Data protection ACT: Latest draft too leaves room for rights abuse

The latest draft of the data protection act still provides scope for law enforcers to deny citizens the right to data protection.

Share at a meeting with the press at the Bangladesh Computer Council yesterday, it said the government can exempt certain classes of "data controllers" from following the stringent rules laid out in the law to protect citizens.

The government can make this exemption for the "prevention, identification, or investigation of any crime, for pressing charges, and for extracting unrealised taxes".

The draft, however, does not specify at length who can be exempted under such conditions, and what preventive measures there are.

It also does not mention anything about who can conduct digital forensics, and under what circumstances.

While these exemptions exist, the director-general of the data protection agency, to be set up under this draft law, can order anyone to provide them with access to their data to carry out the purposes set by the law.

"This means the director-general can access the data of anyone from Google and Amazon to the city corporations," said Zunaid Ahmed Palak, state minister for ICT.

"This is needed because they [DG of the data protection agency] need to be able to investigate whether the law is being followed and to investigate complaints against such organisations."

He stressed the need for storing data within the physical boundaries of Bangladesh.

At the same time the government can direct the DG in charge of this law to take action "in the interest of sovereignty and the integrity of Bangladesh, the security of the state, friendly relations with foreign states or public order".

The state minister himself, however, questioned the need for this provision – and reiterated that the draft is a work in progress, and has not been finalised yet.

Concerning storing data locally, Palak said, "We need to make sure that foreign organisations can't take our data without our consent or cause problems for the state."

The latest draft, however, included certain conditions under which citizens' sensitive data can be transferred across borders -- this includes international relations, international businesses and immigration. 

This transfer has to be governed by the DG of the data protection agency.

The law will also empower citizens to take action against data controllers for violating their rights, states the draft.

According to it, citizens can file complaints with the data protection agency, and violators will be fined up to Tk 3 lakh for domestic companies, and up to five percent of the annual turnover for foreign companies.

Furthermore, if the scale of a violation is seen to call for stricter penalties, a court will take over and can sentence violators to three years in jail and fine them up to Tk 10 lakh.

Tarique M Barkatullah, director of the National Data Centre, said, "The law is about protection of data, not its control."

Mohammad Shahidul Haque, former secretary of the law ministry's legislative and parliamentary affairs' division and NM Zeaul Alam, senior secretary of ICT Division were present at the event.