The First Counsel

Briefing

Preparing for Pakistan's Data-Protection Law Before It Arrives

The Personal Data Protection Bill is still a draft — but most of the compliance work it will demand can be started, and largely finished, under the rules that bind you today.


12 July 2026 · 6 min read · The First Counsel

Draft — for lawyer review before publication

Every few months a client asks the same question: has the data-protection law passed yet? The answer, as of July 2026, is no. The Personal Data Protection Bill remains a draft — it has circulated in successive versions and has not been enacted [current legislative status — TO BE VERIFIED BY REVIEWING LAWYER]. But the question behind the question is the better one: what should we be doing while we wait? This briefing answers that. The short version is that waiting is a strategy with a known failure mode. When Pakistani statutes of this kind finally pass, the transition window tends to be short, and the obligations they impose take longer to build than the window allows.

A bill, not a law — and why that distinction is not a holiday

Drafts of a Personal Data Protection Bill have been published by the Ministry of Information Technology and Telecommunication in several rounds since 2018, with substantive consultation drafts in 2021 and 2023 [draft history and most recent version — TO BE VERIFIED BY REVIEWING LAWYER]. No version is in force. Nothing in this briefing should be read as describing current statutory obligations under that bill, because there are none.

What the drafts do reliably tell you is the shape of what is coming, because they have converged. Each recent version contemplates a supervisory commission; registration or accountability duties for those who control and process personal data; consent as the default lawful basis, with exceptions; rights for individuals to access and correct their data; mandatory breach notification; controls on sending personal data out of Pakistan; a localisation rule for a defined class of sensitive or critical data; and financial penalties set at levels that reach the board [all features per public drafts — TO BE VERIFIED BY REVIEWING LAWYER]. A business that builds toward that shape now will not have guessed wrong by much, whatever the final text says.

The obligations that already exist

The absence of a general statute does not mean personal data in Pakistan sits in a legal vacuum. Three layers of binding law already touch it, and each one is enforced.

The first layer is criminal. The Prevention of Electronic Crimes Act 2016 makes it an offence to access an information system or data without authorisation, to copy or transmit data without authorisation, to interfere with systems, and to use another person's identity information without consent [section numbers — TO BE VERIFIED BY REVIEWING LAWYER]. Since the 2025 amendments, these offences are investigated by the National Cyber Crime Investigation Agency, the successor to the FIA's Cybercrime Wing. PECA cuts in both directions for an employer: it is the statute you invoke when your database is stolen, and the statute invoked against you when your employee sells customer records.

The second layer is older and easy to forget. The Electronic Transactions Ordinance 2002 gives legal effect to electronic records and electronic signatures, which is what makes consent gathered through an app or a website capable of standing up at all, and it contains its own offence provision addressing violation of the privacy of information held in electronic form [section and scope — TO BE VERIFIED BY REVIEWING LAWYER]. Any consent architecture you build for the coming statute will rest on ETO foundations, so those foundations are worth checking now — particularly how your systems record who agreed to what, and when.

The third layer is sectoral. Banks and electronic-money institutions answer to the State Bank of Pakistan on customer confidentiality, outsourcing arrangements, and the handling and location of customer data [applicable circulars and frameworks — TO BE VERIFIED BY REVIEWING LAWYER]. Telecom licensees hold subscriber data under Pakistan Telecommunication Authority licence conditions and regulations. NADRA's governing statute controls the identity data that many verification products consume. If you operate in a regulated sector, you already have a data regulator; the new statute will add a second one, not a first.

There is also a contractual layer that behaves like law. Pakistani companies serving customers in the EU or the UK meet the GDPR through data-processing agreements whose breach clauses carry termination and indemnity consequences. For an export-facing business, those contracts are usually the strictest data rules it is subject to today, and they are a serviceable rehearsal for the statute.

The preparation that cannot be wasted

The test for acting now is simple: do only the work that keeps its value under any plausible final text. Six items pass that test.

Build the inventory first. You cannot notify a breach, answer an access request, or certify localisation for data you cannot locate. A defensible record of what personal data the business holds, in which systems, touched by which vendors, and crossing which borders is the foundation for every obligation in every draft — and it is the item with the longest lead time, because it requires cooperation from every department.

Trace your cross-border flows. Payroll processed on regional infrastructure, customer records in a foreign cloud region, analytics tools shipping identifiers abroad — each is a future transfer-control and localisation question. Knowing the flows now lets you price the migration scenario before a statute prices it for you.

Repair the vendor estate on the renewal cycle. Contracts with processors, cloud providers, and group affiliates should already carry confidentiality, security, breach-notification and deletion terms. Adding them at renewal costs almost nothing; renegotiating an entire estate inside a statutory transition window costs a great deal.

Stop keeping everything. Most Pakistani businesses retain data indefinitely because storage is cheap and deletion feels risky. Under a data-protection regime the calculus inverts. A retention schedule reconciled with tax, corporate and employment record-keeping periods reduces breach exposure immediately and shrinks the future compliance surface.

Write the breach playbook against current law. PECA, sectoral rules and foreign DPAs already make an incident a legal event. Decide now who convenes, when counsel is engaged to protect privilege over the forensic work, which contracts require notification within fixed hours, and whether and how to approach the NCCIA.

Name an owner. Every draft contemplates accountable officers. Appointing one now, with budget and a reporting line, turns enactment day into a project milestone instead of an emergency. Our data-privacy practice runs this exercise as a standing readiness programme rather than a one-off audit, because the bill's timetable is not in anyone's control — but the state of your files is.

Data-protection readiness checklist

  • Map every system, database and vendor that holds personal data, and name a business owner for each.
  • Record where each dataset is physically hosted and every border it crosses.
  • Identify data collected from individuals and confirm what they were told at collection.
  • Verify that electronic consent records are retrievable and attributable under the Electronic Transactions Ordinance 2002.
  • List all contracts with foreign customers containing data-processing obligations, with their notification deadlines.
  • Insert confidentiality, security, breach-notification and deletion clauses into vendor contracts at each renewal.
  • Adopt a written retention schedule reconciled with tax, corporate and employment record-keeping periods — then actually delete.
  • Draft a breach-response plan naming the convener, counsel, and every mandatory or contractual notification.
  • Assess your PECA exposure in both directions: protection of your systems, and misuse risks by your own staff.
  • Confirm sectoral obligations with your primary regulator (SBP, PTA, or other) [applicable instruments — TO BE VERIFIED].
  • Model the cost and timeline of relocating critical data to Pakistan if localisation is enacted.
  • Appoint an accountable data officer with budget and board access.
  • Assign someone to track the bill each quarter and report changes in its text.

What this means for you

Treat the bill's non-enactment as lead time, not exemption. The obligations most likely to hurt — localisation, transfer controls, breach notification — are infrastructure problems with long build times, and the statute's transition window will not be sized to your architecture. Start with the data inventory and the cross-border map, because everything else depends on them. Bring vendor contracts up to standard on the renewal cycle while it is cheap. Put the breach playbook on paper against the law that binds you today, since PECA and your customer contracts already make an incident a legal event. And resist the temptation to build to the minimum of the current draft: drafts harden, and the businesses that treat the strictest plausible version as the target will spend the transition window verifying, while the rest spend it building.

This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.

The position stated is as of 12 July 2026 and must be verified against current law.

Every matter begins with a first conversation.

Contact the Firm