The concept of data protection or privacy rights and requirements is not new in Bangladesh, but there has been no codified law or regulation on this till now. The data is protected by various piecemeal legislation and regulations. However, those regulations are more concerned with digital format data privacy than with manual data privacy, and the ambit is very limited. Moreover, those are more related to various hacking and computer-related offenses. But a codified law related to data protection is important in this era of fast digital development, social networking, cyber-crime, artificial intelligence, electronic communication, and increasing awareness of users/consumers. Hence, the Government of Bangladesh intends to implement a proper data privacy law and recently published a data privacy draft Act. It is expected that it will be passed by the Parliament very soon. In this article, we will discuss the key components, and unless there is a last-minute change by the Parliament, it is more likely that the Parliament will pass this format as it is.

The proposed Act aims to overrun people’s privacy rights and redeem all the liabilities of authorities in accessing people’s data. Also, it will have precedence over all existing laws, thereby having an overriding effect, which is a key instrument that protects people’s right to information at present.  

Short title and commencement:

The proposed draft act includes a short title and commencement, which states that The DPA shall come into force on such date as the Government may, by notification in the official Gazette, appoint. Recommendation: A grace period of a minimum of 2 (two) years for individuals and organizations to get prepared for the new law (DPA).

It is pertinent to note that there is no definition of personal data in the proposed draft. However, specifically, there should be a definition of personal data.

Data:

As per Section 2 (c) of the Data Protection Act 2023 (Hereinafter mentioned as “Proposed Draft Act”) “data” means a representation of any information, knowledge, fact, concepts or instructions that are being prepared or have been prepared in a formalized manner and is intended to be processed, is being processed, or has been processed in a computer system or computer network, and may be in any form including computer printouts, magnetic or optical storage media, punch cards, punched tapes or stored internally in the memory of the computer, and includes the personal data for that purpose. Provided that the anonymized, encrypted, or pseudonymized data, which is incapable of identifying any individual, shall not be included within the purview of personal data.

Section 2(a) of the proposed DPA deals with pseudonymized and anonymized data equally. Pseudonymized and anonymized data may seem identical, but they differ. Pseudonymized data complies with personal data and data protection rules, demanding that organizations replace identifiable information with a pseudonym or code. On the contrary, anonymized data is no longer regarded as personal information and is excluded from laws governing data protection. Another definition under the DPA is the definition of ‘data subject’ in section 2(d).

Under section 2(r) of the said proposed Act, the “person” includes an individual, any juridical person, company, firm, association, corporation, or body of an individual or group of persons, whether incorporated or not. It is recommended the term “person” be amended to “natural person.” Applicability- Data protection law applies to any natural person or institution, company, partnership business, firm, or any other organization, in the case of the digital device and its controller, and any entity created by law or artificial legal entity.

Overriding Effect of the Act: Notwithstanding anything contained to the contrary in any other law for the time being in force, the provisions of this Act shall have an overriding effect.

Consent: No data shall be processed unless the data subject gives consent. It is to be mentioned that the consent of the data subject must be free, specific, clear, and capable of being withdrawn along with revocable. The data controller shall bear the burden of proof to establish that consent has been given by the data subject for the processing of data in accordance with the provision. There is an exception in that consent is not necessary for the benefit of the data subject in some cases.

It is to be mentioned that before using or disclosing any data, a written notice must be sent to the data subject mentioning the objective and process of collecting data.

As per section 5 of the Act, the data collector must be accountable to the data subject. Also, the data collection method must be fair and have integrity, and any means of data should not be disclosed without prior permission of the data subject. Section 5 of the Proposed Act, 2023 stipulates some principles of Data protection:

(1) Consent and accountability, (2) Fair and reasonable, (3) integrity, (4) retention, (5) access to data and data quality, (6) disclosure, (7) security.

Collection of Data and Processing, sections 6-10: These sections set out the regulations that control the collection and use of data, outlining in detail when consent needs to be obtained from data subjects and how much information should be given to them about the data collection and processing. Section 7(6) states that a data controller may process data of a data subject if the processing is necessary for any public interest, which rules may prescribe.

Data relating to children: Children’s age is set at eighteen (18) years old by section 12(3)(a). The age of majority for a child’s consent should be included in the draft DPA as 13 to 16 years old for data processing activities, in accordance with accepted international standards.

Rights of foreign data subjects. – Foreign data subjects residing in Bangladesh shall have all their rights under this Act where their data has been collected.

Hence, the law should clarify if rights granted to foreign residents are equivalent to those granted to Bangladeshi nationals, outline requirements for DPA services, and specify data collection, storage, and processing rules.

Right to erasure of personal data– The proposed law restricts personal data security and privacy in the name of freedom of expression. Although it is a fundamental right, freedom of expression can come into conflict with data protection if it involves the collecting and use of personal data without consent.

The requirement for data retention and maintaining data integrity: Sections 25 and 26 of the earlier DPA draft contained redundant provisions pertaining to the purpose limitation and accuracy requirements described in section 5.

Recommendation: The proposed amendment to sections 25 and 26, which pertain to purpose limitation and accuracy principles, is based on principles of clarity and conciseness and needs to be eliminated because these guidelines are already covered in section 5 under the heading “Data Protection Principles.”

Rights of Data Subject– Chapter VI discusses the rights of the data subject to enter or to correct or amend any data, withdraw his consent, or prevent disclosing data, and any other provisions of any other law shall not override these rights. He also has the right to carry data into any readable format. This right also applies to any person residing in Bangladesh, even if he is not a citizen.

Chapter VII states the accountability of the Data controller and how Transparency will be maintained– The data controller shall collect data as per the procedure mentioned under this Act or by the government standard and shall ensure the rights of the data subject. Also, the data collector shall not use any data without the purpose for which the data is collected and shall ensure security.

Breach of any provision of the Data Protection Act– Data subject means a person who is the subject of the data. At the same time, data breach means breaching security, whether accidental or unlawful destruction, loss of data transmitted, stored, or otherwise processed, or others.

If any data protection breach occurs, then the controller shall notify the Director General about the breach. Also, he shall collect all data breaches and shall try to prevent such breaches, detect damages, and delete them if necessary to ensure the security of the data subject.

In terms of any breach committed by the company, every director, member, manager, or others shall be held liable unless it is proved that he was unaware of the breach.

Chapter IX states that an agency shall be formed to ensure the purpose of the Act. It will be called the Data Protection Agency in Bangladesh and will consist of 1 (one) person and four Directors. The office shall be situated in Dhaka or outside Dhaka, if necessary. The Director General and Directors shall be appointed upon the Government’s approval. The Government was given the authority to appoint and set tenure for the Director General (DG) of “The Data Protection Agency” and other directors under Section 36 of the proposed DPA Act. It is recommended that explicit provisions regarding the independence of the Data Protection Board be included based on data protection principles and international best practices. This ensures the authority operates independently, is free from conflicts of interest, and has clear powers and functions.

Power of Data Protection Agency – To enforce the object and purpose of the Act, the Agency can take any steps and use any power, for example, to issue notice to a person who has breached data protection. Also, if necessary for investigation, it may enter any source or site. The Agency can ban, rectify, or erase data, enforce fines, and even block any international websites. Also, the Data Protection Agency can enforce any regulations formed by the Government and raise public awareness by taking complaints according to tactics. This Agency can also form standard operating procedures with the permission of the Government to collect, protect, and use data.

The Director General shall keep and maintain a data protection register, and he shall enter all collected data of all persons or organizations’ names. Also, he shall process, change, and save that register list as per the provisions of the Act.

Section 45: Provisions Regarding the Transfer of Data

An exception to be mentioned is that the Government can transfer any data internationally for any purpose of international trade or relation if necessary and may declare or list open data that would be transferred to other state or international organizations. Moreover, the transfer of sensitive, or user-generated or any other data outside of Bangladesh with the consent of the data subject and in accordance with the rules of Bangladesh Bank, BTRC, and NBR

Complaint Procedure– As per section 49, chapter XII, any person may complain to the Director General if any breach of data protection under the Act is found.

Investigation– section 50 states that if it appears to the Director General Officer anything inconsistent with the Act or any breach occurs, then he can investigate or, with written notice, appoint any officer subordinate to him for investigation. That subordinate officer shall update him as per the Act. The investigation shall be held as per section 50 of this Act, and if any breach of any provision of the Act is found, then the Director General may file a suit against him or take legal action against him.

Trial and Appeal– Any act or breach under that Act shall be tried under the Cyber Tribunal formed as per the Information and Communication Technology Act, 2006. If the judgment of the Cyber Tribunal aggrieves any person, he can appeal to the Appeal Tribunal constituted under section 82 of the following Act. In terms of the procedure of trial, the Code of Criminal Procedure, 1898 shall be followed, and the Tribunal shall have power as the Court of Sessions Judge. The Public Prosecutor shall do so on behalf of the complainant.

Punishment- Any data protection breach under that Act shall be punishable by a maximum of ten lakh (1,000,000/-) taka or three years imprisonment or both as under section 61 of this Act.

The officer may also impose a fine in some situations. For example, if any person illegally collects data or fails to ensure the safety of the data subject or if any person illegally transfers data or fails to follow orders, then he shall be punished with a fine of two lakh (200,000/-) taka. It is to be mentioned that foreign companies may also be fined if they commit any breach of the provisions under the Act.

However, if any person illegally processes data, he will be punished with a maximum of three lakh (300,000/-) taka and a maximum of five lakh (500,000/-) taka administrative fine if he repeatedly does that activity. Suppose the controller or relevant person fails to take proper measures to protect the data and violates the law. In that case, he will be punished with a maximum of three lakh (300,000/-) taka administrative fine.

Appeal– An appeal can be filed within 30 (thirty) days before the Government. A copy of such application shall be submitted to the Director General or any other officer if required under the recent draft of the DPA. The appellate body has 90 (ninety) days to respond to the appeal resolution.

Lastly, it is to be mentioned that the Government may make regulations at any time, if necessary, to enforce any purpose or objective of the Act. In some situations, an exemption is given in terms of applicability of the provision of that Act; those are for any criminal investigation or arrest or order of the Court or any journalistic or literary work or anything if the Government, by official Gazette, exempts it with conditions or without conditions.

Application of the Code of Criminal Procedure (section 65)- Save as anything contrary to the provisions of this Act, the provisions of the Code of Criminal Procedure, 1898 shall apply to the investigation, trial, appeal, and all other incidental matters related to any offense under this Act.

It has to be noted that the Laws concerning data protection are under civil jurisdiction and not criminal jurisdiction. The late draft incorporated the applicability of the Code of Criminal Procedure in accordance with civil jurisdiction principles, administrative penalties, and civil remedies for improved data protection compliance.

Section 65 of the draft proposed act imposed contemporary liability for multiple roles, including partner, officer, staff, representative, director, manager, owner, and secretary. However, the highest authority holds the primary responsibility for data protection, not their subordinates.
