Draft Data Protection Act: Cabinet okays it giving free rein to law enforcers
The cabinet yesterday approved in principle the draft Data Protection Act, which retains provisions for law enforcers to have unfettered access to citizens' data.
This was the first cabinet meeting since the announcement of the election schedule on November 15.
Since the very first draft of the act, stakeholders have been pointing out that keeping the provisions for law enforcement without oversight is tantamount to shooting oneself in the foot.
About a prior draft, Transparency International Bangladesh in March said the law would put the entire society under surveillance. It recommended that requests for access to data should be published in a monthly transparency report.
In October, Access Now and Tech Global Institute sent recommendations to the law and ICT ministries on a later draft, which was presented before the cabinet yesterday.
They pointed out that "discretion to access data without procedural safeguards risks violating the rights of the data subject".
"According to section 10(2)(d) of the Act, any data may be collected from a data subject if it is deemed necessary for national security or prevention or detection of an offence. It neither specifies well-defined conditions nor any third party or judicial oversight in the event data needs to be collected for an investigation," said the letter addressed to Law Minister Anisul Huq and ICT Minister Zunaid Ahmed Palak.
They recommended the necessity for the collection and access to data must be clearly defined and the collection has to be proportionate with legitimate purposes and under independent judicial oversight.
"Any request to collect data should be accompanied by procedural safeguards and limitations on what specific data can be collected, for how long, its use and disclosure to other parties, its retention and deletion standards and the rights of the data subject," said the letter.
The law approved in principle also empowers the government to exempt whomever it wants from having to adhere to the data protection rights afforded to citizens by the law.
Access Now and Tech Global Institute's letter pointed out that this is susceptible to misuse and recommended removing these provisions to ensure that the government cannot grant "unqualified and unchecked" exemptions.
While the law approved yesterday now says that a board -- instead of an agency, as suggested in previous drafts -- will oversee the enforcement of the law, Access Now states that concerns about government control over the supervisory body remain.
"Control over the Data Protection Board and the appellate authority is vested with the government, with the government having the absolute mandate to appoint its members, determine the terms and conditions of their service, and lay down policies that must be complied with while carrying out their functions. An independent regulatory or oversight authority is essential for ensuring the protection of individual rights, particularly because the government and its agencies and instrumentalities are likely to be large data fiduciaries under the law," it said.
Abu Sayed Md Kamruzzaman, director general at the National Cyber Security Agency, said this law would not be immediately effective.
"The government will issue a gazette specifying a day and the law will take effect from that day," he said in a press conference at the ICT Tower yesterday.
He said it might take at least a year to complete the entire process from passing the law to the formation of a board.
He said the draft would be sent to the law ministry for vetting. Then it would go to parliament. As there is no parliamentary in session, they may issue an ordinance in this regard. And later, when parliament is in session, it will be passed.