IT MINISTRY PROPOSES UP TO $250,000 FINE ON UNLAWFUL PROCESSING OF PERSONAL DATA
MINISTRY of Information Technology and Telecom has proposed up to $ 250,000 fine on unlawful processing of personal data. The Ministry of IT&T has finalised draft of the personal data protection bill 2023. According to draft, Ministry of IT&T has proposed up to $125,000 or an equivalent amount in Pakistani Rupees fine whosoever processes or disseminates or discloses any personal data in violation of the provisions of this Act.
The fine may be raised up to $250,000 or an equivalent amount in Pakistani Rupees, according to the document.
In addition, the IT Ministry has also proposed a fine of up to $50,000 or an equivalent amount in Pakistani Rupees whosoever fails to adopt adequate security measures to ensure data security.
The Personal Data Protection Bill, 2023 is devised to regulate the collection, processing, use, disclosure, and transfer of personal data and additionally provides a data protection mechanism including the offences concerning the violation of data privacy rights of an individual.
According to draft, the scope and applicability of data controller or a data processor will apply within the territory of Pakistan
In addition, where any data controller or a data processor whether digitally or non-digitally operational within Pakistan but incorporated in any other jurisdiction, carries out processing of personal data concerning any commercial or non-commercial activity including profiling data subjects within the territory of Pakistan.
Where a data controller and a data processor not having a physical presence within the territory of Pakistan carries out the processing of personal data in a territory where Pakistani law applies under public or private international law, the draft stated.
The draft further states that where a data controller or data processor collects personal data of a data subject within the territory of Pakistan including a foreign data subject who is physically present at the time of collection, and processing of personal data within the territory of Pakistan.
According to draft, Personal data shall be collected, processed, and disclosed by a data controller/data processor lawfully and fairly by complying with the provisions of this Act.
The data controller and/or data processor whether digitally or non-digitally operational within the territory of Pakistan shall register with the Commission in such manner as may be specified by the registration framework to be formulated by the Commission provided that the data controller and/or data processor is already registered with any public body in that case, it shall only be required to intimate the Commission.
The draft further states that Personal data without the consent of the data subject shall not be disclosed for any purpose other than the one for which the personal data was to be disclosed at the time of collection of the personal data.
The Federal government shall, by a Gazetted notification, establish a Commission for this Act, which shall be called the National Commission for Personal Data Protection (NCPDP) of Pakistan, within six months of the commencement
Given the national interest, the Commission shall prescribe the best international standards to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction.
A data controller or processor shall when collecting or processing personal data must take practical measures to protect the personal data as per the terms mentioned herein below by considering the nature of the personal data and the harm that may result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction to the place or location where the personal data is stored; to any security measures incorporated into any equipment in which the personal data is stored.
In the event of a personal data breach, the data controller shall without undue delay and where reasonably possible, not beyond 72 hours of becoming aware of the personal data breach, must notify the Commission and the data subject except where the breach is unlikely to result in the infringement of rights and freedoms of the data subject.