Data Privacy in Pakistan Without a PDP Act (2026 Legal Guide) — Rules & Requirements
About this article
Reviewed by the Commoner Law editorial team. Sources: pakistancode.gov.pk, Punjab/Sindh/KP/Balochistan provincial codes, Supreme Court of Pakistan, FBR, EOBI, SBP, NEPRA, OGRA, PMDC, FIA, and provincial Healthcare Commissions. Provincial variations cite Punjab/Sindh/KP/Balochistan Acts and ICT-specific ordinances. Written in plain English with everyday Urdu legal terms (FIR, qabza, khula, NTN, CNIC) for a general audience — this is educational content, not legal advice. Our editorial standards
What is this right?
Pakistan does not yet have a general data protection statute. Successive drafts of a Personal Data Protection Bill — most recently the draft Personal Data Protection Act 2025, and before it the 2023 draft — have not been passed into law. Until they are, there is no statutory right to access, port, or erase personal data held about you by a private company in Pakistan.
What does protect you, sector by sector: PECA 2016 creates criminal offences for unauthorised access (§14), unauthorised copying or transmission (§16), and identity-information offences (§19). The Pakistan Telecommunication (Re-organisation) Act 1996 §54 makes interception of telecommunications lawful only on authorised order — telecom operators cannot intercept or disclose your calls or messages outside that frame. The Banking Companies Ordinance 1962 imposes statutory banking confidentiality on banks operating in Pakistan. Article 14 of the Constitution protects the dignity of the person and (subject to law) the privacy of home; Article 4 protects the right of every citizen to be dealt with in accordance with law. Constitutional petitions to the High Courts under Article 199 have been used to enforce data and privacy claims in specific cases — but the path is slow and case-by-case, not a general data-rights regime.
When does it apply?
- A company in Pakistan holds personal data about you (CNIC scan, address, biometrics, contact history) and refuses to disclose what it holds, correct an error, or delete it.
- A bank, telecom operator, or insurer has disclosed your personal information to a third party without your authorisation.
- A SIM was issued in your name without your consent (biometric verification was bypassed or faked).
- Your CNIC, NTN, or other identity data is being used by a third party for fraud, account-opening, or a fake identity.
- A previous employer, school, or business is refusing to delete records you believe should be removed.
Protecting Your Data Without a Pakistan Data Protection Act
- Start with the operator's internal complaint channel. Even without a general data-protection statute, regulated sectors (banks under SBP, telecom under PTA, insurance under SECP) require operators to maintain internal grievance procedures. File a written complaint with the operator demanding the action and citing the relevant sectoral rules.
- For banking data, file with the bank's Consumer Grievance Handling Mechanism (CGHM), then escalate to Banking Mohtasib Pakistan within 45 days. Banking Companies Ordinance 1962 imposes banking secrecy; Banking Mohtasib resolves the dispute for free under FOIRA 2013. The order is binding on the bank if no representation is filed within 30 days.
- For telecom data and SIM-related issues, file at PTA. Pakistan Telecommunication Authority complaint portal: complaint.pta.gov.pk. PTA has operational power over telecom operators under the PTA Act 1996. Helpline: 0800-55055.
- For identity-data misuse, file at NCCIA under PECA §19 (offences against information system, including identity-information offences) and at NADRA where the CNIC itself is being misused. NADRA HQ in Islamabad handles identity-record corrections through its Customer Facilitation Centres.
- If the misuse is by a Pakistani public-sector body and no other route works, file a constitutional petition under Article 199 of the Constitution in the relevant High Court. Article 14 (dignity, privacy of home) and Article 4 (right to be dealt with according to law) are the available constitutional hooks. Article 199 petitions are not a general data-rights remedy but they are the residual channel where statutory routes don't exist.
- For ongoing data exposure (a published data leak, a website actively hosting your data), file at NCCIA under PECA §16 (unauthorised copying or transmission) and at PTA for content blocking. The criminal route runs in parallel with the takedown route.
What should you NOT do?
- Don't assume Pakistan has GDPR or DPDP-style rights. The Personal Data Protection Bill is not yet law. There is no statutory subject access request, no erasure right, and no portability right enforceable against a private Pakistani company in general terms.
- Don't pay a 'data removal' service. The sectoral routes (SBP / Banking Mohtasib for banks, PTA for telecoms, NCCIA for cyber offences) are free. Anyone charging an upfront fee to remove personal data is operating in the absence of a statutory regime — most are scams.
- Don't expect a constitutional petition to be a quick remedy. Article 199 High Court constitutional petitions are powerful but slow and case-by-case. Use them where the statutory route is closed.
- Don't share OTPs, biometrics, or CNIC scans more than necessary. Pakistan's data-rights regime is thin; the strongest privacy protection is restraint at the source.
About Data Privacy & Digital Rights in Pakistan
Pakistan does not yet have a general data protection law. The Personal Data Protection Bill — most recently in circulation as the draft Personal Data Protection Act 2025 — remains in Parliament and is not enforced. In its absence, your digital-rights protections come from scattered statutes: the Prevention of Electronic Crimes Act 2016 (cyberstalking §24, modesty offences §21, dignity offences §20, child pornography §22, spoofing §26); the Pakistan Telecommunication (Re-organisation) Act 1996 (telecom secrecy); the Banking Companies Ordinance 1962 (banking confidentiality); and Article 14 of the Constitution (dignity of person, privacy of home).
For non-consensual intimate imagery (NCII), 'deepfake' sexual content, or sextortion, the criminal path runs through the NCCIA under PECA §§ 21 and 24 — and victims should also use StopNCII.org in parallel. StopNCII generates a hash of the image on your device and shares the hash with participating platforms so they can detect and remove uploads; the actual image never leaves your device. The service is available in Urdu and requires the depicted person to be 18+ at the time the image was taken. For minors, use takeitdown.ncmec.org instead.
Frequently asked questions
Is the Personal Data Protection Bill in force?
No. As of 2026-05-23 the draft Personal Data Protection Act 2025 has not been passed by Parliament. Successive versions of the bill — including the 2023 draft and earlier drafts going back to 2005 — have not become law. Until the bill is enacted, Pakistan has no general statutory right of access, erasure, or portability of personal data.
Can I file a subject access request in Pakistan?
There is no general statutory subject access right of the GDPR / DPDP shape. You can file written information requests with regulated sectoral operators (banks, telecoms, insurers) under the operator's internal grievance procedure, and escalate to the sectoral regulator (Banking Mohtasib for banks, PTA for telecoms, SECP for insurers) where the operator refuses. For public-sector bodies, the federal Right of Access to Information Act 2017 and provincial RTI Acts provide a route to records held by government departments.
How is banking confidentiality protected?
Banking Companies Ordinance 1962 imposes statutory confidentiality obligations on banks operating in Pakistan. Disclosure outside the limited statutory and lawful-process exceptions is a breach. The Banking Mohtasib resolves disputes for free under the Federal Ombudsmen Institutional Reforms Act 2013; orders are binding on the bank if no representation is filed within 30 days.
What constitutional remedy is available?
Article 199 of the Constitution gives the High Courts power to issue writs (including habeas corpus and certiorari) against public bodies. Article 14 (dignity and privacy of home) and Article 4 (right to be dealt with according to law) are the substantive hooks for privacy-style claims. The remedy is slow and case-by-case — and against private companies the constitutional route is less direct. Use Article 199 where the statutory route is closed.
What is the what protects your data without a personal data protection act right in Pakistan?
Pakistan does not yet have a general data protection statute. Successive drafts of a Personal Data Protection Bill — most recently the draft Personal Data Protection Act 2025, and before it the 2023 draft — have not been passed into law. Until they are, there is no statutory right to access, port, or erase personal data held about you by a private company in Pakistan.What does protect you, sector by sector: PECA 2016 creates criminal offences for unauthorised access (§14), unauthorised copying or transmission (§16), and identity-information offences (§19). The Pakistan Telecommunication...
When does what protects your data without a personal data protection act apply?
A company in Pakistan holds personal data about you (CNIC scan, address, biometrics, contact history) and refuses to disclose what it holds, correct an error, or delete it.A bank, telecom operator, or insurer has disclosed your personal information to a third party without your authorisation.A SIM was issued in your name without your consent (biometric verification was bypassed or faked).Your CNIC, NTN, or other identity data is being used by a third party for fraud, account-opening, or a fake identity.A previous employer, school, or business is refusing to delete records you believe should...
Does Pakistan have a data protection law I can use?
Start with the operator's internal complaint channel. Even without a general data-protection statute, regulated sectors (banks under SBP, telecom under PTA, insurance under SECP) require operators to maintain internal grievance procedures. File a written complaint with the operator demanding the action and citing the relevant sectoral rules.For banking data, file with the bank's Consumer Grievance Handling Mechanism (CGHM), then escalate to Banking Mohtasib Pakistan within 45 days. Banking Companies Ordinance 1962 imposes banking secrecy; Banking Mohtasib resolves the dispute for free under...
What mistakes should I avoid with what protects your data without a personal data protection act?
Don't assume Pakistan has GDPR or DPDP-style rights. The Personal Data Protection Bill is not yet law. There is no statutory subject access request, no erasure right, and no portability right enforceable against a private Pakistani company in general terms.Don't pay a 'data removal' service. The sectoral routes (SBP / Banking Mohtasib for banks, PTA for telecoms, NCCIA for cyber offences) are free. Anyone charging an upfront fee to remove personal data is operating in the absence of a statutory regime — most are scams.Don't expect a constitutional petition to be a quick remedy. Article 199...