The Government of Bangladesh’s understanding of data governance and priority has not changed, which is evident from the Third Data Protection Bill. VISUAL: SALMAN SAKIB SHAHRYAR
The Government of Bangladesh’s understanding of data governance and priority has not changed, which is clear from the Third Data Protection Bill. VISUAL: SALMAN SAKIB SHAHRYAR
Following protests from opposition parties, rights groups and businesses, the Indian government withdrew its proposed data protection bill. The draft bill received 81 proposed amendments in the joint parliamentary committee. Reports suggest that the government is now planning to introduce a new bill, taking into account all the suggestions that have reached the parliamentary committee.
While the Indian government listened to opposition, in Bangladesh the government brushed aside civil society concerns over a similar bill and released a third bill with a further expansion of authoritative controls over personal data and privacy. private life.
In India, the bill was sent to the parliamentary panel in 2019 after opposition parties said the data privacy law violated fundamental rights of citizens. They said the law gave the government sweeping powers to access individuals’ personal data under opaque conditions, citing national security and other reasons. The law would also have required major social media platforms to offer an identity verification option, a potentially precedent-setting effort to curb the spread of “fake news”. Rights groups and tech giants have argued that the Indian government’s proposed requirement is likely to raise a host of technical and political issues, including potential disputes with other governments over data localization.
The similarities between Bangladesh’s bill and India’s scrapped bill were too many, especially in the areas of the intrusive powers given to government agencies on ill-defined grounds and the imposition of the requirement of data localization.
Worse, however, is keeping the regulator, the Data Protection Office (DPO), under the authority of the Digital Security Agency, which is to be set up under the infamous Data Protection Act 2018. Digital Security, and the Chief Executive of the Digital Security Act, 2018. The Security Agency is the head of the DPD. This is completely contrary to the idea of protecting the privacy of citizens through a legal data protection framework, which requires absolute independence of the regulatory authority from any influence or direct governmental control or indirect. The government and state apparatus are generally among the primary data collectors and processors of people’s personal information, and the Digital Security Agency is designated to be the lead agency in carrying out this work on behalf of the state. If the current bill becomes law, then the DPO will simply become another government tool to invade individuals’ private space and abuse opponents and critics.
The latest revised draft still contains too broad a scope of exemptions to effectively protect data and guard against misuse and abuse of power. Submissions made earlier by Access Now, a global digital user rights group, pointed out that the scope of the exemptions and the circumstances in which – and under whose authority – they can be applied are not clearly defined. ; the provision does not contain any significant limitations and does not define a procedure guaranteeing transparency and accountability, as well as respecting the principles of necessity and proportionality. But the project shows that their concerns were outright ignored.
The bill also retains indefinite and unlimited regulatory powers of the government, which experts and activists have opposed, arguing that these powers should be limited and, as much as possible, be prescribed in legislation formulated through a democratic process of participation and parliamentary procedures. Provisions on the scope and procedures for data access, storage and disclosure and the mechanism for affected parties to assert their rights and seek redress should be well defined in law.
The strict data retention provisions in the bill also mean maintaining government access and control over the data, increasing the vulnerability of people’s privacy and free speech. The laws and regulatory frameworks in force in Bangladesh allow all data stored in Bangladesh to be subject to surveillance, monitoring and interception, as well as requests for disclosure or deletion of data, by the government and agencies intelligence, which could be exempted from the bill. Access Now argues that “insufficient safeguards to protect people’s data may also jeopardize Bangladesh’s business prospects with other territories, such as the European Union, the United Kingdom and the United States, which impose restrictions on the transfer of personal data unless the country provides an adequate level of protection of users’ rights and freedoms with regard to the processing of personal data.” As a result, he warns that people in Bangladesh may be denied access to internationally available services, putting them at a disadvantage and negatively impacting rights, accessibility and growth.
The proposed legislation paves the way for data to be stored in data centers and servers in Bangladesh, with exceptions for necessary cross-border data transfer with prior notification to the Director General of the Digital Security Agency, but what constitutes ” necessary” has not been clearly defined. Domestic and foreign businesses connected to the global economy will thus face serious obstacles due to these restrictions on cross-border data flows. Experts say data centers are energy-intensive and expensive to build and maintain, which will discourage new businesses, and small and medium-sized businesses will face huge challenges to survive.
A unique addition in the latest draft, possibly the first in the world, is that the government has absolute freedom to set different effective dates for different sections of this law, through gazette notifications. Why would you want such an extraordinary measure to enforce new legislation? This allows the government to delay implementing articles that protect people’s rights, but immediately enforce harsh and anti-people articles.
The publication of the third project clearly shows that the Government of Bangladesh’s understanding of data governance and prioritization has not changed. Its priority is to establish full control over all data collected and stored or its traffic inside and outside the country. All of this would be done under the notion of security and state sovereignty, instead of allowing citizens to control their personal data and protect their privacy rights. We could only hope that our government would learn from our closest neighbor and one of the largest digital markets in the world, and consider rewriting the bill with broader consultations with all stakeholders.
Kamal Ahmad is a freelance journalist and writes from London, UK. His Twitter account is @ahmedka1