Bangladesh's digital security legislation has undergone a significant evolution since the introduction of the controversial Digital Security Act (DSA) in 2018. Positioned as a measure to fortify digital security, the DSA faced extensive criticism for alleged infringements on freedom of expression, media freedom, and human rights. Recognizing its shortcomings, the government unveiled the Cyber Security Act (CSA) in 2023, aiming to strike a better balance between digital security and civil liberties.
The DSA, despite its objectives, drew widespread condemnation for its vague definitions and broad interpretations. From September 2018 to January 2023, over 7,000 cases were filed under the DSA, raising concerns about targeted criminalization of free speech and dissent. These cases, involving opposition politicians, journalists, businesspeople, students, and private employees, underscored the law's potential for selective targeting. The government's decision to replace the DSA acknowledged these issues, paving the way for the drafting of the CSA.
Upon examination, the draft CSA retained several repressive provisions of the DSA, prompting questions about its ability to address the fundamental flaws of its predecessor. The preamble and initial sections of the CSA closely mirrored the DSA, and while some changes were introduced, such as the definition of the National Computer Emergency Response Team (NCERT), concerns lingered about its effectiveness in safeguarding civil liberties.
The Cyber Security Act (CSA) closely mirrors the Digital Security Act (DSA) up to section 2(g), where only terminology changes and verbatim text from the DSA are introduced. Section 2(h) adds the definition of the National Computer Emergency Response Team (NCERT), a potentially unnecessary inclusion, as it could have been addressed by modifying the 'Computer Emergency Response Team' definition in section 2(d).
Sections 3 to 9 maintain the DSA content, with minor additions like 'National' in sections 9(3) and 9(4). Sections 10 to 16 largely replicate the DSA, except for renaming the “Digital Security Council” to “Cyber Security Council” and specifying officials' names in the National Cyber Security Council.
Section 17 reduces the imprisonment term for illegal access to critical information infrastructure from seven to three years in the CSA. Sections 18 to 27 maintain DSA penalties but eliminate harsher punishments for repeat offenses. Notably, section 33 on the punishment for holding and transferring data information illegally is omitted in the CSA. Section 40 extends the investigation time limit to 90 days from the DSA's 60 days. Sections 51-52, 53-55, and 56-60 show no modifications in the draft CSA, but section 57 from the DSA protecting employees acting in good faith is entirely omitted in the CSA.
The CSA acknowledges the importance of monitoring but falls short in detailing mandatory cybersecurity measures, incident response protocols, and technical standards. Comparisons with international standards, such as the European Union's NIS Directive, suggest potential enhancements in fortifying critical assets through proactive cybersecurity measures and specialized personnel training.
Sections related to offense and punishment in the CSA must be scrutinized against international human rights standards. Concerns include overbroad restrictions on expression, criminalization of certain online activities, potential privacy violations, and a lack of explicit safeguards for digital rights. The severity of punishments raises apprehensions about deterring legitimate cybersecurity efforts, highlighting the need for a nuanced approach.
Sections 38 to 53 of the CSA exhibit commendable efforts to address cybercrimes but raise significant concerns related to due process, privacy, and the balance between law enforcement powers and individual rights. Granting investigative powers to the investigation officer is crucial, but safeguards against potential misuse must be established. Technical expertise required for handling cyber-related offenses becomes a critical consideration, emphasizing the need for specialized skills in the digital realm.
The integration of speech-related offenses into cybersecurity laws poses challenges due to diverse jurisdictions and cultural differences. This inclusion may lead to conflicting regulations and divert resources from addressing critical cybersecurity issues. Balancing freedom of expression and security requires a comprehensive approach, acknowledging the unique challenges of cybercrimes. Ensuring effective judicial oversight becomes crucial in maintaining this balance, with clear legal frameworks, transparency mechanisms, and independent oversight bodies.
Recent cyber-attacks and data breaches in Bangladesh have exposed existing digital security inadequacies. The draft CSA, while introducing some modifications, raises concerns about its potential alignment with the DSA's repressive provisions. A strategic shift is recommended, aligning legal frameworks with evolving cybersecurity threats and international human rights standards. The approach should prioritize proportionality, accountability, and judicial oversight while fostering collaboration among stakeholders. Investments in cybersecurity education and workforce development are crucial to mitigate risks effectively.
As Bangladesh navigates the complexities of cybersecurity legislation, a delicate balance between bolstering digital security and upholding fundamental rights becomes imperative. The CSA, while introducing some positive changes, must undergo a thorough overhaul to address concerns about freedom of expression, investigative processes, and the balance between security imperatives and individual freedoms.
Transparency International Bangladesh (TIB) emphasizes the need for a genuine Cyber Security Act, free from provisions compromising freedom of speech, and involving diverse stakeholders in the legislative process. In crafting such legislation, Bangladesh has the opportunity to learn from past experiences, adopting a nuanced approach that safeguards fundamental freedoms while addressing evolving threats in the digital landscape.
Apurba Mogumder is a Junior Associate, FM Associates Bangladesh.
