Briefing
Data, privacy, and the coming Pakistani data-protection regime: preparing now
Pakistan still has no general data-protection statute. The obligations that already bind you, the draft law waiting in the wings, and the work worth doing before it arrives.
8 July 2026 · 5 min read · The First Counsel
Draft — for lawyer review before publication
Pakistan is one of the larger economies still operating without a general data-protection law. That sentence is repeated so often that it breeds a dangerous conclusion: that personal data in Pakistan is unregulated. It is not. A patchwork of constitutional principle, criminal statute, and sectoral regulation already applies, foreign law reaches into Pakistani businesses through contracts and extraterritorial statutes, and a comprehensive bill has been through successive drafts and remains on the legislative agenda. This briefing maps the position as of July 2026 and sets out what a prudent business does before the statute lands.
The law that exists today
The starting point is constitutional. Article 14 of the Constitution protects the dignity of man and the privacy of the home, and the superior courts have treated informational privacy as falling within its shelter in a line of cases on surveillance and disclosure [CITATIONS — TO BE VERIFIED]. Article 14 does not give a customer a claim against a company in the way a data-protection statute would, but it shapes how courts read every other instrument, and it grounds writ petitions against state handling of personal information.
The criminal layer is the Prevention of Electronic Crimes Act 2016. PECA punishes unauthorised access to information systems and data, unauthorised copying and transmission of data, interference with systems, and the unauthorised use of identity information — the provision closest to a data-breach offence, which also allows an affected person to seek destruction of unlawfully held identity data [section numbers — TO BE VERIFIED BY REVIEWING LAWYER]. The 2025 amendment reorganised enforcement, replacing the FIA's cybercrime wing with the National Cyber Crime Investigation Agency and creating a new social-media regulatory authority [Prevention of Electronic Crimes (Amendment) Act 2025 — institutional details TO BE VERIFIED BY REVIEWING LAWYER]. For companies, PECA matters in two directions: it criminalises attacks on your systems, and it criminalises what your own employees may do with other people's data.
The sectoral layer is where day-to-day compliance actually lives. Banks operate under State Bank of Pakistan requirements on customer confidentiality, outsourcing, and the location and control of customer data [applicable SBP circulars and framework — TO BE VERIFIED BY REVIEWING LAWYER]. Telecom operators hold subscriber data under PTA licence conditions and regulations, and the Removal and Blocking of Unlawful Online Content Rules 2021 impose obligations on platforms [status of the 2021 Rules after the 2025 amendment — TO BE VERIFIED BY REVIEWING LAWYER]. NADRA's statute governs the country's largest identity database. None of this is a coherent regime, but each piece is enforceable now, and regulators have used them.
The draft statute
A Personal Data Protection Bill has circulated in successive versions since 2018, with substantial redrafts in 2021 and 2023. The drafts have converged on a recognisable architecture: a National Commission for Personal Data Protection; obligations on data controllers and processors; consent as the primary lawful basis with defined exceptions; data-subject rights of access, correction and erasure; breach-notification duties; restrictions on cross-border transfer; a localisation requirement for defined categories of critical personal data; and administrative penalties large enough to be board-level items [all features per the most recent public draft — TO BE VERIFIED BY REVIEWING LAWYER]. As of July 2026 the bill has not been enacted [status — TO BE VERIFIED BY REVIEWING LAWYER].
Two features of the drafts deserve early attention because they drive infrastructure, not paperwork. The first is localisation: if critical personal data must be kept in Pakistan, businesses running on foreign cloud regions will face migration decisions with long lead times. The second is cross-border transfer control: groups that move Pakistani customer or employee data to overseas affiliates as a matter of routine will need a lawful transfer mechanism, and the drafts leave the details to the future commission. Neither problem can be solved in the compliance window a new statute typically allows.
The law that already reaches you from abroad
For many Pakistani businesses the most demanding data-protection rules currently binding them are foreign. The EU GDPR applies to Pakistani companies that offer goods or services to persons in the EU or monitor their behaviour; UK GDPR operates similarly. Export-oriented technology and back-office businesses meet these regimes contractually as well: data-processing agreements imposed by foreign customers routinely require GDPR-grade security, breach notification within fixed hours, sub-processor controls, and audit rights. A Karachi software house with European clients is, in practical terms, already regulated — by contract, with damages and termination as the sanction. Treating the future Pakistani statute as the first compliance event misreads the present.
Preparing now
The work that pays off does not depend on the final text of the bill, because every serious data-protection regime demands the same foundations.
Know your data. A data map — what personal data you hold, where it sits, which systems and vendors touch it, and where it crosses borders — is the prerequisite for every later obligation, and it is the exercise companies most regret deferring.
Fix the contracts. Vendor and affiliate agreements should already contain confidentiality, security, breach-notification and return-or-destruction clauses. Retrofitting a vendor estate after a statute passes is slow; doing it now, on renewal cycles, is cheap.
Adopt retention discipline. Data you no longer hold cannot be breached, demanded, or regulated. Most Pakistani businesses keep everything forever. A retention schedule aligned with tax, corporate and employment record-keeping requirements reduces exposure immediately.
Build the breach playbook. PECA exposure, sectoral rules, and foreign contracts already make breach response a legal event, not only a technical one. Decide in advance who convenes, who preserves evidence, when counsel is engaged, and who is notified, so the first hours of an incident are execution rather than debate.
Assign ownership. The draft bills contemplate accountable officers. Appointing someone now — with a mandate and a budget — converts the eventual statute from a shock into a project.
What this means for you
Do not wait for the statute to be passed to begin; the foundations are regime-neutral and the lead times are real. Start with the data map and the vendor contracts, because they take longest. If you serve EU or UK customers, or sign data-processing agreements with foreign counterparties, treat those obligations as your current baseline and build once to that standard. If your architecture keeps Pakistani personal data on foreign infrastructure, model the localisation scenario now and know your migration cost before the law fixes your deadline. Put breach response on paper and rehearse it once. And have someone watch the bill: the compliance window in the final Act will be measured in months, and the businesses that meet it will be the ones that spent this period preparing while the law was still a draft.
