Personal Data Protection Law: Door ajar for misuse
In a forward-looking move, the government has set out to form a law for personal data protection fashioned on the EU's momentous General Data Protection Regulation (GDPR) as it looks to make Bangladesh fit for the digital age.
Like the GDPR, the law would allow citizens the right to know what personal information is being collected, how the data will be used or processed, for how long, and where the data will be kept or moved, according to the draft bill.
But where it diverges from the GDPR is that certain state agencies, such as law enforcement agencies, are spared from complying with the law for "functions of the government". The Daily Star has a copy of the draft law prepared in November last year.
"The problem in the draft law is that it leaves loopholes for the government agencies, which will nullify the whole purpose of the law," said Md Saimum Reza Talukder, an advocate who specialises in law, privacy and digital technologies.
For example, the law will not be applicable for government agencies building a case against someone under the existing laws of the land.
In other words, someone being prosecuted under any law will not have the right to data protection, meaning the spectre of the contentious Digital Security Act (DSA) -- where digital data is the main evidence used -- would continue to loom large.
The DSA has been routinely abused to target journalists and muzzle online dissent.
The law is being drafted for data protection, privacy and to control social media, said Mustafa Jabbar, minister of post and telecommunication.
"I want this law," he said.
The Director General of the Digital Security Agency will be investigating violations, levying fines and ensuring overall compliance -- and will be exempted from prosecution, along with employees of the Data Protection Office, for violations considered to be "done in good faith".
"If the DG or Data Protection Office is indemnified against any such prosecution, it contradicts the constitution, which guarantees the fundamental right of equality before the law. This provision cannot be expected in a democratic society," Talukder said.
As per the proposed act, it will be mandatory for private and public organisations to appoint or designate individuals as data controllers and data protection officers.
The data protection officer is a person appointed by the data controller to make sure that the relevant data protection laws are being followed.
A data controller is defined as the person responsible for collecting or processing (or supervising the processing) of personal data.
For the government, this could be a law enforcement officer; for a non-governmental organisation, it could be the person in charge of supervising beneficiary data or even an IT department.
The DG will have the power to intervene and give mandatory directions to all data controllers and data processors.
The draft contains a provision that will enable the government to officially publish gazettes exempting certain data controllers, or "class of data controllers", from having to follow any provision of the law. With this section, it is completely exempting government agencies or state forces that are functioning as data controllers.
This, coupled with the fact that the DG is indemnified from facing prosecution for such directions, takes away checks and balances from the perspective of administrative law and might also hamper institutional autonomy, he said.
"The government's law enforcement mechanisms never hesitated to weaponise such laws before," said Faheem Hussain, a tech policy specialist and an associate professor at Arizona State University, who chairs the school's Global Technology and Development post-graduate programme.
The law gives the citizen the right to know about what kind of data is being collected about them, and whether any data profile is being created, but it exempts cases in which "processing is necessary for functions of the government".
In another section, the draft law says personal data can only be processed in compliance with the law, but that this will not be applicable "for compliance with any legal obligation to which the data controller is the subject."
Another touchy feature of the draft law -- which is present in the GDPR -- is that foreign organisations with a branch, agency or even a single piece of equipment in Bangladesh will have to comply and fall under the jurisdiction of the DG.
The personal data of Bangladeshi citizens must stay in the country.
The draft says citizens must be notified via written notice about any cross-border transfer of personal data being carried out and that the data controller cannot transfer any personal data to a place outside Bangladesh unless the government gives permission.
This means development partners, foreign NGOs and international human rights organisations as well as foreign banks like Standard Chartered and HSBC will have to localise data within the Bangladesh territory.
This might be problematic, according to Talukder.
"This might also be problematic if the government requires the development partners, INGOs, and international human rights organisations to localise data within Bangladeshi territory. Compliance with other regional and international personal data protection principles will be an issue then," said Talukder.
Last month, Zunaid Ahmed Palak, state minister for information and communication technology, told The Daily Star that the law is being formulated to ensure that data of the people of Bangladesh stay within the country and that all foreign organisations must comply with it.
"Or else, they will not be allowed to operate in Bangladesh," he said.
While such an uncompromising stance can work for the EU, it can backfire for Bangladesh -- a country that is in dire need of foreign direct investment and receives a rather modest sum every year.
In 2020, Bangladesh received about $2.6 billion in FDI, down 10.8 percent year-on-year, according to data from the Bangladesh Bank.
Cross-border transfers of data that serve the "strategic interests" of the country, however, are exempt from this, which begs the question of what constitutes a strategic interest.
For a draft that defined in detail terms such as "medical purpose" or "healthcare professional", there are no definitions given for "strategic interest", "national security", or "public interest".
Contacted, Tarique Barkatullah, director of National Data Centre at Bangladesh Computer Council and one of the authors of the law, said the draft is not final yet.
"We have submitted four drafts so far, and each time they came back with recommendations as the government is vetting the law very carefully."
Once the draft bill is finalised, it will be put up for public debate and then changed further.
The provisions for foreign entities might not stay in the final version of the law because the government does not want to impact the FDI flow in any way, he said.
"This provision has been rejected by the higher levels. We do not have the leverage required to make foreign companies comply with this. It is crucial for the country to attract foreign investment."
Quizzed about the exemptions left for government agencies and whether they will remain in the final draft, he said he was unsure.
"We have observed over 130 laws from across the world, and they all have similar provisions for law enforcement agencies," he added.