Can Bangladesh follow India in redrawing its data protection law?
Following protests by the opposition parties, rights groups and businesses, the Indian government has withdrawn its proposed Data Protection Bill. The draft bill received 81 amendment suggestions at the joint parliamentary committee. Reports suggest that the government is now considering bringing in a fresh bill, taking into consideration all the suggestions that came through the parliamentary committee.
While the government in India has listened to the opposition, in Bangladesh, the government has brushed aside the civil society's concerns about a similar bill and published a third draft with further expansion of authoritative controls over personal data and privacy.
In India, the bill was sent to the parliamentary panel in 2019 after the opposition parties said the data privacy law violated the fundamental rights of the citizens. They said the law gave sweeping powers to the government to access personal data of individuals under opaque conditions citing national security and other reasons. The law also reportedly would have required large social media platforms to offer an identity verification option, a potentially precedent-setting effort to rein in the spread of "fake news." Rights groups and tech giants argued that the requirement proposed by the Indian government would likely raise a host of technical and policy issues, including potential conflicts with other governments over data localisation.
Similarities between Bangladesh's draft law and the bill abandoned by India were too many, especially in the areas of invasive powers allowed to the government agencies on ill-defined grounds and imposition of the requirement of data localisation.
The worst part, however, is keeping the regulatory authority, the Data Protection Office (DPO), under the Digital Security Agency, which is to be set up in accordance with the infamous Digital Security Act, 2018, and the director general of the Digital Security Agency shall be the chief of the DPO. This is quite contrary to the idea of protecting the privacy of citizens through a legal framework of data protection, which requires absolute independence of the regulatory authority from any direct or indirect government influence or control. The government and state machinery are typically among the most prominent data collectors and processors of people's personal information, and the Digital Security Agency is assigned to be the lead agency in carrying out such work on behalf of the state. If the current draft becomes law, then the DPO will simply become another tool of the government to invade the private space of individuals and abuse opponents and critics.
The latest revised draft still contains too wide a scope for exemptions to meaningfully protect data and guard against the misuse and abuse of powers. Submissions made earlier by Access Now, a global advocacy group for defending the digital rights of users, pointed out that the scope of exemptions and the circumstances in which – and under whose authority – they may be applied is not clearly defined; the provision does not carry any meaningful limitations, and fails to lay down a procedure to ensure transparency and accountability, and adherence with principles of necessity and proportionality. But the draft does show their concerns have been ignored outright.
The draft act also retains undefined and unrestricted rule-making powers of the government, which experts and activists have been opposing, arguing that such powers must be restricted, and as much as is possible be prescribed in legislation formulated through a democratic process of participation and parliamentary procedures. Provisions with respect to scope and procedures for access, storage and disclosure of data and the mechanism for the affected parties to enforce their rights and seek remedy and redress must be well-defined by law.
Stringent data localisation provisions kept in the draft act also means retention of the government's access to and control over the data, increasing the vulnerability of people's privacy and free speech. Existing laws and regulatory frameworks in Bangladesh allow for any data stored in Bangladesh to be subjected to surveillance, monitoring and interception, as well as data disclosure or removal requests, by government and intelligence agencies, who could be exempt from the draft act. Access Now argues, "Insufficient safeguards to protect people's data may also undermine Bangladesh's trade prospects with other territories, such as the European Union, the United Kingdom and the United States, which place restrictions on transfer of personal data unless the country provides an adequate level of protection for the rights and freedoms of users in relation to the processing of personal data." As a result, it cautions, that people in Bangladesh may be deprived of access to internationally available services, thereby placing them at a disadvantage and negatively impacting rights, accessibility and growth.
The proposed legislation makes way for storing data in data centres and servers in Bangladesh with exceptions for necessary cross-border data transfer with prior notification to the director general of the Digital Security Agency, but what constitutes "necessary" has not been clearly defined. Domestic and foreign businesses connected to the global economy will thereby face serious impediment due to such restrictions on cross-border data flows. Experts say data centres are power-hungry and expensive to build and maintain, which will discourage new ventures, and small- and medium-sized business units will face huge challenges to survive.
One unique addition in the latest draft, perhaps the first in the world, is that the government has absolute liberty to fix different effective dates for different sections of this act, through official gazette notifications. Why want such an extraordinary measure to enforce a new legislation? It allows the government to delay the implementation of the sections that protect people's rights, but apply the harsh and anti-people sections immediately.
The publication of the third draft makes it clear that the Bangladesh government's understanding of data governance and priority have not changed. Its priority is to establish full control over all data collected and stored or its trafficking within and outside of the country. All of these would be done under the notion of security and sovereignty of the state, instead of allowing the citizens control over their personal data and protecting their rights to privacy. We could only hope our government would take lessons from our closest neighbour and one of the largest digital markets in the world, and consider rewriting the draft act with wider consultations with all the stakeholders.
Kamal Ahmed is an independent journalist and writes from London, UK. His Twitter handle is @ahmedka1