There are no laws or codes of conduct that regulate the metaverse in Pakistan. Prior to developing any significant laws that regulate or apply to the metaverse, it will be important for the general public and the legislature to be educated on what the metaverse is and the necessity of its regulation. Most laws in Pakistan will need to be revised/amended to apply to the metaverse.

Pakistan does not have any general laws or regulations that cover the umbrella term digital economy. The Ministry of IT & Telecom has issued a Digital Pakistan Policy in 2018 to enable the acceleration of a digitised ecosystem for expansion of a knowledge-based economy and to spur economic growth. The Digital Pakistan Policy represents a vision with objectives to have a holistic digital strategy, have sectorial digitalisation, enhance e-commerce, empower youth, promote innovation and entrepreneurship in the IT sector, increase software exports, increase foreign – domestic investment and reduce barriers for disabled persons to have online access and standardisation, among others. This policy document is not law but guides relevant departments for future development in this area.

Digital banking, an element of the digital economy, is one sector that has seen development. Developing the e-commerce industry has also been of keen interest to the government of Pakistan in recent times. Pakistan remains sceptical of cryptocurrencies, which are now an integral part of the digital economy in certain jurisdictions.

Digital Banking

The regulator for banks in Pakistan is the State Bank of Pakistan (SBP). The SBP has, under the relevant provisions of the Banking Companies Ordinance 1962, issued the Licensing and Regulatory Framework for Digital Banks, in January 2022.

A “digital bank” has been defined as a bank which offers all kinds of financial products and services primarily through digital platforms or electronic channels instead of physical branches.

Under this framework, SBP may grant two types of digital bank licences:

• Digital Retail Bank (DRB), which will provide financial solutions to retail customers; and
• Digital Full Bank (DFB), which may provide financial solutions to retail customers as well as business and corporate entities.

The following will be eligible to form and seek a licence for a proposed digital bank.

• A traditional bank with a minimum of one year of experience of delivering digital financial services (DFS) in the retail customer segments may apply either individually or with other equity participants. However, the SBP may advise an extended period of experience if the traditional bank’s performance is not considered satisfactory by the SBP.

• An international bank or international DFS entity with a successful track record of a minimum of three years of delivering DFS in the retail customer segments may apply either individually or with other equity participants.
• An Electronic Money Institution (EMI) seeking conversion into a digital bank with a minimum of one year of experience of delivering DFS in the retail customer segments. However, the SBP may advise an extended period of experience if the EMI’s performance is not considered satisfactory by the SBP. Further, the pilot phase operation period of an EMI may be counted towards the one year operations requirement for an EMI seeking to transform into a digital bank.
• Those holding majority stake in or exercising control over an MFB, EMI, international bank or international DFS entity with a successful track record of a minimum of three years of delivering DFS in the retail customer segments may apply either individually or with other equity participants.
• Any other person with a minimum of three years of experience in the financial services, financial technology, telecommunication, merchant aggregation technology platforms, information communication technology (ICT), or other pertinent digital or innovative financial and non-financial domains, when applying to form a digital bank with a minimum of 5% equity in the proposed digital bank, either individually or preferably with at least one of the individuals or entities listed in sub-clause (a), (b) and (d) being a minimum 5% equity participant in the proposed digital bank.

The digital banking regime is not, however, immediately effective – the application process will be followed by a no objection certificate, an in-principle approval, demonstration of operational readiness by prospective licensees, and thereafter a grant of a restricted licence to commence pilot operations before grant of licence to commence commercial operations. The length of time needed to obtain a licence varies according to the fulfilment of each specified criteria.

The SBP in its press release dated 13 January 2023 confirmed that it has issued no-objection certificates (NOC) to five applicants for establishing digital banks in the country, namely:

• Easy Paisa DB (Telenor Pakistan B V & Ali Pay Holding Ltd);
• Hugo Bank (Getz Bros & Co, Atlas Consolidated Pte Ltd and M & P Pakistan Pvt Ltd);
• KT Bank (Kuda Technologies Ltd, Fatima Fertilizer Ltd and City School Pvt Ltd);
• Mashreq Bank (Mashreq Bank UAE); and
• Ragami (Kuwait Investment Authority through PKIC and Enertech Holding Co).

These are the first NOCs that have been issued by the SBP for digital banks after a thorough and rigorous assessment process as per the requirements of the framework; they will now enter the next stages mentioned above for grant of licence.

E-Commerce

There is currently no sector-specific legislation applicable to the operation of e-commerce businesses in Pakistan. E-commerce operations in Pakistan are largely governed by existing laws and regulations on general commerce. The government of Pakistan published the e-Commerce Policy of Pakistan, October 2019 (Policy) with a vision to enable an environment for holistic growth of e-commerce across all sectors of Pakistan. A policy document of such nature is not law in Pakistan. As such, this policy only acts as guidance to various government departments and entities for the future development of e-commerce operations in Pakistan.

For the purposes of the foregoing, “e-commerce” includes the buying and selling of goods or services including digital products through electronic transactions conducted via the internet or other computer-mediated (online communications network).

The policy aims to address challenges faced in the following areas:

• e-Commerce regulatory and facilitation environment;
• financial inclusion and digitisation through payment infrastructure development;
• SMEs and youth empowerment through e-commerce;
• consumer protection in a digital environment;
• taxation on e-commerce activities;
• ICT sector and telecoms services in Pakistan;
• logistics for e-commerce platforms;
• data protection and investment; and
• global connectivity and multilateral negotiations.

Digital Currencies

Under BPRD Circular No 3 of 2018 (Circular), the SBP has prohibited the banks and financial institutions it regulates from enabling persons in Pakistan to deal in cryptocurrencies. While proceedings seeking issuance of a direction of appropriate nature so as to nullify the Circular and the implementation of a regulatory framework regarding crypto-assets and crypto mining in Pakistan are pending adjudication, the Federal Investigation Agency (FIA) has launched a crackdown on cryptocurrency dealers and has written a letter to the Pakistan Telecommunication Authority (PTA) to shut down 1,600 websites for this purpose, in view of the fact that millions have been purportedly embezzled from Pakistani citizens in digital currency fraud. Apart from shutting down these websites, the FIA has also sought the PTA’s assistance in taking action against the people running these websites.

The SBP is now undertaking a detailed cost and benefit analysis on launching its own digital currency, known as the Central Bank Digital Currency (CBDC). CBDCS are digital tokens, similar to cryptocurrency, and are the digital form of a country’s fiat currency. However, unlike cryptocurrency, a CBDC is issued and regulated by a nation’s monetary authority or central bank. The SBP intends to launch a Quick Response (QR) Code-based Person-to-Merchant (P2M) system in the recent future to enable merchants and small businesses to receive instant payments from their customers.

Separate to the above, the SBP has also promulgated the Regulations for Electronic Money Institutions (EMIs), with the aim of promoting new technological innovations to enable the non-banking sector to deliver innovative and efficient payment services to consumers at lower costs. These regulations are primarily aimed at removing entry barriers for non-banking entities by providing them a guiding as well as an enabling regulatory framework for the establishment and operations of EMIs in Pakistan. These regulations also address potential risks in order to ensure consumer protection in line the legal framework of the country while promoting digital payments and financial inclusion.

The regulations apply to EMIs, defined as nonbanking entities duly authorised to issue means of payments in the form of “electronic money”. Electronic money is the monetary value as represented by a claim on the issuer which is stored in an electronic, including a magnetic device or payment instrument, issued on receipt of funds of an amount not less in value than the monetary value issued, accepted as means of payment by undertakings other than the issuer and including electronic store of monetary value on an electronic device that may be used for making payments or may be prescribed by the SBP.

The SBP may grant an EMI licence in three stages, subject to compliance of the EMI Regulations:

• an “In-Principle” approval;
• permission to commence pilot operations (limited-scale real transactions) once the EMI attains operational readiness, fulfils minimum capital and security deposit requirements and any other requirements as mentioned in the In-Principle approval; and
• full scale licence to commence commercial operations to be granted subject to satisfactory completion of pilot operations and fulfilment of all SBP requirements.

To date, four non-banking entities have been granted a full-scale licence, while several more have received in-principle approval.

Challenges

With a large and growing population, Pakistan is among the countries with the highest number of smartphone subscribers and is well-suited to move towards a digital economy. Even though the past year has seen a significant shift from traditional means of doing business, educating the masses on the purpose and benefits of digitisation remains a noteworthy challenge. Moreover, access to a faster and reliable communication network is a major challenge, especially in remote areas. This is critical for any material effort to promote digitisation to take effect in Pakistan.

In February 2022, the Ministry of Information Technology & Communication notified the “Pakistan Cloud First Policy” (the Cloud Policy) to encourage cloud adoption across Pakistan, and to empower organisations to transition to cloud-based solutions. The Cloud Policy is expected to result in cloud adoption across a variety of markets and industries and foster the growth of the local ICT industry by enabling access to cloud-based technologies and complementing emerging technologies such as AI, machine learning, and the IoT.

The Cloud Policy recognises cloud service providers’ approach to information security and data privacy concerns, and further recognises different cloud service models including Software as a Service (Saas), Platform as a Service (PaaS) and Infrastructure as a Service (Iaas), as well as the different cloud deployment methods, including the public cloud, government cloud, private cloud and hybrid cloud.

For the implementation of the Cloud Policy, the Ministry of Information and Technology is to set up a cloud office to ensure a planned governance structure that will enable the roadmap for establishing a structured and formal organisation for cloud governance in Pakistan.

Industries with Greater Regulation

Banking sector

Pursuant to BPRD Circular No 01 of 2023, the SBP has notified a framework titled “Framework on Outsourcing to Cloud Service providers” (the Framework). The Framework overrides the previous framework titled the Enterprise Technology Governance and Risk Management Framework” which was notified vide the BPRD Circular No 5 of 2017 and amended by BPRD Circular No 6 of 2019 and BPRD Circular No 4 of 2020.

The Framework applies to all regulated entities (RE) including banks, digital banks, microfinance banks, electronic money institutions, etc, and sets out minimum requirements for REs to outsource their material and non-material workloads to cloud service providers.

Permissible cloud outsourcing arrangements

Material workload under the Framework means all systems, applications and services that are fundamental for carrying out the business of an RE and that, if disrupted, have the potential to significantly impact an institution’s business operations, reputation or profitability. Outsourcing of services to cloud service providers does not absolve the REs from their prime responsibilities, including managing and running the business operations effectively by adhering to the legal and regulatory requirements and the protection of consumers’ data, and REs are further encouraged to give preference to onshore cloud service providers.

The REs are permitted to outsource their workload to cloud service providers in the following manner:

• all type of workloads (material and non-material) may be outsourced to reputable onshore (domestic) cloud service providers;
• electronic money institutions, non-designated payment system operators or payment service providers may outsource their material and non-material workloads to offshore (outside Pakistan) cloud service providers; and
• banks, microfinance banks, digital banks, development finance institutions and designated payment system operators or payment service providers may outsource their non-material workloads to offshore cloud service providers, although outsourcing of their material workloads to offshore cloud service providers shall be subject to SBP’s approval.

Other requirements under the Framework include the following.

• REs are required to monitor and review capacity utilisation of their cloud workloads. 
• REs are to provide adequate training of the cloud environment, to their end-users and privileged users.
• All security incidents/breaches are to be reported to the SBP in compliance with the requirements specified in the “Enterprise Technology Governance & Risk Management Framework for Financial Institutions” or as advised by the SBP from time to time. Further, REs are to conduct investigations to identify the root cause, take appropriate actions to prevent recurrence of such incidents in future and fix responsibility for such lapse.
• For material workloads, REs are to provide the following information to the SBP one month before placing their services with the CSPs:
1. name of the CSPs, and their parent company (if any);
2. description of the activities and details of data to be placed with the CSP;
3. date of commencement/renewal/expiry of services;
4. last contract renewal date (where applicable); and
5. service and deployment models.

Internal controls in cloud outsourcing arrangements under the Framework

There are multiple safeguards and internal control guidelines provided under the Framework. These include having an overall structure and processes for managing cloud outsourcing arrangements, which is vital in maximising the benefits and managing the associated risks. REs planning to outsource need to consider adapting their organisational structure for effective and efficient oversight of cloud service providers by developing comprehensive internal policies, delegating cloud specific governance responsibilities etc.

The Framework requires the REs to exercise reasonable care before entering into cloud outsourcing arrangements by conducting reasonable due diligence of the cloud service providers and their material subcontracting arrangements by using the defined criteria set out in the Framework.

The REs are further required to maintain an effective oversight mechanism including but not limited to the assessment of performance against desired service levels and the ongoing viability of the cloud service provider’s cybersecurity practices and controls, changes in service location(s), subcontracting, change of ownership, and to review and monitor the cloud service provider’s compliance with the laws and contractual obligations on an ongoing basis.

The Framework also requires the REs to establish a mechanism for security event monitoring by complying with the requirements set out in the Framework.

Processing of personal data in the context of the cloud

The Framework provides that that outsourcing of the workloads to the cloud service providers does not relieve the REs from the responsibility of safeguarding data confidentiality and integrity and has laid out a set of obligations and/or responsibilities for REs to ensure the data protection.

Separately, the Ministry of Information Technology and Telecommunication is in the process of seeking comments from stakeholders on a consultation draft (v.25.08.2021) of a personal data protection bill (PDP Bill) before it is tabled in Parliament. This bill has undergone a few iterations, and the most recent draft appears to incorporate input received from stakeholders on the earlier drafts.

If enacted, the PDP Bill will require that personal data is not transferred to any system located outside Pakistan or a system that is not under the direct control of the federal or provincial governments of Pakistan, unless it is ensured that the country to which the data is transferred offers personal data protection at least equivalent to that under the PDP Bill. Such data is required to be processed in accordance with the PDP Bill and, where applicable, consent must be given by the data subject.

Since the PDP Bill aims to regulate the processing of personal data, cloud service providers will be required to comply with the provisions thereunder; personal data stored on a cloud may only be processed with the consent of the data subject unless the processing is necessary:

• for the performance of a contract to which the data subject is a party;
• for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by a contract;
• in order to protect the vital interests of the data subject;
• for the administration of justice pursuant to an order of a court of competent jurisdiction;
• for legitimate interests pursued by the data controller; or
• for the exercise of any functions conferred on any person by or under any law.

Furthermore, personal data is not permitted to be processed unless:

• the personal data is processed for a lawful purpose directly related to an activity of the data controller;
• the processing of the personal data is necessary for or directly related to that purpose; and
• the personal data is adequate but not excessive in relation to that purpose.

The PDP Bill also provides that critical personal data will only be processed in a server or data centre located in Pakistan. Personal data, other than that categorised as critical personal data, may be transferred outside the territory of Pakistan under a framework (on conditions) to be devised and a mechanism for keeping a copy of personal data in Pakistan, which is also to be devised by the National Commission for Personal Data Protection (which is required to be established within six months of the promulgation of the PDP Bill into law).

Additional compliance requirements

A person providing cloud computing and/or hosting services may fall within the definition of a “service provider”, “social media company” or a “significant social media company” in terms of the Prevention of Electronic Crimes Act 2016 (PECA) and the Removal and Blocking of Unlawful Online (Procedure, Oversight and Safeguards) Rules 2021 (RBUO Rules).

Pertinent definitions appearing in the PECA and RBUO Rules appear below.

• “Online information system” means an information system connected with other information systems through internet and any cloud-based content distribution services.
• “Service provider” includes a person who:
1. acts as a service provider in relation to sending, receiving, storing, processing or distributing any electronic communication or the provision of other services in relation to electronic communication through an information system;
2. owns, possesses, operates, manages or controls a public switched network or provides telecommunication services; or
3. processes or stores data on behalf of such electronic communication services or the users of such services.
• “Significant social media company” means and includes social media companies with more than half million users in Pakistan or companies on the list specially notified by the PTA for this purpose from time to time.
• “Social media company” means any person that owns, provides or manages online information system for the provision of social media or social network service.

The RBUO Rules have been notified under the PECA and provide that service providers, social media companies or significant social media are required to:

• make available community guidelines for access or usage of any online information system, and these guidelines should easily be accessible and will inform the user of the online information system not to host, display, upload, modify, publish, transmit, update or share any content in violation of local laws;
• provide to the Federal Investigation Agency (FIA) any information, date, content or sub-content contained in any online information system owned, managed or run by the respective service provider, social media company or social media company, in decrypted, readable and comprehensible format or plain version in accordance with the provisions of PECA; and
• deploy mechanisms to ensure immediate blocking of live streaming through an online information system in Pakistan of any online content particularly related to terrorism, hate speech, pornography, incitement to violence and that is detrimental to national security on receiving intimation from the PTA.

Technologies such as artificial intelligence and machine learning, which are at the forefront of computing, have had limited practical application until recently, but they have come to pervade daily life in a short span of time and are galvanising a technological paradigm shift. Business analytics and big data are transforming the way businesses and governments operate. Competing on analytics is the new norm, whereby competitive advantage is defined by turning proprietary and other data sets into insights using advanced algorithms. The advances in big data analytics, machine learning and the use of artificial intelligence in relation thereto may present a great opportunity for Pakistan. There is, however, no specific regulatory framework currently applicable in Pakistan that addresses the implementation and/or regulation of big data, machine learning and artificial intelligence, which may be the biggest challenge relating to the implementation of these technologies. A system or product utilising big data, machine learning and/or artificial intelligence technology is presently treated at par with any other system or product of a similar nature.

Internet of Things

While IoT projects and services are not subject to specific requirements and do not require a special authorisation, there are certain telecommunications standards that may become relevant depending on the type of device(s) to be used and/or service(s) the provision of which is contemplated.

The regulator for the telecommunications sector in Pakistan is the PTA, which was created pursuant to the Pakistan Telecommunication (Reorganisation) Act 1996 (PTA Act). Every licence granted by the PTA may contain:

• restrictions as to the types of telecommunication system or telecommunication service to be provided by the licensee, the area and period of operation and the types of telecommunication equipment that may be included in its telecommunication system;
• the obligation to ensure that only terminal equipment approved for connection to the telecommunication system in question is connected; and
• obligations to maintain confidentiality of customer data.

Devices that utilise the radio-electric spectrum to transmit and/or receive information require a “type approval” from the PTA before they can be connected to a public-switched network (further details of this are provided in 7.1 Scope of Regulation and Pre-marketing Requirements).

Machine-to-Machine Communications and Data Protection

Pakistan does not have a legal framework that specifically regulates machine-to-machine communications. While sector-specific regulators enforce data protection requirements as part of the law and the terms of the licences granted thereunder, the PECA criminalises the misuse of personal data without consent, and it is therefore important that machine-to-machine communications do not result in the commission of offences under the PECA. These offences include:

• unauthorised access to information systems or data;
• unauthorised copying or transmission of data;
• interference with information systems or data;
• unauthorised access to critical infrastructure information systems or data;
• unauthorised copying or transmission of critical infrastructure data;
• interference with critical infrastructure information systems or data;
• electronic forgery;
• electronic fraud;
• unauthorised use of identity information;
• unauthorised interception;
• malicious code;
• spamming; and
• spoofing.

Moreover, Protection from Spam, Unsolicited, Fraudulent and Obnoxious Communication Regulations, 2009, framed under the PTA Act, apply to all licensees of the PTA to ensure and protect the interest of telecoms consumers by preventing them from harassment, disturbance, spam, fraudulent and unsolicited communication.

Communication Secrecy

The transmission of encrypted data on a public-switched network as traffic is not permitted under the applicable laws. Non-standard protocols of communication, including encryption, cannot be undertaken without prior approval of the PTA. Prior approval of the PTA is required for use of a non-standard mode of communication including virtual private networks (VPN) and non-standard protocols which include encrypted messages. The use of any non-standard of communication, including all mechanisms by means of which communications become hidden or modified to the extent that they cannot be monitored, is a violation of applicable laws.

The Pakistan Electronic Media Regulatory Authority (PEMRA) – established under the Pakistan Electronic Media Regulatory Authority Ordinance, 2002 (PEMRA Ordinance) – is mandated to regulate the establishment and operation of all broadcast media and distribution services in Pakistan. It was established for the purpose of international, national, provincial, district, local or special target audience broadcasting. PEMRA regulates the distribution of foreign and local TV and radio channels in Pakistan.

For the purposes of the foregoing:

• “broadcast media” includes media which originates and propagates broadcast and pre-recorded signals by terrestrial means or through satellite for radio or television, and includes teleporting, provision of access to broadcast signals by channel providers and such other forms of broadcast media as PEMRA may, with the approval of the federal government, specify; and
• “distribution services” includes a service which receives broadcast and pre-recorded signals from different channels and distributes them to subscribers through cable, wireless or satellite options and includes Cable TV, local multipoint distribution service (LMDS), multichannel multipoint distribution service (MMDS), direct-to-home (DTH) and other similar technologies.

Licensing Regime

Operating broadcast media or providing distribution services can only be undertaken once a licence has been obtained from PEMRA. Applications are decided subject to clearance from the Ministry of Interior and frequency allocation by the Frequency Allocation Board (FAB) in relevant cases. PEMRA issues licences for broadcast media and distribution services for:

• international and national scale stations;
• provincial-scale broadcasts;
• local area or community-based radio and TV broadcasts;
• specific and specialised subjects;
• distribution services; and
• up-linking facilities, including teleporting and digital satellite news gathering units (DSNG).

PEMRA may also grant permission to a distribution service licensee for the running of an in-house distribution channel subject to such terms and conditions as PEMRA may prescribe, provided that only Pakistani content is permitted to be distributed on such channel.

A licence granted by PEMRA under the PEMRA Ordinance will be valid for a period of five, ten or 15 years subject to payment of the annual fee, as prescribed from time to time. PEMRA may renew a licence on such terms and conditions as may be prescribed and in case of refusal to renew a licence, reasons will be recorded in writing. Subject to the terms and conditions of the licence granted by PEMRA, a licensee is not permitted to sell, transfer or assign any of the rights conferred by the licence without prior written permission of PEMRA.

PEMRA is required to process each application in accordance with prescribed criteria and hold public hearings in the respective capitals of each province or, as the case may be, in Islamabad, before granting or refusing the licence.

Every application form is required to be accompanied by a non-refundable application processing fee as set out in Schedule-B of the Pakistan Electronic Media Regulatory Authority Rules 2009 (PEMRA Rules). Applications for the grant of a licence will, in the first instance, be shortlisted by considering their:

• financial viability;
• technical feasibility;
• financial strength;
• credibility and track record;
• majority shareholding and management control (which should vest in Pakistani nationals);
• prospects of technical progress and introduction of new technology;
• market advancement, such as improved service features or market concepts;
• contribution to universal service objectives; and
• contribution to other social and economic development objectives.

Ownership restrictions

PEMRA will not grant a licence to:

• a person who is not a citizen of Pakistan or resident in Pakistan;
• a foreign company organised under the laws of any foreign government;
• a company the majority of whose shares are owned or controlled by foreign nationals or companies whose management or control is vested in foreign nationals or companies; or
• any person funded or sponsored by a foreign government or organisation.

Foreign Programmes and Local Content Requirement

Licensees of PEMRA, pursuant to the terms of their licence, are required to carry all channels of Pakistan Television Corporation (PTV), the national broadcaster, and all licensed satellite TV and foreign satellite TV channels having landing rights permission from PEMRA. Such licensees, under all circumstances, will provide the “basic service”, which includes a range of satellite TV channels as determined by PEMRA, comprising channels with religious, educational, informational, news and entertainment content. A licensee will be restricted to carry or relay only those foreign satellite TV channels that have obtained necessary landing rights permission of PEMRA for “landing” into Pakistani territory. A licensee may not discriminate against any licensed TV channel or landing rights permission holder in offering its broadcast or distribution platform.

Licensees of PEMRA, pursuant to the terms of their licence, are required to offer at least one basic service package (this means the free-to-air television channels of the national broadcasters, non-commercial educational and health-related TV channels licensed by PEMRA, and such other free-to-air television channels as determined by PEMRA to be distributed by a distribution service licensee to its subscribers against a fixed minimum monthly subscription fee) that includes the must-carry channels (ie, the channels of national broadcasters, non-commercial educational channels licensed by PEMRA and such other free-to-air television channels as determined by PEMRA to be distributed by the distribution networks including IPTV networks to its subscribers), for which it does not charge a subscription fee at a rate higher than the maximum fee prescribed by PEMRA.

PEMRA has issued a notification whereby the airing of Indian content has been banned. Further, airing programmes that are a production of international entities requires prior approval from PEMRA. PEMRA has also prohibited broadcast media or distribution service operators from broadcasting or rebroadcasting or distributing any programme or advertisement if PEMRA is of the opinion that such programme or advertisement is:

• against the ideology of Pakistan;
• likely to create hatred among the people;
• prejudicial to the maintenance of law and order;
• likely to disturb public peace and tranquillity or endanger national security; or
• pornographic, obscene, vulgar or offensive to the commonly accepted standards of decency.

Online Content/Internet-Based Platforms

PEMRA regulates the traditional distribution platforms, whereas the PTA and PEMRA jointly regulate internet-based platforms.

PEMRA has provided, on its website, Consultation Paper No Web&OTT/1- 2020 in relation to regulating web TV and over-the-top (OTT) TV; however, there is no specific legal framework to regulate such content, except for the RBUO Rules which allow the PTA to block certain online content and/or the entire online system if such content is not removed by the service provider or social media company.

The PTA Act and the rules and regulations framed thereunder (the PTA Laws) provide a framework to regulate the operation of telecommunications systems and the provision of telecommunications services. The PTA Act provides that no person is permitted to establish, maintain or operate any telecommunication system or provide any telecommunication service unless they have obtained a licence under the PTA Act.

For purposes of the foregoing:

• “telecommunications system” means any electrical, electromagnetic, electronic, optical or optio-electronic system for the emission, conveyance, switching or reception of any intelligence within, into, or from Pakistan, whether or not that intelligence is subjected to rearrangement, computation or any other process in the course of operation of the system, and includes a cable transmission system, a cable television transmission system and terminal equipment; and
• “telecommunications service” means a service consisting of the emission, conveyance, switching or reception of any intelligence within, into or from Pakistan by any electrical, electromagnetic, electronic, optical or optio-electronic system, whether or not the intelligence is subjected to rearrangement, computation or any other process in the course of the service.

Network and Service Provider Obligations

The definitions of the above-mentioned activities are very broad – therefore, the PTA Act could apply to a wide range of entities and services.

Radio-Electric Spectrum

The PTA is also responsible for dealing with applications relating to the use of radio-spectrum frequency through its Frequency Allocation Board (FAB), which has the exclusive authority to allocate and assign portions of the radio frequency spectrum to the government, providers of telecommunications services and telecommunication systems, radio and television broadcasting operations, public and private wireless operators, and others.

Terminal Equipment/Type Approval

An approval by the PTA will be required before any terminal equipment can directly or indirectly be connected to a public switched network. The PTA may impose certain conditions on the approval, including conditions limiting its connection to specified types of telecommunication systems. The technical standards for terminal equipment and the procedure for approving test equipment, testing any terminal equipment and certifying that it complies with the relevant technical standards has been provided in the Type Approval Technical Standards Regulations 2021 and its subsequent amendment, Type Approval Technical Standards (Amendment) Regulations, 2022.

A type approval granted by the PTA signifies that particular telecommunication equipment is approved for general sale and is suitable to connect with a specific public telecommunication network.

The following categories of equipment require prior type approval from the PTA:

• tracking system devices with subscriber identity module (SIM) or international mobile equipment identity (IMEI)-based functionality and which transmit location details (eg, vehicle tracking or smart watches with SIM/tracking);
• satellite terminal equipment;
• wireless radio trans/receiver sets with more than 2 MW output power (eg, very high frequency, high frequency, ultra-high frequency and two-way radios);
• terminal devices operating in information security management (ISM) as defined by PTA ISM band regulations, global navigation satellite systems (GNSS) within the band and usage conditions prescribed by the Frequency Allocation Board (FAB) of the PTA;
• short range devices (SRD), ultra wide band (UWB), IoT devices, radio-frequency identification (RFID), Bluetooth, immobilisers, inductive loop systems, smart metering, technology telemetering, machine-to-machine (M2M), etc, as defined in PTA Regulatory Framework for Short Range Devices (SRD) and Terrestrial Internet of Things (IoT) Services, etc;
• internet protocol phones, videoconferencing, voice-over internet protocol (VoIP) systems, gateway, etc;
• private automatic branch exchange (PABX) or internet protocol private automatic branch exchange (IP-PABX); and
• SIM/IMEI/Wi-Fi-based mobile devices (eg, mobile handsets, Wi-Fi tablets, dongles, wingles).

The following types of equipment are exempted from type approval:

• networking equipment (switches, firewalls, servers, storage devices);
• laptops, desktops and personal computers;
• tablet PCs with Wi-Fi-only functionality (non-SIM based devices); and
• global positioning system-only devices.

A non-refundable processing fee of PKR5,000 (PKR2,500 for SRDs and UWBs) per application for locally manufactured terminal equipment and USD100 (USD50 for SRDs and UWBs) per case for internationally manufactured terminal equipment is charged by the PTA for all new cases, for amendments of issued certificate and for issuance of duplicate certificates.

VoIP/Instant Messaging

Given that transmission of encrypted data on the network as traffic is not permitted under the applicable laws, non-standard protocols of communication, including encryption, cannot be undertaken without prior approval of the PTA. Operators are required to obtain prior approval of the PTA if they use a non-standard mode of communication including VPNs and non-standard protocols which include encrypted messages. Furthermore, the use of any non-standard of communication, including all mechanisms by means of which communications become hidden or modified to the extent that they cannot be monitored, is a violation of applicable laws.

While it is mandatory for service providers to provide local enforcement agencies with decryption and interception abilities for encrypted services, regulation relating to messaging and VoIP is highly topical.

Technology agreements are not specifically regulated under Pakistan law and are therefore subject to being governed according to the volition of the parties in terms of the Contract Act 1872, and are generally reflective of best practices in the sector. This provides parties with the ability to reflect their interest and will in their legal relationship. A contract, however, may not be contrary to the law that is in force, and parties may be required to comply with certain obligations, which may result from sector-specific regulations.

Please also refer to the “Banking sector” and “Processing of Personal Data in the Context of the Cloud” subsections in 3.1 Cloud and Edge Computing.

Foreign Exchange Controls

One of the greatest challenges that local organisations encounter in terms of entering into technology agreements with non-residents is in seeking an exemption from the SBP in connection with the restriction imposed on outward payments to non-residents under the Foreign Exchange Regulation Act 1947 (FERA). Pursuant to the FERA, no person located or resident in Pakistan is permitted to make any payment to or for the credit of any person resident outside Pakistan, except as may be provided in and in accordance with any general or special exemption form the provisions of FERA which may be granted conditionally or unconditionally by the SBP.

The SBP has, however, extended a general exemption to the restriction contained in the FERA, whereby scheduled banks have been given general permission to release foreign exchange up to a maximum of USD100,000 (or its equivalent in other currencies) per invoice for private sector companies incorporated in Pakistan, and branches of foreign companies operating in Pakistan with the permission of the Board of Investment. This exemption applies when such companies/branches are undertaking permissible business/commercial activities, paying local taxes and periodically repatriating their profits abroad (subject to compliance with the relevant provisions of applicable law).

After satisfying themselves of the genuineness of the requests, and after deducting all applicable taxes, the SBP allows the above-mentioned payments for charges on account of utilisation of IT services such as:

• satellite transponder charges;
• international bandwidth charges;
• international internet service charges;
• international private line charges;
• software licence, maintenance or support fees for proprietary/specialised software; and
• subscriptions or payments for access to foreign electronic media and databases.

The SBP has also extended a general permission to scheduled banks to release foreign exchange up to a maximum of USD400,000, or equivalent in other currencies, per year (starting from the date of designation of the relevant scheduled bank), for each company/firm/sole proprietorship incorporated/established in Pakistan on account of commercial payments, pertaining to digital services, in favour of digital service provider companies.

The above permissions are subject to the fulfilment of procedural requirements, set out in the Foreign Exchange Manual (a compendium of permissions granted by the SBP with regard to FERA, from time to time).

Pursuant to EPD Circular Letter No 02 of 2023, the SBP, in a move to encourage exporters of software and IT and IT-enabled services to bring their foreign exchange earnings into the country, has allowed 35% retention of earnings outside the country. For meeting this objective, the SBP has amended the Foreign Exchange Manual and advised the banks to mandatorily allow, until 31 March 2023, retention of 35% of their export proceeds in special foreign currency accounts. After the expiry of this period, the instructions will be reviewed in light of the export performance of the IT sector and export proceeds during this period.

Electronic Signatures

The Electronic Transactions Ordinance, 2002 (ETO) was enacted to recognise and facilitate documents, records, information, communications, transactions and signatures in electronic form, and to allow their admissibility as evidence in a court of law without witnessing being necessary. 

An electronic signature under the ETO can be in the form of letters, numbers, symbols, images, characters or any combination thereof in electronic form incorporated in an electronic document with the intention of authenticating or approving the same. An advanced electronic signature under the ETO is either:

• a signature which is unique to the person signing it, capable of identifying such person, created in a manner under the sole control of the person using it, and attached to the electronic document to which it relates in a manner that any subsequent change in the electronic document is detectable; or
• provided by an accredited certification service provider and accredited by the certification council as being capable of establishing authenticity and integrity of an electronic document.

Trust Services

The federal government of Pakistan established an Electronic Certification Accreditation Council (ECAC) under the ETO, one of the main functions of which is to grant and renew accreditation certificates to certification providers, their cryptography services and security procedures, in order to establish trust through the use to accredited digital signatures.

The Certification Service Providers’ Accreditation Regulations, 2008 (CSPA Regulations), framed under the ETO, provide for a mechanism for the ECAC to issue accreditation to eligible applicants to be an “Accredited Certification Service Provider”. The purpose of an accredited certification service provider is to provide certification services and certificates confirming the authenticity and/or integrity of an electronic document or an electronic signature.

Digital Identity

The National Database & Registration Authority (NADRA) launched computerised and chip based national identity cards in 2012 and has recently been working to make the computerised national identity cards into digital wallets and introduce a mobile application for that purpose.

Amendments have been made in the Income Tax Ordinance, 2001, vide the Finance Act, 2022, to enable NADRA to share its records and any information with the Federal Board of Revenue for the purpose of carrying out the objectives of the Income Tax Ordinance, 2001.

In addition to the above, the ECAC facilitates regulators and authorities in Pakistan such as the SBP, NADRA, the Securities and Exchange Commission of Pakistan (SECP), the FBR, the PTA and the Election Commission of Pakistan (ECA), for use of digital identity for the integrity of electronic transactions as per the guidelines set out in the ETO.

More recently, Parliament has enacted the Pakistan Single Window Act, 2021 (PSW Act), to establish and operate a single point of submission and receipt of trade data and information to enable synchronised processing of data and information; achieve standardisation and harmonisation of documents required for regulatory control; remove legal, regulatory and operational barriers to electronic transactions for external trade; and facilitate co-ordination and partnership among all the relevant trade regulatory agencies and stakeholders dealing with international trade and trade facilitation.

The federal government, to further achieve the object of the PSW Act, framed the Pakistan Single Window Evidence of Identity (EOI) Rules, 2022 (EOI Rules), under the PSW Act. The EOI Rules apply to all individuals, sole proprietorships or bodies corporate registered with the FBR, the SECP, government organisations, diplomatic missions, foreign individuals, businesses or any other commercial and non-commercial entity engaged in cross-border trade.

The EOI Rules require all persons wishing to conduct a cross-border trade transaction to undergo an electronic verification process by subscription to a PSW system whereby the applicant upon furnishing the necessary information and payment of subscription will be issued a unique user ID electronically. The PSW system is designed to function in connection and in conjunction with the FBR, the SECP, NADRA, Pakistan Mobile Number Portability Database Company (PMD) and commercial banks, amongst others.

Challenges

While Pakistan is taking noteworthy steps towards digitising identity, the country’s personal data protection laws are not yet following suit, in the absence of which the risk of misuse of a person’s identity information remains significant. NADRA’s database is accessed by scores of public and private service providers, from the tax department to the election commission to mobile service providers. As there is no data protection law, there is no accountability even when personal data of persons is leaked. Promulgation of appropriate data protection laws and their strict enforcement is necessary to mitigate such risks.