Pakistan’s DP Bill: DPA will have powers, but lacks independence
Organisations need to pay attention to the provisions on cross-border transfers and data localisation. By Graham Greenleaf.
Pakistan is the world’s fifth most populous country, with a population exceeding 210 million, and a rapidly expanding middle class. It is the most economically significant Asian country not to have a data privacy law. As a South Asian country and member State of SAARC (South Asian Area of Regional Cooperation), it is part of a sub-region which is in the midst of developing modern, GDPR-influenced data privacy laws, as can be seen the current Bills before the legislatures of India(1) and of Sri Lanka.(2) Pakistan has few privacy protections at present.(3)
Pakistan’s Ministry of Information Technology and Telecommunications (MOITT) released a new Personal Data Protection Bill 2020 (PDPB)(4) on 9 April 2020, the latest in a series of draft Bills on which consultations have been held since 2017. It called for submissions on the draft Bill, by 30 May 2020, stating that privacy of personal data was more relevant than ever in the current pandemic. (5) Pakistan pledged to enact data protection and privacy legislation as a part of Open Government Partnership commitments in 2017.(6) Pakistan’s Ministry of Commerce published a revised version of the country’s e-commerce policy(7) as recently as 13 November 2019, referring to a data protection law which would provide for data sovereignty and data localization and address issues relating to e-Commerce, including requiring all e-commerce platforms to make full disclosures regarding data protection provisions on their websites and apps. It appears that there may be some competition between Ministries for influence over the final shape of the legislation.