Professional Documents
Culture Documents
MitKat Special Report - Bangladesh's Data Protection Act and Its Implications PDF
MitKat Special Report - Bangladesh's Data Protection Act and Its Implications PDF
Bangladesh’s Data
Protection Act and
its Implications
28 April 2023
MitKat Advisory Services Pvt. Ltd.
Contents
Introduction ....................................................................................................................................................... 3
Background ........................................................................................................................................................ 4
Why is the Data Protection Act Necessary in Bangladesh? ............................................................................ 5
Core Principles of Data Processing Under DPA ............................................................................................... 6
What is at Stake? Analyzing the Concerns of DPA .......................................................................................... 7
Scope and Applicability ................................................................................................................................ 7
Data Localization and Surveillance .............................................................................................................. 8
Independence of Data Authority ................................................................................................................. 8
Effects on the Free Flow of Data and Development .................................................................................. 8
Global Concerns ........................................................................................................................................... 8
Human Rights and Freedom of Expression ................................................................................................. 9
Increasing Authority of the Executive .......................................................................................................10
Comparative Analysis of Bangladesh’s DPA and India's Digital Data Protection Bill 2022 (DDPB) .............11
Impact of Data Protection Act on 2023 Presidential Elections .....................................................................12
Impact on businesses ......................................................................................................................................13
Conclusion .......................................................................................................................................................15
Author Profile .............................................................................................................................................16
Contact Us........................................................................................................................................................17
The concept of data privacy and the underlying rights and requirements for data protection are new in
Bangladesh. However, they have never been more crucial than in the current era of fast technological
advancement, social networking, cybercrime, artificial intelligence, electronic communication, and rising
consumer/user awareness. Data protection is the body of privacy laws, rules, and practices designed to
reduce the invasion of one's privacy by collecting, storing, and disseminating personal information.
Privacy rights set out the fundamental parameters for data protection and privacy. The Information
Communication Technology Act of 2006 (the Technology Act), the Digital Security Act of 2018 (the Digital
Security Act), and the Constitution of Bangladesh provide the fundamental framework for such data
protection and privacy.
The Government of Bangladesh has drafted a data protection and localization law (draft data protection
act, DPA), which, once enacted, will be the first data privacy law in Bangladesh. Broadly, the draft DPA
sets out the rights and obligations of data subjects, data controllers and data processors, with provisions
on notice-and-consent requirements, collection methods, recordkeeping, data correction and erasure,
data breach notifications, and data audits.
Bangladesh's digital governance is approaching a different path due to the 2022 Draft Data Protection
Act (DPA), which places additional constraints on processing, storing, and transferring data. The DPA is
the first proposed data privacy law in Bangladesh and comes following several years of new digital
privacy regulations being implemented globally. The bill's provisions have drawn criticism because of
their limitations on e-commerce and the lack of safeguards built for the government's enforcement
authority. The proposed Data Protection Act (DPA) has also caused significant domestic and international
business and human rights concerns. Data classification is poorly defined in the current law, and privacy
is not defined following international norms.
Further, some of the costliest provisions in the DPA concern data-localization requirements and data-flow
restrictions. Section 42 of the Act mandates that all consumer (“user created”) data be stored on servers
within Bangladesh. This requirement is likely to create cost burdens for foreign firms that are providing
services to Bangladesh’s fast-growing consumer market. Additionally, Section 43 of the Act prohibits the
transfer of consumer data outside of Bangladesh without the authorization of the government, a
requirement that significantly impedes many forms of digital trade.
DPA grants the government extraordinary enforcement powers through interconnected regulatory bodies
previously established by the controversial Digital Security Act of 2018. Under Section 35 of DPA, the Data
Protection Office which is the enforcement body of the DPA can be established. However, the Digital
Security Agency, established under the Digital Security Act of 2018, will exert direct control over the Data
Protection Office, with the director general of the Digital Security Agency acting as the head of the Data
Protection Office. Besides these provisions, concerns regarding the government’s enforcement authority
are also due to the ambiguous terms in the draft law. This is because under Section 63 of the draft, it has
been stated that the government has the power to issue directions to the director general of the Data
Protection Office “in the interest of the sovereignty and integrity of Bangladesh, the security of the State,
friendly relations with foreign States or public order”. The terms “sovereignty and integrity,” “security,”
and “friendly relations” are again ambiguous and not defined in the act, which means that the government
has the authority to effectively enforce the DPA as per their convenience.
A report published by United Nations Conference on Trade and Development (UNCTAD) stated that
Bangladesh's information and communication technology (ICT) industry has experienced a remarkable
yearly growth rate of 40 percent since the start of the Digital Bangladesh program in 2010. The local ICT
market is now estimated to be worth USD 1.54 billion. Currently, the industry employs more than 400,000
individuals and around 4,500 businesses. ICT exports doubled to USD 1.4 billion in 2019–2020, according
to the Bangladesh Association of Software & Information Services (BASIS), over the previous five years.
Bangladesh's government is attempting to regulate the ICT industry to safeguard the interests of many
stakeholders, including individuals, the government, and law enforcement agencies (LEA), mainly through
The Bangladeshi government has been steadily adopting data control over the past few years through laws
like the Digital Security Act of 2018 and the ICT Act of 2018. The Bangladesh government has proposed a
Draft Data Protection Act. The Act aims to protect people's rights to their lives, property, freedom of
expression, and conscience, focusing on their right to secrecy, privacy, and identification. This law will serve
as a statutory framework for data protection and privacy in the nation.
Broadly, the draft DPA outlines the rights and obligations of data subjects, data controllers and data
processors, with provisions on notice-and-consent requirements, collection methods, recordkeeping, data
correction, data breach notifications, and data audits. As the preamble of the draft DPA recapitulates, the
law is intended to safeguard personal data as to life, property, freedom of thought, expression, conscience,
with special regard to their right to privacy, secrecy, personal identity. Besides, the law is stimulated by the
global developments in privacy rules, which in turn is being shaped by the constantly evolving technologies
and the exponential growth in data generation and online activity all over the world.
The Act does not clarify data that directly or indirectly identifies an individual. Protecting virtually all types
of data may not lead to the significant improvement of the protection of individual privacy. The definition
of sensitive data has also not been defined extensively, as opposed to inclusively, to protect user privacy.
Moreover, the draft DPA will apply domestically and extraterritorially to all companies or individuals who
collect or process data from within Bangladesh or relating to its citizens or any services or outside the
country. The law will have a worldwide application, irrespective of the location of the data controller or its
link with the data subject. Such global application of the law can be considered disproportionate, especially
considering that the law stipulates burdensome requirements. For instance, the law obligates all data
controllers to appoint a data protection officer and conduct annual audits, irrespective of its location, size
of operations or volume of data being processed; this can be expensive and therefore compel non-resident
service providers to pre-emptively restrict access to its services in Bangladesh.
There is a concern that data of citizens can be accessed by the government. This expands the scope for
state-sponsored surveillance of citizens, especially given that the Act applies to the processing of
Bangladeshi citizens anywhere in the world and gives the government authority to request data for
national security. In case of government restrictions, this may lead non-Bangladesh based companies to
geo-block some or all their services and resources so that they will not be accessible to Bangladeshi users,
as a precautionary step to avoid inadvertently infringing the law.
Global Concerns
The United Nations (UN) pointed out that the definition of sensitive data in the draft DPA was limited
without the disclosure of information related to race or color, political opinion, trade association
membership, religious or other beliefs, sexual orientation, etc. Amnesty International further stated that
the legislation would put individuals’ privacy at risk. The law, if passed, will permit extensive government
surveillance in the guise of data governance and interference with individuals’ privacy rights. The US
Ambassador to Bangladesh also expressed concern that if the draft DPA was passed with the condition of
strict coherence to data localization requirements, few American companies currently operating in
Bangladesh might face disruptions including 2,000 start-ups.
• The DPA has expressed concerns and observations about possible human rights abuses. The
measure, according to Amnesty International, risks people's privacy. If the law is passed, it will
permit extensive government surveillance under the pretense of data governance, interfere
with people's right to privacy, and widen the scope for abuse of power. It will defend the
interests of the government rather than those of the people, according to Transparency
International Bangladesh (TIB) and local experts.
• Another major concern is DPA's definition of "sensitive data" has somewhat limited and
excluded disclosure of information like race or color, political opinion, membership in a trade
association, religious or other convictions, sexual orientation, etc. Personal data is not defined
explicitly in the draft, and the description of data protection principles needs to be revised.
• According to the UN, the localization of data, as proposed by the draft bill, would significantly
increase the risks of monitoring and human rights breaches. Any private data would be available
to law enforcement agencies without restriction. The government is given the authority to
exempt law enforcement and intelligence agencies from the act's requirements under Section
33 of the DPA, which may include monitoring servers and data centres in Bangladesh. Pressure
to reveal proprietary information may be applied to public and private organizations,
undermining democratic government.
• Under the framework, non-compliant corporate executives may also be subject to liability.
While administrative fines for data privacy violations are appropriate, imposing criminal liability
is inconsistent with international standards and the fundamentals of criminal law. Data
protection, not regulation, should be the goal of this legislation. The UN urges the removal of
data localization obligations because it is worried about gathering, using, and keeping data on
Bangladeshis living overseas.
• The proposed law is the most recent example of an ominous trend in which the government
seeks to regulate people's digital lives, especially since previous legislation like the Digital
Security Act has resulted in severe human rights violations.
• The localization of data, or storing the data domestically, is mentioned in the new law. However,
there is also room for data transfer in cases involving global commerce, global relations, or any
other matters listed by the government. Additionally, it has been said that the government will
have the power to join an international coalition or multilateral organization if necessary.
• With the revised draft of the data protection law, the director general will have the power to
direct those involved in data processing and other concerned parties to provide him with any
data he requires. The controller or data analyst must follow the directive. Therefore, the federal
government can access any data whenever it wants. Per the draft's section 10/A, the parties
concerned may obtain information from the analysts in the event of a threat to the nation's
security, to reduce crime, identify offenders, and for investigative purposes.
• The data saved on the server or in the data centre will always be under government scrutiny,
and the United Nations expressed worry over this provision. Private businesses will be under
pressure to reveal sensitive information. This portion of the proposed data protection law may
therefore compromise the democratic governance of the nation.
• Additionally, the new draft stipulates that the director general will be required to provide any
reports requested by the government on any data handled following this law. Per the draft's
• In addition, the rules contained in the new draft state that no one can immediately object to
the court if their right to privacy is violated.
The territorial scope of India’s DDPB is not limited to India and is also applicable to digital personal data
processed outside India, provided such processing is undertaken for the purpose of:
‘profiling’ or processing personal data specifically to ‘analyze or predicts aspects concerning the
behavior, attributes or interests’ of an individual in India;
offering of goods or services to individuals in India.
Similarly, the draft DPA of Bangladesh will apply domestically and extraterritorially to all companies or
individuals who collect or process data from within Bangladesh or relating to its citizens or any services
or outside the country. The law will have a worldwide application, irrespective of the location of the data
controller or its link with the data subject.
Further, the revised draft, ‘India's Digital Data Protection Bill 2022’, aims to relax data localization
requirements. It is likely to help companies maintain parity in the cost of running their businesses in India.
Whereas Bangladesh’s DPA comes with the condition of strict coherence to data localization
requirements. According to Bangladesh’s DPA, data shall be stored in Bangladesh, and shall remain
beyond the jurisdiction of any court and law enforcers other than Bangladesh. This requirement is largely
not cost-effective for foreign entities, big tech and companies that use cloud computing for data storage.
India’s Digital Data Protection Bill eases the free movement of data to trusted geographies and has
proposed simplified and business-friendly procedures. These geographies will be periodically defined by
the Indian government and are likely to be dependent on the "reciprocity" of these geographies with
Additionally, the new draft of India’s Digital Data Protection Bill does not provide for any criminal liabilities
or penalties directly linked to the turnover or revenue of the erring entity that decides the “purpose and
means of the processing of an individual’s personal data.” Whereas, under the framework of Bangladesh’s
DPA, non-compliant corporate executives may also be subject to liability and criminal penalties.
According to the proposed data protection law, citizens' personal information must be kept in Bangladesh.
Amnesty International commented on the proposed bill that, given Bangladesh's history of serious human
rights violations, "the localization of the data within Bangladesh gives authorities broad powers to access
people's data without judicial oversight and accountability for any violation of people's right to privacy."
The introduction of this measure should be seen considering the forthcoming 2023 election and the
potential harm it could create. Though the precise date of implementation of DPA is unknown, these laws
would probably take effect before the December 2023 national elections in Bangladesh. The Bangladesh
government has a history of introducing digital legislation just before elections, giving the government easy
access to harass and control the media, civil society, and political opposition. The ruling Awami League
used the Digital Security Act (DSA), introduced in 2018, months before the general elections, to control
Facebook Messenger and restrict internet access in Rohingya refugee camps. Over 200 journalists who
were critical of the administration have been detained by the ruling party since January 2020 due to the
DSA.
The news of the proposed law coincides with claims that the Awami League, the current government, has
begun training "tens of thousands of cadres to wage a propaganda war on social media in preparation for
Impact on businesses
By restricting development factors, the DPA risks reversing some of Bangladesh's hard-earned economic
accomplishments over the years.
• Cross-border data flows are necessary for digital services transactions, yet the DPA restricts the
transfer of data categories. By mandating companies to purchase servers in Bangladesh, the
DPA also raises the price of digital services in that nation. Additionally, Bangladesh is still a small
market; therefore, expensive barriers to reaching Bangladesh's consumers may prompt some
businesses to leave the market and others to avoid entering at all.
• The DPA's regulations requiring data localization and limiting data flow are the most onerous
and expensive. All consumer data must be kept on servers located in Bangladesh, according to
Section 42. This restriction may increase the cost of supplying services to Bangladesh's rapidly
expanding consumer market for foreign businesses. Additionally, data localization often
increases compliance costs for firms, disrupts global supply chains, functions as a non-tariff
barrier, and puts obstacles in the way of digitally enabled growth.
• With a few exceptions, Section 43 forbids the transmission of customer information outside of
Bangladesh without the government's consent, a restriction that severely restricts a variety of
digital transactions. The measure gives Bangladesh's government extraterritorial enforcement
authority through related regulatory organizations previously set up by the contentious Digital
Security Act of 2018.
• The new DPA applies to all organizations, regardless of size or turnover. There currently needs
to be more varied conglomerates in Bangladesh. In Bangladesh, there are 79,00,000
establishments (or roughly 98 per cent of all businesses), of which 93.6 per cent are small
businesses and 6.4 per cent are medium-sized enterprises (SMEs). Therefore, most enterprises
the rule will impact will be small businesses, which face common challenges such as limited
capital access and technological capabilities.
• The free flow of data encourages innovation by encouraging idea sharing, concept propagation,
and collaboration between people and businesses. Since data localization obstructs the very
fuel for their development, restricting the data flow could make it more difficult to fully utilize
the quickly expanding data analytics and methodologies, machine learning systems, and fraud
prevention measures. Restricted flow could lead to the limited or sluggish application of
cutting-edge worldwide approaches for information analysis.
The DPA regulations and law will similarly dissuade companies from investing in business if they face
criminal liability for user content. The consequences could have very adverse effects on Bangladesh. New
technologies including cloud computing, artificial intelligence and machine learning have the potential to
create new markets and drive prosperity in Bangladesh. However, with the enactment of DPA, Bangladesh
may face risk if a foreign business cannot access international tools, which are essential for doing business.
To strengthen Bangladesh's position as an appealing location for the ICT/ITES sector and, most
importantly, realize the full potential of Digital Bangladesh and Vision 2041, the legislature can include a
separate right to personal data protection, or general privacy right under the constitution. Moreover, the
judiciary can enhance the current constitutional protection related to privacy to cover data protection
rights by its ruling. It is, therefore, vital for the public to understand and be aware of data privacy rights,
limitations, and risks. The relevant stakeholders will have to take initiatives to build awareness among
people and establish data protection behavior. The concept of data privacy and the underlying rights and
requirements for data protection are new in Bangladesh. However, they have never been more crucial
than in the current era of fast technological advancement, social networking, cybercrime, artificial
intelligence, electronic communication, and rising consumer/user awareness.
Sakshi Mishra
Geopolitical Intelligence Analyst
Deeplaxmi Patil
Corporate Intelligence Intern
511, Ascot Centre, Suite #008, 4th Floor, C/O WeWork, 36, 101 Cecil Street,
Near International Times Square, Infantry Rd, Tasker #23-12, Tong Eng
Airport, Andheri (E), Sushant Lok – 1, Town, Shivajinagar, Building,
Mumbai - 400 099 Gurgaon - 122 002 Bengaluru - 560001 Singapore - 069 533
+91 22 2839 1243 +91 124 455 9200 + 91 95265 63359 +65 9452 1622
Follow Us On
©2023 All rights reserved. The information contained herein is the Intellectual Property of MitKat Advisory Services Pvt. Ltd. Any unauthorized use of this
content, in any form, violates our rights.
DISCLAIMER: The contents of this E-mail (including the contents of the enclosure/(s) or attachment/(s) if any) are privileged and confidential material of
MitKat Advisory Services Pvt. Ltd. and should not be disclosed to, used by or copied in any manner by anyone other than the intended addressee/(s). If thisE-
mail (including the enclosure/(s) or attachment/(s) if any) has been received in error, please advise the sender immediately and delete it from your system.