'Our data is valuable, and it is we who should have the power to take charge of it'

From 21 January to 27 January 2024, Data Privacy Week 2024 was celebrated in Bangladesh to empower people with the knowledge to protect their online presence. Tasnuva Shelley, CEO & Founder of Legalized Education Bangladesh Ltd and Head of Chambers at Justicia Legal Minds, was the main organiser of the event. The Business Standard recently caught up with her to talk about where the idea for the initiative originated, what it aimed to achieve, the state of data privacy in Bangladesh and more.

Please tell our readers a little about Data Privacy Week 2024 and how the initiative came to be

The first legally binding international treaty dealing with privacy and data protection was the signing of Convention 108 on 28 January 1981.  Its extension, Data Privacy Day, began in the USA and Canada in 2008, but it was not until last year that it was expanded to Data Privacy Week. 

California was the first state in the USA to have its own Privacy Act in January 2020, probably a week after I moved to the Bay Area, so obviously, it was a hot topic for everyone, and I became more and more fascinated by it.

Here is a scenario that I think many can relate to: Have you ever been surprised or shocked after using a search engine and then suddenly all the ads on the websites you visit are about the thing you searched for? Do you want marketers to have your phone number so they can call you constantly? 

Our data is valuable, and it is we who should have the power to take charge of it, not an online marketer! It is necessary now more than ever to empower individuals with the knowledge and tools required to protect their privacy in our increasingly digitally interconnected world. 

With the newly elected government's vision of Smart Bangladesh, this initiative came on right on time with the support of the relevant regulatory agency, academicians, legal experts, and the industry.

Data Privacy Week 2024, for the first time in Bangladesh, has been initiated to spread awareness about the importance of data privacy and cyber security by encouraging open discussions, sharing experiences, and building a network of privacy-conscious individuals, businesses, and society as a whole. 

My goal was simply to help citizens understand that they have the power to manage their data and to help organisations understand why it is important that they respect their users' data.

Why do you think data privacy is essential in Bangladesh's context?

Data privacy might seem abstract, but it couldn't be more personal, particularly in Bangladesh's context, where we are all striving to be smart! The fact is, we all generate lots of data every time we access the internet, which is almost all the time, including people of all ages. 

Our data is collected every day—our names, emails, home addresses, and mobile numbers are all pieces of data. When we use our computer, smartphone, and pretty much every other internet-connected device, we gather data, which might even include our wristwatch or even the Bluetooth device in the car!

While we can't control the fact that our data is collected, we can take charge of how and with whom we share data, which is why the theme "Take Control of Your Data" aligns with our goal to create awareness and share knowledge.

For example, a Google Maps app needs to know the current location to give us directions. Since personal data can be stored indefinitely, it can also be used to make inferences about our socioeconomic status, demographic information, and preferences. 

Even seemingly innocuous information, such as our favourite restaurants or items we purchase online, can be used to make assumptions about us and our habits. So many companies are taking advantage of this trade-off as an opportunity to monitor the data of their users and consumers, and they sell the data for profit. 

This is where knowing about data privacy and cybersecurity can help us make smart decisions and form smart habits.

The participation of the high government officials of the relevant ministry, industry stakeholders, academics, and legal experts during the official inauguration of Data Privacy Week 2024 in Bangladesh for the first time ever at the BCC Auditorium ICT Tower with 250+ attendees emphasised the importance of this..

What are your expectations from Data Privacy Week 2024?

Our online activity creates a treasure trove of data. This data ranges from our interests and purchases to our online behaviours, and it is collected by websites, apps, devices, services, and companies all around the globe. 

This data can even include information about our physical selves, like health data—think about how an app on our phone might count how many steps you take. 

It is indeed not possible to control how each little piece of data about you and/or your family is collected. However, we still have a right to data privacy, and we deserve to have a say in it and have the power to take charge of our data. This goal is aligned with the theme of Data Privacy Week 2024: Take control of your data.

Our data is valuable, and it is our expectation that this awareness will have a multiplier impact on the millions of people in our country. That is why the kick-off webinar was about "Understanding the Importance of Privacy Laws in Today's Digital Landscape," which set the ideal scene as Bangladesh has a highly debated draft personal data protection bill for 2023 while striking a balance by empowering individuals about data privacy and cyber security awareness. 

Using social platforms for good and promoting awareness by engaging with commuters from two of the busiest metro rail stations and interacting with video content for staying safe online were included during the week-long campaigns of Data Privacy Week 2024.

Could you elaborate on the key privacy laws relevant to individuals and organisations in Bangladesh? How have they evolved in recent years? 

By respecting our own data privacy, it is possible to safeguard personal information and prevent it from being misused, whether there is a comprehensive data protection law or not. 

I think it is also inaccurate to assert that a data privacy legal structure is completely absent and would refer to Article 43 of the Constitution of Bangladesh and upholding the right to privacy in key acts such as the Cyber Security Act, 2023 (former Digital Security Act, 2018), ICT Act, 2006, Right to Information Act, 2009, Bangladesh Telecommunication Act, 2001, Consumers' Right Protection Act, 2009, Copy Right Act, 2023, Bankers' Books Evidence Act 2021, Bank Company Act 1991, Code of Conduct for Banks and Non-Bank Financial Institutions—all these sectored legislation touches on cyber security, data protection, including data retention rules, and localisation requirements.

It shows how the laws have evolved, and though the draft Data Protection Bill 2023 has been proposed, it applies to residents and entities providing services in Bangladesh. It outlines obligations for data controllers, addresses data security, and includes provisions on data processing principles, rights of data subjects, penalties, and more. The power of the dedicated data protection authority has ignited widespread concerns among critics for its ambiguous definitions, lack of alignment with international privacy standards, potential government surveillance, and perceived threats to human rights and privacy.

What are the current challenges regarding data privacy in Bangladesh?

There are many challenges regarding data privacy, not just in Bangladesh but globally. I believe we can overcome this by learning the best practices that have worked in other countries and continuously monitoring new threats as technology is ever-changing and ever-evolving. 

However, the first steps are to promote awareness and educate by sharing knowledge. It is important to know that privacy means something very specific when it comes to our digital lives because it revolves around our right to protect our personal data. 

The sheer volume of data generated about us and our activities online is staggering, which is why data privacy needs to become a defining issue of our digital age. Even if we don't care very much, thousands of businesses across the globe are willing to pay a high price to learn about us, our behaviour, and our patterns through this data. 

Another challenge is that we have to understand the difference between Data privacy and cybersecurity and how they are interconnected. Data privacy revolves around rules, guidelines, and your personal choices about who has access to your data and how much access they have. Cybersecurity is focused on preventing and solving threats like hacking, malware, and online scams, which is, in fact, to keep your data safe, even from those who aren't cybercriminals, like websites and businesses.

Children and teenagers are also exposed to these risks, as many of them have access to their own devices due to the increase of online schools and learning platforms. The rise in online live gaming and cyberbullying is also a current and ongoing challenge for regulators, parents, and the community as a whole. That is why we had exclusive sessions for the students of Independent University and Jaago Foundation during the Data Privacy Week.

Currently, no uniform syllabus offers cyber law courses for lawyers or IT professionals at local universities. The concept of digital forensics is limited to very few, and there is no plan to develop the relevant skills required under the draft new bill to be "data controllers/officers,"  a mandatory position for every organisation once the bill is passed.

How can individuals empower themselves to take control of their online data?

First, let's understand that online data can be categorised in specific ways: (i) there is personal information like our name, birthdate, NID, and phone number, and (ii) there is also important information such as our medical records and credit card numbers.

Then, there is data about what you do online, like what websites you visit, what products you buy online, and who you communicate with on social media. This data can be extremely granular, like how many seconds you spend looking at a webpage before clicking on something else. Advertisers and other businesses prize this sort of data because they can better target ads and products towards you. 

But staying safe online is easier than we might think. I'm going to go over four key behaviours that are easy to adopt. With these habits, we can lock down our online accounts and keep our data very safe. 

The core four behaviours are:

Firstly, use multi-factor authentication whenever possible to secure accounts. This is when an account requires multiple pieces of information for you to log in, like a fingerprint or approving a log-in attempt on an app.

Secondly, use strong passwords and password managers. Protect each of your accounts with a strong password. A strong password is unique to the account, at least 12 characters long, and uses letters, numbers, and symbols. A password manager can help you create strong passwords and store them in an encrypted vault.

Thirdly, keep your software updated on all of your devices and computers. It's best to just turn on automatic updates so you don't have to check regularly. Updating your software ensures you have up-to-date protection. Remember that travel app you downloaded and used two years ago? Delete it!

Finally, Auditing your devices and apps is like securing your home. You might have a lot of devices connected to the internet that you aren't even aware of, including cars, toys, and appliances. Knowing what is connected to the internet and what the permissions are helps keep your entire household secure. 

Most likely, you're on some social media network—Facebook, Twitter, LinkedIn, Snapchat, TikTok, Reddit—and the list seems to grow every year, so please be careful with what you share. Protect your reputation on social networks. 

What you post online stays online. Think twice before posting pictures you wouldn't want your parents or future employers to see. Some recent research finds that 70% of job recruiters rejected candidates based on information they found online. 

This is true even for apps that supposedly auto-delete posts, like Snap or Instagram Stories because others can screenshot or screen-record your posts. Limit what you do on public Wi-Fi and avoid logging in to key accounts like email and banking.

What are your predictions for the future of data privacy in Bangladesh and globally?

Technology has taken over our lives, and it will continue to do so in the coming years in Bangladesh and globally. The risks and challenges will increase if we are not aware of or educated on how to deal with a privacy or cyber security breach.

Here is an example of a recent cyber breach timeline and analysis of one of the world's largest apparel, footwear, and accessories companies connecting people to the lifestyles, activities, and experiences they cherish most through a family of iconic outdoor, active, and workwear brands including Vans, The North Face, Timberland, and Dickies, and the current one with Gen Z Supreme.

So, on 13 December 2023: 

Breach occurs: Mandatory regulatory filing as required by the SEC as a listed company on the stock exchange.

The expert independent digital forensic analysis identified the breach as being deemed material to the operations but uncertain of the financial condition or results of the operation.

Shortly after on 15 December 2023: The threat actor ejected
: Mandatory regulatory filing as required by the SEC as a listed company on the stock exchange.

The expert independent digital forensic analysis identified the breach as not material to the financial condition or results of operations.

Impact of the Breach:

• Drop in stock price by 17% in 3 weeks
• The ability to fulfil orders was impacted;
• Cancellation by customers and consumers of some product orders; reduced demand on certain of its brands' e-commerce  sites 
• Delay of some wholesale shipments
• The personal data of millions of customers compromised

My prediction is that it can very well happen here in Bangladesh, and it is a good time to start having internal privacy and cyber security policy awareness trainings amongst all industries. 

Our exclusive session at BASIS for its members focused on this point. Leaning, sharing, and knowing about data privacy and cyber security can help us make smart decisions and form smart habits so that we can do our part to help stop cybercriminals by not just recognising and deleting phishing emails but also reporting them via email as well.

Especially if the phishing attempt involved your work email, reach out to your tech team. Remember, it is possible, and we will really be making a positive move towards a secured smart Bangladesh by developing us as privacy- and cyber-security-conscious smart citizens.