protect personal data and notify affected individuals in the event of a breach.

The absence of a comprehensive data protection law has raised concerns about how government agencies handle citizens’ data. The National Database and Registration Authority, which holds vast amounts of personal information on Pakistani citizens, has faced allegations of data leaks and unauthorised sharing of information with other state entities. Without strong legal safeguards, there is little recourse for individuals whose data has been misused by public authorities.

From an international perspective, Pakistan’s failure to enact data protection legislation puts the country at a disadvantage. Many countries, particularly those in the European Union under the General Data Protection Regulation, have strict requirements for how personal data is handled by foreign entities. Pakistan’s lack of a comparable law means that its businesses may struggle to engage with foreign markets that require robust data protection standards. For example, a Pakistani company providing services to EU citizens could face legal challenges under GDPR if it fails to meet the EU’s data protection standards. The passage of the 2023 bill could help Pakistan align with international norms and facilitate greater economic cooperation.

The delay in passing the bill reflects a broader failure to prioritise data privacy in a rapidly digitising world. It is essential that the government takes action to close this legislative gap. The stakes are too high to ignore.


The writer is an advocate of High Court, a founding partner at Lex Mercatoria and a visiting teacher at Bahria University’s Law Department. She can be reached at minahil.ali12@yahoo.com
