
The digital era has transformed societies worldwide, revolutionizing economies, governance, and personal interactions. As technology becomes an integral part of daily life, legislation must address emerging digital threats and challenges.

Cybersecurity threats, data privacy concerns, digital fraud, misinformation, and ethical dilemmas surrounding artificial intelligence are among the critical challenges of this evolving environment.

Governments all over the world have introduced comprehensive legislative frameworks to safeguard citizens, ensure responsible data usage, and foster digital economies.

The recently enacted Digital Nation Pakistan Act, 2025 (hereinafter, “the Act”) aims to establish a secure and inclusive digital society, yet its provisions require careful scrutiny, particularly when compared with the European Union’s General Data Protection Regulation (GDPR) (2016/679) and various U.S. data protection laws, such as the California Consumer Privacy Act (CCPA) and the New York SHIELD Act.

The Act introduces several key aspects related to digital governance, data exchange, and digital identity. It emphasizes the creation of a National Digital Commission and the Pakistan Digital Authority, to oversee digital transformation initiatives and regulate data governance policies.

The Act defines ‘data governance’ as the set of processes ensuring effective management and security of data.

The Act introduces a Data Exchange Layer, a framework enabling standardized data sharing between government and private enterprises while ensuring security, integrity, and accessibility.

However, as the Act does not explicitly define user rights, there are concerns about personal data protection and the potential misuse of sensitive information by government and private entities.

Unlike GDPR, which provides a clear framework for consent-based data collection, Pakistan’s legislation lacks explicit provisions requiring informed user consent for data processing, creating room for ambiguity in implementation. It is pertinent to mention that, to date, Pakistan has not enacted a personal data protection law.

GDPR, which became enforceable on May 25, 2018, is a comprehensive regulation that grants individuals significant control over their personal data. It mandates strict consent mechanisms, data processing principles, and cross-border transfer regulations. Additionally, it grants rights such as access, rectification, data portability, and the right to be forgotten, empowering individuals to manage their data proactively.

On the contrary, the United States has a fragmented data protection framework, relying on state-level laws such as the CCPA and the New York SHIELD Act.

The CCPA gives consumers rights to access, delete, and opt out of the sale of their personal information, while the SHIELD Act enforces security measures for businesses handling sensitive personal data. The Act lacks similarly detailed user rights, making it less protective of individual privacy compared to GDPR and state-level US laws.

A key component of Pakistan’s legislation is digital identity governance, which assigns the issuance and management of digital identities to the National Database and Registration Authority (NADRA). While a centralized digital identity system can streamline service delivery, it also raises risks to privacy and data security, and of misuse by state actors. Under Article 25, GDPR mandates data minimization and privacy-by-design principles, ensuring that data collection is proportionate, necessary, and secure.

The Act does not impose similarly stringent obligations on data controllers, making it vulnerable to potential breaches and unauthorized access. Unlike the Illinois Biometric Information Privacy Act (BIPA) in the US, which requires explicit consent for biometric data collection, Pakistan’s law does not establish clear safeguards for biometric data protection.

The Act is ambiguous about cross-border data transfer regulations. GDPR’s Article 45 states that data transfers outside the EU can only occur if the receiving country has adequate data protection measures in place.

In contrast, the Act does not provide clear stipulations on international data transfers, exposing Pakistani users to potential risks when their data is shared with foreign entities. The lack of well-defined data localization requirements and restrictions on data sharing can lead to concerns about foreign surveillance, data breaches, and commercial exploitation.

Cybersecurity is another important element missing from the Act. In the US, the Cybersecurity Information Sharing Act (CISA, 2015) and the New York SHIELD Act enforce mandatory security frameworks, breach reporting requirements, and penalties for non-compliance.

The EU’s NIS Directive (2016/1148) requires organizations in critical sectors to implement cybersecurity measures and report security incidents. The Act does not impose mandatory breach notification requirements or security compliance standards, leaving data holders uncertain about their obligations in case of cyberattacks.

Another significant gap in the Act is its failure to mandate anonymization and pseudonymization techniques, which are strongly emphasized in GDPR’s Article 25. These techniques reduce the risk of data breaches by ensuring that stored personal data cannot be directly linked to an individual.

Without such provisions, Pakistan’s legislation remains weaker in terms of data protection and privacy safeguards.

Several enhancements are necessary for improving the Act. User rights should be strengthened by introducing clear provisions that grant individuals the right to access, rectify, delete, and restrict processing of their personal data.

Similarly, mandatory encryption, data anonymization, and breach notification protocols should be incorporated to further strengthen cybersecurity.

Regulations for cross-border data transfers should be established, ensuring that personal data is not transferred to countries with inadequate protection measures. Sensitive data classifications should be introduced, imposing stricter regulations on health, financial, and biometric data.

Additionally, the creation of an independent Data Protection Authority could help monitor compliance and enforce penalties for violations. Algorithmic transparency should also be mandated to prevent AI-driven discrimination and biases in automated decision-making systems.

Another important improvement would be the incorporation of clear penalties for data breaches and non-compliance. GDPR imposes fines of up to €20 million or 4% of a company’s global revenue, which acts as a strong deterrent against negligence in data protection. The Act, however, does not specify strict penalties for companies that mishandle personal data.

The government should encourage stakeholder consultations, allowing businesses, civil society, and digital rights advocates to contribute to refining the Act before its full implementation. Public engagement is essential to ensuring that privacy concerns, cybersecurity risks, and economic considerations are adequately addressed.

If the federal government is interested in digital reforms, it must adopt international best practices to protect its citizens from emerging cyber threats. The regulations should be adaptive and forward-looking, incorporating protections against AI bias, automated surveillance, misinformation, and deep-fake technologies.

The Act should also support privacy-enhancing technologies such as zero-knowledge proofs, secure multi-party computation, and differential privacy techniques, which are gaining traction globally as effective mechanisms for safeguarding data.

The Act represents a bold initiative for Pakistan’s digital transformation, but it requires substantial refinements to align with global data protection standards. Strengthening user rights, implementing rigorous cybersecurity measures, regulating data transfers, and ensuring independent oversight are necessary steps toward building a secure and privacy-respecting digital ecosystem.

The world is rapidly advancing in terms of data protection laws, and Pakistan must ensure that its regulatory framework does not fall behind.

Copyright Business Recorder, 2025

Huzaima Bukhari

The writer, MA, LLB, Advocate High Court, Visiting Faculty at Lahore University of Management Sciences (LUMS), member Advisory Board and Visiting Senior Fellow of Pakistan Institute of Development Economics (PIDE), is the author of numerous books and articles on Pakistani tax laws. She is editor of Taxation and partner of Huzaima & Ikram. From 1984 to 2003, she was associated with Civil Services of Pakistan.

Dr Ikramul Haq

The writer is Advocate Supreme Court and specializes in constitutional, corporate, media and cyber laws, ML/CFT, IT, intellectual property, arbitration and international taxation. He studied journalism, English literature and law. He holds an LLD in tax laws with specialization in transfer pricing. He was a full-time journalist from 1979 to 1984 with Viewpoint and Dawn. He served Civil Services of Pakistan from 1984 to 1996.

Abdul Rauf Shakoori

The writer is a corporate lawyer based in the US with extensive expertise in financial regulations, including Virtual Asset Service Providers (VASPs), corporate governance, and global economic policies. He holds an LLM from Washington University in St. Louis and has completed the Management Development Program at the Wharton School. He has developed regulatory frameworks for North American and South American Financial Institutions and has consulted and trained bureaucrats of different regions. He can be reached at [email protected]
