A new Personal Data Protection Bill 2018 Draft (the “Bill”) has been proposed by the Ministry of Information Technology and Telecommunication (“MOITT”) of Pakistan. With this Bill, Pakistan may soon join the wave of new data protection laws that have been drafted or passed since Europe’s General Data Protection Regulation (GDPR). If passed, the Bill will give organizations one to two years from its promulgation date to prepare for compliance depending on the choice of the Federal Government. Currently, the Bill is still open for consultation at http://www.moitt.gov.pk/frmDetails.aspx
A new enforcement body, the National Commission for Personal Data Protection (NCPDP), will be established under the Bill. NCPDP will receive and decide complaints from individuals, as well as engage, support, guide, facilitate, train and persuade data controllers and data processors to ensure protection of personal data.
The current draft of the Bill has 25 pages with requirements and individual rights similar to the GDPR.
Consent is required for processing
Similar to the GDPR, consent will be required for processing personal data. In addition, alternative conditions can be used for processing personal data, including where processing is necessary for (1) the performance of a contract or (2) entering into a contract; (3) compliance with a legal obligation; (4) protecting the vital interests of the data subject; (5) the administration of justice; or (6) the exercise of any functions conferred on any person by or under any law.
**Explicit consent will be required for processing sensitive personal data.**
Notice to the data subject
The Bill will require a data controller, when collecting personal information, to notify the data subject in writing of the purpose of processing, the specific personal information being processed, as well as data subject rights, etc. However, the Bill does not include a security breach notification requirement, which is a requirement featured under the GDPR. It would provide more protection for personal data if such a requirement were included in the finalized version.
A data controller shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. In addition, a data controller shall ensure its data processor has sufficient technical and organizational security measures. This requirement is similar to the security of processing requirement under the GDPR.
Record to be kept by data controller
A data controller shall keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by such data controller. This differs from the GDPR, which places this obligation on both the data controller and the processor; under the Pakistan Data Protection Bill, the obligation is only on the data controller.
Rights of data subjects:
Right of access to personal data
A data subject will be entitled to request in writing a copy of his or her personal data. The copy should be provided in an intelligible form. The GDPR provides a similar right of access and a right to data portability.
**A data subject may be required to pay a prescribed fee for the information request.**
Right to correct personal data
A data subject may make a data correction request in writing to the data controller, and the necessary correction shall be made by the controller. This is similar to the GDPR right to rectification.
Withdrawal of consent to process personal data
A data subject may, by notice in writing, withdraw consent to the processing of his or her personal data. Upon receiving the notice, the data controller shall cease the processing. Under the GDPR, data subjects have a similar right to object.
Right to prevent processing likely to cause damages or distress
A data subject may deliver a “data subject notice” in writing to the data controller, requiring the data controller to:
- cease the processing of or processing for a specified purpose or in a specified manner; or
- not begin the processing of or processing for a specified purpose or in a specified manner
This right applies if the processing of personal data for a certain purpose is causing or is likely to cause substantial damage or distress to the data subject or another person and the damage is or would be unwarranted. This is similar to the right to restriction of processing under the GDPR.
Right to erasure
A data subject will be entitled to request erasure of his or her personal data held by the data controller when the conditions set in the Bill are met, which is similar to the right provided under the GDPR.
Rights of foreign data subjects
A foreign data subject shall have all his or her rights, if any, provided under the laws of the country or territory where the foreign data has been collected or where the data subject resides, in so far as consistent with this Bill. However, unlike under the GDPR, foreign data subjects only have rights against the data controller under the Pakistan Data Protection Bill.
Enforcement is also an important consideration. Under the Bill, an individual may bring complaints to NCPDP, or to court for prosecution if dissatisfied with an NCPDP decision. There is also a maximum fine of up to 5 million Rupees (40,580 USD) for unlawful processing of personal data and misuse of someone’s personal information gathered online.
How OneTrust Helps
As the global privacy landscape continues to evolve and change, OneTrust’s Privacy Team tracks and researches international developments in data protection law and makes that information available in a way that allows you to easily operationalize your privacy program. Research from OneTrust’s Privacy Team is built into the software, giving customers the most up-to-date information to make smart decisions quickly. Each week, OneTrust’s Last Week in Privacy series from the Privacy Team provides the top international privacy industry news updates and new regulations. In addition, OneTrust’s Privacy Team provides insight on data protection laws in California, Canada, India and Brazil.