DISCLOSURE AND DISSEMINATION
13. Data operators.—
The act of making electronic data known to data operators appointed by the data processor, in writing, to perform the operations related to the processing, and acting directly on his behalf, shall not be considered disclosure and dissemination subject to such limitation as may be agreed upon between data controller and data processor.
14. Data disclosure.—
The disclosure and dissemination of personal or corporate data shall be permitted:
(a) by the data processor, when the data controller has explicitly given his consent or as provided in the contract with data controller;
(b) by data controller or data processor,—
(i) when it is performed under an obligation by national, provincial or local laws;
(ii) when necessary for the establishment, exercise or defence of legal claims in Court;
(iii) when requested by any relevant government authority for purposes of national security or prevention, investigation, detection and prosecution of criminal activities; and
(iv) as may be prescribed.
15. Sensitive data.—
(1) The processing of Sensitive Data shall be conducted in such a way as to minimize the risks of unauthorized access or use, by means of appropriate precautionary security measures.
(2) The minimal precautionary security measures for the sensitive data shall be as prescribed.
16. Transfer of local data abroad.—
Transfer of local data to any territory outside Pakistan shall only be carried out in the prescribed manner.
17. Powers and functions of federal government.—
(1) The federal government shall have the following powers and functions to,—
(a) prepare and encourage the drawing up of suitable codes of conduct and ethics by certain categories;
(b) verify the compliance of such codes with applicable laws;
(c) seek views of data controllers and data processors on any matter related to electronic data;
(d) contribute to the publicity and enforcement of such codes;
(e) interact and cooperate with international and regional bodies performing similar functions; and
(f) set up or accredit bodies to audit the security measures of the data processors.
(2) All public and regulatory authorities especially in the banking, insurance, telecommunication, legal and health sector shall assist the federal government in the exercise and performance of its powers and functions.
COMPLAINT AND OFFENCES
(1) Any data controller may lodge a complaint in a prescribed manner to the Sessions Judge [may be changed with ICT tribunal, if created before passing of this law] having territorial jurisdiction, if he does not feel satisfied with any action, contractual or otherwise, of his data processor.
(2) In case of local data any data subject or person having interest in the electronic data may lodge a complaint against any data controller in a prescribed manner to the Sessions Judge, having territorial jurisdiction, for enforcement of his rights or interest under this Act or any other law or contract.
(3) The Sessions Judge, if he feels it necessary, may direct any person or individual to investigate into the complaint lodged before him and report back to the court. To perform his functions, the person or individual so directed by the Sessions Judge may require any information and documents from any data controller, data processor, data operator, data subject or any third person and, if further authorized, may require access to data filing systems and where the processing is being carried on.
(4) During the course of the investigation of the complaint mentioned in sub-sections (1) and (2), the complainant, data controller and data processor shall have the right to be heard.
(5) After collecting all the necessary evidence the Sessions Judge shall, if the complaint is found to be correct, order the data processor or data controller to refrain from his unlawful or undesirable behaviour, impose fine not exceeding one million rupees or order appropriate measures to protect the electronic data, the rights and interest of the complainant and ensure compliance of the applicable provisions of this Act, rules and the contract.
(6) During the pendency of the investigation the Sessions Judge may temporarily order the blocking of some or all of the electronic data, or impose a ban on any or all the operations of processing.
(7) The Sessions Judge may request, if needed, assistance from any public and law enforcement authorities.
(8) Any final order of the Sessions Judge may be appealed against by any aggrieved individual or person as First Appeal against Order before the High Court having territorial jurisdiction, within thirty days from the communication of the said order.
19. Unlawful processing of electronic data.—
Anybody who, acting for his own or anybody else's benefit, processes electronic data in violation of any of the provisions of this Act or contract with the Data Controller or Data Processor, as the case may be, shall be punished with imprisonment for a term not exceeding three years or fine not exceeding three million rupees or both.
20. Unlawful dissemination and disclosure.—
Anybody who, acting for his own or anybody else's benefit, disseminates or discloses electronic data in violation of any of the provisions of this Act or contract with the Data Controller or Data Processor, as the case may be, shall be punished with imprisonment for a term not exceeding three years or fine or both.
21. Sensitive Data.—
In case the offence committed under sections 19 and 20 relates to Sensitive Data, the maximum term of punishment shall be five years.
22. Failure to adopt appropriate data security measures.—
Anybody who fails to adopt the security measures that are necessary to ensure data security, when he is required to do so, in violation of the provisions laid down in the rules, if binding or contract between the data controller and data processor, shall be punished with imprisonment for a term not exceeding three years or fine or both.
23. Failure to comply with orders.—
Anybody who fails to comply with the orders of the Sessions Judge when he is required to do so, shall be punished with imprisonment for a term not exceeding three months or fine or both.
Notwithstanding anything contained in this chapter, Act or any contract between the parties, shall constitute an offence if any data operator, employee of data controller or data processor acts on reasonable ground and in good faith to inform the Sessions Judge of any perceived violations of the Act, rules and contract between the data controller and data processor. On the request of the informer the Sessions Judge shall maintain secrecy about his identity in any or all circumstances.
25. Corporate liability.—
A person shall be held liable for a criminal offence committed on his instructions or for his benefit or lack of required supervision by any individual, acting either individually or as part of an organ of the person, who has a leading position within it, based on a power of representation of the person; an authority to take decisions on behalf of the person; or an authority to exercise control within it. The person shall be punished with fine not exceeding ten million rupees.
Provided that such punishment shall not absolve the criminal liability of the individual, who has committed the offence.
26. Offences to be bail-able, compoundable and non-cognizable.—
(1) All offences under this Ordinance shall be bail-able, compoundable and non-cognizable.
(2) The prosecution of the offence under this Act shall only be initiated with the prior of the authorized officer of the federal government.
27. Prosecution and trial of offences.—No Court inferior to the Court of Sessions shall try any offence under this Act.
TEMPORARY AND MISC PROVISIONS
28. Temporary provisions.—
(1) All data processors shall adopt necessary security measures within six months from the day in which the rules, if binding, on the subject come into force. In the meantime, electronic data should be kept under custody in such a way as to prevent any increase of the risks to the electronic data.
(2) In case of local data the data controller shall comply with the principles laid down in sections 7 and 8 of this Act within a period of one year.
29. Other Laws.—
For the purposes of Electronic Crimes Act 2005, any electronic or information system containing personal or corporate data shall be considered as sensitive electronic system.
30. Power to make rules.—
The Federal Government may, by notification in the official Gazette, make rules to carry out the purposes of this Act.