Evaluation of Bangladesh's Data Protection Bill

M S Siddiqui
https://businesspostbd.com/editorial/2022-08-31/evaluation-of-bangladeshs-data-protection-bill

31 Aug 2022 00:03:01 | Update: 31 Aug 2022 00:03:01

Data protection and privacy are recognised as fundamental rights. An
individual’s “private life” includes the protection of his or her personal data.
Personal data, in principle, is information that identifies an individual, or is
related to the individual.

The Constitution of Bangladesh, under Article 43, grants every citizen the right, subject
to any reasonable restrictions imposed by law in the interests of the security of the
State, public order, public morality, or public health, to the privacy of his/her
correspondence and other means of communication.

This was recognized by the High Court Division of the Supreme Court of
Bangladesh in “The State vs. Oli” [2019], wherein the court observed that the
culture of “leaking” personal conversations and videos on social media, and the
routine collection of call details and audio records from telecoms by state agencies,
without warrant or knowledge of the customers, are a breach of fundamental rights
guaranteed under Article 43 of the Constitution.

The Constitution does not expressly grant the fundamental right to privacy. There
are many laws and rules for the security of the personal data of citizens. The
Bangladesh authorities have drafted the Data Security Bill and asked for opinions on the bill.

The draft Data Security Law has some basic differences from the European
Union’s landmark General Data Protection Regulation (GDPR). A key difference
is that certain state agencies are reportedly spared from complying with the law.
Another major difference between the proposed Data Security Bill and the GDPR
is the push for data localization, or data sovereignty, as the draft law states that the
personal data of Bangladeshi citizens must stay in the country.

According to the draft law, the government may, from time to time, issue to the
Director General of the supervising authority such directions as it may think necessary
in the interest of the sovereignty and integrity of Bangladesh, the security of the
State, friendly relations with foreign States or public order. The vague and
overbroad terminologies such as the protection of ‘spirit of liberation war’ and
‘friendly relations with foreign states’, the absence of proper definition of
terms in the bill, the proposed absolute power for the authority and ambiguity in
some sections of the bill keep chances open for the law to be misused against the
citizens.

Article 51 of the GDPR establishes an independent public authority to be responsible for
monitoring the application of this regulation, to protect the fundamental rights and
freedoms of natural persons in relation to processing and to facilitate the free flow
of personal data within the EU. The draft law restricts the authority: in the
exercise of its powers or the performance of its functions under this Act, it is to be bound
by such directions on questions of policy as the Government may give in writing to
it from time to time. A review of the provisions of personal data security acts of
different countries reveals that everywhere an independent and impartial
organization has been formed for the implementation of the regulations of the act.
It is necessary to form an independent and specialized institution.

As per GDPR Article 10, processing of personal data relating to criminal
convictions and offences or related security measures based on Article 6(1) shall
be carried out only under the control of official authority or when the processing is
authorized by EU or Member State law providing for appropriate safeguards for
the rights and freedoms of data subjects. Any comprehensive register of criminal
convictions shall be kept only under the control of official authority. These are the
data where the regulating authority may have direction and access to data in the
national interest. The proposed law has no such provision for keeping records of
criminal offenses.

In relation to third countries and international organizations, the Commission and
supervisory authorities shall (Article 50 of GDPR) take appropriate steps to
develop international cooperation mechanisms to facilitate the effective
enforcement of legislation for the protection of personal data and to provide
international mutual assistance in the enforcement of legislation for the protection
of personal data, including through notification, complaint referral, investigative
assistance and information exchange, subject to appropriate safeguards for the
protection of personal data and other fundamental rights and freedoms, but the
proposed law does not have such a provision.

Bangladesh is a party to the ‘Framework Agreement on Facilitation of
Cross-border Paperless Trade in Asia and the Pacific’. In case of doing something like
this, some of the personal data will surely have to be handed over to other
countries. But there is no provision in the act on how those data would be handed
over.

This law would also have significant consequences for international companies and
organizations with operations inside Bangladesh, who might otherwise use servers
located in other countries to host their data, and who would have to change large
parts of their infrastructure to ensure that data of Bangladeshi citizens remain
inside the country. Operationally, for international social media companies
operating in Bangladesh, implementing such a law would be extremely difficult.

The draft Data Security Bill also reportedly applies to all businesses “irrespective
of size or turnover,” which presumably would be close to impossible for all small
entities to abide by without prohibitively large costs — meaning that all businesses
or data controllers would be negatively affected, regardless of size.

Experts are of the opinion that the data localization proposition would also likely
decrease the security of citizens’ data, given how few data centers there are in
Bangladesh.

Additionally, user data can be transferred outside the country if the statutory
conditions are satisfied. The condition of approval through a bureaucratic
procedure will be a barrier to the smooth functioning of different business
organizations.

As per section 7 of the Right to Information Act, 2009, no authority is bound
to disclose any information which may reveal the privacy of one’s life, any
information which may endanger life or physical safety of any person, or any
personal information protected by any law. That means nobody can get any
information regarding privacy or personal data. The proposed law states that it will
have precedence over all existing laws, thereby having an overriding effect on
Bangladesh’s Right to Information Act, 2009, which is a key instrument that
protects people’s right to information in the present time.

The draft Data Security Law did not differentiate between data privacy and
data security, and a big concern was how to maintain the privacy of such data. The
problem is that the government has expressed a controlling attitude to make the
law a control mechanism rather than one for data security and data privacy.

While standard data protection acts typically aim to protect citizens’ privacy rights,
many of the proposals under this draft law would increase the government’s access
to personal data, and, in theory, also increase their surveillance capabilities.

The requirement to store user data locally creates a new avenue for the security
agencies to surveil and intercept data, which clearly contradicts the purported
protectionist architecture of the law. At the same time the employees of the
regulatory authority under the law will be exempt from prosecution. These
exemptions remove accountability and lay the groundwork for the government to
weaponize the law against common citizens according to the decisions of the
government and officials of the regulating authority. The proposed Bill aims to
severely trample people’s privacy rights and relieves authorities of all liability in
accessing people’s personal data both physically and remotely. The law proposes
to give unlimited and supreme power. This power is contradictory to various
rights, especially the right to privacy, described in the constitution of Bangladesh.

The writer is a Non-Government Adviser, Bangladesh Competition Commission. He
can be contacted at mssiddiqui2035@gmail.com
