A data policy without a spine
.

Read the new Data Governance Policy, 2026, by the Ministry of IT & Telecom, and it is genuinely hard to find fault with the ideas inside it. The Federal Government calls itself a custodian of citizens' data rather than an owner. It talks about privacy by design instead of privacy as an afterthought bolted on once something goes wrong. It promises people the right to know who, inside the government, has looked at their data, and the right to correct it, move it or have it deleted. Consent has to be specific, not the usual scroll and click box that nobody reads. On paper, this is the vocabulary of the European Union's data protection regime, not the vocabulary Pakistani policy documents usually reach for.
The trouble begins the moment one asks what happens when a citizen actually tries to use these rights. In Europe, a person whose data has been mishandled can go to an independent data protection authority. That authority does not report to the ministry running the service in question. It can investigate, it can fine, and it has done so, famously against Meta, against Google, against a long list of companies that assumed good intentions were enough. Ireland's regulator alone has issued fines running into billions of euros. India took a rougher, slower path but got there, too. After years of drafts and a Supreme Court judgment that first had to declare privacy a fundamental right, it passed the Digital Personal Data Protection Act in 2023, with its own board meant to sit apart from the ministries it oversees.
Pakistan's policy has no equivalent, and it does not pretend otherwise. It says outright that a Personal Data Protection Law is still anticipated, and that once it exists, its provisions will take precedence. That is an honest admission, but it leaves this policy in an odd position. It hands out rights on one page and admits on another that there is nobody with the legal power to enforce them yet. The enforcement it describes runs through the Pakistan Digital Authority, a body barely a year old, created by the Digital Nation Pakistan Act of 2025, which is being asked to write the rules, police compliance and referee disputes involving other government ministries, all without a separate law or a separate court standing behind it.
This gap deserves to be taken seriously rather than dismissed as the usual boilerplate criticism levelled at every new government initiative. Writing eloquent principles is the easy part of digital governance. Estonia is the country everyone cites approvingly for its X Road data exchange system, and what usually gets left out of the story is that Estonia spent close to two decades building the institutional habits, the technical staff and the public trust that made X Road workable. It did not arrive with the law. It came after years of smaller systems, smaller failures, and a government that kept at it long enough for citizens to stop being suspicious of it. Pakistan is attempting something of a similar ambition through an authority that has existed for barely a year.
None of this is an argument for shelving the policy. Direction matters, and this one point somewhere sensible after years of digital initiatives that were announced with fanfare and quietly forgotten once the press conference ended. But a policy is a statement of intent. It becomes real law once parliament passes the Personal Data Protection Law. This document keeps gesturing toward a future where - once there is a regulator that does not answer to the ministries it is supposed to be checking, and once an ordinary citizen has an actual physical or institutional address to send a complaint to when the state gets its data wrong - true systemic accountability can finally exist. Until that happens, what exists today is a well-written promise, and promises are not usually the part of governance that Pakistan has struggled to produce.













COMMENTS
Comments are moderated and generally will be posted if they are on-topic and not abusive.
For more information, please see our Comments FAQ