Govt seeks control over people’s personal information

According to the initial draft, there is scope to collect sensitive information outside of personal information. Sensitive information include ethnic, religious, philosophical and other types of beliefs like political beliefs, membership to any political party, trade union, organisation, biometric or genetic data and information related to health and sex life

There is bad news for people who resort to social media posts or take to messaging apps to talk to friends to vent their anger or frustrations over social, political or other issues as the government is pondering on taking control of all information, including sensitive information, by enacting a law, the ‘Personal Data Protection Act’. This has been revealed in an analysis of the initial draft of the act proposed by the information and communication technology ministry.

The draft says the government could collect any information of a person with his/her consent and use this whenever necessary. A high official, appointed by the government, will control this. If officials and employees under his jurisdiction cannot collect information, they can employ a third party to do the task.

If the personal information is somehow leaked out or any discrepancy appears, the victim cannot not go to the court. Instead, he has to file a complaint with the director general of the department and if the DG finds that the official/employees leaked the information "innocently", no action can be then taken against the accused. However, the victim will get compensation if anybody else leaks the information.

At the same time, all the tech giants including Facebook, WhatsApp, Google, Twitter and Amazon have to set up their servers in Bangladesh. The objective is to keep the data of Bangladeshis inside the country.

State minister for information and communication technology, Zunaid Ahmed, however, said, “Surveillance is not the objective of this law. We don’t want our people’s personal information to remain insecure. Facebook and Google are new colonial powers. Information will be the most important weapon in the coming days. People are handing over their information to them knowingly or unknowingly. Incidents of leaking have happened from them too.”

The state minister further said no draft has yet been finalised. They are analysing the laws of other countries and discussing the matter, he told Prothom Alo.

Zunaid Ahmed further said they will publish the draft on the website. He, however, admitted in an interview with a national newspaper in June this year, that an initial draft had been drawn up.

Surveillance is not the objective of this law. We don’t want our people’s personal information to remain unsecure. Facebook and Google are new colonial powers. Information will be the most important weapon in the coming days
Zunaid Ahmed, State minister for information and communication technology

Prothom Alo collected the primary draft from different sources and talked about this with Mohammad Ershadul Karim, lecturer at the Law and Emerging Technologies Department of the University of Malaya. He said you have to give personal information for access to almost all types of services these days. That’s why around 135 countries have passed laws to ensure security to their citizens’ personal information. There’s General Data Protection Regulation (GDPR) for the EU countries. These are to ensure security of the people’s personal information and to ensure that a person feels safe in the digital world.

But, it is not clear whether the government is enacting the law to stop commercial use of personal information, or taking human rights into consideration, or for the security of the state, observes Mohammad Ershadul Karim.

In other countries, an institution could use the information of a person only for the purpose the person provides the information. There are some scattered provisions on this in the Bangladesh’s Digital Security Act. But people receive messages of different commercial and service-related organisations over their phones as there is no specific law regarding this in the country.

In this context, the question is what is the purpose of this act? Concerned people said all of the recent big movements, including road safety movement by the school students, were mobilised through social media. Law enforcing agencies monitored the social media to control the movements. There could be a possibility to extend the controlling net further through gaining control over personal information.

But, according to Imam Hossain Tareq, the worst side is widely relieving the government officials from liability. The draft mentioned that no legal action could be taken against any law enforcing person from the DG to the data protection officer

Speaking at the sixth anniversary programme of Cybercrime Awareness Foundation in June this year, posts and telecommunication minister Mustafa Jabbar reportedly said YouTube and Facebook authorities gave only 40 per cent information of what the Bangladesh government sought. They (YouTube and Facebook) helped with providing information only in cases of massive anti-state propaganda and in some cases about terrorism. But they do not provide information if any citizen spreads rumours or militancy. They claim this is freedom of speech. That’s why we could not take action against them. The Digital Security Act is not enough. That’s why a new act is being composed. A draft of that has also been made.

Speaking to Prothom Alo, Mustafa Jabbar said he does not know the details as the information and communication technology ministry has been working on the law.

Government, not people, is all in all

The primary draft said the objective of the law is to provide security to personal information and privacy. In order to ensure this protection, the law will control the collection of an individual's information, make the information fit for use, and also control the preservarion and publication of the information, as freedom of thinking and dignity is intrinsically connected with privacy, the right to live and individual freedoms. The law is supposed to ensure the right of the person whose information will be collected. At the same time, it will bring data controller, data collector and data processor under the obligations.

As per the primary draft, data means any information gathered using electronic media. The person whose information is being collected is the data subject. Data controller is the person who works with the information of data subject. Data processors will make the information usable under the directions of data controller. The Director general will be above everybody else.

The Digital Security Act also talked about appointing a DG to oversee the implementation of the law. That same DG will carry out duties here as well.

According to the primary draft, there is scope to collect sensitive information outside of personal information. Sensitive information include ethnic, religious, philosophical and other types of beliefs like political beliefs, membership to any political party, trade union, organisation, biometric or genetic data and information related to a person's health and sex life. Besides, whether the person committed any crime or guided to commit any crime, whether the legal process about that are completed, whether the person was punished or not, is also sensitive information.

The primary draft says if the government (data controller) does have any legal bindings or if it thinks reasonable, it can take control of personal information. At the same, information could be collected if a person be a party of any agreement or the person himself can give information if he wants to be a stakeholder of any agreement.

The government’s representative or the data controller will have the authority to collect personal information. A person appointed by him could collect the information directly from the people. Information could be collected from any other individual, statutory body or government organisation. An individual himself could give information or could allow to collect the information from any approved organisation. Information could be collected from any other sources if privacy in not offended. Besides, personal information could be collected for the sake of curbing crimes, detect a criminal, investigation or national security.

It is not clear whether the government is enacting the law to stop commercial use of personal information, or taking human rights into consideration, or for the security of the state, observes Mohammad Ershadul Karim

But there is a legal obligation to inform and take clear approval from the person whose data is being collected. If any government employee commits any mistake or leak any information, the victim could file complaint with the DG. The victim will get compensation if he were defamed.

The draft also talked about data localisation. This means, Facebook, Twitter and other social media have to save the data of its users in servers within Bangladesh, said concerned people.

Incoherence and concerns

Research and rights activist Rezaur Rahman has been keeping an eye on the whole process. He told Prothom Alo that the first question is why the primary draft is composed in English. According to the Bangla Bhasha Procholon Ain, 1987 (Bengali Language Implementation Act, 1987), this was supposed to be done in Bangla. Secondly, third party that means the concerned IT organisation could have access to the data store. Any third party could sell the data or leak it. What are the measures to ensure security from that? Thirdly, does the judiciary have any right to monitor it to ensure justice to the citizens?

The rights activist further said the law provides the scope to send the data abroad. It is not clear either how much control the Bangladeshi authorities will have on the country where the data will be sent.

Rights activists and lawyers said answers to several questions are also not clear -- what will happen to sections 96 and 97 of Bangladesh Telecommunication Act, 2001 and the Section 43 of Digital Security Act.

Sections 96 and 97 of Bangladesh Telecommunication Act, 2001 gave the government preference over the operator or any other user in using a radio apparatus or telecommunication system during war declared, or a situation of war created, by a foreign power against Bangladesh, or during internal rebellion or disorder, or in a situation where the defence or other security of Bangladesh or any other urgent state-affair needs to be ensured. The government even could take possession of the telecommunication system or all other necessary equipment to keep them functional for any tenure and could keep employed the concerned operator and its employees for round-the-clock or for a certain period.

Again, as per the Section 43 of the Digital Security Act, the authorities could seize all the digital media of the suspected accused without any warrant. In that case, personal information of that person’s friends and relatives also comes under danger. Whether the proposed act will ensure their security or not, is also a question.

A "like" to any post on social media could provide sensitive information about the person. An authority with control over huge amount of data could bring allegations against any person of hurting religious sentiments, insulting or threatening a government official or degradation of law and order situation

Sources said data localisation is a matter of grave concern. Bangladesh government said the citizens’ data have to be kept within the boundary of the country. When a Bangladeshi uses Google, Facebook or any other platform, his information is saved in the servers of that platform. The country does not have any control over that server. That’s why citizen’s data becomes vulnerable to leak.

Speaking to Prothom Alo, Md Saimum Reza Talukder, Senior Lecturer at the School of Law, BRAC University, said, “Data localisation is like a weapon that cuts both ways. Information could be collected fast if the tech-giants set up data centres within the country. At the same time, the control of the government is also very important over the data centres where sensitive information like those of NID are being stored. But, it has to be ensured strictly so that no one could get unwanted access to any sensitive information. For example, judiciary monitoring is necessary to check whether the law enforcement collect information of other people while collecting information of any individual.”

But there are allegations that the authoritarian countries use the data localisation facility to crush democratic movements.

Freedom House published a report, ‘User Privacy or Cyber Sovereignty’, last year. It said many personal and professional information of a person could be extracted by analysing his use of internet. Geolocation data could reveal whether the person went to any rally, or frequency of going to religious organisations. A "like" to any post on social media could provide sensitive information about the person. An authority with control over huge amount of data could bring allegations against any person of hurting religious sentiments, insulting or threatening a government official or degradation of law and order situation. Likewise, democratic movements could be stopped. Brazil, India and Turkey followed the path of China and Russia in the name of securing personal information.

There are a number of allegations against the government and private organisations and hacker groups for breaching privacies. For example, the BTRC (Bangladesh Telecommunication Regulatory Commission) authorities collected mobile phone numbers of the people of 184 upazilas before the 11th parliament elections in 2018. In the letters, the BTRC authorities said the phone numbers were necessary for survey on electricity use. The Bangladesh Bureau of Statistics was supposed to conduct the survey. Later, it was learnt that no such survey was conducted. Prothom Alo published a report on this at the time.

There are allegations against the government bodies of leaking personal phone conversations. Besides, there were allegations that at least two organisations hacked accounts of local rights workers, journalists, representatives of minority community people, and expatriate people in the name of “ethical hacking”. They also play role in closing accounts by fake reporting of breaking “community standards”. Regarding this, Facebook issued a statement on 11 December last year saying it had taken actions against Crime Research and Analysis Foundation (CRAF) and Don’s Team (DT). In this context, the rights workers have apprehensions how the government would use the proposed act.

Speaking to Prothom Alo, lawyer Imam Hossain Tareq said, “There are some good provisions in the primary draft. It has talked about consent for taking personal information and pledged to store the data with care. It also talked about punishment for commercial use of personal data.”

But, according to Imam Hossain Tareq, the worst side is widely relieving the government officials from liability. The draft mentioned that no legal action could be taken against any law enforcing person from the DG to the data protection officer. Such a provision must not be included in the act.

He also said for the implementation of the act an independent organisation has to be set up so that it could take action against any government institution or the law enforcement agency for breaching the law.

* The report, originally published in the Bangla online edition of Prothom Alo, has been rewritten for English edition by Shameem Reza