It is reported that Pakistan imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card, or a passport in case of foreigners, to activate a new prepaid SIM card. In addition, SIM cards cannot be activated without biometric identification

According to Art. 7.5 of the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules 2020, Significant Social Media Companies have to deploy mechanisms to ensure immediate blocking of live streaming of any online content related to terrorism, hate speech, among others. According to Art. 2 of the law, Significant Social Media Company means and includes a Social Media Company with more than half million users in Pakistan or is in the list specially notifies by the Authority for this purpose from time to time

It is reported that in the period from June 2019 to May 2020, the government authorities continued shutting off internet connectivity in major cities and other areas. Around 900,000 websites have been blocked, including those hosting political, religious, and social content.

Section 31 of the Prevention of Electronic Crimes Act discusses “expedited preservation and acquisition of data”. It allows an authorized agent to require a person to hand over data without producing a court warrant if it is believed that it is “reasonably required” for a criminal investigation. This can be termed as a blanket authorization provision that gives the executive direct authority to take action without any judicial oversight or scrutiny. In addition to this, no test as to what amounts to a reasonable requirement is provided in the section. This is problematic because the lack of requisite checks and balances affords the executive a discretionary power that can be used to violate fundamental rights.
Section 35 provides law enforcement officers various powers relating to information systems. One of these is a power to require any person who is in possession of “decryption information of an information system, device or data under investigation” to grant the officer access to such data, device or information system “in unencrypted or decrypted intelligible format” for the purposes of investigating the offence.
Section 39 allows for "Real-time collection and recording" of data: "[i]f a Court is satisfied on the basis of information furnished by an authorised officer that there are reasonable grounds to believe that the content of any information is reasonably required for the purposes of a specific criminal investigation, the Court may order, with respect to information held by or passing through a service provider, to a designated agency as notified under the Investigation for Fair Trial Act 2013 or any other law for the time being in force having capability to collect real time information, to collect or record such information in real-time coordination with the investigation agency for provision in the prescribed manner."

The Prevention of Electronic Crimes Act (PECA) establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 38 of the PECA, there is a civil or criminal liability limitation for service providers for content posted by users, unless it is proven that the service provider had “specific actual knowledge and willful intent to proactively and positively participate” in cybercrimes committed the Act. However, it is reported that the Removal and Blocking of Unlawful Online Content (Procedure, Oversight, and Safeguards) Rules 2020 passed in November 2020 create new obligations and liabilities for social media companies which can be in contradiction of limitation of intermediary liability provisions for technology companies in PECA.

The Prevention of Electronic Crimes Act (PECA) establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 38 of the PECA, there is a civil or criminal liability limitation for service providers for content posted by users, unless it is proven that the service provider had “specific actual knowledge and willful intent to proactively and positively participate” in cybercrimes committed the Act. However, it is reported that the Removal and Blocking of Unlawful Online Content (Procedure, Oversight, and Safeguards) Rules 2020 passed in November 2020 create new obligations and liabilities for social media companies which can be in contradiction of limitation of intermediary liability provisions for technology companies in PECA.

Pakistan does not have a comprehensive regime in place for all personal data, but it has sectoral regulation. The Prevention of Electronic Crimes Act 2016 contains some provisions on data protection. It prevents unauthorized acts with respect to information systems and provides for related offences as well as mechanisms for their investigation, prosecution and trial. Under the Act, unauthorized access, copying, interference to information system or data is a punishable offence and shall be punished with imprisonment or fine. In addition, there is some sectoral regulation on data in the banking and telecom sector.

Section 31 of the Prevention of Electronic Crimes Act includes data retention provisions that make it mandatory for service providers to hold traffic data for a one year minimum or as “authorised officers” see fit. Art. 32 states that a service provider shall, within its existing or required technical capability, retain the specified traffic data for a minimum period of one year or such period as the Authority may notify from time to time and, subject to production of a warrant issued by the Court, provide that data to the investigation agency or the authorized officer whenever so required.

Art. 4 of the Prevention of Electronic Crimes Act prohibits the transfer of data without the authorisation of the data owner.

Pakistan has not joined any agreement with binding commitments to open transfers of data across borders.

According to the Pakistan Telecommunication (Re-organization) Act, the Pakistan Telecommunication Authority (PTA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

It is reported that Pakistan prohibits data transfers to any country that it does not recognize, including: Israel, Taiwan, Somaliland, Nagorno, Karabakh, Transnistria, Abkhazia, Northern Cyprus, Sahrawi Arab Democratic Republic, South Ossetia and Armenia. This list may change from time to time. Additionally, data transfers to India must be justifiable by the transferor.

Pakistan has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that there is no obligation for passive infrastructure sharing in Pakistan to deliver telecom services to end users. However, it is practiced in the mobile sector and in the fixed sector based on commercial agreements.

The incumbent operator, Pakistan Telecommunication Company Ltd (PTCL), is a state owned enterprise with majority shares.