Pakistan's draft Personal Data Protection Bill, approved by the federal cabinet in July 2023 and still pending before Parliament as of May 2026, would impose one of South Asia's most expansive data localisation regimes. The bill empowers a proposed National Commission for Personal Data Protection (NCPDP) to designate categories of 'critical personal data' that may not leave Pakistan, and requires controllers handling such data to store it on servers located inside the country. For a digital economy heavily dependent on hyperscaler infrastructure based in Singapore, Dubai, Frankfurt, and Mumbai, the operative word is fragmentation.
The Ministry of Information Technology and Telecommunication (MoITT), which drafted the bill, frames localisation as a sovereignty and law-enforcement measure. But the draft as published leaves the most consequential question — what counts as 'critical' data — entirely to a body that does not yet exist. That deferred definition is the bill's central design flaw, and it has been the focal point of objections from Pakistan's own technology industry, including the Pakistan Software Houses Association (P@SHA) and the Asia Internet Coalition, whose 2023 submission warned that open-ended localisation powers would 'hinder Pakistan's digital transformation.'
What the bill actually says
The draft creates three tiers of data: personal, sensitive, and critical. Personal and sensitive data may flow abroad subject to adequacy determinations or contractual safeguards — a structure familiar from the EU's General Data Protection Regulation. Critical data is different. Section 14 of the draft prohibits its transfer or processing outside Pakistan altogether, with the Commission empowered to add categories by notification. Penalties for breach of localisation reach PKR 25 million per violation in the version circulated to stakeholders. Cross-border processors must also appoint a local representative and submit to NCPDP audits.
Crucially, the bill does not enumerate 'critical' categories upfront. In India's now-enacted Digital Personal Data Protection Act, 2023, Parliament took the opposite approach: cross-border transfers are permitted by default, with the government empowered to publish a narrow blacklist of restricted jurisdictions. Pakistan's draft inverts that logic — restriction by default for anything the Commission later names. That uncertainty alone is enough to deter long-horizon cloud investment.
The regional context: a patchwork hardening into walls
Pakistan's draft arrives as APAC's data-flow map is becoming increasingly balkanised. Vietnam's Decree 53/2022 already requires onshore storage for a broad set of categories. Indonesia's 2022 Personal Data Protection Law preserves localisation authority for the government to invoke. China's Personal Information Protection Law and its 2024 cross-border transfer rules added a security assessment for 'important data.' Each regime sounds bilateral; collectively they create a compliance maze that smaller fintechs, SaaS vendors, and content platforms cannot navigate without dedicated legal teams.
For Pakistan, the costs are not hypothetical. The country's fintech sector — Easypaisa, JazzCash, SadaPay, NayaPay and a long tail of payment processors — runs on cloud infrastructure provisioned through AWS, Microsoft Azure, and Google Cloud regions outside Pakistan. The State Bank of Pakistan already imposes sectoral rules on payment data through its Regulations for Payment System Operators. Layering a separate, broader localisation mandate on top, administered by a different regulator with no track record, multiplies compliance overhead without obvious privacy gains for citizens.
Resilience cuts both ways
Proponents of localisation often invoke resilience: data stored inside the country is, the argument goes, safer from foreign surveillance and geopolitical disruption. Recent events complicate that case. As Rest of World reported in May 2026, drone strikes on Amazon's Gulf data centres in March knocked banking and payment apps offline across the region, with hyperscalers scrambling for alternate fibre routes through Iraq. Concentrating critical data inside a single national jurisdiction — particularly one with periodic internet shutdowns and a constrained domestic data-centre market — does not necessarily reduce risk. It may simply replace one set of vulnerabilities with another.
Pakistan's own connectivity footprint underscores the point. The country is served by a small number of subsea cable landings at Karachi, and the Pakistan Telecommunication Authority's repeated throttling of platforms — including the extended restriction on X that began in February 2024 — illustrates how thin the line is between localisation and operational lock-in.
A proportionate path forward
None of this is an argument against a privacy law. Pakistan is one of the last large jurisdictions in the region without comprehensive data-protection legislation, and citizens deserve enforceable rights against arbitrary collection, profiling, and breach. The 2023 draft includes genuinely useful provisions: a data-subject access right, breach notification, purpose limitation, and a dedicated regulator. Parliament should pass those.
What it should not pass is open-ended localisation authority. A more proportionate model would:
- Narrow 'critical data' in statute, not delegate it to a regulator. National security and certain government datasets are defensible; broad commercial categories are not.
- Adopt a transfer-by-default framework closer to the DPDP Act's blacklist model, supplemented by standard contractual clauses for sensitive categories.
- Recognise hyperscaler in-region presence — including AWS's Karachi local zone and Azure's planned Pakistan region — as compliant storage where appropriate, rather than mandating physical co-location for every regulated dataset.
- Require an economic impact assessment before any new 'critical' category is notified, modelled on the UK Information Commissioner's Office consultation practice.
Pakistan's digital economy is one of the country's few genuinely high-growth export sectors, with IT exports crossing $3 billion in fiscal year 2024 according to the State Bank. A privacy law that fragments the cloud will not protect Pakistanis; it will price the country out of the workloads that fund its developers. Parliament has the opportunity to deliver rights without walls. It should take it.