Somewhere right now, someone may be selling your personal information. This is not a metaphor. Your CNIC, biometric data, financial records or private conversations are probably packaged, priced and listed.
The person buying it does not need technical skills or criminal connections. They simply need to search online and make a small payment. And the institutions that collected your data in the first place (government agencies, banks, telecoms, digital platforms) bear no legal obligation to tell you it happened, explain how, or make it right.
Privacy is not a luxury but a constitutional promise and a fundamental right of Pakistani citizens. Yet we have no legal framework that would grant us the right to know who holds our data and why, to correct inaccuracies, to stop misuse or to seek redress when our data is leaked or abused. The risks and consequences are plainly visible: leaks, fraud, intimidation and a growing sense that participating in the digital economy means surrendering control over our very own identity.
‘Personal information’ is any piece of information that can identify you, but there are different types. For example, some may be ordinary – your name or address – but others are sensitive, including bank balances, biometrics, private communications, medical records, academic scores and children’s data. Most jurisdictions treat sensitive data as a higher risk category, with stricter conditions on its collection and sharing because the potential harm is far greater.
While our constitution promises privacy, that promise has not stopped the state and private firms from treating personal data as a resource to mine with little restraint and even less accountability. Legislators have been trying to plug this legal gap for years. Drafts have come and gone. The Personal Data Protection Bill, 2023 was the latest attempt. It went nowhere.
In the meantime, government databases have grown, private firms are building detailed consumer profiles to drive advertising and sales, and data brokers have quietly built an industry in the shadows. When breaches occur, most of us find out through the consequences rather than a disclosure: a fraudulent transaction, a SIM swap or an extortion message. There is rarely a formal notification or explanation, and almost never a remedy.
The breach record speaks for itself. A Joint Investigation Team in 2024 found data on approximately 2.7 million Pakistani citizens was compromised from the NADRA database and offered for sale on the dark web. Later, Pakistan’s Computer Emergency Response Team (PKCERT) confirmed that over 180 million Pakistani usernames and passwords had been exposed. Separate investigations uncovered the sale of 115 million mobile users’ data, including names, phone numbers, CNICs and NTNs.
In 2018, a car-hailing app disclosed a breach affecting 14 million users and a skimming operation targeting 22 banks drained 20,000 debit and credit card records. Each incident follows the same pattern: a breach occurs, disclosure comes late or not at all, and accountability never follows.
The consequences of poor data protection are not theoretical. Leaked data enables financial fraud, account takeovers, SIM swaps, stalking, doxxing and targeted harassment campaigns. Journalists, activists and women are often most at risk. When your messages, calls, searches, transactions and movements can all be traced and misused, you begin to watch what you say. You self-censor.
The problem does not end here. Every Pakistani who has handed over a CNIC or a fingerprint scan did so trusting that the state and private institutions would guard it. That trust is not just personal. It is national. We have just witnessed what becomes possible when identity data falls into hostile hands. The targets were not buildings. They were people, found and reached with a precision that no conventional weapon alone could deliver. These are the stakes Pakistan is playing with every day its databases remain unprotected.
The fix is not complicated. We need a law that tells us what is held about us, gives us the right to challenge it and holds both companies and state agencies accountable, with an independent regulator that actually has teeth. Some will argue that strict regulation stifles innovation. But the EU’s experience under GDPR makes the point plainly: strict data protection did not slow digital adoption but built the foundation for it.
Digital services grow when users trust the system. Trust is not an obstacle to a digital economy; it is a precondition for one. Pakistan has had the drafts. What has been missing is the legislative will to act. If our identity and private life can be bought and sold today, then tomorrow’s digitisation is not progress but exposure at scale.
The writer is a CIPP/US-certified privacy lawyer. He can be reached at: [email protected]