The First Counsel

Legal Notice

Data Privacy Standards

The principles the firm applies to personal information in everything it does — at home in Pakistan and wherever a matter reaches.

Last revised 12 July 2026 · Effective on publication

A law firm's stock-in-trade is other people's information. Clients hand over what they would tell no one else; opponents' affairs arrive through disclosure; witnesses, employees, and counterparties appear in files they never chose to be in. This document states the standards the firm applies to all of it — in Lahore, and wherever a matter reaches. It is published so that anyone who deals with the firm can see the rules the firm has set itself.

1. Purpose and application

1.1 This document ("these Standards") states the principles The First Counsel (the "firm") applies to personal information in everything it does. The firm's other privacy documents are applications of these Standards to particular contexts: the Privacy Policy applies them to the website at thefirstcounsel.com; the Client and Third Party Privacy Notice applies them to the practice of law. Where those documents are silent, these Standards fill the gap.

1.2 These Standards bind:

(a) every person who works at or for the firm — partners, consultants, associates, trainees, administrative staff, and contract personnel;

(b) every office the firm operates, now and in the future. The firm's office as at the effective date is at 8th Floor, Askari Corporate Towers, Lahore, Punjab, Pakistan; if the firm opens further offices, these Standards apply there from the first day; and

(c) all processing of personal information by or for the firm, in any medium — paper, electronic, or spoken — whether the information concerns a client, an opposing party, a witness, an employee, a job applicant, or a stranger to any matter.

1.3 What these Standards are, honestly stated. These Standards are a unilateral commitment. They have not been approved, certified, or endorsed by any regulator, in Pakistan or elsewhere. The firm does not hold Binding Corporate Rules, an approved code of conduct, an adequacy finding, or any comparable instrument under any foreign regime, and no approval mechanism of that kind presently exists in Pakistani law. The Standards derive their force from the firm's decision to publish them, to train against them, and to treat breaches of them as disciplinary matters (section 5).

1.4 The legal setting, as at the effective date. Pakistan has no comprehensive personal-data-protection statute in force. The instruments that do bear on the subject are Article 14(1) of the Constitution, from which the superior courts have drawn a privacy interest; the Prevention of Electronic Crimes Act, 2016 ("PECA"), which criminalises unauthorised access to information systems and data; and, for a law firm above all, the confidentiality obligations of advocates under the Legal Practitioners and Bar Councils Act, 1973 and the privilege recognised by Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984. The firm applies the principles below as a matter of professional practice, drawing on the successive drafts of Pakistan's Personal Data Protection Bill and on internationally recognised data-protection principles. When comprehensive legislation comes into force, the firm will conform these Standards to it.

1.5 Effective date. These Standards take effect on [EFFECTIVE DATE — ON PUBLICATION] and are reviewed as section 8 provides.

2. The principles

The eight principles below are stated first in general terms and then in the terms that matter here: what each one means in the daily work of a law practice.

2.1 Lawfulness and fairness

2.1.1 The firm processes personal information only where there is a proper basis for doing so: the conduct of an engagement, compliance with a legal or professional obligation, the establishment or defence of legal rights, or another purpose these Standards or a published notice of the firm identifies.

2.1.2 In practice at this firm, lawfulness begins with provenance. Information enters the firm through client instructions, court process, disclosure, public registers, lawfully conducted due diligence, and correspondence. The firm does not obtain information by deception, pretext, unauthorised access, or purchase from data brokers, and it does not instruct others to do so on its behalf.

2.1.3 Fairness has a particular meaning in an adversarial profession. The firm routinely processes information about people whose interests are opposed to its clients' — that is the work, and it is fair. What fairness forbids is the covert and the collateral: processing a person could not reasonably anticipate given the firm's role in the matter, or the use of matter information for ends unconnected with any matter at all.

2.2 Purpose limitation

2.2.1 Information collected for a matter is used for that matter, and for the narrow ancillary purposes every matter carries: conflicts checking, engagement administration, billing, regulatory compliance, and the defence of the firm's own position if the engagement is later questioned.

2.2.2 Information obtained for one client is not used for the benefit of another. This is a conflicts rule before it is a privacy rule, and the older rule is the stricter one: the prohibition holds even where the second use would be harmless in data-protection terms.

2.2.3 Matter information is never used for marketing. The firm does not mine its files for business-development leads, does not add parties from its matters to mailing lists, and does not cite identifiable matter details in publicity without the client's informed written consent.

2.3 Data minimisation

2.3.1 The firm takes what the matter requires and declines the rest. Requests to clients for documents are scoped to the issues in the matter; diligence questionnaires ask for what the transaction needs.

2.3.2 Litigation and investigations pull in volume by nature — a disclosure exercise is not smaller because a privacy principle wishes it were. Minimisation at a law firm therefore operates at the edges of the exercise, not at its centre: framing requests no wider than the issues, resisting demands that overreach, and answering compelled disclosure no more broadly than the compulsion lawfully requires.

2.3.3 Within the firm, minimisation governs circulation. Matter information goes to the people staffed on the matter and to those with a supervisory or compliance need, and no further.

2.4 Accuracy

2.4.1 Records on which the firm or others rely — contact details, engagement records, billing records, conflicts entries — are kept accurate and are corrected when shown to be wrong.

2.4.2 Evidence is different, and the difference must be stated. A law firm holds documents because of what they are, including documents that are mistaken, misleading, or false; their evidential value can lie precisely in their inaccuracy. The accuracy principle at this firm means faithful preservation, correct attribution, and honest context. It does not mean editing the record, and no correction request will be honoured by altering a document held as evidence — a point the Client and Third Party Privacy Notice develops.

2.5 Storage limitation

2.5.1 Information is kept as long as the purpose for which it is held requires, and as long as law and professional prudence require — which for matter files is measured against the limitation periods of the Limitation Act, 1908, the possibility of revived or related proceedings, and the client's own interest in the file — and is then disposed of securely.

2.5.2 Some records are kept on a long horizon deliberately. Conflicts records persist for as long as the firm practises, because the duty they serve does not expire. The firm states such exceptions openly in its notices rather than professing shorter periods it does not observe.

2.6 Security

2.6.1 The firm applies technical and organisational measures proportionate to the sensitivity of what it holds: access controls and authentication on firm systems, encryption of devices and of information in transit, physical security at its premises, and supervision of paper files [SPECIFIC MEASURES — TO BE CONFIRMED BY THE FIRM].

2.6.2 Access within the firm follows need. Matters of particular sensitivity are staffed narrowly, and information barriers are erected where professional duty requires them.

2.6.3 Transmission matches sensitivity. Material whose exposure would cause serious harm is not sent by ordinary email where a more protected channel can be arranged, and the firm will arrange one at a client's request.

2.7 Confidentiality and privilege — the profession's older, stricter privacy law

2.7.1 Long before any data-protection statute existed anywhere, the legal profession operated under a privacy regime of unusual severity: the advocate's duty of confidence, and the privilege that protects client communications from compelled disclosure — in Pakistan, recognised by Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984 and enforced through the professional obligations framed under the Legal Practitioners and Bar Councils Act, 1973. These Standards are built on that regime, not the other way around.

2.7.2 Where any principle in this document and the client's confidence point in different directions, the confidence prevails. No data-protection principle will be applied so as to erode privilege — for example, an access request by a third party will not be honoured at the expense of a client's protected communications.

2.7.3 Privilege belongs to the client, not to the firm. The firm asserts it wherever it applies, and waives it never, except on the client's informed instruction.

2.8 Accountability

2.8.1 The firm holds itself answerable for these Standards: a named partner is responsible for them (section 8), records are kept sufficient to show how information is handled, and breaches are treated as the professional matter they are.

2.8.2 Accountability is individual as well as institutional. Every person bound by these Standards is responsible for their own compliance, and seniority aggravates rather than excuses a breach.

3. Cross-border matters

3.1 The firm's matters cross borders in ordinary course: transactions with foreign parties, disputes with evidence abroad, arbitrations seated outside Pakistan, instructions passing to and from foreign counsel, and requests arriving through mutual legal assistance channels. Personal information travels with those matters.

3.2 As at the effective date, Pakistani law imposes no general transfer-mechanism or adequacy regime on personal data leaving the country. The firm nonetheless applies the following safeguards whenever personal information crosses a border in a matter:

(a) necessity. Information is transferred only where the matter requires it — to the arbitral tribunal, the foreign counsel, the counterparty, or the authority concerned — and only the information the recipient's role requires;

(b) engagement-terms protection. Where the firm instructs foreign counsel, experts, or other professionals abroad, the terms of instruction impose confidentiality obligations no weaker than the firm's own, and the recipient's local professional-secrecy obligations are weighed as part of selection;

(c) secure transmission. Cross-border transmission uses the channels section 2.6 describes, with heightened measures for material of heightened sensitivity;

(d) privilege preserved. Before transmitting privileged material abroad, the firm considers with the client whether and how privilege will be maintained under the law of the destination, and structures the transmission accordingly.

3.3 Requests from foreign authorities — whether arriving directly or through Pakistani authorities under mutual legal assistance arrangements — are treated as compelled-disclosure demands. The firm assesses lawfulness and scope, asserts privilege and confidentiality wherever they apply, discloses no more than is lawfully compelled, and informs the affected client where the law permits.

3.4 Drafts of the anticipated Pakistani legislation have proposed localisation duties and conditions on cross-border transfer. If enacted, those provisions will be complied with, and the firm will restructure its practices where compliance requires it.

4. Relationship to foreign regimes

4.1 Some of the firm's clients are themselves subject to foreign data-protection regimes — the GDPR and its United Kingdom counterpart above all — and instruct the firm on terms that require compatible handling. Where an engagement requires it, the firm will contract to apply GDPR-adjacent standards to the information processed in that engagement: processing confined to documented instructions, confidentiality undertakings from the personnel involved, stated security measures, notification of incidents to the client, and return or deletion of the information at the end of the matter, so far as professional retention duties allow.

4.2 The firm makes no claim it is not entitled to make. It is not established in the European Union or the United Kingdom, has no office there, has not appointed a representative under Article 27 GDPR [POSITION — TO BE CONFIRMED BY THE FIRM], holds no Binding Corporate Rules or approved certification, and does not represent that transfers to it satisfy any foreign transfer mechanism unless a specific contractual arrangement in a specific engagement says so.

4.3 If a foreign regime's requirement and a Pakistani legal or professional duty conflict in a matter, the firm will say so to the client at once and resolve the conflict candidly — by adjusting the scope of the engagement if necessary — rather than quietly complying with one and breaching the other.

5. Personnel obligations and training

5.1 Every person who joins the firm undertakes, in writing and as a condition of joining, to keep the firm's and its clients' information confidential and to handle personal information in accordance with these Standards. The undertaking survives departure from the firm.

5.2 Personnel receive training on these Standards on joining and thereafter at intervals the responsible partner sets [TRAINING CADENCE — TO BE CONFIRMED BY THE FIRM], with matter-specific instruction where an engagement raises particular requirements — a foreign regime, an information barrier, or unusually sensitive material.

5.3 A breach of these Standards is a disciplinary matter. Where the breach also touches an advocate's professional obligations, it is treated with the seriousness those obligations demand, and nothing in the firm's internal process displaces the jurisdiction of the bar councils.

5.4 No one at the firm may be instructed to act contrary to these Standards. An instruction to do so may be refused, and must be reported to the responsible partner.

6. Vendors and service providers

6.1 The firm uses service providers whose work necessarily touches personal information: IT and email infrastructure, document management, translation, couriers, e-discovery and data-room platforms where matters require them, and professional support services [CURRENT PROVIDERS — TO BE CONFIRMED BY THE FIRM].

6.2 Before engaging a provider that will process personal information, the firm satisfies itself of the provider's security and confidentiality practices, at a depth proportionate to the sensitivity of the information involved.

6.3 Providers act under contract or published terms that bind them to confidentiality, restrict processing to the firm's purposes, and forbid use of the information for the provider's own ends. A provider that will handle privileged material is told so and bound accordingly.

6.4 The firm does not authorise any provider to sell, rent, or trade information handled for the firm, in any circumstance.

7. Incident response

7.1 An incident is any event that exposes, alters, destroys, or removes from the firm's control personal information the firm holds, or that gives an unauthorised person access to it — whether by attack, accident, or error, and whether on the firm's systems or a provider's.

7.2 Identification. Every person bound by these Standards must report a suspected incident to the responsible partner immediately on becoming aware of it. Speed of internal reporting is treated as mitigation; concealment as aggravation.

7.3 Containment and assessment. The firm's first steps are to contain the incident and preserve evidence of it, and then to assess what information is affected, whose it is, and what harm its exposure could cause.

7.4 Notification. The firm commits, as at the effective date, to the following:

(a) a client whose matter information is affected will be informed without undue delay, and in any event within [NOTIFICATION TARGET — TO BE CONFIRMED BY THE FIRM] of the firm's assessment that the matter is affected;

(b) other persons whose information is affected will be informed where the incident creates a real risk of harm to them;

(c) any authority that a law in force in Pakistan requires the firm to notify will be notified within the time that law prescribes; and where the incident appears to involve an offence under PECA, the firm will consider a complaint to the designated investigative agency, in consultation with affected clients;

(d) when the anticipated legislation prescribes breach-notification duties and timelines, those duties will replace the bracketed commitments above.

7.5 Record and remediation. Every incident is recorded, and every incident ends with a written assessment of what allowed it and what has been changed as a result.

8. Governance

8.1 A partner of the firm is responsible for these Standards: for training, for the incident procedure, for vendor diligence, and for keeping the firm's published notices true. As at the effective date that partner is [PARTNER RESPONSIBLE — TO BE CONFIRMED BY THE FIRM].

8.2 These Standards are reviewed at least annually, and immediately upon: the enactment of comprehensive Pakistani data-protection legislation; a material change in the firm's practices, systems, or offices; or an incident whose assessment shows the Standards wanting.

8.3 Amendments take effect on publication with a new effective date. The current version is always the version published at thefirstcounsel.com.

9. Interaction with other notices

9.1 The Privacy Policy governs the website. The Client and Third Party Privacy Notice governs the practice of law. This document states the principles both apply. If a notice and these Standards differ, whichever affords the person concerned the greater protection prevails — except that nothing in any of these documents overrides an engagement letter, the professional obligations of advocates, or privilege, which prevail over all of them.

9.2 These Standards do not create contractual rights beyond those the general law confers. They are the firm's own rulebook, published so that it can be held to it.

10. Contact

10.1 Questions about these Standards should be addressed to:

The First Counsel Attention: [PARTNER RESPONSIBLE FOR DATA PROTECTION — TO BE CONFIRMED BY THE FIRM] 8th Floor, Askari Corporate Towers, Lahore, Punjab, Pakistan Email: [email protected] (subject line "Data Privacy Standards") Telephone: [TELEPHONE — TO BE CONFIRMED BY THE FIRM]

10.2 The firm will acknowledge correspondence under this section within 7 days and respond substantively within 30 days. Requests concerning particular information should be made under the Privacy Policy or the Client and Third Party Privacy Notice, whichever applies; this document supplies the principles, and those documents supply the procedure.

Questions about this document may be addressed to [email protected]. Where this document is translated, the English text prevails.

Every matter begins with a first conversation.

Contact the Firm