AGL 40.00 Decreased By ▼ -0.16 (-0.4%)
AIRLINK 129.53 Decreased By ▼ -2.20 (-1.67%)
BOP 6.68 Decreased By ▼ -0.01 (-0.15%)
CNERGY 4.63 Increased By ▲ 0.16 (3.58%)
DCL 8.94 Increased By ▲ 0.12 (1.36%)
DFML 41.69 Increased By ▲ 1.08 (2.66%)
DGKC 83.77 Decreased By ▼ -0.31 (-0.37%)
FCCL 32.77 Increased By ▲ 0.43 (1.33%)
FFBL 75.47 Increased By ▲ 6.86 (10%)
FFL 11.47 Increased By ▲ 0.12 (1.06%)
HUBC 110.55 Decreased By ▼ -1.21 (-1.08%)
HUMNL 14.56 Increased By ▲ 0.25 (1.75%)
KEL 5.39 Increased By ▲ 0.17 (3.26%)
KOSM 8.40 Decreased By ▼ -0.58 (-6.46%)
MLCF 39.79 Increased By ▲ 0.36 (0.91%)
NBP 60.29 No Change ▼ 0.00 (0%)
OGDC 199.66 Increased By ▲ 4.72 (2.42%)
PAEL 26.65 Decreased By ▼ -0.04 (-0.15%)
PIBTL 7.66 Increased By ▲ 0.18 (2.41%)
PPL 157.92 Increased By ▲ 2.15 (1.38%)
PRL 26.73 Increased By ▲ 0.05 (0.19%)
PTC 18.46 Increased By ▲ 0.16 (0.87%)
SEARL 82.44 Decreased By ▼ -0.58 (-0.7%)
TELE 8.31 Increased By ▲ 0.08 (0.97%)
TOMCL 34.51 Decreased By ▼ -0.04 (-0.12%)
TPLP 9.06 Increased By ▲ 0.25 (2.84%)
TREET 17.47 Increased By ▲ 0.77 (4.61%)
TRG 61.32 Decreased By ▼ -1.13 (-1.81%)
UNITY 27.43 Decreased By ▼ -0.01 (-0.04%)
WTL 1.38 Increased By ▲ 0.10 (7.81%)
BR100 10,407 Increased By 220 (2.16%)
BR30 31,713 Increased By 377.1 (1.2%)
KSE100 97,328 Increased By 1781.9 (1.86%)
KSE30 30,192 Increased By 614.4 (2.08%)

ISLAMABAD: The Ministry of Information, Technology and Telecommunication has finalised the “Personal Data Protection Bill, 2023”, proposing a fine which may extend to $2 million or an equivalent amount in Pakistani rupees for those who process or cause to be processed, disseminate or disclose personal data in violation of any of the provisions of the proposed legislation.

The draft of the bill, a copy of which is available with Business Recorder, stated that “the Personal Data Protection Bill, 2023” is devised to regulate the collection, processing, use, disclosure, and transfer of personal data and additionally provides a data protection mechanism including the offences concerning the violation of data privacy rights of an individual.

Where a person collects, processes, stores, uses, and discloses data, it must respect the rights, freedoms, and dignity of an individual for matters connected therewith and ancillary thereto.

Senate body informed: Global firms wary of investing in country due to absence of data protection law

The federal government shall, by a Gazetted notification, establish a Commission for this Act, which shall be called the National Commission for Personal Data Protection (NCPDP) of Pakistan, within six months of the commencement of this Act.

It shall come into force not beyond two years from the date of its promulgation as the federal government may determine by notifying in the Official Gazette by providing at least three months’ advance notice from the effective date.

This bill is to lay out the modus operandi and ancillary details for the usage of personal data such as processing, collection, storage, and disclosure by government, organizations, and individuals for processing purposes because of necessary care, and obligations enunciated in this Bill.

It nourishes the environment of fair practices in the digital economy by offering legal protections in online transactions and sharing of personal and sensitive information or data for personal, international e-commerce, and e-government services.

Keeping in view potential approaches, the Personal Data Protection Bill of 2023 will be enacted in line with a present patchwork of global and regional legislations on the protection of personal data to match common grounds and identify areas where different approaches tend to diverge.

Rapid technological advancement and enhanced use of internet services have digitised a wide range of economic, political, and social activities that are having a transformational impact on the way businesses were conducted, and the interaction of people amongst themselves, as well as with the government, enterprises, and other stakeholders.

The Bill ensures to afford extra protection for children, concerning their data. Fostering trust online is a fundamental challenge to ensure that the opportunities emerging out of the economy can be fully leveraged.

As the global economy shifts to connected information space, its central component is personal data that drives online cross-border commercial activity, the flow of which may affect individuals, businesses, and government. This Bill ensures that any personal data shall be collected only by lawful, fair, and consensual means from an individual and must be used or disclosed for the purposes for which the data were collected or any other directly related purpose.

Grounds for processing personal data include; (1) Personal data shall be collected, processed, and disclosed by a data controller/data processor lawfully and fairly by complying with the provisions of this Act. (2) The personal data shall be collected for specified, explicit and legitimate purposes, which shall not be processed further that is incompatible with the aforementioned purposes and shall be adequate, relevant, and limited to the purposes for which the data is processed. (3) The data controller and/ or data processor whether digitally or non-digitally operational within the territory of Pakistan shall register with the Commission in such manner as may be specified by the registration framework to be formulated by the Commission provided that the data controller and/ or data processor is already registered with any public body in that case, it shall only be required to intimate the Commission. (4) The data controller and/ or data processor identified as “significant” by the Commission shall be required to appoint a data protection officer, who is well versed in the collection and processing of personal data and the risks associated with processing.

The personal data of any kind of a data subject shall not be processed unless the data controller seeks his consent before the commencement of the processing of the data or as prescribed under the provisions of this Act.

Given the national interest, the Commission shall prescribe the best international standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction.

In the event of a personal data breach, the data controller shall without undue delay and where reasonably possible, not beyond 72 hours of becoming aware of the personal data breach, must notify the Commission and the data subject except where the breach is unlikely to result in the infringement of rights and freedoms of the data subject.

Where personal data excluding critical personal data is required to be transferred to an entity/ entities or system located beyond the borders of Pakistan, which is not under the direct control of the Government of Pakistan, it shall be ensured that the country where the data is being transferred offers at least adequate personal data protection legal regime which is consistent to the protection provided under this Act and the data which is transferred shall be processed as per the provisions of this Act and, where applicable, the data subject shall give explicit consent. (2) Critical Personal Data shall only be processed in a server(s) or digital infrastructure located within the territory of Pakistan.

Whosoever processes or disseminates or discloses any personal data in violation of the provisions of this Act shall be punished with a fine up to 125,000 USD or an equivalent amount in Pakistani rupees and in case of subsequent unlawful processing of personal data, the fine may be raised up to 250,000 USD or an equivalent amount in Pakistani rupees.

In case, where the offence is committed under sub-section (1) and relates to sensitive personal data the offender may be punished with a fine of up to 500,000 USD or an equivalent amount in Pakistani Rupees. (3) In case, where the offence is committed under sub-section (1) and relates to critical personal data, the offender may be punished with a fine of up to 1,000,000 USD or an equivalent amount in Pakistani rupees or as the Commission deems appropriate.

Whosoever fails to adopt adequate security measures to ensure data security, as per the provisions laid down in this Act, Rules, and regulations, shall be punished with a fine of up to 50,000 USD or an equivalent amount in Pakistani Rupees. When an individual fails to comply with the orders of the Commission or the court when he is required to obey shall be punished with a fine of up to 50,000 USD or an equivalent amount in Pakistani rupees.

Where a data controller and/ or data processor contravenes with any provision of this Act or the Rules or regulations made there-under or policy issued by the Federal Government, or any direction issued by the Commission or condition of the registration, the Commission may by a written notice within fifteen days require data controller and/ or data Processor reasons for the non-issuance of the enforcement order.

The notice referred to in sub-section (2) shall specify the nature of the contravention and adequate steps to be taken by the licensee for the redressal of the contravention.

Where anyone fails to: - (a) respond to the notice referred to in sub-section (2); or (b) satisfy the Commission about the alleged contravention; or (c) remedy the contravention within the time allowed by the Commission may by a written order and furnishing reasons for that shall: - (i) levy fine which may extend to 2,000,000 USD or an equivalent amount in Pakistani rupees; or (ii) suspend or terminate the registration and impose additional conditions.

Notwithstanding anything mentioned above, the legal person shall be punished with a fine not exceeding one per cent of its annual gross revenue in Pakistan or 200,000 USD whichever is higher or an equivalent amount in Pakistani rupees or as may be assessed by the Commission.

Copyright Business Recorder, 2023

Comments

Comments are closed.