Data protection & privacy laws in Pakistan (2026)

The Personal Data Protection Bill (PDPB 2023, revised as a 2025 draft) was approved by Pakistan's Federal Cabinet and introduced in Parliament, but has not received parliamentary or presidential assent. It was returned to the Ministry of IT and Telecommunication after procedural objections regarding how it was introduced, stalling enactment as of May 2026.

The Bill proposes establishing a National Commission for Personal Data Protection of Pakistan as the dedicated national regulator. Until enactment, no single national supervisory authority exists; the SBP and PTA exercise sector-specific data oversight in finance and telecoms respectively.

Article 14(1) of Pakistan's Constitution renders the dignity of man and privacy of home inviolable. Superior courts have extended this protection to communications and data, providing an implicit constitutional basis for privacy rights in the absence of a dedicated statute.

The Prevention of Electronic Crimes Act 2016 (PECA), amended in 2025, currently serves as the principal legislation touching data protection, covering unauthorised access to personal data and confidentiality of information. The 2025 amendment expanded content regulation and government surveillance powers under Sections 31-32 but introduced no new data protection obligations.

The State Bank of Pakistan issues data-handling and IT compliance frameworks for banks and financial institutions, while the PTA regulates telecom network data and interception. These sector-specific regimes currently constitute the operative data governance framework for their respective industries.

The draft Bill contains broad carve-outs for 'national security,' 'public interest,' and 'legitimate interest,' and largely exempts state agencies from its obligations. Analysts at LUMS and Privacy International have flagged these provisions as enabling surveillance and undermining accountability, casting doubt on the Bill's adequacy even if enacted.