The origins of Pakistan’s legal framework qua cyberspace have to be traced back to the

Constitution of Pakistan, 1973 that does not directly refer to the information technology or
cyberspace. It, however, lists the items of legislation in the Federal Legislative List to the Fourth
Schedule of the Constitution that confers legislative powers to the Federation with regards to
communications (Item 7), copyright, inventions, and designs (Item 25), international treaties and
conventions (Item 32), the State Bank of Pakistan (Item 28) implying e-banking and e-commerce
mechanisms, and insurance law (Item 29). On the criminal side, the constitutionality of powers
of the Federation rests on articles 142 and 143 of the Constitution of Pakistan that declare
criminal law, criminal procedure and law of evidence as shared responsibility of the Federation
and the Provinces. Based on this constitutional edifice, the Federation has passed many laws that
deal with cyberspace. The chief amongst these legislations are: (1) the Federal Investigation Act,
1974, (2) the Pakistan Telecommunication (Re-Organization) Act, 1996 and (3) the Prevention of
Electronic Crimes Act, 2016.
The PTA, with the passage of time and due to absence of a regulator of the telecommunication
media, discharges functions of policing under different sets of delegated legislation that include:
a) the Citizens Protection (Against Online Harm) Rules, 2020; b) the Critical Telecom Data and
Infrastructure Security Regulations, 2020; c) Mobile Device Identification, Registration &
Blocking (Amendment) Regulations, 2018; d) Data Retention of Internet extended to Public Wi-
Fi-Hotspots Regulations, 2018; e) Subscribers Antecedents Verification Regulations, 2015; and f)
the Telecom Consumer Protection Regulations, 2009. It also supplements and coordinates the
mandate of providing the computer emergency response teams for protection of critical
infrastructure as required under section 49 of the Prevention of the Electronic Crimes Act,
2016.
The Prevention of Electronic Crimes Act, 2016 (PECA) is the principal criminal law dealing
with cybercrimes in Pakistan. It criminalizes different conducts that involve cyberspace and
digital devices. In all, the law has enacted twenty-three offences that include accessing and
interfering with data, critical infrastructure, glorification of other cybercrimes, cyber terrorism,
hate speech on cyberspace, electronic forgery, electronic fraud, unauthorized use of identity of
another person, unauthorized interception, offences against dignity and modesty of natural
persons, child pornography, cyber stalking (criminal intimidation), spamming and spoofing. Out
of these twenty three offences, only three offences (cyber terrorism and offences related to
dignity and modesty of natural persons) are cognizable (as per section 43), which means that
except these three offences the legal action has been linked to judicial order, which, in practice,
affects legal rights of people who reach out to executive authorities/police for redress of their
grievances. PECA is not only a criminal substantive law, but is also procedural and regulatory in
nature. On criminal procedural side, it states that only authorized investigation agency shall
investigate cybercrimes. The Prevention of Electronic Crimes Investigation Rules, 2018 (PEC
Rules) enacted under section 51 of PECA authorize only the FIA to investigate cybercrimes. The
non-authorization of provincial police organizations is likely to be reviewed due to the all-
pervasive nature of cybercrimes and the use of digital devices in all sorts of crimes. It may be
noted that the PECA has a full-fledged chapter on preventive measures that include power of the
Federal Government to issue directions to owners of information systems and constitution of
Computer Emergency Response Team(s) (CERT). The PECA also provides for issuance of
warrant for search and seizure and warrant for disclosure of content data besides obliging service
providers to retain and provide data and information expeditiously to the authorized police
officers. Detailed procedure to be adopted by authorized officer on seizing data is also given in
the law. The PEC Rules provide for Cybercrime Wing of the FIA that must have a cybercrime
investigations’ section, forensics section and data and network security section. The PEC Rules
also provides for a cybercrime complaints registry mechanism to redress the complaints of
citizens efficiently. These Rules also provide for training of officers of Cyber Wing and for the
procedure to be followed for transfer of investigations related to cybercrimes. The Rules expand
on the procedure of international cooperation with INTERPOL and on the principles and values
that must be adhered by the authorized officers while conducting investigations especially with
regards to victim confidentiality and witness protection.

The law dealing with cyber-crimes in Pakistan is Prevention of Electronic Crimes Act, 2016
(“Act”) which is applicable to every citizen of Pakistan wherever he may be and to every other
person who is stationed in Pakistan for the time being.

The law address to following types of cyber-crimes under the Act:

Access or interfere the data or information system and copying or transmission of data; (Section
3, 4 and 5 of the Act).
Unauthorized access, unauthorized copying, unauthorized transmitting or unauthorized
interfering with the critical infrastructure OR threaten to commit any of the aforesaid offences
with an intention to coerce, intimidate, create a sense of fear, panic, insecurity or public or
community/society (Sections 6, 7 and 8 of the Act).
Prepare or disseminate information through any information system or device with the intent to
glorify an offence relating to terrorism, or any person convicted of a crime relating to terrorism
OR threaten to commit any of the aforesaid offences with an intention to coerce, intimidate,
create a sense of fear, panic, insecurity or public or community/society (Section 9 of the Act).
Whosoever prepares or disseminates any Hate Speech, information that invites motivation of
people to fund or recruits for terrorism through any information system or device (Sections 11 &
12 of the Act).
Electronic forgery and electronic fraud committed by interfering with any information system,
device or data with the intent to cause damage or injury to the public; or to make any illegal
claim; or title or to cause any person to part with property; or to enter into a contract; to commit
fraud; alteration, deletion or suppression of data etc. (Sections 13 & 14 of the Act).
An act to manufacture, generate, adapt, export, supply, offer to supply or import any information
system, data or device, with an intent to be used or believing that it is primarily to be used to
commit or to assist in the commission of an offence under this Act. (Section 15 of the Act).
Unauthorized use of another person’s identity information or to obtain, sell, possess or transmit
such information. (Sections 16 of the Act).
Issuance of SIM (subscriber identity module); R-IUM (re-useable identification module); or
UICC (universal integrated circuit) or any other module designed for authenticating users to
establish connection with the network and to be used in cellular mobile, wireless phone or other
digital devices without obtaining and verification of the subscriber’s antecedents. (Section 17 of
the Act).
Dignity of Natural Person: Public exhibit or display or transmission of any information
knowingly that such information is false and intimidate or harm the reputation or privacy of a
natural person through an information system. (Section 20 of the Act).
Modesty of Natural Person:, Intentional and public display or exhibition or transmission of any
information which superimposes a photograph over any sexually explicit image or video of a
natural person; includes a photograph in sexually explicit conduct of a natural person; intimates a
natural person with sexual act; sexually explicit image or video of a natural person; or entices or
induces a natural person to engage in sexually explicit act; through an information system to
harm a natural person or his reputation, take revenge, create hatred or blackmail a natural person.
(Section 21 of the Act).
Child Pornography: Produce, offer or make available, distribute or transmit through an
information system or to procure for himself or for any other person or without lawful
justification possesses material in an information system any material which contain the elements
of child pornography. (Section 22 of the Act).
Writing, offering, making available, distributing or transmitting malicious code through an
information system with an intent to cause harm to any information system or data resulting in
the corruption, destruction, alteration suppression, theft or loss of information system. (Section
23 of the Act).
Doing Cyber Stalking with an intent to coerce or intimidate or harass any person by using
information system, information system network, internet website, electronic mail or any similar
means of communication. The term Cyber Stalking includes: (a) foster personal interaction
repeatedly to a person who clearly indicates a disinterest from the stalker; (b) monitor the
internet, electronic mail, text message or any other form of electronic communication of another
person; (c) watch or spy upon a person in a manner that results in fear of violence or serious
alarm or distress in mind of such persons; and (d) take photograph or make video of a person and
display or distribute such video in a manner without his consent that harms a person. (Section 24
of the Act).
Spamming: A person commits the offence of spamming who with an intent transmits harmful,
fraudulent, misleading, illegal or unsolicited information to any person without permission of the
recipient or who causes any information system to show any such information for wrongful gain.
(Section 25 of the Act).