Every day Pakistanis hand over CNIC numbers, phone numbers, biometrics and bank details to banks, telecoms, apps and online shops. Yet many are surprised to learn there is still no dedicated law telling those organisations how they must collect, store and share that data. Instead, privacy in Pakistan rests on a patchwork of constitutional, criminal and sector rules. This guide explains exactly what protects you today, what the proposed reform would add, and what to do when your data is misused.
Is there a data privacy law in Pakistan?
The short answer is: not a comprehensive one. Unlike the EU's GDPR or India's recent data law, Pakistan has no single statute that sets out how personal data must be handled across every sector. What exists is a combination of three layers - a constitutional right, a criminal cybercrime law, and a draft bill that has been years in the making. Understanding each layer tells you where you stand.
Your constitutional right to privacy
The foundation is Article 14(1) of the Constitution of Pakistan, which declares that "the dignity of man and, subject to law, the privacy of home, shall be inviolable." Privacy is therefore a fundamental right, and the superior courts have read it to cover personal dignity and, increasingly, personal information.
The catch is enforcement. There is no dedicated privacy regulator to complain to, so vindicating Article 14 usually means filing a constitutional petition or a civil suit - a slow and costly route. For most people whose data is mishandled by a private company, the practical remedy today runs through the criminal law instead.
What PECA 2016 protects
The Prevention of Electronic Crimes Act, 2016 (PECA) is the workhorse of digital privacy protection in Pakistan. It is a criminal statute - it does not tell companies how to process data, but it punishes specific forms of data abuse. The key offences and their penalties are set out below.
| PECA offence | What it covers | Maximum penalty |
|---|---|---|
| Section 3 | Unauthorised access to a data or information system | 3 months / PKR 50,000 |
| Section 4 | Unauthorised copying or transmission of data | 6 months / PKR 100,000 |
| Section 5 | Interference with data or an information system | 2 years / PKR 500,000 |
| Section 16 | Unauthorised use of identity information | 3 years / PKR 5 million |
| Section 21 | Offences against the dignity / privacy of a person (including non-consensual intimate images) | Up to 5 years / PKR 5 million |
PECA also protects the confidentiality of information: a service provider or other person who transfers someone's personal or sensitive data without consent, except where required by law, can face imprisonment and a fine. Sections 21 and 22 offences are non-bailable and cognizable, reflecting how seriously the law treats intimate-image and modesty offences.
Note: PECA was significantly amended in January 2025. The amendment transferred cybercrime investigation from the FIA to a new National Cyber Crime Investigation Agency (NCCIA) and added content-related offences. The changes have drawn strong criticism from human rights bodies over their impact on free expression - but the data-abuse offences above remain the main tools for privacy complaints.
The draft Personal Data Protection Bill
To fill the gap, the Ministry of Information Technology and Telecommunication (MoITT) has drafted a Personal Data Protection Bill - the most discussed version being the 2023 draft, later revised. It was introduced in the Senate and approved in principle by the federal Cabinet, but as of 2026 it has not been passed into law. If enacted, it would be Pakistan's first modern, GDPR-style privacy framework. Its headline features include:
- A regulator: a National Commission for Personal Data Protection (NCPDP) to receive complaints, supervise compliance and impose penalties.
- Consent: organisations would generally need your consent to process personal data, and could not use it for a new purpose without telling you.
- Data subject rights: the right to access your data, correct it, and have it erased once the purpose is exhausted or you withdraw consent.
- Breach notification and security duties for data controllers and processors.
- Cross-border rules, with special treatment for "critical personal data" that may need to stay in Pakistan.
- Heavy fines - drafts have proposed penalties running into millions of US dollars for unlawful processing.
Until it is enacted, none of these rights are legally enforceable. Treat the Bill as a signal of where the law is heading, not as protection you can rely on today.
Your rights now vs the proposed law
It helps to see clearly what you can and cannot demand under the current framework:
| Right | Today (current law) | Under the draft Bill |
|---|---|---|
| Consent before processing | Limited - no general rule | Yes, as a default |
| Access / correct your data | No general statutory right | Yes |
| Erasure ("right to be forgotten") | No | Yes, on conditions |
| Complain to a regulator | No dedicated regulator | Yes - the NCPDP |
| Criminal action for data abuse | Yes - PECA 2016 | Yes, plus fines |
How to report data misuse
If your data has been hacked, leaked, sold or your identity misused, you can act now under PECA. Practical steps:
- Preserve the evidence: screenshots, URLs, messages, transaction records and dates. Do not delete anything. See our guide on using digital evidence in Pakistani courts.
- File a complaint with the NCCIA, which now handles cybercrime investigation, either in person at a regional office or through its online complaint portal.
- Report harassment or intimate-image abuse without delay - these Section 21 offences are treated seriously. Our cyber harassment reporting guide walks through the process.
- Consider a civil or constitutional claim where a company or public body has breached your privacy, and get legal advice on the strongest route.
Because the framework is fragmented and fees and timelines vary, it is worth speaking to a lawyer before you file. Our team can assess which law fits your facts and draft the complaint properly - book a consultation or browse the legal forms library.
Frequently asked questions
Is there a data privacy law in Pakistan?
Not a single comprehensive one. Privacy is protected through Article 14 of the Constitution, PECA 2016 offences and the Electronic Transactions Ordinance 2002. A dedicated Personal Data Protection Bill is drafted but not yet enacted.
Does the Constitution protect my privacy?
Yes - Article 14(1) makes the dignity of man and the privacy of home inviolable. It is a fundamental right, but there is no privacy regulator, so enforcement is usually through the courts.
What can I do if my data is leaked?
Preserve the evidence and file a complaint with the NCCIA under the relevant PECA sections. You may also pursue a civil or constitutional claim for breach of privacy.
When will the Personal Data Protection Bill become law?
There is no confirmed date. It has been approved in principle but not passed by Parliament, and successive drafts have stalled for years.
Can a company sell my CNIC or phone number legally?
Transferring personal or sensitive data without consent can be an offence under PECA. There is no general statutory consent regime yet, which is exactly the gap the draft Bill aims to close.