Media Matters for Democracy submits recommendations on data protection and privacy to the IT minister

November 17, 2018: Media Matters for Democracy hosted a multi-stakeholder consultation with the representative of service providers, policy makers, civil society groups, and the legal fraternity to finalize recommendations on data protection and privacy.

The consultation meeting was facilitated and hosted by Media Matters for Democracy to further its advocacy on data protection law, and improve the privacy practices in Pakistan. The consultation was attended by various members of telecommunication companies, the representatives of the Ministry of Information and Technology, civil society leaders, and prominent lawyers.

The members present at the consultation discussed various aspects of the data protection and privacy and implications on the citizens at-large.

The recommendations presented at the multi-stakeholder consultation were compiled and sent to the Federal Minister of Information Technology and Telecommunication.


Federal Minister for Information Technology and Telecommunication

Khalid Maqbool Siddiqui

Subject: Recommendations on Personal Data Protection Bill 2018

Mister Minister,

We welcome the Ministry’s invitation for public inputs on the Personal Data Protection Bill. We are hopeful that the Ministry’s effort to take a consultative approach towards this legislation will help create a strong law that is able to protect the rights of citizens of Pakistan and enable a strong data protection regime.

In response to the invitation for input and feedback, Media Matters for Democracy, along with other allied groups and stakeholders, seeks to submit the following recommendations for amendments and additions in the draft Bill.

  • The statute should not carry a criminal liability. This will result in overlaps with other criminal laws such as the Prevention of Electronic Crimes Act (PECA) and the Pakistan Penal Code (PPC). Instead, compensation in the form of damages should be awarded to the aggrieved party.
  • The definitions of some terms need to be revisited as per the GDPR and international standards, in order to make them unambiguous. These include:
  • “Sensitive personal data” – Article 2(n)
  • “Commercial transactions” – Article 2(b)
  • “Journalistic activities” – Article 3(5)(b)
  • “Third-party” – Mentioned throughout the act.
  • Article 3(5)( c) is unclear and contradictory as to what the status of a government entity would be under this act. It needs to be made clear whether the law would extend to state entities involved in commercial transactions ( for instance, NADRA) or not.
  • The act must contain a provision that places a responsibility on the corporations to inform the state and the data subjects in case of any personal breaches of data/information that may take place.
  • The act must address the issue of third-party data breaches. This includes breaches by/ inside international corporations such as Facebook, etc.
  • The Commission established under the Act must have internal checks and balances, to ensure smooth and effective operation. It must also monitor recent developments in terms of data protection and data breaches, so as to keep the rules and regulations up to date. For this purpose, a body of experts should be formed, which should include experts on digital forensics.
  • The Commission’s investigative body should be separate from the FIA since the Authority is already too overburdened. A new body should be formed under the Commission for this purpose.
  • The act should provide for a specific time-period for data retention. This would restrict the corporations from retaining data for indefinite periods. The time frame should vary for corporations according to the nature of their activities and the purpose for which the data is being retained in the first place.
  • The act should ensure that all its provisions are in line with the General Data Protection Regulation (GDPR). In addition to this, a specific requirement should be present for the corporations through which they must be obliged to draw up their privacy policy according to the rules laid down in GDPR.
  • The act must mandate awareness-raising sessions, through which data subjects and data retainers may be educated regarding the basic technicalities of data retention and the implications in case of a breach.


The members of the consultation on data protection and privacy.