Practice Area
Artificial Intelligence
Pakistan has no AI-specific statute as of mid-2026, but businesses deploying AI here are not in a legal vacuum — contract, cybercrime, consumer, IP and confidentiality law all reach it now. We map existing Pakistani law onto AI systems so clients can build, buy and use them with their exposure understood.
The honest starting point for this page is what does not exist. As of mid-2026, Pakistan has no artificial intelligence statute, no AI regulator, and no reported body of AI case law. Federal policy work on AI has been under way through the IT ministry, and instruments have been developed and announced in stages [POLICY STATUS — TO BE VERIFIED BY REVIEWING LAWYER], but policy documents do not create enforceable obligations. A firm that implies otherwise is selling something. What we offer instead is the discipline this moment actually requires: mapping the law that does exist — and there is more of it than most businesses assume — onto the AI systems they are building, buying and quietly already using.
That existing law has real teeth. Contract law allocates AI failure between vendor and customer today, on whatever terms the parties signed or failed to sign. PECA 2016, amended in 2025, supplies offences and takedown machinery that reach synthetic content, identity misuse and false information. The Copyright Ordinance 1962 governs — uncertainly, but governs — the data AI is trained on and the question of who owns what it produces. Consumer protection statutes test the claims made for AI products. The Qanun-e-Shahadat Order 1984 decides whether AI-generated material can be proved in court and whether confidential and privileged matter fed into third-party tools remains protected. And for banks, funds and telecoms, sectoral regulators already condition AI deployment through technology and outsourcing rules that predate the AI conversation entirely.
In practice the work divides into three streams. For businesses using AI — the largest group, and growing whether or not management has decided anything — the work is governance and contracts: knowing what tools are in use, setting confidentiality rules that hold, and papering vendor relationships for a technology that is wrong some fraction of the time by design. For businesses building AI, it is the product's legal foundations: training-data rights, output terms, honest claims and an exposure account that survives due diligence. And for businesses harmed by AI — deepfakes, impersonation, synthetic fraud — it is response: preservation, takedown through the PECA machinery, and the complaint or claim that follows.
We are candid about uncertainty because in this field certainty is the red flag. Where Pakistani law gives a clear answer, we give it and date it. Where the answer is arguable, we say what the argument is and where we would stand. Where there is no answer — AI authorship, liability for autonomous decisions, the shape of the coming statute — we say that too, and we build contractual and governance positions that do not depend on the gap being filled kindly. Clients with retained arrangements receive dated updates as the position moves, because it will move.
Everything here is stated as of mid-2026. An AI-specific instrument, the data protection statute, or consequential subordinate legislation under the Digital Nation Pakistan Act 2025 could each change parts of this page with little notice. That is not a reason to wait — exposure under existing law is current — but it is a reason to date the advice, and we do.
When Businesses Need This
The moments this practice exists for.
- 01You are deploying an AI tool — a chatbot, a scoring model, a drafting assistant — into a live business process and no one has asked what happens legally when it is wrong.
- 02Your vendor contract for an AI product is silent on training data, output ownership, hallucination liability and what happens to the prompts your staff type in.
- 03Your team is pasting client, customer or employee data into public AI tools, and you suspect that breaches confidentiality obligations you have already signed.
- 04You are building an AI product on scraped or licensed data and need to know your position under Pakistani copyright and contract law before investors ask.
- 05A deepfake or AI-generated content targeting your business or executives is circulating, and you need it taken down and the makers pursued.
- 06A counterparty or regulator asks what your AI governance policy is, and the answer is that you do not have one.
- 07You advise or serve regulated clients — banks, insurers, professionals — and need to know whether their rules permit your AI-assisted workflow at all.
How It Works
The process, stage by stage.
1
Use-case inventory
We start by listing what AI is actually doing in the business — often more than management knows, because staff adopt tools on their own. Each use case is logged with the data it touches, the decisions it influences and the contracts and duties that sit behind both. The inventory, not the technology, determines the legal work.
2
Exposure mapping
For each use case we map the existing Pakistani law that reaches it — contractual and confidentiality duties, PECA offences, consumer and product liability principles, IP ownership, employment implications and any sectoral rules. The output states plainly where the law is settled, where it is arguable, and where nothing on point exists yet.
3
Contract work
We draft and negotiate the AI-specific documents — vendor and licensing agreements with warranties and liability terms that fit probabilistic systems, customer-facing terms that describe AI features honestly, and data provisions covering prompts, outputs and training use. Standard software paper does not fit AI, and we do not pretend it does.
4
Internal governance
We build the acceptable-use policy, the approval path for new AI tools, the confidentiality rules for prompts, and the human-review requirements for consequential decisions. Policies are written to be followed by non-lawyers and short enough to be read. Where clients face professional or sectoral duties, the policy is drafted against those first.
5
Incident and dispute response
When AI causes the problem — a harmful output, a deepfake, a data leak through a tool, a vendor failure — we run the response: preservation, takedown routes under PECA where they apply, regulator and counterparty engagement, and the dispute if one follows. The exposure map from stage two is what makes this fast.
6
Watch brief
Because Pakistani AI-specific regulation is anticipated but not enacted, retained clients receive dated updates when the position moves — policy instruments, draft legislation, sectoral guidance and relevant enforcement. Fee structure is by engagement letter. In this field the advice has a shelf life, and we say so on its face.
The Legal Framework
The law this work runs on.
- No AI-specific statute (position as of mid-2026)
- Pakistan has not enacted AI-specific legislation as of mid-2026. Federal policy work on artificial intelligence exists, including national AI policy instruments developed through the IT ministry [STATUS AND TEXT — TO BE VERIFIED BY REVIEWING LAWYER], but policy is not law. Advice therefore proceeds from statutes of general application, mapped onto AI facts.
- Prevention of Electronic Crimes Act, 2016 (as amended in 2025)
- PECA's offences — identity misuse, offences against dignity and modesty, and the false-information offence added by the 2025 amendment — are the closest thing Pakistan has to a deepfake and synthetic-content regime. Its content-restriction machinery is also the practical takedown route, exercised through the post-2025 authorities.
- Contract Act, 1872
- The workhorse. Liability for AI failures between businesses is overwhelmingly a matter of contract — warranties, indemnities, exclusions and their limits under the 1872 Act. Where the contract is silent on AI, the default rules were written for a different century, which is precisely why the drafting matters.
- Copyright Ordinance, 1962
- Governs ownership of software and content, and predates machine generation entirely. Whether AI-generated output attracts copyright, and who owns it, is unsettled in Pakistan; training on protected works raises infringement questions untested in our courts. We advise on positions, secure what contract can secure, and flag the rest honestly.
- Qanun-e-Shahadat Order, 1984
- Pakistan's evidence law, including its provisions on modern devices and on privileged professional communications. It shapes two AI questions — whether AI-generated material can be proved and relied on in proceedings, and whether feeding privileged or confidential matter into third-party AI tools endangers its protection. We treat the second as a live risk, not a theoretical one.
- Consumer protection statutes (provincial)
- Provincial consumer laws, including the Punjab Consumer Protection Act 2005, provide remedies for defective products and services and misleading claims — the frame under which AI products marketed to consumers, and exaggerated AI claims, will be tested. Businesses selling AI features owe accuracy in how they describe them.
- Draft personal data protection legislation
- The pending Personal Data Protection Bill — in draft lineage since 2018 and not in force as of mid-2026 [STATUS — TO BE VERIFIED BY REVIEWING LAWYER] — has included provisions relevant to automated processing in its drafts. AI systems built today should assume a statute of this shape arrives during their lifetime.
- Digital Nation Pakistan Act, 2025
- The institutional framework for Pakistan's digital transformation agenda is the most likely home for future AI governance instruments. Nothing under it regulates AI specifically as of mid-2026 [TO BE VERIFIED BY REVIEWING LAWYER]; we watch what issues under it.
- Sectoral regulation (SBP, SECP, PTA)
- Regulated businesses do not wait for an AI act — the State Bank's outsourcing and technology risk frameworks, SECP requirements and PTA rules already condition how banks, funds and telecoms may deploy AI systems and offshore data. For regulated clients the sectoral analysis comes first.
Statutory references are stated as of the page’s as-of date and flagged where verification is pending; the law moves, and the current position should be confirmed before relying on it.
Common Mistakes
The errors we see most — and their price.
- Assuming that because Pakistan has no AI act, AI use is unregulated — the general law reaches it now, and contracts reach it hardest.
- Letting staff put client, customer or employee data into public AI tools, breaching confidentiality agreements and professional duties the company signed long before AI existed.
- Signing an AI vendor contract on standard software terms, with no provision for training use of your data, output ownership or liability for wrong answers.
- Marketing a product as AI-powered with accuracy claims no one verified, and meeting the consumer protection and misrepresentation consequences later.
- Building a product on scraped data without a copyright and contract analysis, then facing the question for the first time in investor due diligence.
- Automating consequential decisions — credit, hiring, pricing — with no human review layer, so the first unfair outcome becomes a test case with your name on it.
- Treating deepfakes targeting the business as a PR problem only, and losing the evidence a PECA complaint would have needed.
- Writing an AI policy so long and defensive that staff ignore it, which is worse than none because it proves you knew.
Representative Scenarios
The shape of the work.
Illustrative scenarios, not case reports — composites drawn to show how matters of this kind run.
- —A professional services firm engaged us after discovering staff were drafting client documents in a public AI tool; we built the confidentiality-first usage policy and an approved-tool process, and renegotiated one client engagement letter that prohibited the practice outright. Illustrative.Illustrative
- —A fintech deploying an AI credit-scoring feature asked for an exposure map before launch; the design gained a human-review layer for declines and the vendor contract gained the indemnities it lacked. Illustrative.Illustrative
- —A listed company's executive was targeted by a deepfake video; we ran the takedown through the PECA machinery and preserved the evidence for the complaint that followed. Illustrative.Illustrative
- —A SaaS company adding AI features to its product retained us to rewrite its customer terms — output ownership, disclaimers that fit a probabilistic system, and honest AI claims — ahead of an enterprise sales push. Illustrative.Illustrative
Questions, Answered
What clients ask about artificial intelligence.
There is no AI-specific statute in force as of mid-2026. Policy work exists at the federal level [STATUS — TO BE VERIFIED BY REVIEWING LAWYER], but the law that actually governs AI use today is the general law — contract, PECA, copyright, consumer protection, evidence and sectoral rules. That law is enforceable now, which is the point businesses most often miss.
Between businesses, the contract decides — which is why AI vendor and customer agreements are the centre of this practice. Toward consumers and third parties, ordinary principles of consumer protection, misrepresentation and fault apply to the business that deployed the system; the machine is not a defendant. If your contracts are silent on AI failure, your exposure is whatever the default rules say, and they were not written with AI in mind.
Only within limits you have actually set. The legal risk is mostly confidentiality and privilege — data typed into a third-party tool may be processed offshore, retained, and used for training, which can breach NDAs, client engagement terms, professional duties and, for advocates, the protection of privileged communications under the Qanun-e-Shahadat Order 1984. The workable answer is an approved-tool list and clear rules on what never goes in, and we draft both.
Unsettled. The Copyright Ordinance 1962 was not drafted for machine-generated works, Pakistani courts have not resolved the question, and positions taken in other jurisdictions vary. What can be secured is contractual — clear terms with your vendors, staff and customers about who may use outputs and how. We secure that layer and are candid that the statutory layer is open.
There is no offence named for deepfakes, but PECA 2016 as amended in 2025 supplies the tools in most real cases — identity misuse, offences against dignity and modesty, and the false-information offence — alongside the content-blocking machinery for takedown. Speed matters: evidence preservation and a properly framed complaint in the first days determine what is achievable. We handle both.
The Qanun-e-Shahadat Order 1984 accommodates evidence produced through modern devices, but AI-generated material raises authenticity and reliability questions that Pakistani courts are only beginning to meet — both for parties relying on such material and for parties challenging suspected synthetic evidence. As of mid-2026 there is no settled framework, so the practical work is provenance and record-keeping done in advance.
A defensible data story — where training data came from and under what rights; contracts with vendors, staff and contractors that actually assign and licence what you think they do; customer terms that fit a probabilistic product; and an honest account of regulatory exposure in your markets, which for cross-border SaaS means foreign AI regulation as much as Pakistani law. Investor counsel will ask for exactly this list.
Yes, today. The State Bank's technology and outsourcing frameworks condition how banks and regulated institutions deploy systems and move data, and the SECP and PTA impose their own requirements in their sectors. For a regulated client, the sectoral analysis leads and the general law follows. An AI act, when it comes, will sit on top of these, not replace them.
Policy development is under way and draft instruments have circulated [POLICY DEVELOPMENTS — TO BE VERIFIED BY REVIEWING LAWYER], and the data protection bill may arrive first and matter more. But waiting is not a strategy: your exposure under existing law is current, and systems built with governance now will absorb a future statute cheaply. We build for the law in force and design for the law anticipated.
Who To Call
Related Insights
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
