Published on 11:00 PM, March 14, 2023

Why the Draft Data Protection Act is concerning

Ambiguity, inadequate protection for sensitive data, and excessive control

VISUAL: ANWAR SOHEL

The proposed Data Protection Act (DPA) of Bangladesh has raised some serious human rights and business-related concerns at home and abroad. The draft law poorly defines the classification of data and does not follow international standards in defining privacy. It also does not mandate that privacy-related data fields be removed from telecom voice and data call records, broadband internet packets, intercepting sources, financial sources, and smartphone app crowdsourcing data.

The United Nations has shared 10 observations and objections regarding potential human rights violations through the DPA. Amnesty International said the legislation would put individuals' privacy at risk. The law, if passed, will allow deep government surveillance in the guise of data governance and interference with individuals' privacy rights, not to mention increase the space for abuse of power. Transparency International Bangladesh (TIB) and local experts say it will protect the government's interests, not the citizens'.

The UN pointed out that the definition of "sensitive data" in the draft DPA was quite limited – it doesn't include disclosure of information related to race or colour, political opinion, trade association membership, religious or other beliefs, sexual orientation, etc. The draft does not clearly define personal data either, and the principles of data protection stated in the fifth article are not enough.

The localisation of data as stated in the draft law would create serious risks of surveillance and human rights violations, according to the UN. Law enforcement agencies would be allowed open access to any private data. Section 33 of DPA empowers the government to exempt law enforcement and intelligence agencies from the application of the act, which may include surveillance of data centres and servers in Bangladesh. Private and public companies may be pressured to disclose confidential information, which would undermine democratic governance.

Corporate executives, if non-compliant, can be held personally accountable under this framework. According to the UN, while administrative fines for data privacy violations are reasonable, the proposal of imposing criminal liability is not consistent with the principles of criminal law or international standards. The purpose of this legislation should be data protection, not regulation. The UN is also concerned about the collection, usage and retention of data on Bangladeshis residing abroad and recommends withdrawing the data localisation obligations.

No data structure is complete without independent authorities, the UN said. Without sovereign authority and auditing mechanisms to check abuse, even the best laws in the world would be meaningless. Bangladesh should ensure a DPA that does not conflict with the country's Right to Information (RTI) Act and the Universal Declaration of Human Rights.

As the Atlantic Council explains, the expansion of the digital economy does raise concerns regarding data privacy that need to be addressed, but imposing blanket restrictions on information flow, along with vague enforcement provisions, will not strengthen consumer protection.

There is a need for a detailed definition of sensitive data classification, data handover scopes, sales and marketing scopes – for traders, corporates, and government agencies. There must not be any impunity for state forces in the question of invasion of personal privacy. In matters of state security, law enforcement agencies will receive special confidential information only with the permission of a court in pending matters; even there, a third party witness has to be ensured. Otherwise, with free access to sensitive data, the law enforcement forces will make the country's digital arena a toxic breeding ground for citizen harassment, oppression of political opposition, and suppression of freedom of expression in the name of state interests.

Data is the "new gold" in the world today. From digital marketing, product designs, digital trade and commerce, to artificial intelligence, virtual and augmented reality-related application development and deployment – all are based on big data mining. If properly designed, data localisation may serve local economic interests. However, for data giants such as Google, Facebook, Microsoft, OpenAI and others, backup storage and disaster recovery are as important as data access. Moreover, to serve users in less time, they divide data centres into geolocations and then deploy their servers in different countries, keeping copies of the same data at different locations. It serves as both sourcing backup and disaster recovery backup in case of technical problems. As a result, a country can create conditions for the establishment of a sufficient number of data centres within its territory for job creation and investment flow, but technically cannot dictate that all data be localised within its border.

Last month, US Ambassador to Bangladesh Peter Haas expressed concern that if the draft DPA was passed with the condition of strict adherence to data localisation requirements, some American companies currently operating in Bangladesh might be forced to leave. The ambassador said over 2,000 start-ups might have to go out of business as a result.

Clearly, online freedom and business investment are both linked to the legal framework of data protection.

Almost all data centres in Bangladesh are built and maintained by foreign contractors and engineers. Even the Bangladesh Bank's SWIFT software, commercial banking software, driving licence system, and income tax digitisation projects are mainly maintained and troubleshot by foreign engineers. The National Identity Card scheme is the only nationally managed one. If foreigners and law enforcement agencies are all given access to sensitive private data or data centres, then the discussion of data centres' locations inside or outside the country becomes vague. The Digital Security Act (DSA), too, was orchestrated to protect the government; there is nothing for personal, financial and social protection of the citizens.

Android and Apple apps source sensitive user information by flouting terms and conditions. Almost all personal data is available in the telecom call detail record (CDR). If personal data is not isolated and removed from public sourcing, it will remain subject to potential misuse. Localisation of data under non-abuse conditions is helpful for business development in the country. But in a country where there is no sound electoral system, functioning democracy, good governance and accountability, abuse and impunity for abuse is the main danger.

Faiz Ahmad Taiyeb is a Bangladeshi columnist and writer living in the Netherlands. Among other titles, he has authored 'Fourth Industrial Revolution and Bangladesh' and '50 Years of Bangladesh Economy.'