INTRODUCTION

The Prevention of Electronic Crimes Act 2016 or more commonly known as the PECA presently appears to be Pakistan’s answer to all things related to the internet and cyber space. In an era where digital technology permeates every aspect of life, the rise of cybercrime presents a significant challenge for governments worldwide. Pakistan addressed this growing concern by enacting the PECA. The law was introduced to provide a legal framework for combating cyber threats, protecting citizens online, and regulating digital space.

PECA was designed to tackle a wide range of cyber-related offenses. These include:

  • Cyberstalking and harassment
  • Hacking and unauthorized access to data
  • Cyber terrorism and hate speech
  • Child pornography
  • Online impersonation and defamation
  • Electronic fraud and identity theft

 DATA PROTECTION NOT COVERED UNDER PECA

PECA is primarily a criminal law — it focuses on punishing offenses like hacking, cyberstalking, or hate speech, rather than establishing comprehensive data protection standards. It lacks:

  • A framework for data privacy rights.
  • Obligations for data handlers (both public and private) to secure user data.
  • Mechanisms for individuals to control how their data is collected, processed, or shared.

Without proactive requirements, the law remains reactive — addressing breaches after they happen rather than preventing them.

THE PERSONAL DATA PRORECTION BILL 2023

The Personal Data Protection Bill 2023 (PDPB) as opposed to the PECA is a regulatory law. PECA being a criminal law is a reactive law not a preventive law. Regulatory law works towards prevention rather than reaction and that is precisely why regulatory law as opposed to criminal law is better suited to governing data protection and preventing data breaches.

PECA is more about punishing cybercrimes, while the PDPB is about regulating data use and protecting privacy. PECA often deals with offensive content and digital threats, whereas the PDPB is about rights, consent, and ethical data use.

The PDPB focuses on:

  • Creation of the data protection authority
  • Concept of consent and the power to withdraw the same
  • Data processing and localization
  • Data breach notification
  • Cross border data transfers
  • Data Controllers

CONCLUSION

In an increasingly digital world, where personal information is constantly being collected, shared, and stored, the PDPB is a necessary and overdue step toward protecting the privacy and rights of Pakistani citizens. Without a clear legal framework, individuals remain vulnerable to data breaches, identity theft, unauthorized surveillance, and corporate misuse of their personal information. The bill not only empowers individuals with greater control over their data but also sets standards for how public and private entities must handle personal information responsibly. As digital economies grow and global data regulations tighten, Pakistan needs this legislation to build public trust, attract international investment, and safeguard its digital sovereignty. Properly implemented, this bill can lay the foundation for a secure, transparent, and rights-based digital future.

While the Prevention of Electronic Crimes Act (PECA) addresses critical issues like cybercrime, online harassment, and digital offenses, it is not a comprehensive solution for data protection. PECA primarily focuses on punitive actions against cybercrimes and the regulation of online behavior, but it lacks the framework necessary to protect individual privacy and regulate the collection, processing, and storage of personal data. Unlike a data protection law, PECA does not offer citizens explicit rights over their personal data, such as the right to access, consent to, or request the deletion of their data. Furthermore, PECA does not establish clear obligations for organizations on how to handle sensitive data securely. As a result, while PECA is essential for ensuring online safety and preventing electronic crimes, it falls short of the detailed, privacy-centric protections needed in the digital age. Thus, a dedicated data protection law is critical to safeguard individuals’ data privacy rights and ensure responsible data handling by both public and private entities.

More from Yousaf Amanat & Associates