Bangladesh's proposed data protection framework in light of global standards
A consolidated data protection framework is still in the formative stages, and no date for promulgation has yet been announced. However, the working draft of the DPA has already received criticism from journalists, international organisations and civil society
Data is arguably the most valuable commodity of the modern age. It is desired by organisations, corporations, and governments alike. As a result, the necessity for protecting people's data has never been so crucial.
Although many countries around the world have already promulgated and are actively implementing their data protection frameworks, Bangladesh is still at the drafting stage.
What follows is an assessment of several global data protection regimes, followed by an evaluation of the draft-stage Data Processing Agreement (DPA) in light of them.
Data protection regimes around the world
General Data Protection Regulation (GDPR) – European Union: Promulgated in May 2018, the GDPR is considered the standard bearer of data protection laws, and numerous countries take inspiration from it. It prescribes that everyone handling personal data must adhere to the following principles: transparency, lawfulness, integrity, confidentiality, accountability, accuracy and storage limitation.
In the GDPR, data is categorised into several types, such as physical data, physiological data, mental data, genetic data, economic data, social data and cultural data. Under this framework, personal data is defined as any data that can be used to identify an individual and it has been made mandatory to maintain processing records as evidence of compliance.
Furthermore, when organisations process personal data, the processing must rest on one of the following grounds: legitimate interest, legal obligation, public interest, contractual obligation, vital interest or explicit consent. Organisations must also appoint data protection-focused personnel to safeguard the rights and freedoms of individuals where data processing is large-scale, carry out regular data processing assessments, and maintain clarity about the data they collect and process.
Non-compliance can result in a fine of €20,000,000 or 4% of annual turnover.
Data Protection in the US: Data protection and privacy laws in the US are made at the state level. However, there is also the Privacy Law, 1974, which was enacted by the federal government.
A large number of states have already promulgated theirs, while the rest are still in the preparation stage. In this article, we focus particularly on the California Consumer Privacy Act (CCPA), which came into effect in January 2020. This law is designed to regulate for-profit companies that process data in large volumes, effectively covering entities with $25 million or more in gross revenue.
Consumers are granted several rights by this statute: the right to opt out through "do not sell my data", the right to know what kind of data has been collected and processed and for what purpose, the right to delete personal data, and the right not to be discriminated against for exercising these rights.
Businesses have an obligation to inform those affected in case of a data breach and Civil Courts can offer remedies for those who are victims of the breaches.
Under the CCPA, the California Attorney General's office must be informed if a data breach affects more than 500 citizens of California, and it can subsequently impose fines of up to $2,500 per violation for unintentional breaches and $7,500 per violation for intentional breaches of the law. This statute applies to those who buy, receive or sell the data of 50,000 or more Californians.
Data Protection Legal Framework in Brazil: Known in Portuguese as the Lei Geral de Proteção de Dados (LGPD), Brazil's data protection framework is based on the GDPR. Prior to the commencement of this law, nearly 40 regulations and directives oversaw data protection in Brazil. Effectuated in September 2020, this Act established the National Data Protection Agency.
Any entity or individual is subject to this law if they process personal data within the physical jurisdiction of Brazil, process the data of people living in Brazil, or collect data from people who were in Brazil at the time of processing.
However, LGPD is not applicable to those who process data for non-commercial purposes. Under this Act, data processing entities must obtain clear and transparent consent from the subjects. The data collecting/processing entities must maintain a record of their activities for inspection by relevant government agencies. The penalty for non-compliance can be up to $9 million for every case of breach or 2% of annual turnover.
Bangladesh Data Protection Bill
Aside from bits and pieces from the DSA, ICT Act, and Telecommunications Act, as well as Article 43 of the Constitution, to this day, there is no comprehensive data protection regime in Bangladesh.
However, a consolidated data protection framework is currently in the works. It is still in the formative stages, and no date for promulgation has yet been announced. The working draft of the DPA has nevertheless already received criticism from journalists, international organisations and civil society.
The DPA's provisions broadly cover remedies for unlawful processing of data; a framework for the processing, collection, storage, transfer and destruction of data; the rights and obligations of data subjects, data processors and data collectors; a statutory definition of the data that will be localised; the appointment of data protection officers; the establishment of a Data Protection Office and its subsequent powers and functions; and the method and procedure for filing complaints.
The draft legislation's ambit is rather ambiguous. It appears to be applicable both inside and outside of Bangladesh for anyone possessing data of Bangladeshis, including but not limited to foreign companies operating in Bangladesh. Transfer of data outside of Bangladesh is not prohibited, but a copy must be maintained within Bangladesh. However, it may be difficult for foreign businesses to overcome these local hurdles.
Additionally, the DPA fails to specify the size of company and the volume of data that will fall within its ambit. Because of this uncertainty, it will be difficult for SMEs to comply. Many businesses would have to overhaul their infrastructure to accommodate the provisions of this law, such as the storage of data within Bangladesh, which may be financially impractical.
According to Transparency International, the enactment of the DPA is a step towards establishing bureaucratic control over personal data.
They further pointed out the lack of definition of "personal data" in the DPA and that investigative powers have been granted to the police, which needs to be revoked as it creates a conflict of interest. The formation of an independent agency or empowering the Data Protection Office is suggested instead of granting said power to the Digital Security Agency.
Wasif Jamal Khan is a Legal Counsel at BRAC International and the co-founder of the Bangladesh Forum for Legal & Humanitarian Affairs (BFLHA)
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.