On April 10, 2026, Sindh Chief Minister Murad Ali Shah approved Phase-II of the Karachi Safe City Project: a Rs9.98 billion build-out of more than 2,300 smart cameras — 1,300 of them carrying live facial recognition and automatic number-plate recognition — alongside 10 surveillance drones, 56 mobile units and a backbone wired into NADRA, the national identity database. A formal launch was slated for May 2026, with completion projected inside twelve months (Radio Pakistan; ProPakistani).
The problem is not the cameras. It is the sequencing. Pakistan is deploying one of South Asia's most ambitious biometric policing systems while having no enacted data-protection law and no data-protection authority to govern it.
The strongest case for the build-out
Karachi is a city of more than 20 million people with a long, genuine history of violent crime, extortion and terrorism. Provincial officials argue — not unreasonably — that networked cameras with plate recognition help solve kidnappings, track getaway vehicles and deter street crime, and that the savings of over Rs1 billion negotiated on procurement show fiscal discipline rather than a vanity project. Earlier Safe City systems in Lahore and Islamabad, rolled out under the China-Pakistan Economic Corridor, are now woven into routine investigation. For residents who live with the threat of armed robbery, a faster path from CCTV to arrest is not an abstraction. A capable state that can identify a suspect in seconds is, on its face, a public good.
That case deserves to be taken seriously. But it is an argument for capability, not for capability without rules — and rules are exactly what Pakistan has not built.
A regulatory vacuum, not a regulatory choice
Pakistan has no comprehensive data-protection statute in force. The Personal Data Protection Bill, first drafted in 2018 and circulated by the Ministry of IT and Telecommunications as a May 2023 final draft, has been approved by the federal cabinet but still awaits passage by the National Assembly and Senate and presidential assent. As of 2026 it remains a draft, and no independent data-protection authority exists (DLA Piper, Data Protection Laws of the World).
What fills the gap is the Prevention of Electronic Crimes Act 2016 and its 2025 amendment — a cybercrime and content-control framework, not a privacy regime. PECA punishes the misuse of data after the fact; it does not constrain when the state may scan a face in public, how long a faceprint is stored, or who may query the system. The result is that police facial recognition in Pakistan operates on discretion rather than law.
Why "no rules" is the expensive option
Facial recognition is not an ordinary camera. As EFF's Threat Lab documented in June 2026 while analysing Meta's smart-glasses code, modern systems convert a face into a biometric template — a vector of roughly 2,048 numbers that uniquely fingerprints a person (EFF, Move Fast, Surveil Things). Once that template is linked to NADRA, the system no longer merely records who passed a junction; it can name them and reconstruct their movements. Researchers documenting Pakistan's Safe City programmes warn that this fusion of national ID and real-time tracking creates "mass identification with no distinct legal boundaries," with no warrant requirement, no retention limit and no independent oversight of when faces may be matched against criminal databases (Human Rights Research Center).
This is where the pro-innovation position and the pro-rights position converge rather than collide. Biometric tools deployed without statutory limits are not a sign of a confident, tech-forward state — they are a liability. Vendor algorithms that cannot be audited make wrongful matches that no court can scrutinise. A database that can map any citizen's movements becomes a single point of catastrophic failure the moment it leaks or is abused against journalists, protesters or political opponents. Lahore is already upgrading some 8,000 cameras with the same recognition stack, so Karachi is not an experiment — it is a template being scaled.
The proportionate path
The answer is not to halt Karachi's cameras. Plate recognition for stolen vehicles and CCTV for incident review are defensible, proportionate tools. The answer is to make deployment contingent on the safeguards that should have preceded it: enact the Personal Data Protection Bill, stand up an independent authority with audit powers over the Sindh Safe Cities system, require judicial authorisation before facial-recognition queries, set hard retention limits, and publish a transparency report on how often matches are run and with what error rate.
Democracies that take both security and liberty seriously legislate the guardrails before the cameras switch on, not years after. Pakistan has inverted that order — spending Rs9.98 billion on the most invasive surveillance capability first, and leaving the law that should govern it stranded in committee. Until the bill passes and a regulator exists, every faceprint Karachi captures is collected in a legal void. That is the real risk of Phase-II: not that the technology works, but that nothing in Pakistani law yet constrains what the state may do with it.