Proposed data protection act to hurt FDI: Diplomats

The Data Protection Act being worked on by the Bangladesh government for protecting user data in the digital world can backfire in terms of falling foreign direct investments, diplomats said at a discussion on Sunday.

"We worry the Data Protection Act, if passed with strict data localisation requirements, may force some US companies currently operating in Bangladesh to leave the market," US Ambassador in Dhaka Peter Haas said at the event titled "Online Freedom & Business Investment in Bangladesh" held at the EMK Center.

"The online platform regulations will similarly dissuade companies from investing in their businesses here if they face criminal liability for user content. The consequences could have very negative effects for Bangladesh. Over 2,000 startups could be put out of business…," he said.

Saying the laws would also hurt the culture of innovation, Haas then went on to add that such laws could also have ramifications in terms of human rights.

"The United States recognises the need to govern online content to protect end users and vulnerable populations. This is no easy task. However, as we look at the draft online platform regulations, we are concerned about the broad definitions for what type of online content is deemed criminal.

"We are also concerned about the recent announcement that 191 online news portals will be blocked," he said.

Urging the government to focus on recommendations given over the draft laws, he said, "the ability to accept criticism and ensure freedom of speech even when that speech is unpleasant are hallmarks of a strong democracy."

British High Commissioner to Bangladesh Robert Chatterton Dickson lauded Bangladesh's "remarkable progress in digital economy", but said, "We have already seen the impact on restrictions of freedom of expression by the 2018 Digital Security Act."

He said, "While we see promising signs, we also see concerns. We have concerns as it relates to privacy, how information will be handled, the safeguards in place and data localisation.

"The Data protection act is a chance to modernise data infrastructure, but there's a risk, if it goes wrong, then it will intensify the concerns international partners have about human rights in Bangladesh.

"Then there is also a risk for the nascent and impressive Bangladesh IT industry, which will be undermined."

Chatterton said the law might render companies unable to access some important tools used internationally, which he termed a risk as such a situation would affect much-needed investment.

Saying the law will require a huge amount of careful consideration, he said, "But the government is reaching out to ensure the framework is right."

He urged that international norms and processes be taken into consideration when making the law.

Rubaba Dowla, country managing director (Bangladesh, Nepal and Bhutan) of Oracle, stressed that the government aims to thrive in a knowledge-based economy.

"Knowledge means data: how we use, collect and store data is very important. Data in the 4IR is considered as currency," she said.

As Oracle is a data-based solutions provider, she said how the data was used was crucial to any discussion on the matter.

"We have seen over time how digitisation has progressed in Bangladesh, especially in the last 3-4 years.  We have seen unprecedented growth.

When we talk about online protection and freedom, these are vital for the growth of the digital economy," she said.

"But jurisprudence for data protection stems from right to privacy, data protection and privacy being recognised as fundamental rights."

Reiterating the importance of a data protection law, Dowla, however, stressed that implementing the laws won't do much.

"Most important is how we are doing it and who is accessing it

Do we keep data in the national borders or a public cloud? It is important to understand the security measures we have to ensure they are well protected."

She also pointed out how ICTs contribution to the GDP had grown, going from $25 million in 2008 to almost $2 billion in 2021.

She said IT and ITes services were set to reach over $4b in 2025. "But how can we do that if we provide barriers to such growth?"

She said a clear distinction must be made on which data was sensitive and which wasn't as many companies needed ready access to data.

Speaking at the event, Iftekharuzzaman of Transparency International Bangladesh said, "With the internet revolution, personal data has become a key engine for production and profitability for businesses and the most powerful and convenient tools in hands of the government to protect privacy and rights of protection of personal data."

He, however, said it can also provide huge flexibility in the hands of the government to control data and use it for surveillance and certain violations of human rights.

Saying there had been numerous discussions and recommendations on the draft laws, Zaman identified some areas of concern.

"I agree with my previous speakers. I am proud Bangladesh is moving towards Smart Bangladesh. One-hundred-sixty-five countries have such laws we are talking about. We definitely need these laws."

He, however, emphasised the need for context, reminding the audience of the ICT and DSA acts – both which were loudly panned as being draconian and vague.

"Since we went through two drafts [of the data protection act] we found that on one hand these drafts have created opportunities for the government to protect data.  

But there is evidence of huge risks created, which can put the right to privacy of individuals  at risk.

"There is a lack of clarity of many important concepts, particularly, about what is understood by personal data. If you look at global examples, there are specific categories. Our laws will also need such categorisation."

He said despite recommendations, even the third draft did not clarify this point.

"If you look at internationally credible laws, you will see more than a dozen identification of personal data and sensitive data. Without this, there will be a huge scope of abuse, misuse and misinterpretation and basis of violations of fundamental human rights, including freedom of expression and protection of private data."

He said the issue of data localisation was praise-worthy, but there were a few issues to address.

He said there was no clarity about what is understood by localisation, what are the implications and how it affects the rights of individuals in terms of handing over data to authority.

"Third, the authority that is created to ensure protection of data protection has to be an independent commission outside the government. The authority was providing the data to the digital security agency but we protested this. In the current draft, they don't call it a digital security agency but the authority is granted to another body under the government."

He said this was a great conflict of interest as it gave the state access to people's data which undermined their rights.

International Labour Organization's Country Director Tuomo Poutiainen said, "We have been seeing a tremendous increase in business in Bangladesh in recent years. Not only in garments sector, but many emerging sectors. We have also seen a big improvement and interest in supply chain management and how business is done."

He said supply chain management was becoming much more digitalised. "Establishing systems that are credible and based on trust and confidence are also important in today's global system."

He said the ILO promotes sensible regulation in the area, which "accommodates global business needs" and is in line "with good international practices in this area."

The proposed "Data Protection Act, 2022" can relieve all liability of authorities in accessing people's personal data both physically and remotely.

The proposed law states that it will have precedence over all existing laws thereby having an overriding effect on Bangladesh's Right to Information Act, 2009, a key instrument that protects people's right to information in the present time.

In the backdrop of vague and overbroad terminologies such as the protection of 'spirit of liberation war', 'sovereignty of state', 'friendly relations with foreign states', the government has reserved the right within the bill to issue any direction as it sees fit, the Amnesty International has said when the draft law was publicised.

"The Bill uses vague and overbroad provisions to enable and legitimise intrusive actions by authorities such as granting access to encrypted communication on personal devices physically or remotely," Amnesty International warned.

The government has maintained that the law will protect the interests of people and meet the burgeoning need for data protection; create an effective regulatory institution; ensure overall development of the information and communication technology (ICT) sector; and ensure protection of the personal data of individuals.