{"id":106534,"date":"2025-05-15T14:09:08","date_gmt":"2025-05-15T14:09:08","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=106534"},"modified":"2025-08-19T10:27:36","modified_gmt":"2025-08-19T10:27:36","slug":"pakistan-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/pakistan-data-protection-cybersecurity\/","title":{"rendered":"Pakistan: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-106534","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-pakistan"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">S.U.Khan Associates Corporate &amp; Legal Consultants<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/05\/SU-Khan.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">S.U.Khan Associates Corporate &amp; Legal Consultants<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/05\/SU-Khan.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Pakistan<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Privacy is a fundamental and inalienable right under the Constitution of Pakistan. Pakistan is in the process to develop a specific law on personal data protection. A draft bill (Personal Data Protection Act, 2023\/\u201dthe draft Bill\u201d) has been developed by the Ministry of Information Technology and Telecommunication. The draft Bill has been approved by the Federal Cabinet and will now be presented before the legislature (National Assembly and Senate of Pakistan) and thereafter will be promulgated as a law. The draft Bill is not sector-specific but is applicable on processing of personal data by any sector. The draft Bill is applicable when either of data controller, data processer or data subject is present in Pakistan. The draft Bill would also be applicable to those data controllers and data processers who are not incorporated in Pakistan but are digitally or non-digitally operational in Pakistan and are involved in commercial or non-commercial activity in Pakistan.<\/p>\n<p>The draft bill would also be applicable to any data controller or processor who collect the personal data of any data subject present within territory of Pakistan which also includes any foreigner who will be physically present in Pakistan. \u00a0The draft Bill would also be applicable on processing of personal data by data controllers and data processers who are not established in Pakistan but are in a place where Pakistan law is applicable due to private or public international law.<\/p>\n<p>On promulgation of the draft Bill as a law, a National Commission for Personal Data Protection of Pakistan (the Commission) is to be established by the Federal Government of Pakistan. The Commission will be a regulator and will enforce and implement the draft Bill.<\/p>\n<p>Apart from above, sectoral regulatory framework concerning data protection may be seen for banking and telecom sectors. State Bank of Pakistan (the SBP) and Pakistan Telecommunication Authority (the PTA) respectively are the regulators for banking and telecom sectors in Pakistan. The SBP and the PTA have developed certain regulations concerning the protection of their respective consumers including regulations for protection of personal data of the banking and telecom consumers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>It is expected that draft Bill will be presented before parliament to be promulgated as a law. E-safety Bill 2023 has also been approved by the cabinet in August 2023, which is to be presented before the legislature for approval and promulgation. The E-safety Bill aims to prevent crimes such as cyber bullying, online harassment and blackmailing. In addition to that in 2025, amendments have been made in Prevention of Electronic Crimes Act (PECA), where Section 26 A has been inserted which criminalizes the intentional dissemination of false and fake information, leading to potential imprisonment and fines, imprisonment may extend to 3 years while penalty may be imposed up to 2 million Rupees or both can be imposed.<\/p>\n<p>Furthermore, The Federal Government shall establish an investigative body known as the National Cyber Crime Investigation Agency (NCCIA), responsible for conducting inquiries, investigations, and prosecutions of offences outlined under this Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Data Controllers\/Data Processors, whether digitally\u00a0 or non- digitally operational within the territory of Pakistan are under obligation to register with the Commission. The Commission is to formulate a registration framework for data controllers and data processers. The law further provides exemptions for the data controllers and\/or data processors who are already registered with any public body, shall only be required to intimate to the established Commission.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>\u201c<strong>personal data<\/strong>\u201d means any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller and\/or data processor, including any sensitive or critical personal data. Provided that anonymized, or pseudonymized data which is incapable of identifying an individual is not personal data.<\/p>\n<p>\u201c<strong>sensitive personal data<\/strong>\u201d means and includes data relating to access control (username and\/or password), financial information such as bank account, credit card, debit card, or other payment instruments, computerized national identity card, passports, biometric data, and physical, behavioral, psychological, and mental health conditions, medical records, and any detail pertaining to an individual\u2019s ethnicity, religious beliefs, political affiliation, physical identifiable location, travelling details, pictorial or graphical still and motion forms, IP address and online identifier.<\/p>\n<p>\u201c<strong>critical personal data<\/strong>\u201d means such personal data retained by the public service provider- excluding data open to the public-as well as data identified by sector regulators and classified by the Commission as critical or any data related to international obligations.<\/p>\n<p>\u201c<strong>data subject<\/strong>\u201d means a natural person who is the subject of the personal data.<\/p>\n<p>\u201c<strong>data controller<\/strong>\u201d means a natural or legal person or the government, who either alone or jointly has the authority to make a decision on the collection, obtaining, usage or disclosure of personal data.<\/p>\n<p>\u201c<strong>data processor<\/strong>\u201d means a natural or legal person or the government who alone or in conjunction with other(s) processes data on behalf of the data controller.<\/p>\n<p>\u201c<strong>foreign data subject<\/strong>\u201d means a data subject who is not Pakistani national.<\/p>\n<p>\u201c<strong>processing<\/strong>\u201d means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<\/p>\n<p>\u201c<strong>consent<\/strong>\u201d of the data subject means any freely given, specific, informed and unambiguous indication of the data subject\u2019s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the collecting, obtaining and processing of personal data relating to him or her.<\/p>\n<p>\u201c<strong>personal data breach<\/strong>\u201d means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill provides following general principles for processing of personal data:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Personal data be collected for specified, explicit and legitimate purpose<\/li>\n<li>Personal data is not to be processed in a manner incompatible with the purposes for which it was collected<\/li>\n<li>Personal data is to be adequate, relevant and limited to what is necessary in relation to the purpose for which it was collected<\/li>\n<li>Personal data is to be processed for a lawful purpose directly related to an activity of the data controller<\/li>\n<li>Processing of personal data is necessary or is directly related to that lawful purpose<\/li>\n<li>Personal data is adequate and not excessive in relation to that lawful purpose<\/li>\n<li>The data controllers and processors need to be registered with the Commission as specified.<\/li>\n<li>Those data controllers and processors who will fall within the category of the \u201cSignificant\u201d shall have to appoint a data protection officer.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As a general rule no personal data is to be processed without consent of the data subject. A separate consent is required form data subject for each purpose. The draft Bill provides following exceptions when personal data may be processed without consent of the data subject:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When processing is necessary for the performance of a contract to which the data subject is a party<\/li>\n<li>When the processing is necessary to take steps at the request of the data subject to enter into a contract.<\/li>\n<li>When processing is necessary for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract<\/li>\n<li>When the processing is necessary for the treatment, public health, medical or research purposes or to respond to any medical emergency involving a threat to the life or health of a data subject or any other individual.<\/li>\n<li>When processing is necessary to protect the vital interests of the data subject<\/li>\n<li>When processing is necessary for the administration of justice pursuant to an order of the court of competent jurisdiction<\/li>\n<li>When processing is necessary for legitimate interests pursued by the data controller<\/li>\n<li>When processing is necessary for the exercise of any functions conferred on any person by or under any law<\/li>\n<\/ul>\n<p>The draft Bill does not speak about the form, content and administration of the consent. The definition of \u201cconsent\u201d as provided for in the draft Bill depicts the underlying concept based upon the principles of freely given, specific, informed and unambiguous indication of the data subject\u2019s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the collecting, obtaining and processing of personal data relating to him or her. So the form may not be as important but the substance should be met.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the draft Bill, sensitive personal data may only be processed in following situations:<\/p>\n<ul style=\"padding-left: 0\">\n<li>with the explicit consent of the data subject (when that consent is not restricted by any other applicable law)<\/li>\n<li>for the purposes of exercising or performing any right or obligation imposed by law on the data controller in connection with employment<\/li>\n<li>to protect the vital interests of the data subject<\/li>\n<li>for medical purposes<\/li>\n<li>in connection with any legal proceedings<\/li>\n<li>for obtaining legal advice (while ensuring its integrity and secrecy)<\/li>\n<li>for the purposes of establishing, exercising or defending legal rights<\/li>\n<li>processing is necessary for the administration of justice pursuant to orders of a court of competent jurisdiction<\/li>\n<li>for the exercise of any functions conferred on any person by or under any law<\/li>\n<li>where the information contained in the personal data is made public advertently by the data subject.<\/li>\n<\/ul>\n<p>It is to mention that Health Data is also included within the categories of sensitive personal data.<\/p>\n<p>The data controllers and processors, processing personal data of the Children firstly need to verify the age of the child and must sought for consent of his parents or relevant authorized person.<\/p>\n<p>There are no categories of personal data which are prohibited from collection under the draft Bill.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill is not applicable on an individual processing personal data only for the purposes of his personal, family, household and recreational purposes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill does not require or recommend conducting risk assessment regarding personal data processing activities. However, the draft Bill empowers the Commission to formulate a compliance framework with regard to data protection impact assessment. It follows, that on promulgation of law and after establishment of the Commission, the Commission will frame rules with respect to data protection impact assessment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No such codes of practice has been issued.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The data controllers are to intimate the Commission on a regular basis the type of data they are collecting and processing. Procedural aspects for this reporting requirements are to be devised by the Commission.<\/p>\n<p>In addition, the data controller is to keep and maintain record of each application, notice, request or any other information relating to personal data that has been or is being processed by the data controller. The Commission is to determine the manner and form in which such a record is to be maintained. As the law, on the subject, has not been promulgated yet, practically such requirements are not being met.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill provides that personal data processed shall not be kept longer than is necessary for the fulfillment of the purpose or as required under the law. The draft Bill further mandates the data controller to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill does not place any mandatory requirement to consult with the Commission. However, one of the functions of the Commission under the draft Bill is to engage, support, guide, facilitate, train and persuade data controllers and data processers to ensure personal data protection. It follows that the Commission may contact data controllers\/data processors in furtherance of the objects of the draft Bill.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The data controllers and processors identified as significant by the commission shall be required to appoint a data protection officer. The draft Bill empowers the Commission to formulate a compliance framework with regard to responsibilities of data protection officer. It follows, that on promulgation of law and after establishment of the Commission, the Commission will frame rules with respect to appointment of data protection officer.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft law does not require or recommend employee training.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill provides that a data controller is to give a written notice to the data subject. The said notice is to inform the data subject following:<\/p>\n<ul style=\"padding-left: 0\">\n<li>That personal data of the data subject is being collected and a description of the personal data<\/li>\n<li>The legal basis for processing of personal data<\/li>\n<li>The time duration for which personal data is likely to be processed and retained<\/li>\n<li>The purpose for which personal data is being collected and further processed<\/li>\n<li>The information as to source of the personal data<\/li>\n<li>Information with respect to any cross-border transfer of personal data.<\/li>\n<li>The data subject\u2019s right to request access the data and to request correction and how to contact the data controller for any inquiries or complaints<\/li>\n<li>The class of third parties to whom data is disclosed or to be disclosed<\/li>\n<li>The choices and means data controller offer for restricting processing of personal data<\/li>\n<li>Whether it is obligatory or voluntary for the data subject to provide personal data and where it is obligatory the consequences for failure to provide personal data<\/li>\n<\/ul>\n<p>The said notice is to be given as soon as reasonably possible when:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The data subject is first asked by the data controller to provide personal data<\/li>\n<li>The data controller first collects the personal data<\/li>\n<li>Before the data controller uses personal data for a purpose other than the purpose for which personal data was collected<\/li>\n<li>Before the data controller discloses the personal data to a third party<\/li>\n<\/ul>\n<p>The said notice is to be given in Urdu and English languages with clear and readily accessible means to exercise choice by the data subject. \u00a0It can also be served digitally.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill distinguishes between the data controller and data processer (as defined at question 4). The data controller is to ensure that data processors undertake to adopt applicable technical and organizational security standards to protect the personal data. The draft Bill further requires that the data processer is independently liable to take steps to ensure compliance with the prescribed security standards.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill provides a right to the data subjects to not to be subjected to a decision solely based on automated processing including profiling. These terms have not been defined in the draft Bill. No further details\/restrictions are mentioned in the draft Bill.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill does not discuss about cross-contextual behavioral advertising, except the right to the data subjects against the automated decision making and profiling, and right to object against direct marketing.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The sale of personal information is not currently addressed in any law<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Pakistan Telecommunication Authority (the PTA) has issued \u201cProtection from Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009\u201d (the Regulations). The Regulations apply to all telecom operators licensed by the PTA to ensure and protect the interests of telecom consumers by preventing them from spam, fraudulent, unsolicited and obnoxious communication. A few important terms are defined by the Regulations as follows:<\/p>\n<p>\u201c<strong>Do Not Call Register (DNCR)<\/strong>\u201d means a database, maintained by the operators, containing the particulars of subscriber(s) who make a request for not receiving the unsolicited calls.<\/p>\n<p>\u201c<strong>Fraudulent Communication<\/strong>\u201d means the transmission of message\/statement which is false and misleading.<\/p>\n<p>\u201c<strong>Obnoxious Communication<\/strong>\u201d means the transmission of message\/statement with the intent to cause harassment or disturbance.<\/p>\n<p>\u201c<strong>Spamming<\/strong>\u201d means the transmission of harmful, fraudulent, misleading, illegal or unsolicited messages in bulk to any person without the express permission of the recipient, or causing any electronic system to show any such message or is being involved in falsified online user account registration or falsified domain name registration for commercial purpose.<\/p>\n<p>\u201c<strong>Telemarketer<\/strong>\u201d means a person who initiates a call for the purpose of marketing of services, investment and goods to public at large through telecommunications services.<\/p>\n<p>\u201c<strong>Unsolicited calls<\/strong>\u201d means calls made to those numbers recorded in the Do not call register.<\/p>\n<p>The Regulations require all operators to establish standard operating procedures to control spamming, fraudulent communication, unsolicited calls and obnoxious calls. The operators are also required to establish a \u201cDo Not Call Register\u201d in connection with controlling unsolicited calls. The Operators are also required to ensure registration of telemarketers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric is included within the definition of \u201csensitive personal data\u201d and rules as explained at question 4 are applicable in relation thereto.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Ministry of Information Technology and Telecommunication has prepared a draft of Pakistan National Artificial Intelligence Policy, 2023. The policy framework is envisaged to provide a complete AI-enabling ecosystem in Pakistan, covering all aspects of awareness, skill development, standardization, and ethical use.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill provides that personal data may be transferred outside Pakistan in following situations:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Equivalent protection<\/li>\n<li>Consent of the data subject<\/li>\n<li>Under a framework to be devised by the Commission<\/li>\n<\/ul>\n<p>Critical personal data is not allowed to be transferred outside Pakistan. Critical personal data shall only be processed in a server(s) or digital infrastructure located within the territory of Pakistan. The Commission is to devise a mechanism for keeping some components of sensitive personal data within Pakistan (data localization of some of the sensitive personal data).<\/p>\n<p>The Commission may allow for the transfer of personal data outside Pakistan in the following cases:<\/p>\n<ul style=\"padding-left: 0\">\n<li>In presence of Binding contract\/agreement.<\/li>\n<li>Where the data exporter has obtained the explicit consent of the data subject that does not conflict with the public interest or national security of Pakistan;<\/li>\n<li>Where International cooperation is required under relevant international obligations;<\/li>\n<li>Cross border data transfer shall be allowed with respect to any further conditions specified by the Commission.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Commission, considering the national interest, is to prescribe best international standards to protect personal data from any loss, misuse, modification, unauthorized or accidental access, disclosure, alteration or destruction. Data controllers and data processers are to take practical measures, while processing personal data, as prescribe by the Commission to protect the personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of  security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The term \u201cpersonal data breach\u201d is defined in the draft Bill as mentioned at question 4. The draft Bill requires the data controller to report a data breach to the Commission and to the data subject within 72 hours.\u00a0 The exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject. In case the notification is made beyond 72 hours, the notification is to state reasons for the delay.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill confers following rights to the data subjects, exercisable through submission of a request to data controller:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Right of access to personal data<\/li>\n<li>Right to correct personal data<\/li>\n<li>Right to withdrawal of consent<\/li>\n<li>Right to prevent processing likely to cause damage or distress<\/li>\n<li>Right to erasure<\/li>\n<li>Right to nominate<\/li>\n<li>Right to redressal of grievance<\/li>\n<li>Right to data portability and automated processing<\/li>\n<li>Right not to be subjected to a decision solely based on automated processing including profiling<\/li>\n<\/ul>\n<p>The draft Bill provides the instances where a data controller may refuse to comply with a request by data subject to have these rights, as follows:<\/p>\n<p><u>Right of Access to Personal Data<\/u><\/p>\n<ul style=\"padding-left: 0\">\n<li>The data controller is not supplied with such information as the data controller may reasonably require.<\/li>\n<li>The data controller cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information.<\/li>\n<li>Providing access may constitute a violation of an order of a court.<\/li>\n<li>Providing access may disclose confidential information relating to business of the data controller.<\/li>\n<li>The requested access is regulated by another law.<\/li>\n<\/ul>\n<p><u>Right to Correct Personal Data<\/u><\/p>\n<ul style=\"padding-left: 0\">\n<li>The data controller is not supplied with such information as the data controller may reasonably require.<\/li>\n<li>The data controller is not supplied with such information as it may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date.<\/li>\n<li>The data controller is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date.<\/li>\n<li>The data controller is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up-to-date.<\/li>\n<li>Where any other data controller controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the first-mentioned data controller from complying, whether in whole or in part, with the data correction request.<\/li>\n<\/ul>\n<p><u>Right to Prevent Processing Likely to Cause Damage or Distress<\/u><\/p>\n<ul style=\"padding-left: 0\">\n<li>Where the data subject has given his consent.<\/li>\n<li>Where the processing of personal data is necessary:\n<ol style=\"padding-left: 5\" type=\"a\">\n<li>for the performance of a contract to which the data subject is a party.<\/li>\n<li>for the taking of steps at the request of the data subject with a view to entering a contract.<\/li>\n<li>for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by contract.<\/li>\n<li>in order to protect the vital interests of the data subject.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p><u>Right to Erasure<\/u><\/p>\n<p>When processing is necessary for:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Exercising the right of freedom of expression and information.<\/li>\n<li>Compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.<\/li>\n<li>Reasons of public interest in the area of public health.<\/li>\n<li>Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.<\/li>\n<li>The establishment, exercise or defence of legal claims.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>An individual or relevant person, under the draft Bill, may file a complaint on its own before the Commission against any violation of personal data protection rights conferred under the draft Bill, conduct of any data controller, data processer or their processes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill does not provide for entitlement for any monetary damages or compensation to the affected data subjects.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Commission would act as a regulator and enforcer of the subject matter. The data subjects may file a complaint to the Commission for enforcement of their rights, in case the data subject is not satisfied with the decision in complaint (of the Commission), the data subject has the right to present an appeal before the High Court or to the Tribunal established by the Federal Government for the purpose in the manner prescribed by the High Court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><table style=\"font-size: 10px\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"282\"><strong>Offence<\/strong><\/td>\n<td width=\"241\"><strong>Fine<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"282\">Unlawful processing of Personal Data<\/p>\n<p>If any one processes or disseminates or discloses any personal data in violation of the Act<\/td>\n<td width=\"241\">Fine upto 125,000 USD or an equivalent amount in Pakistani Rupees.<\/p>\n<p>&nbsp;<\/p>\n<p>If any one processes or disseminates or discloses sensitive personal data in violation of the drfat Bill,will be punishable with fine upto 500,000 USD or an equivalent amount in Pakistani Rupees.<\/td>\n<\/tr>\n<tr>\n<td width=\"282\">Failure to adopt the security measures that are necessary to ensure data security.<\/td>\n<td width=\"241\">&nbsp;<\/p>\n<p>Fine upto 50,000 USD or an equivalent amount in Pakistani Rupees.<\/td>\n<\/tr>\n<tr>\n<td width=\"282\">Failure to comply with the orders of the\u00a0 Commission or the court.<\/td>\n<td width=\"241\">Fine of up to PKR 2.5 million (US$ 86,800 approx.).<\/p>\n<p>Fine upto 50,000 USD or an equivalent amount in Pakistani Rupees<\/td>\n<\/tr>\n<tr>\n<td width=\"282\">Failure to comply with the notice given by the Commission ,<\/p>\n<p>Where anyone fails to respond to the notice issued by commission,<\/p>\n<p>Or fails to satisfy commission of any contravention committed<\/p>\n<p>Or fails to remedy the contravention<\/td>\n<td width=\"241\">&nbsp;<\/p>\n<p>Fine shall be imposed which may extend to 2,000,000 USD or an equivalent amount in Pakistani Rupees.<\/p>\n<p>The registration may be terminated or suspended and additional conditions shall be imposed.<\/td>\n<\/tr>\n<tr>\n<td width=\"282\">Corporate liability.<\/td>\n<td width=\"241\">&nbsp;<\/p>\n<p>Legal person shall be punished with a fine not exceeding 1% of its annual gross revenue in Pakistan or 200,000 USD, whichever is higher or an equivalent amount in Pakistani Rupees.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The draft Bill does not provide any guidelines or rules regarding the calculation of fines or thresholds for imposition of sanctions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Orders of the Commission are appealable to the High Court (or to a Tribunal established by the Federal Government for the purpose) in the manner(of filing of appeal) as prescribed by the High Court. Any person aggrieved by the order of the Commission may prefer such an appeal.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As the law (the draft Bill) has not yet been promulgated, therefore there is no enforcement activity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pakistan has no legislation regarding cybersecurity. \u00a0PECA is Pakistan\u2019s primary legislation dealing with cybercrime. While not a full-fledged piece of law regulating cybersecurity, PECA governs the imposition of criminal penalties on the wrong doers in the offences provided for in PECA<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed in Question No.36.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>N\/A<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed in Question No.36.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, government)? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>None<\/p>\n<p>As discussed in Question No.36<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed in Question No.36<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of  cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed in Question No.36<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently Pakistan has no law regarding cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently Pakistan has no law regarding cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently Pakistan has no law regarding cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently Pakistan has no law regarding cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently Pakistan has no law regarding cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently Pakistan has no law regarding cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">5935<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/106534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=106534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}