Pakistan’s Federal Cabinet has given initial approval to the “Personal Data Protection Bill, 2023,” which aims to regulate the collection, processing, and use of personal data. The bill will create the National Commission for Personal Data Protection (NCPDP) within six months to enforce its provisions.
The bill focuses on protecting individuals’ rights and privacy, ensuri\\\\\\\\\ng data is collected lawfully and with explicit consent. Children’s data will have extra safeguards. All data controllers and processors in Pakistan must register with the NCPDP, and significant entities need to appoint a data protection officer.
In case of data breaches, controllers must notify the NCPDP and affected individuals within 72 hours. Cross-border data transfers will require adequate protection, and critical personal data will only be processed within Pakistan.
Violations of the bill can lead to fines ranging from $125,000 to $2 million, depending on the severity of the breach, and the NCPDP can issue notices and impose penalties, including registration suspension or termination. Organizations can face fines up to one percent of their annual gross revenue in Pakistan or $200,000, whichever is higher.
The bill aims to strengthen data protection in Pakistan’s digital economy, building public trust and fostering a secure digital ecosystem. It will come into force within two years of promulgation to give organizations time to comply with the regulations.
