Concerns over the proposed personal data protection bill
It has come to light through print and electronic media that the Government of Bangladesh has recently prepared a draft bill on personal data protection. Some of the most pertinent issues with the bill are set out below.
Section 2 of the proposed bill defines several key terms, including data, anonymised data, personal data, data subject, data controller, data processor and processing, but many of the definitions are neither comprehensive nor exhaustive. For example, under the proposed bill, anonymised data means 'any data that has undergone the process of anonymisation', yet the bill nowhere explains what that process is. Likewise, the definition of personal data should indicate which kinds of data can be used to identify a person. In most data protection laws, personal data is defined by reference to identifiers such as a name, an identification number, location data, or factors specific to a person's physical, physiological, genetic or mental identity. The bill's definition of personal data lists none of these identifiers, which makes the definition clause problematic.
Moreover, the proposed bill does not define many other important terms commonly used in data protection laws, including but not limited to cross-border transfer/processing, profiling, pseudonymisation, consent, data breach, health data, biometric data and establishment.
Since data processing activities are becoming increasingly complex in the digital age, there must be a body in place to act as a watchdog for the rights of individuals. Therefore, most international, regional and national data protection frameworks, notably the Council of Europe's Convention 108 of 1981 and the General Data Protection Regulation (GDPR), provide for an independent supervisory authority, and some 90% of countries that have data protection laws have opted to establish one.
By contrast, section 28 of the proposed bill provides for the establishment of a data protection office (DPO) under the direct control and administration of the Digital Security Agency constituted under the Digital Security Act, 2018 (DSA). The DPO will be staffed with such officers and employees as required and headed by the Director-General of the Digital Security Agency (established by section 5 of the DSA). Experts in the field argue that the DPO should be independent of the Digital Security Agency. One should bear in mind that privacy is not an option but one of the most valued rights for the growth of democracy in the digital age.
Under section 43 of the proposed bill, personal data may be transferred outside Bangladesh subject to a government notification published in the Official Gazette. This will be a lengthy process. Cross-border transfers could be made simpler by incorporating specific mechanisms such as transfers subject to appropriate safeguards, binding corporate rules, derogations/exemptions, or international cooperation arrangements. Although section 43(3) lists seven circumstances in which data may be transferred abroad without government intervention, such as consent, performance of a contract, the vital interests of the data subject and the public interest, it omits at least two other important grounds: transfers subject to appropriate safeguards and international cooperation for the protection of personal data.
Data breach notification has become one of the most detailed provisions in modern data protection instruments. Under section 29 of the proposed bill, the controller must report a data breach to the Director-General, and the processor must notify the controller, without undue delay. But no specific timeframe is set for the notice, so the provision does little to limit the harm individuals suffer from a breach. Moreover, there is no requirement to notify the affected individuals at all. The bill should instead require the data controller and all other responsible persons to report a breach without undue delay and no later than 72 hours after becoming aware of it, as the GDPR does. Furthermore, if the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller should inform the affected persons without further delay.
A combined reading of sections 60 and 65 of the proposed bill reveals that no legal action can be taken against the Director-General, an authorised officer or an employee of the DPO in respect of any act done or omitted in good faith in that capacity. Similarly, under section 57 of the bill, a company and the other persons responsible may escape punishment for an offence under the bill if they can prove that the offence was committed without their knowledge or that they exercised all due diligence to prevent it. Let us not forget that blanket exemptions of this breadth will defeat the purpose of the bill and render the law meaningless.
It is good to see that section 46 of the proposed bill provides for compensation to the victim from a data controller, data processor or data collector that fails to comply with the law. However, there is neither any provision for civil litigation nor any fixed administrative fine under the bill. Without specific provisions for civil suits and fixed administrative fines, the bill may turn into a toothless instrument. Considering the profound importance of privacy, the data protection laws of many countries, such as Singapore, Switzerland, the USA, the UAE, Portugal, South Africa, Malta, Macau, Chile, Lesotho, Cape Verde, Bahrain and Uzbekistan, allow civil suits to be filed over data breach incidents.
Last but not least, an effective data protection law does not seek to stop the processing of personal data; it permits processing within legal bounds. A carefully designed data protection regime promotes business, eases trans-border data transfers, encourages research and innovation, pays due attention to public interests, and protects the privacy rights of individuals. Hence, the principal aim of an effective data protection regime is to strike a balance among the competing interests of all stakeholders, namely the State, businesses and data subjects. Though the primary duty of ensuring privacy lies with the government, all relevant stakeholders, including civil society, the legal community, the judiciary and other legal institutions, national human rights institutions, ministries and legislative bodies, the industry and technology community, and the media, have a role to play in making the new law purposeful.
THE AUTHOR IS A DOCTORAL CANDIDATE ON PRIVACY AND DATA PROTECTION LAW AT THE FACULTY OF LAW, UNIVERSITY OF MALAYA, MALAYSIA.