Protecting data in Digital Bangladesh
The Digital Revolution in the latter half of the 20th century ushered in the Information Age; a period in human history featuring four key innovations: personal computers, the internet, smartphones, and data. At present, the innovation that is of the greatest significance in general is data. Data can basically be defined as any piece of information that is stored and can be transmitted electronically. Data, especially personal data, has become one of the most valuable commodities in the world. Therefore, not surprisingly, the commercial functions of four (Alphabet, Apple, Microsoft, and Facebook) of the top five most valuable companies in the world involve the collection, storage, and use of personal data. The commodification of personal data collected by these multinational corporations has increased threats of breach of privacy and misuse or abuse of private information belonging to ordinary citizens. To counter these threats, countries across the world have enacted legislations or implemented policies to protect their citizens. These measures are collectively referred to as data protection laws or policies. Fundamentally, data protection is defined as the process of protecting personal data against unauthorised access, misuse, abuse, destruction, or damage.
The Bangladesh government's vision of a 'Digital Bangladesh' has sparked a national digital revolution which is highlighted by the expansion of cellular subscriptions, digitisation of state-related activities (such as e-TIN registration, application for passport, registration for examinations, publication of results and notices, access to public information, etc.) and implementation of projects and programmes to facilitate the development of the ICT sector. To that end, the government has enacted legislations and drafted policies to guide this revolution and safeguard against abuse. The government has enacted the Information and Communication Technology (ICT) Act, 2006, and proposed the Digital Security Act, 2016, with the aim of ensuring cyber-security and preventing cyber-crime. However, it is quite unfortunate that the government has not yet formulated any legislation or policy on data protection.
Data protection is an issue that has a significant impact on the personal lives of every citizen. In recent times, personal information (which includes biometric data, call logs, internet browsing history, home address, salary, expenditures, credit card information, medical history, etc.) of citizens has been collected by various public and private entities like the telecommunication corporations, internet service providers, financial institutions, state agencies and government contractors. These entities that collect, store, or process personal data are referred to as data controllers or data processors. These databases that have been created or are being maintained by these entities are of great financial value. For example, a database containing home addresses, salaries, and expenditures of individuals is of great value to retailers, who, based on this information, can target advertisements, gauge pricing and arbitrarily limit competition. It gets even more disturbing when a retail store begins to figure out that an individual is pregnant even before that individual herself comes to know of that fact; this is a true incident that was reported back in 2012 by The New York Times. To put it plainly, at present, there is no law nor any policy in place in Bangladesh that prevents telecommunication corporations, internet service providers, financial institutions, contractors and even government actors from misusing or abusing personal data — including biometric data and medical history of citizens — that is being stored or processed by them. Therefore, it is essential that the government adopts measures to prevent misuse and abuse of the troves of personal data that have been collected by various public and private entities.
The European Union (EU) has been somewhat of a pioneer in data protection. Though one would not argue that the European approach to data protection is ideal, nonetheless, it is quite comprehensive, all-inclusive, and citizen-centred. Furthermore, the Data Protection Principles formulated by the EU in the early nineties greatly encapsulate universal objectives of data protection. The Principles basically state that data controllers and data processors must always collect or process personal data in a manner that: (a) is fair and lawful; (b) is only for a specified purpose and strictly use it for that purpose; (c) ensures that the data is adequate, relevant, and not excessive to that specified purpose; (d) ensures that the data is accurate, up to date, and not stored for longer than is strictly necessary; (e) ensures that the data is protected against unauthorised access, unlawful use, accidental loss, destruction, or damage; and (f) ensures that the data is not transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of the citizen. It is highly advisable for Bangladesh to legislate and frame policies on data protection that will reflect and effectuate these principles.
Some may argue that it would be expensive and unnecessary to put in place such a data protection mechanism. However, establishing a data protection mechanism now will be more cost-effective in the long-term, considering that the digitisation and ICT sector in Bangladesh are still in their infancy (in comparison to what it is envisioned to be), rather than later, when expensive reconstruction of database infrastructures and management systems may be required. Moreover, the potential threats to privacy and of misuse and abuse of personal data are already quite severe considering the present circumstances. Therefore, to protect the personal data and privacy of ordinary citizens, it is essential that the government establishes a robust and effective data protection mechanism in Bangladesh.
The writer is a researcher on data protection law and lecturer at the School of Law, BRAC University.