Shielding Personal Data: Draft law more about control than protection
The draft law for personal data protection is still about control and not protection, speakers told a press conference held at the Transparency International Bangladesh headquarters yesterday.
They observed how the ICT Act and the Digital Security Act have been misused and feared that this law too will have similar consequences.
The personal data protection act should reference existing constitutional protections for privacy and freedom of expression in the preamble, they said, adding that this establishes a rights-based foundation, prioritising citizen rights over advancements.
Addressing the conference, Sheikh Manjur-e-Alam, regional director at Article 19, said, "Our constitution recognises both our right to privacy and our freedom of expression, calling the latter, an alienable right."
He said that including a recognition of these rights in the preamble can curtail the scope for abuse of this law.
The speakers demanded a specific and detailed definition of personal data.
Alam further said the law allows unfettered access to personal data in the case of national security and prevention of crime.
"For example, Whatsapp would be a data fiduciary, because it has our data. The law says the state would have unbridled access to that data."
He also said that national security is not a well-defined term, and that it can encompass a wide range of abuses of the law.
"This exception will become the law," he said, pointing out that freedom of expression is criminalised in Bangladesh.
Data localisation could make data breaches more damaging, he said, adding, "Storing data in a single location creates a single point of failure for hackers."
Alam said that international companies may be hesitant to operate in Bangladesh due to data storage restrictions, and this could stifle foreign investment.
He added that data localisation also means the government can barge in and access citizen's data at any time. "Data localisation must not be made mandatory."
Alam also said, "Global cloud service leaders always monitor threats collaboratively. But if we store data locally in any data server, we are missing out on this international monitoring and oversight.
"Section 51 mandates storing all classified data within Bangladesh's territory. Data centres are energy-intensive, such that big tech companies are taking them underwater. We are not being able to give adequate energy to homes and people. How will we ensure that we can sustain these data centres?"
The speakers also demanded the Data Protection Authority be independent, instead of being government-controlled. "The government cannot hold itself accountable," Alam said, adding, "We are yet to see the government hold anyone accountable for the multitudes of data leaks happening."
Dr Iftekharuzzaman, executive director at TIB, said the law has improved a lot following consultations with stakeholders.
"It can be seen they are adopting a majority of the recommendations being placed by the stakeholders. But then we are observing that they are ignoring the recommendations we are most concerned about."
Comments