How far does it protect our privacy?
The Digital Security Act, 2018 (“DSA”), which came into force on October 8, 2018, was enacted to ensure digital security and to identify, block, prevent and try digital crimes, etc. While stakeholders raised concerns regarding various provisions of this newly enacted law, high-profile government spokesmen gave assurances that the law was necessary to, inter alia, protect citizens' data and privacy. Looking at the relevant provisions, one may identify some scattered provisions in the DSA which may be used to protect some aspects of information privacy, but an intentionally designed personal data protection law is something very different from what we have in the DSA.
It is a matter of fact that the existing Bangladeshi laws make no reference to what constitutes 'personal data'. To the best of our knowledge, only the Passport of Bangladesh, on page no. 3, contains a few items of information under the heading 'personal data', and these include only name, parents' name, spouse's name and permanent address. Page no. 2 contains a few other items, i.e. date of birth, gender, place of birth, national identification number, etc., which are obviously personal information and are usually covered by the personal data protection laws in force in other countries. However, it is open to interpretation whether the information on page no. 2 falls within the definition of 'personal data' when page no. 3 has explicitly listed only a few things as 'personal data'.
In this context, Section 26 of the DSA has attempted to define 'personal information'; however, the section uses the term 'identification information' and includes a long list of information under it. The Explanation to the section provides that 'identification information' means any external, biological, physical information or any other information which alone or jointly can detect an individual or system, whose name, photograph, address, date of birth, parent's name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number, driving license, e-Tax Identification Number, electronic or digital signature, user name, debit or credit card number, voice print, retina image, iris image, DNA profile, security questions or any other identity which are easily available for the advancement of technology.
The issue of grave concern is that Section 26 makes it an offence to collect and use 'identification information'. It provides that anyone who, without legal authority, collects, sells, possesses, supplies or uses such information commits an offence and is liable to imprisonment of up to five years or a fine of up to five hundred thousand taka or both for a first offence; for a subsequent similar offence he is liable to imprisonment of up to seven years or a fine of up to ten hundred thousand taka or both.
There are some limitations in the definition of 'identification information'. A standard definition of 'personal data' provides a clear outline of which information is to be considered 'personal data' – the laws of many countries and regional laws include both identified (e.g. name, ID number, passport, etc.) and identifiable (e.g. IP address, website browsing history, etc.) information, in electronic and manual form, as personal data. Personal data are also categorised into sensitive and non-sensitive data to ensure appropriate protection mechanisms. Thus, though the Explanation to Section 26 includes some examples of personal data, it cannot be considered a proper definition.
Section 26 has not defined 'persons with or having legal authority' or the 'process or instances to get legal authority', etc. Compared with the provisions of other personal data protection laws, this provision has some serious problems. The law has not defined 'use' and 'collection' for the purpose of Section 26. No distinction is made between 'identification information' collected and used for social, family or recreational purposes and such information collected or used for commercial purposes. Moreover, no distinction is made between such information in general and such information which is sensitive in nature. There is no scope for future rule-making under Section 60 of the DSA in this regard. Without any of this, the collection and use of 'identification information' is made a cognizable (i.e. anyone can be arrested even without a warrant) and non-bailable offence under Section 53.
The reality is that under existing personal data protection laws, the data subject enjoys sovereignty before and during the collection, use and processing of his personal information. At the same time, even with legal authority, no one can simply collect and use such data without obtaining the consent of the data subject, who can withdraw that consent at any time, after which the data processor is bound to cease further activities with the data subject's data. Moreover, even with such consent, data collected for one purpose cannot be used for another purpose.
Moreover, data protection laws give guidance on the legal basis of data processing – under which conditions or circumstances anyone can collect, use and process the personal data of an individual. Additionally, the 'data controller' and 'data processor' have to comply with certain duties, responsibilities and obligations to protect the personal information collected. However, the DSA has no provision on the legal basis of data processing, the obligations of the 'data controller' and 'data processor', or compliance issues.
In this age of the internet of things, almost every device and appliance is smart and connected to the internet, where personal information, being the fuel, is used to obtain services and access to various sites. We simply cannot carelessly overlook the protection of our personal data. Without the enactment of a personal data protection law, the true spirit of digital Bangladesh will remain a distant dream. Surely, Section 26 of the DSA is not the proper and desired answer in this regard.
THE WRITERS ARE RESPECTIVELY SENIOR LECTURER IN LAW, UNIVERSITY OF MALAYA, MALAYSIA AND SENIOR GDPR AND GRC MANAGER, EUGDPR INSTITUTE, DENMARK.