PERSONAL DATA PROTECTION BILL 2023 IS OUT, FEATURING THE INCLUSION OF A MECHANISM TO PROCESS CHILDREN’S PERSONAL DATA

The Ministry of Information & Technology released an amended draft of the Personal Data Protection Bill on May 19, 2023. The Bill proposes obligations for data controllers, establishes rights of data subjects, imposes penalties for non-compliance with the law and proposes the establishment of a relevant regulatory authority.

The Bill devises a mechanism to process, control, use and transfer the personal data of individuals. It would apply to any data controller or processor that processes personal data where it:

  • is registered, exists or operates within Pakistan;
  • is incorporated in another jurisdiction and not operational in Pakistan, but carries out data processing within the territory of Pakistan;
  • does not have a physical presence in Pakistan, but carries out the processing of personal data in a territory where Pakistani law applies under public or private international law;
  • collects personal data of a data subject within the territory of Pakistan, including a foreign data subject who is physically present at the time of collection, and processes personal data in Pakistan.

Under the Bill, data collected shall be explicit, specified and for a legitimate purpose. A data controller/processor, whether operating digitally or non-digitally, that is operational within the territory of Pakistan shall have to register with the Commission (National Commission for Personal Data Protection). The consent of the data subject (the individual whose data is collected) shall be sought before the processing of personal data commences. Any data controller/processor having the status of “significant” shall have to appoint a data protection officer, who needs to be well versed in the collection and processing of personal data and in the risks associated with the processing. In case of a data breach, the data controller shall have to send a written notice containing all the information prescribed in the Bill.

The data processed shall not be retained longer than necessary and the authenticity of the data retained shall not be compromised; moreover, the data controller shall also keep a record of the data processed. The amended draft bill includes provisions safeguarding children’s data. To process the personal data of a child, the data processor shall verify the age of the child and obtain consent from the child’s parents. No data of children shall be processed in a way that poses a risk to them, nor shall children be subjected to targeted advertising. The Bill also devises criteria for Critical Personal Data, which shall only be processed on server(s) or digital infrastructure located within the territory of Pakistan, and lays out the conditions for cross-border data transfer.

The law grants certain rights to data subjects, which include: the right to access data processed, the right to erasure, the right to correction of data, the right to withdraw consent, the right to prevent processing likely to cause damage or distress, the right to nominate, and the right to the redressal of grievance.

Within six months of the commencement of this Act, the Federal Government shall, by a Gazetted notification, establish a Commission for this Act, to be called the National Commission for Personal Data Protection (NCPDP) of Pakistan. The Commission shall be a statutory autonomous body that will work for the enforcement of this Act, perform its functions as a regulatory body, issue policy directives, and receive and decide complaints of data subjects.

The amended draft bill has replaced pecuniary fines denominated in PKR with fines in American Dollars, to be imposed in case of violation. Anyone involved in processing, disseminating or disclosing any personal data in violation of the provisions of this Act shall be punished with a fine of up to 125,000 USD or an equivalent amount in Pakistani Rupees; in case of subsequent unlawful processing of personal data, the fine may be raised up to 250,000 USD or an equivalent amount in Pakistani Rupees.

It is hoped that this draft bill will be the finalized version and will soon be presented before the parliament.

The link to the draft bill can be found here.

