The Personal Data Protection Bill (PDPB) of 2023 is Pakistan's proposed law to give you control over your personal information and hold organizations accountable for how they handle it. It has not yet been enacted, but it is expected to be a game-changer for both individuals and businesses in Pakistan.
Pakistan is building a digital economy, and the rules for protecting people's data are changing dramatically. Businesses and organizations that collect or handle citizens' personal information can no longer just follow "good practices" if they feel like it—they will soon have to follow strict legal requirements. This note explains the main points of two important documents: the draft Personal Data Protection Bill (PDPB) from May 2023 (which isn't law yet), and the mandatory security rules issued in August 2025 by Pakistan's cyber emergency team, PKCERT (called the "PKCERT Advisory").
🛡️ Key Concepts in Simple Language:
Here’s what the PDPB is all about:
- Your Data, Your Rules: The law recognizes that any piece of information that can be used to identify you (from your name, CNIC number, and address to your banking history and even your online browsing habits) is your personal data, and that you get a real say in how it is used.
- Yes Means Yes (Consent): Companies can't just assume they have your permission. They need your clear, informed, and unambiguous "yes" to collect and use your personal information. You can also say "no" or withdraw your permission at any time.
- Special Protection for Your Secrets: Some information is so sensitive that the law gives it extra protection. This includes your bank details, health records, CNIC/passport numbers, biometric data (like fingerprints), religious beliefs, and political views.
- Playing by the Rules: Companies that collect your data (Data Controllers) can't just do whatever they want. They must follow strict principles: they can only collect what they need for a specific purpose, keep it accurate, use it fairly, and not keep it forever.
- Making Things Right: A new watchdog called the National Commission for Personal Data Protection (NCPDP) will be set up to enforce the law. If a company violates your data rights, the NCPDP can investigate, impose heavy fines, and take other action.
📋 How Your Digital Data is Protected
The PDPB creates a system of accountability, requiring businesses to implement specific measures to protect your personal information:
- Your New Legal Rights: The law gives you powerful new rights over your data. You can:
  - Access your data: Know exactly what information a company holds about you.
  - Correct your data: Fix any wrong or incomplete information.
  - Erase your data: Request that a company delete your information when it's no longer needed.
  - Withdraw consent: Take back your permission for a company to use your data.
  - Port your data: Receive your data in a common format to transfer to another service provider.
- Mandatory Security Measures: Companies will be legally required to implement strong security measures to prevent data breaches, hacking, or leaks.
- Data Breach Rules: If a company suffers a data breach, it must notify the regulator (the NCPDP) and the affected customers as quickly as possible, and in any case within 72 hours.
- Data Localization: Highly sensitive information classified as "critical personal data" must be stored and processed on servers physically located within Pakistan. This is a key, and sometimes controversial, part of the law.
🌍 The Cross-Border Data Challenge
The PDPB has strict rules for transferring Pakistani citizens' data to other countries, which is a huge consideration for any business that uses global services.
- The "Adequacy" Rule: You can only transfer personal data (excluding the highest-level "critical" data) to another country if that country has data protection laws that are considered "at least adequate" compared to Pakistan's standards.
- The "Critical Data" Mandate: As mentioned, "critical personal data" must stay on servers within Pakistan, and its transfer outside the country is largely prohibited.
- Explicit Consent for Transfers: Even if the destination country's laws are not deemed adequate, a transfer might still be possible if the individual gives their explicit, informed consent, or if a binding contract with specific safeguards is in place.
📈 Business Advantages of Embracing the PDPB
Instead of seeing the PDPB as just another regulation, smart Pakistani businesses can use it as a competitive advantage:
- Build Trust, Attract Customers: By respecting customer data and being transparent about your practices, you build a strong brand reputation for trustworthiness, which is a powerful differentiator.
- Gain a Global Edge: Proactive compliance with a law modeled on the GDPR positions you as a serious and reliable partner for international companies, especially those in Europe, for whom data security is a top requirement.
- Prevent Costly Fines: The financial penalties for non-compliance are very high, including potential fines of up to $2 million for severe violations. Investing in compliance is a fraction of the cost of paying these fines.
- Improve Operational Efficiency: The law's principles of data minimization (collect only what you need) and storage limitation (delete what you don't need) will force you to clean up messy data practices, leading to more efficient and cost-effective operations.
- Get Ahead of the Curve: The law is coming, but it's not here yet. Companies that start preparing their policies, systems, and staff now will have a smooth, less disruptive transition compared to those who wait until the last minute.
🔎 What's the Current Status of the PDPB?
The bill has been a long time coming. Drafts have existed since as early as 2005, but a final version has yet to be passed by Parliament. The most recent draft was approved by the federal cabinet in 2023, but it has since stalled. It's important to note that as of April 2026, the PDPB is still not a law, and Pakistan continues to operate without a comprehensive data protection framework. However, many experts and businesses expect it to eventually be passed.
In the meantime, the current legal landscape relies on a patchwork of laws, including the constitutional right to privacy (Article 14) and the Prevention of Electronic Crimes Act (PECA) 2016, which offers limited protections.
Strategic Recommendations for Improving the PDPB 2023
The Personal Data Protection Bill (PDPB) 2023 provides a foundational framework, but a control-by-control comparison counts 30 controls in the Bill against 44 in the GDPR, and several gaps remain before full alignment can be achieved. While the Bill includes core elements such as mandatory breach notification (within 72 hours) and basic data subject rights, it needs refinement in key areas to meet international standards.
Based on a detailed gap analysis of the PDPB 2023, here are strategic recommendations to improve the law and bring it into closer alignment with the EU's General Data Protection Regulation (GDPR).
1. Grant True Independence to the Data Protection Authority
The PDPB's National Commission for Personal Data Protection (NCPDP) is currently placed under federal government control, which fundamentally compromises its ability to function as an independent regulator. Under the GDPR, Data Protection Authorities (DPAs) must be completely independent in carrying out their duties and exercising their powers. To rectify this, the NCPDP should be structured as a constitutionally independent body with its own budgetary autonomy. Its leadership should be appointed through a transparent, multi-stakeholder selection process with fixed, non-renewable terms to insulate it from political pressure. Additionally, the NCPDP must be granted robust enforcement powers, including the authority to conduct investigations, issue binding decisions, and impose administrative fines without seeking prior government approval.
2. Eliminate Administrative Fees for Data Subject Access Requests
The PDPB currently allows the NCPDP to impose administrative fees for individuals seeking to access their own personal data. This practice contradicts international standards and the GDPR, which generally mandates that information provided to data subjects should be free of charge. Such fees would create a significant barrier to exercising fundamental privacy rights, effectively pricing many citizens out of accessing their own information. The Bill should be revised to guarantee that the right to access is free of charge, with very limited exceptions only for manifestly unfounded or excessive requests.
3. Reform Data Localization Provisions with a Flexible Model
The PDPB's rigid requirement for "critical personal data" to be stored exclusively on servers within Pakistan is impractical given the country's infrastructure and energy constraints, and it does not by itself improve security: localization fixes where data sits, not how well it is protected, and concentrating sensitive records in a small number of domestic facilities can make them a more attractive target. The mandate has also drawn sharp criticism from global technology companies and would deter foreign investment while increasing operational costs for local businesses.
Instead, Pakistan should adopt a GDPR-style model that prioritizes protective measures over absolute data residency. The GDPR does not mandate data localization; it permits transfers to third countries that provide an "adequate" level of protection and, in the absence of an adequacy decision, allows transfers under appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). This protects data without stifling cross-border data flows. A similar hybrid model for Pakistan would rely on SCCs, BCRs, and robust contractual safeguards rather than an outright ban on the transfer of critical data.
4. Clarify Ambiguous Definitions and Strengthen Legitimate Interests
The PDPB relies heavily on ambiguous terms such as "legitimate interest," "public interest," and "national interest" without providing clear definitions, creating significant scope for misuse by data controllers. While the GDPR includes a legitimate interests provision, it explicitly requires controllers to balance their interests against the fundamental rights and freedoms of the data subject. The PDPB currently lacks this critical caveat.
Furthermore, the Bill lacks clear guidelines on what constitutes "free and informed" consent, leaving it vulnerable to manipulation through dark patterns. To address these gaps, the PDPB should adopt GDPR-style balancing tests for legitimate interests processing, establish clear, enforceable standards for valid consent, and explicitly prohibit the use of dark patterns. The definitions of "sensitive personal data" and "critical personal data" should also be refined to be precise and narrow, preventing overbroad application that could negatively impact private companies.
5. Enhance Data Subject Rights and Breach Notification Provisions
While the PDPB includes basic data subject rights such as access, correction, and erasure, these provisions lack the clarity and specificity of their GDPR counterparts. The Bill's guidelines on data retention and erasure are not as strict as the GDPR's "right to be forgotten". Moreover, while the Bill mandates breach notification to both the NCPDP and affected individuals within 72 hours, the scope of exemptions and the practical implementation details remain unclear.
To align with global standards, the PDPB should strengthen data subject rights by providing clear, enforceable timeframes for compliance, requiring organizations to respond to access and erasure requests within one month (the GDPR baseline, extendable for complex requests), and mandating proportionate procedures for verifying a requester's identity, so that a request cannot be used to extract someone else's data but also does not demand more identification than the request warrants. The Bill should also include robust provisions for data portability, allowing individuals to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. Additionally, the breach notification framework must be clarified to define precisely which types of breaches require notification and to ensure that exemptions are narrowly construed.
6. Increase Penalties and Strengthen Enforcement Mechanisms
The financial penalties under the PDPB are significantly lower than GDPR standards. Under the GDPR, fines for the most serious infringements can reach €20 million or 4% of global annual turnover, whichever is higher, whereas the PDPB's draft caps liabilities at fixed amounts of at most a few million dollars, a fraction of that scale for any large controller.
To ensure meaningful deterrence, the PDPB should adopt a tiered penalty structure based on the severity and nature of the violation. Maximum fines should be calculated as a percentage of global annual turnover for the most serious violations, such as unauthorized processing of sensitive data or failure to report a breach. This would create a strong incentive for compliance and align Pakistan's enforcement regime with international expectations. Additionally, the Bill should establish clear procedures for cross-border cooperation between the NCPDP and international data protection authorities, enabling joint investigations and enforcement actions.
7. Harmonize the PDPB with PKCERT's Mandatory Data Protection Measures
The PKCERT Advisory issued in August 2025 prescribes mandatory data protection measures for organizations handling Personally Identifiable Information (PII), including data classification, encryption, multi-factor authentication, secure data disposal, employee training, and continuous system monitoring. These measures apply to all public and private sector entities that collect, process, store, or transmit PII of Pakistani citizens.
To create a cohesive legal framework, the PDPB should explicitly reference and incorporate the PKCERT Advisory's technical security requirements as binding obligations. This would eliminate regulatory fragmentation and give organizations a single, unified set of compliance standards. The PDPB should also require organizations to maintain a data breach register, as is already mandated, and establish clear protocols for reporting incidents to both the NCPDP and PKCERT so that responses are coordinated rather than duplicated.
8. Expand Territorial Scope to Cover Foreign Entities
The PDPB currently has limited extraterritorial reach, which allows foreign entities processing the data of Pakistani citizens to operate outside its jurisdiction. This creates a significant enforcement gap and undermines the protection of citizen data. To align with GDPR's broad territorial scope, the PDPB should explicitly apply to any controller or processor established outside Pakistan that offers goods or services to data subjects in Pakistan or monitors their behavior within the country. This would ensure that international companies cannot evade compliance simply by operating from foreign jurisdictions.
9. Include Technical Expertise on the NCPDP
The current Bill does not provide for adequate technical representation on the NCPDP. Given the highly technical nature of data protection, including issues related to cybersecurity, encryption, and incident response, the Commission should include members with expertise in cybersecurity, information technology, and digital forensics. This would ensure that the NCPDP has the necessary technical competence to investigate breaches, evaluate security measures, and issue meaningful guidance to regulated entities.
10. Adopt a Graduated Compliance Timeline
Finally, the PDPB should recognize the diverse capabilities of organizations operating in Pakistan. Small and medium-sized enterprises (SMEs) may lack the resources to achieve immediate compliance with all provisions. A graduated compliance timeline, with extended deadlines for smaller entities and simplified requirements proportionate to their size and risk profile, would facilitate smoother implementation without compromising data protection standards for larger, higher-risk organizations.