LONDON · ISLAMABAD · WARSAW · WISCONSIN
+92-323-2999999 | EN / اردو
LexForm
People Expertise Insights About Get in Touch

Expertise

Criminal Law Civil & Property Company Law Tax & Accounts Immigration UK & EU Practice US Practice

Insights & Tools

Blog News Case Analysis Tax Calculator Stamp Duty Calculator ATL Checker Statutes Library

Contact

+92-323-2999999

London · Islamabad · Warsaw · Wisconsin

WhatsApp
Criminal Law

PECA 2016 in Pakistan: Cybercrime Offences, the 2025 Amendments, the NCCIA, and the Fake News Controversy

By LexForm Research|17 April 2026|11 min read

The Prevention of Electronic Crimes Act 2016 (PECA) is Pakistan's principal legislation on cybercrime. Enacted on 11 August 2016, the Act defines a wide range of electronic offences, establishes procedural rules for investigation and prosecution, and provides for international cooperation in cybercrime cases. Since its enactment, PECA has been amended several times, most significantly by the Prevention of Electronic Crimes (Amendment) Act 2025, which was passed on 29 January 2025 and introduced major changes to the investigation framework and new offences related to false information.

This article sets out the key offences under PECA, the changes introduced by the 2025 amendments, the creation of the National Cyber Crime Investigation Agency (NCCIA), and the ongoing legal and constitutional challenges to the legislation.

Key Offences Under PECA 2016

PECA defines offences across several categories. The Act uses the term "information system" to cover computers, networks, servers, and any electronic device capable of storing, processing, or transmitting data.

Sections 3 and 4 deal with unauthorised access to information systems and data. Section 3 makes it an offence to intentionally gain unauthorised access to an information system or any part of it, punishable by imprisonment of up to three months, a fine of up to fifty thousand rupees, or both. Section 4 covers unauthorised copying or transmission of data, with the same penalties. These provisions target what is commonly known as hacking, though the low penalty reflects the basic nature of the offence where no further harm is caused.

Section 5 covers interference with information systems or data, including destroying, damaging, or altering data or rendering an information system inoperable. This is the provision used against denial-of-service attacks and ransomware. The penalty is imprisonment of up to two years, a fine of up to five hundred thousand rupees, or both. Where the offence relates to a critical infrastructure information system, the penalty increases to imprisonment of up to three years and a fine of up to one million rupees.

Section 6 creates the offence of glorification of an offence. Any person who prepares or disseminates information through an information system or device that advances, incites, or glorifies an offence against the integrity, security, or defence of Pakistan is liable to imprisonment of up to five years, a fine of up to ten million rupees, or both. This section has attracted criticism for its broad language, which, critics argue, could capture legitimate political expression or journalistic reporting on security matters.

Section 10 deals with cyber terrorism, defined as committing electronic offences with the intent to cause a sense of fear, panic, or insecurity in the government or the public, or to advance a religious, ethnic, or sectarian cause. The penalty is imprisonment of up to fourteen years, a fine of up to fifty million rupees, or both. This is the most severe penalty in the Act and has been used in cases involving online incitement to violence.

Sections 11 through 14 address offences against individuals. Section 11 covers electronic forgery, Section 12 covers electronic fraud, Section 13 addresses the making, obtaining, or supplying of devices for use in offences (analogous to provisions in the UK Computer Misuse Act 1990 and the Council of Europe Convention on Cybercrime), and Section 14 deals with unauthorised interception. Penalties range from two to five years' imprisonment.

Sections 20 through 24 deal with offences relating to dignity and privacy. Section 20 makes it an offence to intentionally exhibit, display, transmit, or make available any information through an information system that harms the reputation or privacy of a natural person, punishable by imprisonment of up to three years, a fine of up to one million rupees, or both. Section 21 covers offences against the modesty of a natural person, Section 22 addresses child pornography (with penalties of up to seven years' imprisonment), and Section 24 deals with cyberstalking (up to three years' imprisonment).

The 2025 Amendments: Section 26-A and the Fake News Offence

The most controversial change introduced by the Prevention of Electronic Crimes (Amendment) Act 2025, enacted on 29 January 2025, is the insertion of Section 26-A, which criminalises the intentional dissemination of false and fake information. Under Section 26-A, any person who intentionally creates, transmits, or disseminates information through an information system that is known to be false or fake, and that is likely to cause fear, panic, or unrest among the public, damage the reputation of any person, or harm the integrity, security, or defence of Pakistan, is liable to imprisonment of up to three years and a fine of up to two million rupees.

The section requires that the dissemination be "intentional" and that the person must "know" the information to be false, which introduces a mens rea requirement that, on its face, limits the offence to deliberate disinformation rather than innocent mistakes. However, critics, including Human Rights Watch and the Pakistan Federal Union of Journalists (PFUJ), have argued that the provision is dangerously vague in practice. The terms "false and fake information" and "likely to cause fear, panic, or unrest" are not defined with precision, leaving significant scope for prosecutorial discretion. There is concern that the provision could be used to silence journalists, political commentators, and ordinary citizens who share information that the government considers inconvenient.

The PFUJ challenged the amendment in the Islamabad High Court and announced a nationwide protest movement against what it described as an assault on press freedom. The constitutional challenge is based on Article 19 of the Constitution of Pakistan, which guarantees freedom of speech and expression subject to reasonable restrictions in the interest of the glory of Islam, the integrity, security, or defence of Pakistan, friendly relations with foreign states, public order, decency, or morality, or in relation to contempt of court, defamation, or incitement to an offence.

The National Cyber Crime Investigation Agency

The 2025 amendments also restructured the investigation of cybercrimes by establishing the National Cyber Crime Investigation Agency (NCCIA). Before the amendments, Section 30 of PECA authorised both the police and the Federal Investigation Agency (FIA) to investigate cybercrime offences. The FIA's Cyber Crime Wing was the primary investigating body, handling complaints through the National Response Centre for Cyber Crime (NR3C).

Under the amended Section 30, the NCCIA is given exclusive authority to investigate cybercrime-related cases. The NCCIA is headed by a Director General appointed for a non-extendable three-year term, who holds powers equivalent to those of an Inspector General of Police under the Police Order 2002. The NCCIA has the authority to establish its own forensic analysis laboratory, and reports generated by this laboratory are admissible as evidence in court proceedings.

The creation of a dedicated agency reflects the government's acknowledgement that cybercrime investigation requires specialised technical expertise that the regular police and even the FIA's existing infrastructure did not always provide. However, the concentration of all cybercrime investigation authority in a single agency, reporting directly to the federal government, has raised concerns about the potential for politicised enforcement, particularly in cases involving Section 26-A and the broader speech-related offences in the Act.

Data Protection and Removal Orders

PECA also contains provisions related to content removal and data preservation. Section 34 empowers the Pakistan Telecommunication Authority (PTA) to require service providers to remove or block access to any information through any information system if it considers the information to be necessary in the interest of the glory of Islam, the integrity, security, or defence of Pakistan, public order, decency, or morality, or in relation to contempt of court or commission of any offence under the Act. The PTA must record its reasons for any such direction, and the affected person may appeal to the High Court.

Section 29 requires service providers to retain traffic data for a minimum of one year from the date of the communication, and production data for a minimum of 90 days. Service providers who fail to comply face penalties. Section 31 empowers an authorised officer of the investigation agency to direct any person to provide data, including subscriber information, traffic data, and content data, necessary for the investigation of an offence under the Act. A warrant from a court is required for the production of content data, but not for traffic data or subscriber information.

International Cooperation

Chapter VII of PECA (Sections 39 through 42) provides for international cooperation in cybercrime investigations. Pakistan can request foreign countries to preserve data, produce traffic data, or assist in the search, seizure, and disclosure of stored data. Similarly, Pakistan may comply with requests from foreign countries, subject to certain conditions, including dual criminality and the requirement that the request is not politically motivated.

Pakistan is not a party to the Budapest Convention on Cybercrime (the Council of Europe Convention on Cybercrime), which is the principal international treaty on the subject. However, Pakistan cooperates with foreign law enforcement through mutual legal assistance treaties (MLATs) and informal channels. The absence of Budapest Convention membership means that Pakistan's international cooperation framework is less standardised than that of Convention parties, which can create delays in cross-border investigations.

Constitutional Challenges and Judicial Review

PECA has been the subject of several constitutional challenges since its enactment. In 2022, the Islamabad High Court struck down Section 20 of the Act (offences against dignity of a natural person) as unconstitutional in Asad Ali Toor v. Federation of Pakistan. The court held that Section 20 was vaguely drafted and imposed a disproportionate restriction on the fundamental right to freedom of speech and expression under Article 19 of the Constitution. The government appealed the decision to the Supreme Court, and the matter remains under consideration.

The 2025 amendments have generated fresh constitutional challenges, particularly regarding Section 26-A. The core argument is that criminalising "false and fake information" without adequate definition of those terms creates a chilling effect on speech, because individuals cannot know in advance whether their speech will be classified as false by the authorities. The petitioners argue that this uncertainty violates the requirement under Article 19 that restrictions on speech must be "reasonable" and that a law must be sufficiently precise to give citizens fair notice of what conduct is prohibited.

The outcome of these challenges will be significant for the future of digital rights in Pakistan. If the courts uphold Section 26-A, it will establish a precedent that the criminalisation of undefined "false information" is a permissible restriction on speech. If the courts strike it down or read it down (by imposing limiting conditions on its application), it will reinforce the position that broad and vague speech offences cannot survive constitutional scrutiny.

Practical Considerations

For businesses operating in Pakistan, PECA creates compliance obligations in several areas. Companies that provide information system services or telecommunications services must comply with the data retention and production requirements under Sections 29 and 31. Companies that operate social media platforms or online marketplaces accessible from Pakistan may receive content removal directions from the PTA under Section 34. Failure to comply with PTA directions can result in blocking of the platform in Pakistan, as has occurred with several international platforms in recent years.

For individuals, the practical risk of PECA proceedings has increased since the 2025 amendments. The creation of Section 26-A means that any post on social media that is later deemed to contain false information could potentially attract criminal liability. While the mens rea requirement of "intentional" dissemination of information "known to be false" provides some protection, enforcement practice will determine how strictly these requirements are applied.

Anyone who receives a notice or summons from the NCCIA or is named in a complaint under PECA should seek legal advice immediately. Cybercrime cases often involve the seizure of electronic devices and the production of digital evidence, and early legal intervention can be critical in protecting the rights of the accused.

For advice on cybercrime defence, PECA compliance, or digital rights matters in Pakistan, contact LexForm.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Cybercrime law is evolving rapidly and several provisions of PECA are subject to pending constitutional challenges. Always consult a qualified lawyer for advice on your specific circumstances.