Increased State surveillance, privacy violations, and dampened digital growth are some of the concerns surrounding Bangladesh’s proposed Data Protection Act, 2022.
The law sets out to ‘make provisions to provide protection and control the matters relating to the processing of data of a person and matter ancillary and connected.’ Assuaging concerns over the law’s many potential infringements on civil liberties, Bangladesh’s Law Minister claimed last month that ‘the [proposed draft] Data Protection Act 2022 aims to protect data, not to control it.’
Why it matters: The proposed Act (reportedly framed along the lines of the GDPR) has been widely critiqued for giving the Bangladesh government sweeping powers that may potentially violate its citizens’ Right to Privacy. This mimics public responses to proposed IT laws in neighbouring India—highlighting a government-friendly approach to privacy appearing across South Asia.
The law’s announcement comes against the backdrop of Bangladesh’s rising digital economy and digital penetration over the years. When the legislation will be promulgated remains uncertain; however, regional observers speculate that it may come into force before Bangladesh heads to the national polls in December 2023. Public consultations on the law were held from March this year.
How Does the Act Define Data, Who It Belongs To, and Who Processes It?
How is data defined in this Act and what does it include?: The Act defines ‘data’, within which personal data may be included, although a definition for the latter is not provided. That being said, it stipulates that anonymised, encrypted, and pseudonymised data ‘which is incapable of identifying any individual’ does not fall within the ambit of personal data.
- Data at large is considered to be a ‘representation of any information, knowledge, fact, concepts or instructions which are being prepared or have been prepared in a formalized manner and is intended to be processed, is being processed, or has been processed in a computer system or computer network, and may be in any form including computer printout, magnetic or optical storage media, punch cards, punched tapes or stored internally in the memory of the computer, and includes the personal data for that purpose.’
While a definition for personal data is missing from the Act, ‘sensitive data’ does find mention. It includes financial, commercial, health, genetic, biometric data, and ‘any other data as may be prescribed’. It also includes data pertaining to a criminal offence by the subject as well as related legal proceedings.
Who is a data controller?: This is ‘a person including the Government entity, a company or any juridical entity who either alone or jointly or in conjunction with other person determines the purpose and means of processes any data or has control over or authorizes the processing of any data, but does not include a data processor.’
Who is a data processor?: A person who ‘processes the data on behalf of the data controller, but does not include an employee of [the] data controller.’
Who regulates the data collected?: The Data Protection Office established under the Act. The Office is under the direct control of the ‘Digital Security Agency’ established under the Digital Security Act, 2018, and will be headed by its Director General. The Office is responsible for ensuring the Act’s implementation and has the power to order investigations, request information, and conduct enquiries. The Bangladesh government has the power to issue unspecified ‘directions’ to the Director General in the ‘interest of the sovereignty and integrity of Bangladesh, the security of the State, friendly relations with foreign States or public order.’ The Director General is ‘bound’ by these policy instruments.
Who Does the Law Impact?
Who does it apply to?: To three categories of persons:
- Those processing data within Bangladesh;
- Those outside of Bangladesh processing the data of its citizens;
- Data controllers or processors outside of Bangladesh processing business-related data or data that involves the profiling of data subjects.
What rights does the Act bestow on data subjects?: The Act attempts to strengthen multiple citizen rights, including:
- The right to access their data;
- The right to correct their data;
- The right to withdraw their consent to data processing;
- The right to erase their data;
- The right to prevent their data from being processed;
- The right to data portability, which allows for data collected on an individual to be transferred in a structured, machine-readable format to any other data controller.
- The Act also bestows rights on foreign data subjects residing in Bangladesh: ‘[he] shall have all his rights under this Act where his data has been collected’.
What does the Act not apply to?: The processing of anonymised, pseudonymised, or encrypted data.
How Should Data Be Processed Under the Act?
What core principles does the Act lay out for data controllers?: These principles include:
- Data must be processed with consent and accountability;
- Data collection should be fair and reasonable;
- Data collection, processing, and storage must be done with ‘integrity’ and data processors and controllers ‘must take reasonable steps to ensure that the data is accurate, complete, not misleading and kept upto date [through record-keeping]’;
- Data should only be retained for the period authorised by the Act and destroyed afterwards;
- Data subjects will have access to their data and be able to correct any errors within it;
- No data should be processed for purposes other than what it was collected for without the consent of the data subject;
- Data should be protected securely. In the event of breaches, the data controller must immediately notify the Director General of the Data Protection Office established under the Act.
- Most importantly, processing policies must incorporate privacy by design.
How should ‘sensitive data’ be processed?: Data controllers are prohibited from processing sensitive data except for:
- When the data subject has provided their consent;
- For medical reasons;
- Legal proceedings;
- Defending or exercising legal rights;
- Protecting the rights of another legal person, in cases where the data subject has ‘unreasonably’ withheld their consent.
- Sensitive data may also be processed to ‘protect the interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject.’
How should children’s data be processed?: Children’s data, or the data of people under the age of 18, may not be processed without the explicit consent of a parent or guardian. It may be processed for research or ‘authorized statistical purposes’. In all cases, it must be processed keeping in mind the ‘child’s rights’.
Are certain types of data exempted from the Act’s provisions?: Yes. They include:
- Data processed to prevent or detect crime;
- Data related to health if applying the provisions would harm the subject or another person;
- Data for research or statistical studies;
- Data related to a court order or judgment;
- Data for the ‘purpose of discharging regulatory functions’ if applying the provisions would hinder these functions;
- Data only for ‘journalistic, literary, artistic or academic purposes’.
- The government may notify further exemptions if it sees fit.
Where should the data collected be stored?: According to the Act, ‘the sensitive data, user created or generated data and classified data shall be stored in Bangladesh, and shall remain beyond the jurisdiction of any court and law enforcers other than Bangladesh.’
Some Concerns Surrounding the Law
Scope and applicability: Responding to the law in April 2022, the Asia Internet Coalition (AIC) raised concerns over its scope, given the broad definition of ‘data’ it rests on. The coalition argued that the government should clarify that the law applies to ‘data that directly or indirectly identifies an individual’, arguing that protecting virtually all types of data does not significantly improve the protection of individual privacy. Sensitive data may also need to be defined exhaustively, as opposed to inclusively, to protect user privacy. The AIC also noted that almost no limits to user rights exist in the Act—which may disadvantage organisations looking to reasonably apply their own discretion while executing company policy.
Data localisation and surveillance: Multiple commentators have raised concerns over the data localisation requirements—which may make citizen data easily accessible to the government. This widens the scope for state-sponsored surveillance of citizens, especially given that the Act applies to the processing of Bangladeshi citizens’ data anywhere in the world, and gives the government broad powers to request data for ‘national security’, among other reasons. In the event of government restrictions, this may cause ‘non-Bangladesh based companies to geo-block some or all of their services and resources so that they will not be accessible to Bangladeshi users, as a precautionary measure to avoid inadvertently infringing the law.’
‘Independence’ of data authority: Some also question whether the Director General’s role violates the separation of powers. The Director General also leads the country’s Digital Security Agency, which is authorised to further implement Bangladesh’s proposed laws governing OTT and social media platforms. This may challenge the notion of an ‘independent’ regulator overseeing data protection complaints in the country. Additionally, the government’s power to issue ‘directions’ to the Director General may ‘require foreign providers to provide user data to the Bangladeshi government,’ which may conflict with the privacy laws of the countries they are incorporated in. Similar issues have appeared in India, particularly between Twitter and the Union government.
Impacts on the free flow of data and ‘development’: Additionally, the law is open to data being transferred out of Bangladesh—as long as a ‘serving copy’ is kept in Bangladesh. However, it does not specify how or where this data should be stored in Bangladesh before being transferred abroad, potentially interfering with the operations of much sought-after foreign businesses. Some raise concerns that provisions like these may ‘increase the cost and time of doing business in Bangladesh’ and impact digital trade. A 2022 study by RAPID estimates that ‘digital services exports are estimated to decline, from 29 to 44 per cent, depending upon the severity of cross-border data flow restrictions and retaliatory measures.’
Feasibility for smaller data controllers and processors: Similar to concerns raised in India over proposed intermediary liability legislation, commentators have questioned the feasibility of small and medium-sized companies complying with the law. Issuing notices to users every time data is processed, for example, may not be ‘logistically or financially viable’ for them. Additionally, it may be impossible for companies to ensure the data they collect is ‘accurate’ and ‘complete’. The AIC also questioned the feasibility of notifying users each time a cross-border flow takes place, suggesting that this may result in ‘consent fatigue’ for the user as well.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.