Recent events surrounding the use and sharing of personal data collected from users during registration for the recently concluded Dhaka International Folk Fest, has once again brought to the forefront the legal vacuum in the critical area of data protection in Bangladesh.
Although the relevant parties involved may have been the subject of significant “fury” and “uproar” from the users or registrants, as things stand, their reported actions are technically legal; and this is the actual problem.
Bangladesh has progressed significantly in the ICT sector in the last decade. There has been a proliferation of IT-based industries and start-ups, online platforms, mobile applications, and websites in Bangladesh that provide a wide variety of services starting from providing medical advice to filing income tax returns (although, one could argue about the user-friendliness of the latter).
These services and platforms have collected a treasure trove of personal data from users starting from their date of birth, all the way to extremely personal medical information. The websites and applications which collect such personal data may be owned and/or operated by banks, food delivery services, online shops, or a “not-so-reliable” tech start-up.
The collected personal data is and can be used for a plethora of commercial purposes and even sold to or shared with third parties, most of the times, without knowledge or consent of the actual user or consumer, and sometimes to their detriment resulting in a grave invasion of the user’s privacy.
It is unfortunate that more than a decade after the government began to promote the idea of a “Digital Bangladesh”, Bangladesh is yet to adopt a data protection law protecting the personal data of citizens by stipulating specific legal requirements and standards for the collection, use, storage, accurateness, and sharing of personal data with third parties by data controllers.
The lack of a legal regime for data protection in Bangladesh means that data controllers such as websites and mobile applications are not obligated to inform the users or data subjects about the purpose for which they are collecting the personal data, how they intend to use it, how long they intend to store it, or whether they will share it with a third party.
It is the lack of this legal regime that is the underlying cause of the “uproar” surrounding the Folk Fest registration; which has enabled businesses, online platforms, and even the state to collect and use personal data of citizens in whatever manner they please; many a times by inserting a clause in the “terms and conditions” of the service in order to legally justify their privacy infringing actions, which the user has to accept during registration.
In recent times, there has been a proliferation of online services and mobile applications which require a copy or a photo of the National Identification Card (NID) for registration and verification. Since Bangladesh does not have a legal regime on data protection, it is unclear whether these personal data are stored securely, and when, how and why they are used and shared with third parties. The aforesaid illustration relating to NID information can be replicated in case of every bit of personal data or information of users and citizens that has been collected or is being processed by companies and entities all across Bangladesh.
The lack of a data protection law in Bangladesh is also a significant hurdle to foreign investment in the high-end IT services sector. Therefore, it is high time to draft, enact, and implement an effective and efficient data protection law in Bangladesh.
Farhaan Uddin Ahmed is a Lecturer in Public International Law, School of Law, BRAC University.