Pakistan Personal Data Protection Bill (PDPB 2023) + PECA 2016: AI Compliance Requirements

Pakistan's Personal Data Protection Bill (PDPB 2023) is pending final Senate passage as of 2024 but is being enforced through existing PECA 2016 (Prevention of Electronic Crimes Act) provisions by the PTA (Pakistan Telecommunication Authority) and FIA (Federal Investigation Agency). Organizations operating in Pakistan or processing data of Pakistani residents face existing PECA obligations and must prepare for full PDPB enforcement. Pakistan has the world's 5th-largest internet user base (~125M users), making it a significant market for AI services.

Key Facts

Effective Date

January 1, 2023

Enforcement Begins

January 1, 2025

Maximum Penalty

PECA 2016: PKR 10,000,000 (~$35,000 USD) and up to 7 years imprisonment. PDPB 2023 (proposed): PKR 25,000,000 (~$89,000 USD) for organizations.

What Your Business Must Do

4 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

Consent and Privacy Notice Requirements

Critical

PDPB 2023 Chapter 3 requires data fiduciaries to obtain informed consent before processing personal data and provide a clear privacy notice describing: identity of controller, purposes of processing, AI automated decision-making, data subject rights, and cross-border transfer information. Notices must be available in English and Urdu for Pakistani residents.

Data Principal Rights and Grievance Mechanism

Critical

PDPB 2023 Chapter 5 grants Pakistani residents rights to access, correct, erase, and port personal data. AI automated decisions must be explainable and subject to human review. Organizations must designate a Data Protection Officer (DPO) for large-scale processing. A grievance redressal mechanism must be operational within 30 days of a complaint.

PECA 2016 Data and AI Compliance

High Priority

PECA 2016 Sections 9-21 govern unauthorized access, data damage, and electronic fraud. AI systems deployed in Pakistan must ensure they do not inadvertently facilitate data theft, unauthorized profiling, or privacy violations under PECA. PTA has authority to block non-compliant digital services. AI systems in telecom, fintech, and media must obtain PTA pre-approval for deployment.

Data Localization for Sensitive Categories

High Priority

PDPB 2023 proposes mandatory data localization for sensitive personal data categories (health, financial, biometric, government ID) of Pakistani nationals. Cloud AI services processing such data must store primary copies on Pakistan-based servers. International transfers require PDPC approval or standard contractual clauses.

Frequently Asked Questions

Does Pakistan Personal Data Protection Bill (PDPB 2023) + PECA 2016 apply to my business?

Pakistan's Personal Data Protection Bill (PDPB 2023) is pending final Senate passage as of 2024 but is being enforced through existing PECA 2016 (Prevention of Electronic Crimes Act) provisions by the PTA (Pakistan Telecommunication Authority) and FI. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under Pakistan Personal Data Protection Bill (PDPB 2023) + PECA 2016 is: PECA 2016: PKR 10,000,000 (~$35,000 USD) and up to 7 years imprisonment. PDPB 2023 (proposed): PKR 25,000,000 (~$89,000 USD) for organizations. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Pakistan Personal Data Protection Bill (PDPB 2023) + PECA 2016?

The 4 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://moitt.gov.pk/personal-data-protection-bill

Last updated: 2026-04-14 — verify at source before relying on this information.
