The draft of the Data Protection Act, the first legislation in the country focused on data privacy and protection, may be no better than a blunt sword as it will increase government agencies’ access to personal data and enhance their surveillance capabilities, experts fear.
The law will offer citizens the right to know when their personal data is being collected, used, preserved, or moved, but this will not be applicable when a government agency collects the data for official purposes, such as the investigation or prosecution of an individual or group.
Amid the concerns of rights experts, ICT Division Senior Secretary NM Zeaul Alam told Dhaka Tribune that there was nothing to be worried about as the DPA was still in the initial stage.
"There is scope for fine tuning, and we will do that until the finalized act is perfect. Although the deadline for giving opinions on the draft is over, we will still consider any opinions submitted by individuals or organizations,” he said.
Alam added that it would take time for the draft to be finalized and the authorities would sit with important stakeholders for further consultations.
"Different organisations and persons are expressing their concerns, which is a positive thing. We urge them to send their opinions, so that we can work on those as well," he added.
The law as it stands will be applicable domestically and internationally for all individuals and companies who collect or process data from or within Bangladesh, of its citizens or services, irrespective of the location of the data collectors.
The data collectors must also localize data storage and allow access for persons or authorities empowered by the government or courts.
Legal experts have reservations about some sections of the proposed act, including Sections 33, 34, 36(2)(A)(ii) 42, 63 and 66.
These sections contain definitions of some provisions and elaborations on concentration of power, indemnity from the act, and jurisdiction of the Data Protection Office.
Md Saimum Reza Talukder, an advocate who specialises in privacy and digital technologies law, told Dhaka Tribune the draft law also fails to define what personal data is.
“Biometric data, genetic data, and health data should all be clearly defined under personal data,” he added.
Concentration of power and indemnity
Section 2 (17) of the draft act says that the director general of the Data Controller Office will be the same person as the director general of Digital Security Agency (appointed as per Section 6 (1) of the Digital Security Act 2018), which goes against the spirit of the separation of powers.
The DG of the Digital Security Agency was also designated as the chief authority in implementing the proposed Social Media and OTT platform regulation.
According to the Section 33 and Section 34 of the proposed Act, the government can exempt any Data Controller or data processing activities from the obligations under the draft Data Protection Act, including the power of further exemption.
Section 34 gives additional indemnity provided by the government to the Data Controller.
Section 66 provides broad immunity to the director general and the staff, controllers, processors, and retainers of the Data Protection Office from criminal and civil liability for activities in good faith.
Powerful new Data Protection Office
According to Section 35 of the draft act, a Data Protection Office will be set up by the government.
According to Section 36(2)(A)(ii), the Data Protection Office can take any steps or exercise any power over the Data Controller or Data Processor or their representatives to provide necessary data for the purposes of the act.
Section 36 (2) (B) (VIII) says the Data Protection Office can order to stop sending data to clients in foreign countries or any foreign organizations, while Section 36 (2) (C) allows the Data Protection Office to advise Data Controller on various issues.
Section 39 says that the director general can issue orders to the data processor and data controller, and Section 41 says the director general can order initiating or conducting investigations if they have reasonable belief that their orders or instructions have been violated.
The DG can give such power to any staff under his supervision.
Data localization problematic for tech companies
Section 42 of the act requires sensitive data, user generated data, and classified data of Bangladesh and its citizens to be stored within the country.
Saimum Reza Talukder said that the provision would compel tech companies such Facebook, Amazon, Google, and YouTube to set up servers in Bangladesh, which would be difficult for them.
He said citizens must be provided a written notice about cross-border transfer of their personal data according to the draft. “That means foreign banks operating in Bangladesh, international human rights organizations, NGOs, development partners may have to localize data within territory as well.”
This may hamper the operational system of the international organizations, he added.
Criticism from rights watchdog
The Director General of the Digital Security Agency has been given unlimited and absolute power under the law. The draft does not include provisions for going to court or seeking legal redress against the use or abuse of this unlimited power by the director general, rights organizations have said.
Section 66 of the draft law provides impunity to the Data Protection Office for harm due to their actions in good faith. Although a provision has been made for an aggrieved person to appeal to the government, the impunity would put the person's privacy or personal security at greater risk, Transparency International Bangladesh (TIB) said during a press conference on Monday.
Section 59 empowers a police officer who is not below the rank of Inspector to investigate any offence committed under this Act. However, it does not consider whether a police officer has the technical skills and qualifications to investigate such matters in a specialized field.
A review of the provisions of the prevailing data protection laws throughout the world shows that an independent and impartial body has been established everywhere to implement the provisions of the Act because this is a very specialized subject, which requires specialized knowledge and human resources, TIB said.
The draft in question assumes that the Digital Security Agency is "superhuman" and that they are liable for all technical and financial liability for the implementation of the provisions of this Act, the organization added.
Amnesty International said no one, including the authorities, should be exempted from accountability for human rights violations.
Terming the law a dangerous one, it said that the draft used vague and overbroad provisions to enable and legitimize intrusive actions by authorities such as granting access to encrypted communication on personal devices physically or remotely. It violated an individual’s rights solely on the basis of pre-empting a law-and-order deterioration without adequate justification.
“The Bill exempts authorities from civil, criminal and any other legal proceedings for harms caused to people in the course of its actions. Keeping in mind how existing laws like the Digital Security Act have led to gross human rights violations in the past, the proposed bill is the newest addition to an insidious pattern in which the government wants to control the digital lives of people,” Saad Hammadi, Amnesty International’s South Asia campaigner, said.
