Practice Area
Data Privacy
We advise companies that collect, hold and move personal data on the rules that govern it in Pakistan today and the statute expected to govern it next. The work runs from privacy programmes and consent architecture to cross-border transfers, vendor contracts and the sectoral regulators that already police data.
Pakistan is in the last stretch of the pre-statute era of data law. As of mid-2026 there is no enacted general data-protection statute; the draft Personal Data Protection Bill remains pending [STATUS — TO BE VERIFIED BY REVIEWING LAWYER]. That does not mean data is unregulated. PECA 2016 criminalises unauthorised access to systems and data. The Electronic Transactions Ordinance 2002 determines whether your electronic consents and records hold up. The State Bank and the PTA impose real data and outsourcing rules on the businesses they license. And every data-processing agreement a Pakistani company signs with a foreign customer imports obligations — often GDPR-grade ones — enforceable as ordinary contract.
Our data privacy practice works at that intersection. For most clients the engagement starts with a map: what personal data the business actually collects, where it sits, which vendors touch it, and where it crosses borders. The map is compared against three things — the law in force, the contracts already signed, and the recurring features of the draft legislation. The output is not a memo; it is a set of documents and decisions. A privacy policy that tells the truth. Consent flows that produce evidence. Vendor contracts that pass a customer's diligence. A breach plan with names and hours in it.
We are candid about the draft statute. It is not law, and we do not advise as if it were. But its drafts have consistently proposed consent requirements, breach notification, cross-border transfer rules and a supervisory authority, and businesses that build toward those features now will face a transition period; businesses that wait will face a deadline. The distinction between adjusting a programme and building one under enforcement pressure is, in our experience, the largest cost variable in this field.
The practice also carries the contentious end. Data disputes in Pakistan today arrive mostly as PECA matters — an employee who took a database, a competitor with your customer list, a breach that becomes a complaint against you rather than for you. Since the 2025 amendments to PECA, investigation sits with the National Cyber Crime Investigation Agency, an institution still settling its practice. We handle the complaint, the response and the parallel civil remedies, and because we also build privacy programmes, we know which documents will matter when a regulator or investigator asks for them.
Everything on this page is stated as of mid-2026 and will be revised as the legislative position changes. In this field especially, advice has a date on it.
When Businesses Need This
The moments this practice exists for.
- 01You are launching a product that collects personal data from Pakistani users and your privacy policy is either missing or copied from a foreign template that promises things you do not do.
- 02A foreign customer, partner or investor is asking whether you are "GDPR compliant" and you do not know what Pakistani law actually requires of you, or what you can honestly sign.
- 03You are moving customer data to cloud infrastructure outside Pakistan and need to know whether anything in your sector restricts the transfer or requires an approval first.
- 04A regulator — the State Bank, the PTA or SECP — has asked how you handle customer data, and your written policies do not match what your systems actually do.
- 05An employee has left with a customer database, or a breach has exposed user data, and you need to know what you must disclose, to whom, and what you can pursue.
- 06You are buying or investing in a data-heavy business and need its consents, transfers and vendor chain diligenced before signing.
- 07You want a privacy programme built now so that when the anticipated data-protection statute comes into force you adjust rather than rebuild.
How It Works
The process, stage by stage.
1
Data mapping
We start with what actually happens, not what the policy says. We inventory what personal data enters the business, where it is stored, who inside and outside the company touches it, and where it leaves — including analytics, support tooling and offshore cloud. Most privacy problems are discovered at this stage, not created later.
2
Gap review against current law
We measure the map against the law that applies to you today: PECA 2016, the Electronic Transactions Ordinance 2002, your sector's regulator, and the contractual promises you have already made to customers and partners. We also measure it against the recurring features of the draft data-protection legislation, so the gap list is future-facing rather than merely current.
3
Documentation build
We draft the privacy policy, consent language, internal data-handling policies and retention rules — written to describe what the business does, in plain language, rather than what a foreign template imagines. Where the business must change practice to keep a promise, we say so before the promise is published.
4
Transfers and vendors
We settle the cross-border transfer position, paper the processor and sub-processor chain with data-processing terms, and handle any sectoral approvals the architecture needs. For regulated businesses this includes the outsourcing and cloud expectations of their regulator.
5
Incident readiness
We prepare a breach-response plan that names who decides, who investigates, who notifies and within what time — matched to the notification commitments in your contracts and the reporting expectations of your regulator. A plan written during an incident is not a plan.
6
Standing counsel
Data law in Pakistan is about to change. We keep the programme current as the anticipated statute is enacted and subordinate legislation issues, and we date every piece of advice so you know what it assumed.
The Legal Framework
The law this work runs on.
- Prevention of Electronic Crimes Act, 2016
- PECA criminalises unauthorised access to information systems and data, unauthorised copying and interference — it is the statute under which a data-theft complaint is filed and, equally, the statute cited against companies when a breach is alleged. It was amended in 2025 and enforcement now sits with the National Cyber Crime Investigation Agency, the successor to the FIA Cybercrime Wing.
- Draft personal data protection legislation
- As of mid-2026 Pakistan has no enacted general data-protection statute; the draft Personal Data Protection Bill remains pending [STATUS — TO BE VERIFIED BY REVIEWING LAWYER]. Successive drafts have proposed consent requirements, breach notification, cross-border transfer restrictions and a supervisory authority, which is why we build programmes against those features now.
- Electronic Transactions Ordinance, 2002
- The ETO gives legal recognition to electronic records, documents and signatures. It is the reason consent gathered through a checkbox or click-through can be relied on — provided the flow is designed and evidenced properly.
- Constitution of Pakistan, Article 14
- Article 14 guarantees the dignity of man and the privacy of home, and Pakistani courts have drawn on it when privacy interests are litigated. It matters as the constitutional backdrop against which data practices are tested when there is no statute directly on point.
- State Bank of Pakistan frameworks
- Banks, EMIs and payment businesses answer to SBP rules on customer confidentiality, outsourcing and the use of cloud service providers, including SBP's framework on outsourcing to cloud [INSTRUMENT REFERENCE — TO BE VERIFIED BY REVIEWING LAWYER]. For a regulated business, these rules are the operative data law long before any general statute.
- Pakistan Telecommunication (Re-organization) Act, 1996 and PTA regulations
- Telecom licensees carry subscriber-data and infrastructure-security obligations under the PTA's regulatory regime, including the Critical Telecom Data and Infrastructure Security Regulations, 2020. Companies that ride on telecom infrastructure inherit parts of this regime through their contracts.
Statutory references are stated as of the page’s as-of date and flagged where verification is pending; the law moves, and the current position should be confirmed before relying on it.
Common Mistakes
The errors we see most — and their price.
- Publishing a GDPR-template privacy policy that promises rights and processes the business does not operate — the policy itself becomes the misrepresentation.
- Treating the absence of a general data-protection statute as the absence of data law, when PECA, the sectoral regulators and your own contracts already reach how you handle data.
- Signing customer data-processing agreements that commit to breach notification within hours the company has no process to meet.
- Moving regulated customer data to offshore cloud without checking whether your regulator required notice, approval or specific contract terms first.
- Collecting more data than the product needs, so that every later question — breach, diligence, regulator inquiry — is larger than it had to be.
- Leaving employee data, CCTV and biometric attendance systems out of the privacy programme entirely.
- Waiting for the statute to pass before building anything, then facing a statutory transition period with nothing in place.
Representative Scenarios
The shape of the work.
Illustrative scenarios, not case reports — composites drawn to show how matters of this kind run.
- —A payments startup had signed a data-processing agreement with a European partner committing to GDPR-grade obligations it could not meet. We rebuilt its consent flows, retention rules and sub-processor contracts so the commitments were ones the business actually kept.Illustrative
- —A healthcare group discovered a departing employee had copied patient records to a personal drive. We advised on the PECA complaint, the employment-law response and the disclosures owed to affected patients and institutional counterparties.Illustrative
- —A SaaS company hosting Pakistani enterprise data on foreign cloud was asked by a bank customer to evidence compliance with SBP outsourcing expectations. We papered the sub-processor chain, audit rights and data-location commitments the bank needed before renewal.Illustrative
- —An acquirer's diligence found that a target's user consents did not cover the advertising use its revenue depended on. We restructured the data warranties and indemnities, and the remediation cost was priced into the deal rather than discovered after it.Illustrative
Questions, Answered
What clients ask about data privacy.
Not a general one, as of mid-2026. The draft Personal Data Protection Bill has circulated for several years and remains pending [STATUS — TO BE VERIFIED BY REVIEWING LAWYER]. What exists today is a patchwork: PECA 2016 for unauthorised access and misuse, sectoral rules from SBP and the PTA, the Electronic Transactions Ordinance 2002, and whatever your own contracts promise.
No general statute currently mandates it, but consent is still the practical foundation. Your regulator may expect it, your foreign counterparties will demand it, the draft legislation is built on it, and a documented consent is your best answer when a complaint or claim arrives. We treat consent as the default and design exceptions deliberately.
For most unregulated businesses, yes, as of mid-2026 — there is no general localisation statute in force. Regulated businesses are different: banks, EMIs and payment providers face SBP outsourcing and cloud rules, and telecom licensees face PTA security regulations. Successive drafts of the data-protection bill have proposed transfer restrictions, so architecture decisions should assume some future constraint.
Today the mandatory notification obligations are mostly contractual and sectoral rather than general statutory ones — your customer DPAs, your regulator's rules, and any foreign law that reaches you. The decisions in the first days are what to preserve, whom to notify, and whether to involve the NCCIA. A pre-agreed response plan makes those decisions fast instead of improvised.
It can. GDPR reaches non-EU businesses that offer goods or services to people in the EU or monitor their behaviour, and it reaches you contractually whenever an EU customer makes you their processor. Many Pakistani companies are bound to GDPR standards through their contracts long before any EU regulator would notice them.
What data you collect, why, where it is stored, who it is shared with, how long you keep it, and how a user raises a complaint — described accurately for your business. A policy is evidence. It should be the true account of your practice, not an aspiration borrowed from a foreign company.
No date can be stated honestly; drafts have advanced and stalled repeatedly. The sensible course is to build the durable parts now — data mapping, consent, vendor contracts, breach response — because every draft has required them, and they already pay for themselves in customer and investor diligence.
If personal data flows to a vendor — cloud host, analytics tool, payroll processor, call centre — the contract should say what the vendor may do with it, what security it must maintain, and what happens on breach and exit. Without that, a vendor's failure is legally your failure, with no recourse.
Who To Call
Related Insights
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
