by Ms. Sabrina Mahisha
Generally, Foreign Financial Institutions have the practice to provide loans to individuals directly or through banks. An individual (Applicant) can submit his personal information along with an Application to the Financial Institution with respect to the primary perusal of the financial Institution. On the other hand, the Financial Institutions may offer loans to the Applicants through Banks, in this case, the personal information of the Applicant is submitted to the Financial Institutions through Banks. After collecting this information, Financial Institutions generally send this information to their Head office where this information is stored and later scrutinized to justify the creditability of the Applicant to avail the Loan. Due to the advancement of technology and convenience, Financial Services Companies are more likely to use the Cloud Storage system to store necessary information and databases of their clients. Hence, this information of the Applicants is required to be stored in the Cloud storage of the Financial Institutions.
Although the Cloud storage system is a recognized and popular medium in the field of banking data storage around the world, in Bangladesh Cloud Storage system is a newly invented idea which is yet to be evolved. The big giant cloud companies such as AWS (Amazon Web Services), Microsoft Azure, Google Cloud Platform, and Oracle have no Cloud server station in Bangladesh, whereas, in other countries of the world like the United States, Canada, Singapore, and India has the Cloud server station. As a result, the International Financial Institutions that store their Client’s information in Cloud storage consider this lacking as a major obstacle to growing their business in Bangladesh. The system of some International Financial institutions requires the storage of clients’ data in their Cloud server which may locate outside Bangladesh. This writing will focus on the legal challenges in storing the Client’s data in a Cloud server located outside Bangladesh.
It is to be mentioned that, no such specific or concrete legislation has currently prevailed in Bangladesh which can directly monitor the storage of the Client’s data in a Cloud server located outside Bangladesh. However, a general legal standing can be drawn in the light of the existing provisions regarding this matter which is discussed below:
Generally,there is a separate Legislation in Bangladesh named “Digital Security Act, 2018” that deals with the protection of Digital Data. Hence, Applicant’s data will be protected under the above-mentioned provision. However, there is no such specific provision in Bangladesh that restrains the transfer of information of an Applicant outside the Country. Although a draft has been prepared by the Government of Bangladesh to protect the personal data of a person, no progress has been recorded yet. In this draft, section 43 is included to tackle the transfer of personal data outside Bangladesh but this bill is under observation and has not passed yet. Hence, there is no legal bar to collect personal information relating to the Loan with his permission.
Section 26 of the Digital Security Act, 2018 will be applicable for protecting Applicant Data. The abovementioned section has protected Personal Information by including it under the head of “Identity Information.” Under the said head, any personal information including the Father’s Name, Mother’s Name, Date of Birth, Passport Number, Signature, Birth Certificate, etc. cannot be published without legal authorization. Moreover, if someone uses, collects, sells, takes possession of, or supplies this information of the Company without legal authority or permission, he will be punished with imprisonment not exceeding five years or a fine not exceeding BDT 5,00,000 (five lacs) or both. In such a case, if the consent of the Applicant is taken there should not be any legal challenges in processing these data.
Since there are no such regulations given to guide on how to protect the personal information and to what extent personal information of an Applicant can be collected, therefore a guideline is hereby framed in this regard under the light of section 5 of the Right to information (preservation and management of information) Regulation 2010 (this Regulation is not typically applicable to private organizations), which can be considered in respect of collecting, storing and disclosing of the Applicant’s Data:
- Information of an Applicant will be collected with his consent and knowledge and cannot be disclosed his personal information to the Third Party or any other institution, without his prior consent and knowledge
- His personal information cannot be used except for the purpose for which it is given.
- Proper precautions have to be ensured in respect of protecting the personal information of the Applicant from any risk or interference of any Third Party.
So, personal information of an Applicant relating to the subject of the business or the Company Policy can be collected, this information is not categorized by Law. However, this information should be protected from being misused.
Since, no provision or legislation is prevailed to check the matter of cloud storage right now in Bangladesh, therefore, there is no legal bar in storing an Applicant’s information (for the business purpose) in Cloud servers located outside of Bangladesh.
It is to be noted that if the information is transferred through Banks, then it may fall under “Bank Data.” In plain text, no legal provision is restraining from storing Bank Data in a cloud server in this regard.However,there is a separate law to protect the information of the Bank named “Bankers’ Book Evidence Act, 2021” where section 7(1) expressly provided that Information of Bank-customers cannot be shared with another except on the grounds provided in the Schedule of the said Act. Since this law applies to the Banks under the Bank-Company Act, 1991 & Financial Institutions under the Financial Institution Act, 1993, therefore, the bank and financial institutions cannot typically transfer any such customer data to third parties. However, there is a provision whereby data can be disclosed with the consent of the customer. Apart from this, as per section 12 of the Bank Companies Act, 1991, a bank cannot remove any records and documents relating to its business from its office to a place outside Bangladesh without the prior permission of the Bangladesh Bank. It is not clear whether such restriction is applicable in respect of the data saved in the cloud service, moreover, this law is only applicable to Banks.
So, no such legislation has been made yet to restrain from transferring of information to the cloud services located outside Bangladesh.