PAKISTAN Law and Practice Contributed by: Saifullah Khan and Saeed Hasan Khan, S.U.Khan Associates
be challenged before the banking muhtasib (banking ombudsman). Once an investigation is initiated and the relevant law is applied, administrative fines are imposed in accordance with the provisions of the respec - tive laws that define the offence and prescribe the corresponding fines or penalties. 1.4 Data Protection Fines in Practice As of January 2025, there are no publicly report - ed cases of administrative fines having been issued in Pakistan specifically for breaches of individual privacy rights. The Draft Bill, howev - er, provides for fines of up to USD2 million for unlawful processing of personal data. 1.5 AI Regulation In 2023, under the Digital Pakistan Vision, the Ministry of Information Technology and Tele - communication issued the Draft National Arti - ficial Intelligence Policy (the “Policy”). In order to accelerate socio-economic adoption, this policy looks towards adapting legal and regu - latory frameworks needed to ensure safe and secure data-sharing mechanisms, considering international best practices. In September 2024, the Regulation of Artificial Intelligence Act, 2024 was introduced in the Senate of Pakistan, aiming to regulate artificial intelligence (AI) in the country – though this is yet to be passed. The draft of this Act is pend - ing with the standing committee on information technology and telecommunication. 1.6 Interplay Between AI and Data Protection Regulations The Policy aims to establish an Al Regulatory Directorate (ARD) under the NCPDP; this is to be established under the PDPL Draft Bill 2023. The ARD shall monitor technological development
and commercial practices from a data privacy perspective. The ARD shall be responsible for the following: • encouraging innovation in personal data protection through research and regulatory measures; • assessing AI-driven automated functions and data processing; • implementing policies and regulatory best practices with stakeholder consultation; • using a sandbox approach to regulate unique AI algorithms and programs; • defining regulatory functions for digital trust at the data creation and processing levels; • monitoring AI-driven operations, especially AI agents acting as data controllers/proces - sors that may affect the rules and regulations under the PDPA; • providing advisory services for compliance with PDPA regulations; • addressing direct issues (eg, AI in healthcare), indirect issues (eg, intellectual property) and relevant AI applications in sectors such as education and urban planning; • creating guidelines for data sharing, empha - sising obligations for receivers and elevating government policies to mandatory standards; • regulating data-sharing agreements at an international level; • incentivising AI adoption among local busi - nesses and supporting AI-based start-ups via funds and incubation centres; • ensuring fairness, data privacy, ethical control and algorithmic accountability; • guaranteeing user rights for managing their data used in AI systems; and • defining clear responsibilities among users, deploying organisations and manufacturers.
336 CHAMBERS.COM
Powered by FlippingBook