Pakistan’s tax authority can now access deleted browsing history — what's next?

In a controversial move sparking nationwide debate, Pakistan’s top tax authority has gained legal access to citizens’ internet browsing data, including deleted logs, in an effort to crack down on tax evasion and monitor digital spending.

According to legal experts, the Finance Act 2025 empowers the Federal Board of Revenue (FBR) commissioners to issue written notices to Internet Service Providers (ISPs), telecom operators, and the Pakistan Telecommunication Authority (PTA), requiring them to provide subscriber details and IP history. Crucially, this can be done without a court order.

FBR spokesperson Dr Najeeb Ahmad clarified that the provision is not intended for the general public but specifically targets individuals engaged in fraudulent sales tax activity. “The objective is to identify the computers used in committing sales tax fraud,” he said.

However, digital rights advocates argue that the expanded surveillance authority lacks adequate legal safeguards and opens the door to state overreach.

Digital Rights Foundation (DRF) founder Nighat Dad, speaking to Nukta, raised alarm over the implications of Section 38B of the Finance Act 2025. She said it allows the FBR to access digital footprints, including private browsing history across devices, without judicial authorization.

“This marks a dramatic erosion of digital privacy,” Dad said. “Access to private data has effectively shifted from being a matter of judicial oversight to an administrative function.”

Section 38B of the Finance Act 2025 reads: “The Commissioner may, by notice in writing, require any Internet Service Providers, Telecommunication Companies and Pakistan Telecommunication Authority, to furnish subscriber's information pertaining to the Internet Protocols in connection with any inquiry or investigation in cases of tax fraud, as may be specified in such notice.”

What should citizens do now?

Dad urged legal professionals and civil society to push for judicial oversight and rights-based limits on FBR’s data access. She called for principles such as data minimization, timely deletion of data, and the creation of redress mechanisms that allow individuals to access, review, and challenge how their data is used.

“Digital privacy is essential to democratic expression and human dignity,” she emphasized.

Pakistan still lacks a digital privacy law

Institute for Research, Advocacy and Development (IRADA) founder and legal expert Advocate Muhammad Aftab Alam noted that Pakistan has no comprehensive data protection law. As a result, both government and private entities face little accountability for accessing or misusing personal data.

Official sources, speaking on the condition of anonymity, said the Personal Data Protection Bill has been pending for over five years. Originally drafted by the Ministry of IT and Telecom (MoITT) in 2018, it has undergone multiple revisions. Updated versions were introduced in 2020, 2021, and 2022.

Although Imran Khan’s cabinet approved the 2021 draft in February 2022, it was never tabled in the National Assembly. The current government asked for a fresh review, and the latest version — now called the Personal Data Protection Bill Draft 2023 — remains under consideration.

Is digital privacy still a fundamental right?

Alam emphasized that the right to data protection is a globally recognized extension of the right to privacy. “Personal data held by public or private entities must not be shared without the citizen’s explicit consent,” he said.

He argued that the absence of such protections in Pakistan violates international norms, even under the Right to Information (RTI) frameworks. “Globally, no third party, public or private, can disclose a person’s data without permission,” Alam explained.

Nighat Dad also condemned the new amendments as enabling “sweeping, unchecked surveillance.” She said the FBR can now compel ISPs to hand over user data, even deleted logs, without notifying individuals.

Can it be ethically justified?

Experts question the legality, necessity, and practicality of the FBR’s new powers. Alam highlighted the risk of false attribution in shared internet environments, where multiple users can access the web from the same IP address.

“This appears to be a clear overreach and a violation of the right to privacy,” he said. “Rather than aligning with modern privacy norms, the FBR is creating new avenues for intrusion under the guise of tax investigations.”

Still, not everyone sees it as a major threat.

Senior journalist Shahbaz Rana said he does not believe the provision will significantly impact journalists, since much of their work is already in the public domain. However, he warned that freelancers may be affected, especially since they are now subject to a 5% tax.

Legal loopholes

Advocate Alam pointed to a serious procedural flaw: citizens are not notified when their data is accessed. “There is no legal mechanism to inform individuals, which violates principles of due process and fair trial,” he said.

FBR officials maintain that this data access is conditional and invoked only in investigations under the Record of Discrepancies (RoD) framework, which is designed to detect suspicious financial activity or tax fraud.

But Alam argued that this sets a dangerous precedent. “An official’s suspicion alone can now trigger full access to a person’s digital footprint without their knowledge or consent,” he warned.

'A matter of national security'

An FBR official, speaking on condition of anonymity, defended the move as essential to protecting the national treasury from high-tech fraudsters.

“These actors exploit digital loopholes to create ghost companies, use fake IP addresses, and generate bogus invoices to claim fraudulent sales tax refunds,” the official said. “In the past, the system was so easily manipulated it cost Pakistan trillions in fake tax reimbursements.”

Fraudsters would allegedly register fictitious companies with fake names, forged addresses, and multiple IPs, use them to file fraudulent tax returns, and then vanish without a trace. Authorities, the official said, had no digital trail to follow — until now.