Waiza Rafique
Technology-facilitated gender-based violence (TFGBV) has quietly become one of the most dangerous frontiers of violence against women in Pakistan. From deepfake pornography to image-based abuse and coordinated online smear campaigns, digital spaces are increasingly weaponised to silence women, destroy reputations, and, in some cases, cost lives. Yet Pakistan continues to confront these harms with fragmented laws and outdated regulatory thinking, while the structural driver of the crisis remains unaddressed: the absence of a comprehensive data protection law.
Existing legislation, particularly the Prevention of Electronic Crimes Act 2016, focuses largely on criminalisation after harm has occurred. It does little to regulate how personal data is collected, stored, shared, or misused in the first place. This gap is not abstract. It is visible in repeated data breaches involving banks, telecom companies, and state institutions such as NADRA, exposing citizens to identity theft, blackmail, impersonation, and offline violence. For women, whose personal data is often used as a tool of social control, the consequences are disproportionately severe, to the extent that a breach of such data can directly mean death in the name of honour.
Recent years have seen a surge in TFGBV cases documented by civil society and law enforcement alike, though even these figures underestimate the scale of the problem. High-profile cases involving journalist Asma Shirazi, Punjab Information Minister Azma Bukhari, and Chief Minister of Punjab Maryam Nawaz illustrate how AI-generated content and manipulated media are deployed to undermine women’s credibility and democratic participation. Beyond public figures, young women and content creators have faced harassment so severe that it has led to suicide and homicide, underscoring that digital abuse often spills into physical harm.
Globally, Pakistan is becoming an outlier. As of 2024, 167 countries and jurisdictions have adopted comprehensive data protection laws, covering approximately 83 per cent of the world’s population. These laws regulate personal data across both public and private sectors and apply to electronic and physical records alike. Nearly three-quarters of UN Member States now recognise data protection as a core governance obligation. Pakistan, despite repeated drafts and commitments, remains stuck at the proposal stage.
Comparative experiences are instructive. The European Union’s General Data Protection Regulation (GDPR), the UK’s Data Protection Act 2018 and, more recently, the Data Use and Access Act, 2025 (DUAA) establish enforceable principles such as consent, purpose limitation, data minimisation, and independent oversight, creating meaningful remedies for misuse of data (UK Government, 2018). India’s Digital Personal Data Protection Act 2023, while imperfect, marks a decisive shift towards recognising privacy as a governance priority and addressing risks posed by large digital platforms and AI-driven processing (Government of India, 2023). Across the Asia-Pacific region, countries like Thailand, Sri Lanka, and Malaysia have also strengthened institutional accountability through dedicated data protection regimes.
These frameworks do not eliminate digital harm overnight. However, they gradually but certainly close the structural loopholes that allow abuse to flourish unchecked. Research consistently shows that data protection laws play a preventative role by regulating data flows before harm occurs, reducing opportunities for image-based abuse, deepfakes, and doxxing, and enabling civil remedies alongside criminal sanctions. Pakistan’s proposed Personal Data Protection Bill 2023 recognises many of these principles, including consent, breach notification, and the establishment of a regulatory authority. However, its progress has stalled amid concerns over government exemptions, weak enforcement capacity, and lack of political urgency. Delay carries a cost. Every year without comprehensive data protection deepens public mistrust, increases vulnerability, and leaves women exposed in an increasingly AI-driven digital ecosystem.
A dedicated data protection law will not, by itself, end TFGBV. But without it, meaningful protection is impossible. Pakistan must enact a law applicable to both public and private bodies, establish an independent and empowered data protection authority, mandate breach notification, and introduce heightened safeguards for biometric and AI-generated data. Equally important is investing in institutional capacity, training justice sector actors, regulators, and service providers in survivor-centred, rights-based responses, so that implementation of the law can follow. Digital spaces are now integral to political participation, economic opportunity, and freedom of expression. Allowing them to remain unregulated is not neutrality; it is complicity. For Pakistan, passing a comprehensive data protection law is no longer a technical exercise. It is a gender justice imperative.






