TIB on draft data protection act: Law may enable govt actors to control data
The draft data protection act empowers certain government actors with unbridled power to control the personal data of citizens, said TIB.
Transparency International Bangladesh analysed the law and pointed out several provisions that will lead to this.
The Digital Security Agency has been given limitless power in a manner that is contradictory to the constitution, said Sheikh Manjur-e-Alam, TIB's director of communications, at a virtual discussion yesterday.
The director general of the Digital Security Agency will be considered the person in charge of overseeing the enforcement of the law.
In addition, the DG cannot be held accountable if any mishaps happen in "good faith".
"The police have been empowered to investigate these violations, but it [the law] does not take into account if the police have the capacity to investigate these offences," said Alam.
Furthermore, the law does not contain any provisions regarding how to seek legal redress in case of abuse of power.
These, combined with the provision that allows the DG to give any "data controller" an exemption from following the law, ring an ominous bell, the speakers said.
TIB said this is extremely concerning, and giving such blanket power to the DG is not appropriate.
The organisation also said several provisions in the law can be susceptible to abuse or misuse unless relevant guidelines are passed extrapolating on their use.
According to TIB's analysis, as many as 25 guidelines needed to be passed in the case of the Digital Security Act to prevent abuse, but only one has been passed so far.
It also said that the law contains many discrepancies in the area of data localisation and cross-border transfer.
The Framework Agreement on Facilitation of Cross Border Paperless Trade in Asia and the Pacific was signed by Bangladesh and came into effect from February 2021.
The UN agreement, meant to accelerate trade digitalisation by the electronic exchange of trade-related data across borders, requires exchange of personal data, pointed out TIB.
"It is unclear whether commercial data will be excluded," said Alam.
No internet service can be availed without the exchange and processing of sensitive personal data, they stated.
"The law is quiet on direct marketing, whistleblowers, witness protection and cookies," said Alam.
In the law, the penalties for companies are disproportionate, they said. Violations of the law can be punished with fines up to 25 percent of the annual turnover of the company.
TIB Executive Director Iftekharuzzaman said, "While trying to protect the rights to personal data of citizens, the law runs the risk of giving the government bureaucratic control over citizens' data."