Need of personal data protection laws in Bangladesh: A legal appraisal
By Advocate Md. Shahabuddin Molla and Sumiya Nahara
“Personal data” means a data that relates to a person who is directly or indirectly identifiable, or any other feature of the identity of such person, or any combination of such features with any other information. Personal data will be turned to Sensitive Personal Data when it relates to passwords, health data, sex life, biometric data, genetic data, caste or tribe, religious or political belief, commission of any offence or proceedings relating to offences etc.
We provide lot of our personal data to various legal entities such as companies or government/public authorities, hospitals or educational institutions. Considering personal data provided to a legal entity such as a company or bank, or even any other service or product providing company requires the personal information for the purpose of processing consumers orders and managing and administering their account; delivering any services, products or information requested by them, responding to complaints or account enquiries, administering debt recoveries, verifying ones identity when required.
German State of Hesse was pioneer in passing the first Data Protection Act in the year 1970. In the year 1973, Sweden passed the first Data Protection Statute in the national level. In 1981 the Council of European Convention established standards among member countries, to ensure free flow of information among them without infringing the personal privacy. In UK, the First Data Protection Act was enacted in 1984. It made it mandatory for public and private organizations about access to computer-held personal data for registering with a Data Protection Registrar. However it is to be noted that it did not explicitly recognize the individual’s right to privacy. The subsequent UK’s Data Protection Act 1998 was introduced with the explicit aim of protecting the right to privacy. In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data. However, each Congressional term brings proposals to standardize laws at a federal level. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered “best practices”. These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.
Privacy law in different countries:
The Data Protection Act, 2018 of UK controls the way one’s personal information is used by others. The said Act is the UK’s implementation of the General Data Protection Regulation (GDPR) which replaces the Data Protection Act, 1998. The Act also sets out that the Information Commissioner’s Office will be the supervisory authority in the UK for the purposes of the GDPR, and as such, is given certain powers under the Act to scrutinize and invoke its provisions, among other duties.
In USA, citizens are pessimistic about the protection of their personal information in recent times. The ongoing scandal of data breach has led to massive flaws and malpractice. The Facebook–Cambridge Analytica data scandal is recent scenario of misuse of personal data in USA. Cambridge Analytica collected personal data of 87 million Facebook users. It was alleged that those information was used to influence the opinion of voter on behalf of politicians. Subsequently, Facebook apologized amid public outcry.USA Supreme Court protects against government searches, whenever a person has a ‘reasonable expectation of privacy’ by mentioning fourth amendment of US Constitution.
Our neighboring India has already enacted specific Data Protection Rules and a consolidated Privacy Bill namely the Personal Data Protection Bill, 2018 has been proposed. The most remarkable parts of this Bill are-
- definition of Personal Data and Sensitive Personal Data [Section- 3(29) and 3(30)];
- purposes for processing Personal Data shall be clear, specific and lawful [Section-5] and
- punishment for obtaining, transferring or selling of Personal Data and Sensitive Personal Data contrary to the Act [Section- 90 and 91].
Beside UK, USA, India many other countries explicitly protect privacy in their constitutions; for example, Brazil proclaims that “the privacy, private life, honor and image of people are inviolable”; South Africa declares that “Everyone has the right to privacy”; and South Korea announces that “the privacy of no citizen shall be infringed.” When privacy is not directly mentioned in constitutions, the courts of many countries have recognized implicit constitutional right to privacy, such as Canada, France, Germany, Japan, and India.
Existing provision regarding privacy law in Bangladesh:
Although there is no statute namely or more particularly Privacy or Data Protection in Bangladesh, but there are some enactment which may be applied to safeguard the personal data.
According to Article- 43(b) of the Constitution of the People’s Republic of Bangladesh, every citizen shall have the right to the privacy of his correspondence and other means of communication. This provision is included in the chapter of fundamental rights so the state is bound to implement the privacy of citizen, otherwise the victim may has the right to move the High Court Division in accordance with clause (1) of article 102 [Article-44].
As per section- 7(h), 7(i) and 7(r) of the Right to Information Act, 2009, any authority are not bound to disclose any information which may reveal the privacy of one’s life, any information which may endanger life or physical safety of any person, or any personal information protected by any law. That means anybody cannot get any information regarding privacy or personal data.
As per section- 2(10) of the Information and Communication Technology Act, 2006, data means any information, knowledge, facts, concepts or instructions which are prepared in a formal manner and is intended to be processed, is being processed or has been processed in a computer system or computer network, in any form including computer printouts, magnetic or optical storage media, punched cards, punched tapes or stored in the internal memory of the computer. Although this is not the definition of personal data but it can used to protect the personal data as well.
Section 54 of the ICT Act provides that any person, without any permission of the owner, makes accesses or secures access to his computer, computer system or computer network, downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage then the person shall be punished with imprisonment for ten years, or with fine which may amount to one million Taka or both. But if the personal data is taken illegally from any other form (e.g. office record or file) then this act would not be applied. Therefore, if any personal data is taken from any record except computer system, the offender could not be punished under this Act.
If anybody hacks a computer system of other, then he would be punished with imprisonment up to ten years and/or with fine up to a million Taka [Section- 56]. However, in case any personal data is disclosed by a custodian, either maliciously or bonafide, to any third parties, this section is not applicable. On the other hand, Section 63 of the ICT Act mentions that any person who, in pursuance of any of the powers conferred under this Act, or rules and regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term up to two years and/or fine up to Tk. 2 lacs. This section would be applicable to electronic data only and hence non electronic data provided to companies, authorities, corporation are beyond the purview of this Section.
Necessity of new privacy law in Bangladesh:
Personal information of an individual collected for a particular purpose is commonly misused for other purposes, like direct marketing without the consent of the individual. Some internal confidentiality standard within the system is required so that personal information of an individual does not get transferred to others easily causing irreparable distress or embarrassment. So it have to be clear in the new law that personal information of an individual collected for a particular purpose should be used for that particular purpose.
Recently, hacking incidents of databases of governmental organisations in Bangladesh are indicating the breach of personal data stored in their server. For instance, some unknown hackers breached Bangladesh Air Force’s website and extracted the full database, Official website of Bangladesh Parliament in 2013 and Official website of Bangladesh Judicial Service Commission.
While Bangladesh is well protected by virtue of the Information and Communication Technology (ICT) Act, 2006 to bring proceedings against perpetrators of such intrusion and unauthorized access, what it fails to take into account is that these perpetrators carry out their operations anonymously and thus, in most cases, it is difficult to identify them. In other words, a preventive framework at the pre-breach level is simply non-existent. There are some protection ensured by various Acts and Regulation on piecemeal nature, however there is no comprehensive data protection for consumers and general public for their non electronic data provide to various organizations, companies and corporations.
At last, we may conclude that Bangladesh should as soon as possible make a comprehensive statute regarding protection of personal data with clear indication of definition personal data, purposes for processing personal data, punishment for obtaining, transferring or selling of personal data without lawful authority etc. A mandatory provision in the new law should be included as the personal data of any person collected for a particular purpose shall not be processed without the consent of the person concerned except any statutory legal excuse.