Evaluation of Bangladesh’s Data Protection Bill

Data protection and privacy are recognised as fundamental rights. An individual’s “private life” includes the protection of his or her personal data. Personal data, in principle, is information that identifies an individual, or is related to the individual.

Constitution of Bangladesh under Article 43 grants every citizen the right, subject to any reasonable restrictions imposed by law in the interests of the security of the State, public order, public morality, or public health, to the privacy of his/her correspondence and other means of communication.

This was recognized by the High Court Division of the Supreme Court of Bangladesh in “The State vs. Oli” [2019], wherein the court observed that the culture of “leaking” personal conversations and videos on social media, and the routine collection of call details and audio records from telecoms by state agencies, without warrant or knowledge of the customers, are a breach of fundamental rights guaranteed under Article 43 of the Constitution.

The Constitution does not expressly grant the fundamental right to privacy. There are many laws and rules for security of personal data of the citizens. Bangladesh authority has drafted the Data Security bill and asked for opinion the bill.

The draft Data Security Law has some basic differences with the European Union’s landmark General Data Protection Regulation (GDPR). A key difference is that certain state agencies are reportedly spared from complying with the law. Another major difference between the proposed Data Security Bill and the GDPR is the push for data localization, or data sovereignty, as the draft law states that the personal data of Bangladeshi citizens must stay in the country.

According to the draft law, the government may, from time to time, issue to the Director General of supervising authority, such directions as it may think necessary in the interest of the sovereignty and integrity of Bangladesh, the security of the State, friendly relations with foreign States or public order. The vague and overbroad terminologies such as the protection of ‘spirit of liberation war’ and ‘friendly relations with foreign states’ etc. The absence of proper definition of terms in the bill, the proposed absolute power for the authority and ambiguity in some sections of the bill keep chances open for the law to be misused against the citizens.

Article 51 of GDPR establish independent public authority to be responsible for monitoring the application of this regulation, to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU. The draft law restricted the authority to act in exercise of its powers or the performance of its functions under this Act, be bound by such directions on questions of policy as the Government may give in writing to it from time to time. In review the provisions of personal data security acts of different countries revealed that everywhere an independent and impartial organization has been formed for the implementation of the regulations of the act. It is necessary to form an independent and specialized institution.

As per GDPR article 10, Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorized by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority. These are the data where the regulating authority may have direction and access to data in the national interest. The proposed law has no such provision for keeping records of criminal offenses.

In relation to third countries and international organizations, the Commission and supervisory authorities shall take appropriate steps to (article 50 of GDPR) to develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data and to provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms but proposed law does not have such provision.

The Bangladesh is a party to the ‘Framework Agreement on Facilitation of Cross-border Paperless Trade in Asia and the Pacific’. In case of doing something like this, some of the personal data will surely have to be handed over to other countries. But there is no provision in the act on how those data would be handed over.

This law would also have significant consequences for international companies and organizations with operations inside Bangladesh, who might otherwise use servers located in other countries to host their data, and who would have to change large parts of their infrastructure to ensure that data of Bangladeshi citizens remain inside the country. Operationally, for international social media companies operating in Bangladesh, implementing such a law would be extremely difficult.

The draft Data Security Bill also reportedly applies to all businesses “irrespective of size or turnover,” which presumably would be close to impossible for all small entities to abide by without prohibitively large costs — meaning that all businesses or data controllers would be negatively affected, regardless of size.

Experts have opinion that the data localization proposition would also likely decrease the security of citizens’ data, given how few data centers there are in Bangladesh.

Additionally, user data can be transferred outside the country if the statutory conditions are satisfied. The condition of approval through a bureaucratic procedure will be a barrier for smooth functions of different business organizations.

As per section 7 of the Right to Information Act, 2009, any authority is not bound to disclose any information which may reveal the privacy of one’s life, any information which may endanger life or physical safety of any person, or any personal information protected by any law. That means anybody cannot get any information regarding privacy or personal data. The proposed law states that it will have precedence over all existing laws thereby having an overriding effect on Bangladesh’s Right to Information Act, 2009, which is a key instrument that protects people’s right to information in the present time.

The draft Data Security Law did not make difference between data privacy and data security and a big concern was how to maintain the privacy of such data. The problem is that the government has expressed a controlling attitude to make the law a control mechanism rather than data security and data privacy.

While standard data protection acts typically aim to protect citizens’ privacy rights, many of the proposals under this draft law would increase the government’s access to personal data, and, in theory, also increase their surveillance capabilities.

The requirement to store user data locally creates a new avenue for the security agencies to survey and intercept data, which clearly contradicts the purported protectionist architecture of the law. At the same time the employees of the regulatory authority under the law will be exempt from prosecution. These exemptions remove accountability and lay the groundwork for the government to weaponize the law against commons citizens according to decision of the government and officials of the regulating authority. The proposed Bill aims to severely trample people’s privacy rights and relieves all liability of authorities in accessing people’s personal data both physically and remotely. The law proposes to give unlimited and supreme power. This power is contradictory to various rights, especially the right to privacy, described in the constitution of Bangladesh.

The writer Non-Government Adviser, Bangladesh Competition Commission. He can be contacted at [email protected]