Bangladesh steps into the data protection regime

The jurisprudence of data protection stems from the right to privacy. Data protection and privacy are recognised as fundamental rights. An individual’s “private life” includes the protection of his or her personal data. Personal data, in principle, is information that identifies an individual, or is related to the individual.

Data, in the age of the fourth industrial revolution, is considered as the new currency. The amount of data created and stored every day continues to grow at an unprecedented rate, and data-driven disruptive technologies like Artificial Intelligence, Internet of Things and Big Data are continuously challenging the legal framework in every jurisdiction.

Data protection laws by and large govern processing and handling of personal information and aim to protect individuals to safeguard their privacy and protect their personal information from being misused by others. According to Privacy International, 126 countries now have data protection laws. Article 43(B) of the Constitution of Bangladesh safeguards citizens’ privacy of correspondence and communication, but such protection would not usually extend to the breach of privacy caused by a private entity or caused through peer-to-peer data-sharing.

The basic distinction between “data” and “information” is that data is unprocessed, i.e. raw facts, texts, figures, symbols or characters. Data, once refined or processed, transforms into information, and becomes useful to users. The ICT Act, 2006 of Bangladesh was intended to provide the legal framework and recognition to digital signature, electronic records and controller of certifying authorities. It was not intended to deal with data privacy or data protection, nor does it intend to do so now. However, the government of Bangladesh has enacted the Digital Security Act, 2018, and the same was published through a gazette notification on October 8, 2018. Digital Security Act, 2018, which is commonly known as the Cyber Security Act in other jurisdictions, aims to promote confidentiality, integrity, and availability of public and private information systems and networks with the goal to protect individuals’ rights and privacy, economic interests and security in the cyberspace. Therefore, the inherent purposes of the ICT Act, 2006 and the Digital Security Act, 2018 are therefore distinct.

With the enactment of the Digital Security Act, 2018, Bangladesh has stepped into the data or information protection regime. Section 26 of the Digital Security Act, 2018 defines personal data as “identity information”. Section 26 requires that an individual’s explicit consent or authorisation be obtained for collecting, selling, storing/preserving, supplying or using his or her identity information.

Section 26 defines any external, biological or physical information or any other information which identifies a person or system singly or jointly as “identity information”. This includes name, picture, address, date of birth, mother’s name, father’s name, signature, national identity card, birth and death registration number, fingerprint, passport number, bank account number, driving licence, e-TIN number, electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security question, etc. Collecting, selling, preserving, supplying, or using such “identity information” without the individual’s explicit consent or authorisation is a crime, which is punishable for a maximum term of five years’ imprisonment, or for a penalty of Tk 5 lakh maximum, or both.

Consent/authorisation unequivocally is the decisive factor, as far as Section 26 is concerned, and unless consent/authorisation is expressly given by the information/data subject, processing identity information is prohibited. Section 26 appears to interpret consent “strictly”, which means without consent, or once the consent is withdrawn, information cannot be used or processed. However, Digital Security Act, 2018 does not appear to contain further provisions to administer regulation of consent or processing identity information by an individual. Digital Security Act, 2018 in its preamble defines an “individual” as an organisation or public or private entity or a body created by law.

The doctrine of consent followed in various data protection regimes, including UK, EU, Canada and Australia, makes it very clear that “consent” must be voluntarily given, it must be specific, informed and unambiguous, and is subject to withdrawal by the same individual that gave the consent. Consent could therefore be conditional. Section 26 of the Digital Security Act, 2018 is therefore “the provision” that specifically governs protection of personal information or data in Bangladesh. It is the lone, yet a very powerful and persuasive, piece of law in Bangladesh, as far as protection of information/data is concerned. It therefore would not be appropriate to be under the impression that “Bangladesh does not currently have a specific law to govern protection of personal information or data.”

Section 26 can have an immense impact in Bangladesh’s digital economy, especially the telecommunication, e-commerce, banking and fintech industries. Companies in these industries handle a huge amount of customer data in electronic or digital form every day. Besides, there are entities that collect customer information/data. This information/data is mostly customer names, their cell phone numbers and email addresses that are regularly shared with various entities for sending bulk SMSs, phone calls and emails for marketing purposes. Post-enactment of the Digital Security Act, 2018, telecommunication, e-commerce, and fintech companies, banks, third parties and other entities now must obtain authorisation or consent, from the individuals (principal) whose identity information/data they are handling, or are required to revalidate their respective privacy terms and conditions in order to comply with Section 26. Breach or non-compliance of Section 26 could trigger potential criminal liabilities against such entities. Breach could result from absence of consent or for breach of any conditions of such consent too. Any pre-executed privacy policies or privacy terms and conditions must now be construed in accordance to Section 26(1), to ensure that an individual’s identity information is used lawfully, and for the purpose it was collected for.

It is also important to note that mere existence of any privacy policy or terms and conditions executed in the form of a contract prior to or post-enactment of the Digital Security Act, 2018, cannot oust the jurisdiction of a criminal court in cases where Section 26(1) is breached.

Nonetheless, the government, as a matter of fact, is going to frame rules (supplementary regulations) pursuant to Section 60(1) and (2) of the Digital Security Act, 2018, which is expected to address the breadth of issues related to information/data regulation, including categorisation of personal information/data, defining sensitive personal information/data, manners for processing information/data and exemptions thereof, duties of the information/data fiduciary, procedure for preserving information/data, rights of the information/data principal, procedure and conditions for obtaining and revoking consent, procedure for executing the right to seek remedy in case of breach, etc.

The need for framing rules or supplementary regulations is significant, considering the fact that we generate a huge amount of information/data in Bangladesh every day, and such information/data can be used for data analytics which could help us in many facets including designing new products or services, solving various problems that we experience in our daily social lives, improving healthcare services and traffic systems, combating crimes, managing supply chain efficiently, handling manufacturing process more robustly, transforming the agriculture eco-system, maximizing earning foreign currency by exporting information/data and so on. A comprehensive set of regulations therefore could go a long way, but without such supplementary regulations, Section 26 could turn into a terrifying legal threat.

In recent times, we saw how Pathao, one of the leading ride-sharing companies in Bangladesh, was accused of extracting data without authorisation from the smartphones of customers who had downloaded the Pathao app, and daraz.com, one of the leading e-commerce platforms in Bangladesh, was issued legal notice for using an individual’s email address (identity information) without his consent. We, therefore, cannot rule out the possibilities of experiencing more aggravated legal actions in the coming days, in the absence of comprehensive regulations to address the dynamics of the information/data driven society that we now live in.    

However, during the pendency of the enactment of such rules or supplementary regulations, if circumstances demand, the judiciary reserves the discretion to interpret Section 26 on the basis of the jurisprudence of data protection law followed in various common law regimes, in line with the legislator’s intention, preamble of the Digital Security Act, 2018 and the heading of Section 26.

Originally Published in www.thedailystar.net

April 08, 2019