A review of the new draft reveals various shortcomings. Roughly those could be divided into two types (A) Shortcomings in the draft laws and (B) Concerns regarding implementation if the act is passed in accordance with the draft. The shortcomings are as follows:

(A) Shortcomings in the draft laws

In the light of analysis of already existing such acts in 137 countries, it is revealed that there are some shortcomings in the draft laws.

1. The name of the draft act is ‘Upatto Surokkha Ain, 2022’. In English it is called the ‘Data Protection Act’. Assumption is the draft act is prepared following the ‘General Data Protection Regulation’ adopted in current Europe. And, the word ‘Upatto (Data)’ has been taken from the ‘Proshashonik Poribhasha, 2015 (Administrative Terminology, 2015)’ published by the Ministry of Public Administration.

Though the words ‘Data Protection’ have been used to mean personal data, it is not compulsory to use ‘Data Protection’ every time. The UK, Sweden, Malta, Ireland and a few other countries have used the words ‘Data Protection’ in the heading of their acts. But at least 60 countries (including Japan, South Korea, China, South Africa etc.) use ‘Personal Information Protection’ in the headings of their acts. On the other hand, the word ‘Privacy’ could be seen in the headings of acts by at least 30 countries. Some other countries have used ‘Personal Data Protection’ in the headings of their similar acts. That means, despite the differences in headings, the objective of the enactment is similar, i.e., securing personal data.

We can get an idea of what constitutes personal data from Section 26 of Bangladesh’s Digital Security Act (DSA). For example, name, photograph, birth date, mother’s name, father’s name. signature, National Identity (NID) card, birth and death registration numbers, fingerprint, passport number, bank account numbers, driving license, e-TIN number, electronic or digital signature, users name, credit or debit card numbers, voice print, retina image, iris image, DNA profile, security question or any other identifying marks. Collecting those, selling, occupying, supplying and using have been made a criminal offence by law.

Many countries regularly use ‘Personal Information’ and ‘Personal Data’ in the headings of their laws regarding personal data security. In the context of Bangladesh, the objective of the act would be hampered if ‘Upatto’ is used in place of ‘Data’. That’s why it would be reasonable to consider the heading as ‘Byatigoto Tothya Surokkha Ain’ (in Bangla) to avoid problems of explanation during its implementation from time to time.

2. There is no definition or example of ‘personal data’ in the proposed act. Even a few days ago, a definition on this was included in a regulation ‘Tothya Goponiyota O Surokkha Bidhimala, 2019 (Data Secrecy and Protection Regulation, 2019)’ published under the power of Digital Security Act to ensure security of personal data. If the law is passed without defining personal data, there would be chances of serious misuse.

3. No internet-based services could be availed without processing personal data. Regulations on some legal spheres to process personal data legally should be included in the law regarding personal data safety. Some of the regulations have been mentioned sparsely.

4. Any law concerning personal data safety, including the provision of taking individual’s permission for any personal data is very important. That’s why most of the countries include this provision with due importance. The matter has been included in the law under discussion in a rather sparse manner. That’s why there is fear of misuse of the regulation.

5. The draft has talked about policies regarding personal data security or rights of the concerned person. But there is no regulation on how the concerned person would know about the rights. Though it is said that, a written notice has to be issued before collecting personal data or disclosing that to any third party. Many countries publish the regulation on website in at least two languages. In case of Bangladesh, it is necessary to have regulation to publish Privacy Policy on website in state language Bangla, and in English.

6. The Bangladesh has signed the ‘Framework Agreement on Facilitation of Cross-border Paperless Trade in Asia and the Pacific’. The Framework has been implemented since February 2021. In case of doing something like this, some of the personal data will surely have to handover to other countries. But there is no provision in the act on how those data would be handed over.

7. No provision on important issues like marketing, security of evidence, cookies, spam has been included in the law.

8. Taking steps to operate mass awareness campaigns and imparting training to officials and employees of different levels are a must for appropriate and effective implementation of the act. But there is no such provision in the act.

(B) Concerns regarding implementation

There are models for laws regarding personal data security around the world. There are many reasons to be worried about the draft act especially in the light of experience of 137 countries and the misuse of the Digital Security Act, 2018.

1. When the draft would be made a law, a number of regulations have to be made for its proper implementation. Considering the experiences regarding the Digital Security Act, it could be said that there are chances of misuse of the provisions of the law. Though the Digital Security Act talks about composing regulations for about 25 times, only one regulation has been prepared in the last four years. But the image of the country has been severely damaged internationally because of rampant misuse of the act. There are enough reasons to fear the repetition of same experiences.

2. Preamble of any act plays a very important role in explanation of the act. Some of the matters have been included in the act’s preamble in a rather superficial way. Whereas constitutions of many countries do not acknowledge the right to privacy, the inclusion of such a provision in the constitution of Bangladesh is a matter of pride. But this is not included in the draft Data Protection Act.

3. If the definition of an “individual” is considered as per Section 2 of the draft, the provisions of the act would be applicable for all the people of Bangladesh. It needs to be considered whether such a provision could be implemented in Bangladesh, especially taking its socio-cultural context into consideration. Let alone the farmer, day labourer, beggar of marginal people, can any small and medium organisations abide by this act? The organisations that process huge personal data could come under the jurisdiction of the law. For example, telecommunication service providing organisation, bank, insurance office, educational institution, hospital, and other service providing organisations.

4. Section 3 of the draft says about giving prominence to this act over other laws. But a closer examination would reveal that this provision is devoid of reality.

5. Chapter 9 of the draft considered Digital Security Agency, formed as per the Digital Security Act, as its office while talking about the provision on data security office. That has been given unlimited and supreme power. This power is contradictory to various rights, especially the right to privacy, described in the constitution of Bangladesh.

If we review the provisions of personal data security acts of different countries, we could see that everywhere an independent and impartial organisation has been formed for the implementation of the regulations of the act. That’s why our proposal is, it is necessary to form an independent and specialised institution like Anti-Corruption Commission or National Human Rights Commission.

6. Section 59 gives the power of investigation of any crime to a police officer not below the rank of inspector. It has not been considered whether the investigation officer possesses any technical knowledge or quality to investigate something so specialised.

7. For example it can be said, controller of personal data and people involved with processing the data are “super human being”. Bearing all the technical and economic responsibilities have been imposed on them for the implementation of the law’s provisions. Interesting thing is, Section 2 defines controller of personal data and people involved with processing as “government authorities”. There are questions on how much the government authorities are capable of abiding by the provisions, especially when people face so much harassment at different government offices.

It is observed, just a draft of the act has been drawn up in the country but its implementation has not been considered. It’s not hard to assume that it would fail to achieve its objectives because of this. An act drawn up so swiftly will give birth to stern criticisms like other laws especially the misuse of the Digital Security Act. As a result, people’s harassment will increase and once again, the image of the country will be damaged internationally.

* The report, originally published in the print edition of Prothom Alo, has been rewritten for English edition by Shameem Reza