The Ministry of Information Technology and Telecom in Pakistan has proposed a fine of up to$250,000 for the unlawful processing of personal data. The ministry has finalized the Personal Data Protection Bill 2023 draft, which aims to regulate the collection, processing, use, disclosure, and transfer of personal data while ensuring data protection.
Under the proposed legislation, individuals or entities found processing, disseminating, or disclosing personal data in violation of the provisions of the Act may face fines of up to$125,000. The fine amount may be doubled to$250,000 for more severe cases. Additionally, a fine of up to$50,000 has been suggested for those who fail to implement adequate security measures to safeguard data.
The bill establishes the National Commission for Personal Data Protection (NCPDP) of Pakistan, which will prescribe international standards for protecting personal data. Data controllers and processors, whether digitally or non-digitally operational in Pakistan, will be required to register with the Commission. Personal data can only be disclosed for the purpose for which it was collected, and data breaches must be reported to the Commission and the affected individuals within 72 hours unless the breach is deemed unlikely to infringe on individuals' rights and freedoms.
The proposed legislation aims to ensure the lawful and fair processing of personal data while safeguarding the privacy rights of individuals in Pakistan.