Professional Documents
Culture Documents
Evaluation of Bangladesh's Data Protection Bill
Evaluation of Bangladesh's Data Protection Bill
Evaluation of Bangladesh's Data Protection Bill
M S Siddiqui
https://businesspostbd.com/editorial/2022-08-31/evaluation-of-bangladeshs-data-protection-bill
Constitution of Bangladesh under Article 43 grants every citizen the right, subject
to any reasonable restrictions imposed by law in the interests of the security of the
State, public order, public morality, or public health, to the privacy of his/her
correspondence and other means of communication.
This was recognized by the High Court Division of the Supreme Court of
Bangladesh in “The State vs. Oli” [2019], wherein the court observed that the
culture of “leaking” personal conversations and videos on social media, and the
routine collection of call details and audio records from telecoms by state agencies,
without warrant or knowledge of the customers, are a breach of fundamental rights
guaranteed under Article 43 of the Constitution.
The Constitution does not expressly grant the fundamental right to privacy. There
are many laws and rules for security of personal data of the citizens. Bangladesh
authority has drafted the Data Security bill and asked for opinion the bill.
The draft Data Security Law has some basic differences with the European
Union’s landmark General Data Protection Regulation (GDPR). A key difference
is that certain state agencies are reportedly spared from complying with the law.
Another major difference between the proposed Data Security Bill and the GDPR
is the push for data localization, or data sovereignty, as the draft law states that the
personal data of Bangladeshi citizens must stay in the country.
According to the draft law, the government may, from time to time, issue to the
Director General of supervising authority, such directions as it may think necessary
in the interest of the sovereignty and integrity of Bangladesh, the security of the
State, friendly relations with foreign States or public order. The vague and
overbroad terminologies such as the protection of ‘spirit of liberation war’ and
‘friendly relations with foreign states’ etc. The absence of proper definition of
terms in the bill, the proposed absolute power for the authority and ambiguity in
some sections of the bill keep chances open for the law to be misused against the
citizens.
This law would also have significant consequences for international companies and
organizations with operations inside Bangladesh, who might otherwise use servers
located in other countries to host their data, and who would have to change large
parts of their infrastructure to ensure that data of Bangladeshi citizens remain
inside the country. Operationally, for international social media companies
operating in Bangladesh, implementing such a law would be extremely difficult.
The draft Data Security Bill also reportedly applies to all businesses “irrespective
of size or turnover,” which presumably would be close to impossible for all small
entities to abide by without prohibitively large costs — meaning that all businesses
or data controllers would be negatively affected, regardless of size.
Experts have opinion that the data localization proposition would also likely
decrease the security of citizens’ data, given how few data centers there are in
Bangladesh.
Additionally, user data can be transferred outside the country if the statutory
conditions are satisfied. The condition of approval through a bureaucratic
procedure will be a barrier for smooth functions of different business
organizations.
As per section 7 of the Right to Information Act, 2009, any authority is not bound
to disclose any information which may reveal the privacy of one’s life, any
information which may endanger life or physical safety of any person, or any
personal information protected by any law. That means anybody cannot get any
information regarding privacy or personal data. The proposed law states that it will
have precedence over all existing laws thereby having an overriding effect on
Bangladesh’s Right to Information Act, 2009, which is a key instrument that
protects people’s right to information in the present time.
The draft Data Security Law did not make difference between data privacy and
data security and a big concern was how to maintain the privacy of such data. The
problem is that the government has expressed a controlling attitude to make the
law a control mechanism rather than data security and data privacy.
While standard data protection acts typically aim to protect citizens’ privacy rights,
many of the proposals under this draft law would increase the government’s access
to personal data, and, in theory, also increase their surveillance capabilities.
The requirement to store user data locally creates a new avenue for the security
agencies to survey and intercept data, which clearly contradicts the purported
protectionist architecture of the law. At the same time the employees of the
regulatory authority under the law will be exempt from prosecution. These
exemptions remove accountability and lay the groundwork for the government to
weaponize the law against commons citizens according to decision of the
government and officials of the regulating authority. The proposed Bill aims to
severely trample people’s privacy rights and relieves all liability of authorities in
accessing people’s personal data both physically and remotely. The law proposes
to give unlimited and supreme power. This power is contradictory to various
rights, especially the right to privacy, described in the constitution of Bangladesh.