Data breaches and noncompliance with data privacy laws may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective roles in the chain of personal data processing.
The Prevention of Electronic Crimes Act 2016 (Act No. XL of 2016) addresses crimes relating to unauthorized access to data.
Individuals who intentionally gain unauthorized access to data or an information system may be imprisoned for up to 3 months and/or fined up to 50,000 PKR. Individuals who intentionally make unauthorized copies or unauthorized transmission of any data may be imprisoned for up to 6 months and/or fined up to 100,000 PKR. Individuals who intentionally gain unauthorized access to critical infrastructure information systems or data may be imprisoned for up to 3 years and/or fined up to 1,000,000 PKR. Individuals who intentionally make unauthorized copies or unauthorized transmission of any critical infrastructure data may be imprisoned for up to 5 years and/or fined up to 5,000,000 PKR. Individuals who interfere with critical infrastructure information systems or data may be imprisoned for up to 7 years and/or fined up to 10,000,000 PKR.
There are also penalties for the unauthorized use of identity information, which can include imprisonment of up to 3 years and/or a fine of up to 5,000,000 PKR. Individuals who intentionally and publicly exhibit, display or transmit information through an information system that is known to be false and that intimidates or harms the reputation or privacy of an individual may be imprisoned for up to 3 years and/or fined up to 1,000,000 PKR.