The concept of data protection or privacy rights and requirements is not new in Bangladesh, but there is no codified law or regulation on it to date. Data is protected by various piecemeal legislation and regulations. However, those regulations are more concerned with digital-format data privacy than with manual data privacy, and their ambit is very limited. Moreover, they relate mainly to various hacking and computer-related offences. A codified law on data protection is important in this era of fast digital development, social networking, cyber-crime, artificial intelligence, electronic communication, and increasing awareness of users/consumers. Hence, the government of Bangladesh intends to implement a proper data privacy law and recently published a draft data privacy Act, which is expected to be passed by the Parliament very soon. In this article, we discuss the key components of the draft; unless there is a last-minute change by the Parliament, it is likely to be passed in this format as it is.
The proposed Act aims to overrun people’s privacy rights and redeem all the liabilities of authorities in accessing people’s data. Also, it will have precedence over all existing laws thereby having an overriding effect, which is a key instrument that protects people’s right to information in the present time.
Short title and commencement:
The proposed draft Act includes a short title and commencement clause, which states that the DPA shall come into force on such date as the Government may, by notification in the official Gazette, appoint.
Recommendation: A grace period of a minimum of 2 (two) years for individuals and organizations to get prepared for the new law (DPA).
It is pertinent to note that there is no definition of personal data in the proposed draft. There should be a specific definition of personal data.
As per Section 2(c) of the Data Protection Act 2023 (hereinafter the “Proposed Draft Act”), “data” means a representation of any information, knowledge, fact, concepts or instructions that are being prepared or have been prepared in a formalized manner and is intended to be processed, is being processed, or has been processed in a computer system or computer network, and may be in any form including computer printouts, magnetic or optical storage media, punch cards, punched tapes or stored internally in the memory of the computer, and includes the personal data for that purpose. Provided that the anonymized, encrypted or pseudonymized data which is incapable of identifying any individual shall not be included within the purview of personal data.
Section 2(a) of the proposed DPA deals with pseudonymized and anonymized data equally. Pseudonymized and anonymized data may look alike, but they differ. Pseudonymized data remains personal data subject to data protection rules; pseudonymization requires organizations to replace identifiable information with a pseudonym or code. Anonymized data, on the contrary, is no longer regarded as personal information and is excluded from laws governing data protection. Another definition under the DPA is the definition of ‘data subject’ in section 2(d).
Under section 2(r) of the said proposed Act, “person” includes an individual, any juridical person, company, firm, association, corporation, a body of individuals or group of persons, whether incorporated or not. It is recommended that the term “person” be amended to “natural person.”
Applicability: The data protection law applies to any natural person or institution, company, partnership business, firm, or any other organization, in the case of the digital device and its controller, and any entity created by law or artificial legal entity.
Overriding Effect of the Act: Notwithstanding anything contained to the contrary in any other law for the time being in force, the provisions of this Act shall have an overriding effect.
Consent: No data shall be processed unless consent is given by the data subject. The consent of the data subject must be free, specific, clear, and capable of being withdrawn (revocable). The data controller bears the burden of proof to establish that consent has been given by the data subject for the processing of data in accordance with the provision. As an exception, consent is in some cases not necessary where the processing is for the benefit of the data subject.
Before using or disclosing any data, a written notice must be sent to the data subject stating the objective and the process of data collection.
As per section 5 of the Act, the data collector must be accountable to the data subject. Also, the data collection method must be fair and maintain integrity, and the collector shall not disclose data by any means without the prior permission of the data subject. Section 5 of the Proposed Act, 2023 stipulates the following principles of data protection:
(1) consent and accountability, (2) fair and reasonable, (3) integrity, (4) retention, (5) access to data and data quality, (6) disclosure, (7) security.
Collection of data and processing (sections 6-10): These sections set out the regulations that control the collection and use of data, outlining in detail when consent needs to be obtained from data subjects and how much information should be given to them about the data collection and processing. Section 7(6) states that a data controller may process data of a data subject if the processing is necessary for any public interest which may be prescribed by rules.
Data relating to children: Children’s age is set at eighteen (18) years old by section 12(3)(a). The age of majority for a child’s consent should be included in the draft DPA as 13 to 16 years old for data processing activities, in accordance with accepted international standards.
Rights of foreign data subjects. – Foreign data subjects residing in Bangladesh shall have all their rights under this act where their data has been collected.
Hence the law should clarify if rights granted to foreign residents are equivalent to those granted to Bangladeshi nationals, outline requirements for DPA services, and specify data collection, storage, and processing rules.
Right to erasure of personal data– The proposed law restricts personal data security and privacy in the name of freedom of expression. Although it is a fundamental right, freedom of expression can come into conflict with data protection if it involves the collection and use of personal data without consent.
The requirement for data retention and maintaining data integrity: Sections 25 and 26 of the earlier DPA draft contained redundant provisions pertaining to the purpose limitation and accuracy requirements described in section 5.
Recommendation: The proposed amendment is that sections 25 and 26, which pertain to the purpose limitation and accuracy principles, be eliminated for clarity and conciseness, because these guidelines are already covered in section 5 under the heading “Data Protection Principles.”
Rights of Data Subject– Chapter VI discusses the rights of the data subject to enter, correct or amend any data; he can also withdraw his consent or prevent the disclosure of data, and these rights shall not be overridden by any provision of any other law. He also has the right to carry data in any readable format. This right also applies to any person residing in Bangladesh, even if he is not a citizen.
Chapter VII sets out the accountability of the data controller and how transparency will be maintained– The data controller shall collect data as per the procedure mentioned under this Act or by the government standard and shall ensure the rights of the data subject. Also, the data collector shall not use any data other than for the purpose for which the data was collected, and shall ensure security.
Breach of any provision of the Data Protection Act– Data subject means a person who is the subject of the data, whereas a data breach means a breach of security, whether accidental or unlawful, involving the destruction or loss of, among others, data transmitted, stored or otherwise processed.
If any kind of data protection breach occurs, the controller shall notify the Director General about the breach. He shall also collect all data breaches, try to prevent such breaches, detect damages, and delete them if necessary to ensure the security of the data subject.
Where a breach is committed by a company, every director, member, manager, or other such person shall be held liable unless it is proved that he was unaware of the breach.
Chapter IX deals with the formation of the Agency– An agency shall be formed to ensure the purpose of the Act and shall be called the Data Protection Agency in Bangladesh, consisting of 1 (one) person and 4 directors. The office shall be situated in Dhaka as well as outside Dhaka, if necessary. Both the Director General and the Directors shall be appointed as per the Government’s approval. The government is given the authority to appoint and set the tenure of the Director General (DG) of “The Data Protection Agency” and the other directors under Section 36 of the proposed DPA. It is recommended to include explicit provisions regarding the independence of the Data Protection Board, based on data protection principles and international best practices. This ensures the authority operates independently, is free from conflicts of interest, and has clear powers and functions.
Power of Data Protection Agency– To enforce the object and purpose of this Act, the agency can take any steps and use any power, for example, to issue notice to a person who has breached data protection. Also, if necessary for an investigation, it may enter into any source or site. The agency can ban, rectify or erase data, enforce fines, and even block any international websites. The Data Protection Agency can also enforce any regulations formed by the government, raise public awareness, and take complaints according to the Act. The Agency can also form standard operating procedures, with the permission of the government, to collect, protect and use data.
The Director General shall keep and maintain a data protection register and shall enter into it all collected data of the name list of all persons or organizations. He shall also process, change, and save that register list as per the provisions of this Act.
Section 45: Provisions Regarding the Transfer of Data
An exception to be mentioned is that the government can transfer any data internationally for any purpose of international trade or relation if necessary and may declare or list open data which would be transferred to other states or international organizations. Moreover, the transfer of sensitive, or user-generated or any other data outside of Bangladesh with the consent of the data subject and in accordance with the rules of Bangladesh Bank, BTRC, and NBR
Complaint Procedure– As per section 49, chapter XII, any person may complain to the Director General if any breach of data protection under this Act is found.
Investigation– Section 50 states that if anything inconsistent with the Act appears to the Director General Officer, or any breach occurs, he can investigate or, by written notice, appoint any officer subordinate to him to investigate, and that subordinate officer shall update him as per the Act. The investigation shall be held as per section 50 of this Act, and if a breach of any provision of this Act is found, the Director General may file a suit against him or take legal action against him.
Trial and Appeal– Any act or breach under this Act shall be tried by the Cyber Tribunal formed as per the Information and Communication Technology Act, 2006, and if any person is aggrieved by the judgment of the Cyber Tribunal, he can appeal to the Appeal Tribunal constituted under section 82 of the said Act. In terms of the procedure of trial and appeal, the Code of Criminal Procedure, 1898 shall be followed, and the Tribunal shall have the powers of the Court of Sessions Judge. The Public Prosecutor shall act on behalf of the complainant.
Punishment– Any data protection breach under this Act shall be punishable with a maximum of ten lakh (1,000,000/-) taka or three years’ imprisonment or both under section 61 of this Act.
A fine may also be imposed by the officer in some situations; for example, if any person illegally collects data, fails to ensure the safety of the data subject, illegally transfers data, or fails to follow orders, he shall be punished with a fine of two lakh (200,000/-) taka. Foreign companies may also be fined if they commit any breach of the provisions under this Act.
However, if any person illegally processes data, he will be punished with a maximum of three lakh (300,000/-) taka, and with a maximum of five lakh (500,000/-) taka administrative fine if he repeatedly does that activity. If the controller or relevant person fails to take proper measures to protect the data and violates the law, he will be punished with a maximum of three lakh (300,000/-) taka administrative fine.
Appeal– Under the recent draft of the DPA, an appeal can be filed before the government within 30 (thirty) days, and a copy of such application shall be submitted before the Director General or any other officer if required. The appellate body has 90 (ninety) days to respond to the appeal resolution.
Lastly, the Government may make regulations at any time if necessary to enforce any purpose or objective of this Act. In some situations an exemption is given from the applicability of the provisions of this Act: these are any criminal investigation or arrest, an order of the Court, any journalistic or literary work, or anything that the government exempts by official gazette, either with or without conditions.
Application of the Code of Criminal Procedure (section 65)- Save as anything contrary to the provisions of this Act, the provisions of the Code of Criminal Procedure, 1898 shall apply to the investigation, trial, appeal and all other incidental matters related to any offence under this Act.
It has to be noted that laws concerning data protection are under civil jurisdiction and not criminal jurisdiction. The latest draft incorporated the applicability of the Code of Criminal Procedure in accordance with civil jurisdiction principles, administrative penalties, and civil remedies for improved data protection compliance.
Section 65 of the draft proposed Act imposes contemporary liability on multiple roles, including partner, officer, staff, representative, director, manager, owner, and secretary. However, the highest authority, instead of their subordinates, holds the primary responsibility for data protection.