The problem with Bangladesh’s data protection framework and its solutions

Privacy protection is a human right under Bangladesh's legal system as it acceded to a key human rights treaty ‒ the International Covenant on Civil and Political Rights (ICCPR) unconditionally in 2000. 

Nevertheless, Bangladesh's data protection regulatory framework is incommensurate with contemporary data protection challenges. However, it can be solved.

First, the inability to protect data frustrates the purpose of the right ‒ to protect natural persons from all sorts of privacy harms. The unauthorised use of data leads to privacy harms that adversely affect individuals and society.

For example, at an individual level, evidence shows that data compromise led to physical, economic, reputational and related harms. It makes individuals vulnerable to targeted discrimination, and limited autonomy on informational self-determination. At the state level, it results in criminal and unethical activities resulting in unnecessary costs related to cybercrimes and damages to the country's integrity and also creates distrust in e-services.

Second, the existing laws of Bangladesh failed to set norms to protect against the unauthorised use of personal data. Countless privacy violations that were evidenced previously, and occur daily in Bangladesh support this claim. 

To illustrate, let me mention a few examples. The Turkish hackers hacked the Bangladesh Air Force website, which compromised 19 administrator identities in 2013. Again, Facebook compromised three million Bangladeshi citizens' data in 2022.

In addition, leakage of several high profile telephone conversations in the recent past has revealed identities of the accused, rape victims, accident victims and suicide victims indiscriminately. Then the case of a UNO (Upazila nirbahi officer) in the Jhenaidah district seizing mobile phones to read personal messages are also noteworthy examples. 

Third, recent incidents concerning policy framing depict that despite having some policies, Bangladesh is reluctant to move forward. The government adopted an extensive national information and communication technology policy in 2018, in which it recognised taking actions to protect personal data as an aspect of achieving digital security. Nevertheless, the government missed the opportunity to enhance certain aspects of personal data protection in its Data Security Rules adopted in 2020.

Fourth, the citizens are not aware of their privacy risks and rights. Therefore, they often, unknowingly, compromise their data.

For instance, sharing photos and other personal contents indiscriminately online on social media, unchecked deployment of video cameras and microphones in our surroundings by anyone and tolerance of various forms of surveillance are some of examples of being unaware of privacy risks.

Last but not the least, Bangladesh is not learning from different countries, which have already learned their lesson in the hard way. According to the 12th International Conference on Business Information Security, Bangladesh is among the 19% of countries that do not have specific privacy policies.

To demonstrate, in response to a national security threat in the United States, the Trump administration banned the Chinese mobile application TikTok in 2020. Again, Cambridge Analytica, a political consulting firm responsible for compromising 87 million Facebook users' data, misused voters' data to manipulate voters through targeted advertisements during Brexit and multiple presidential elections in the United States.

Later on, privacy proponents identified these incidents as the misuse of personal data due to the lack of a strong data protection framework. Now, several states of the US provide a medium level of protection. Additionally, being influenced by the European Union data protection laws, the United Kingdom provides among the highest-level protections in the world. 

However, the situation in Bangladesh did not change much. 

Private entities like some of the large e-commerce and ride-sharing companies collect customers' personal information (e.g. name, address, phone number, email address, national identification number, picture, signature, biometric information, location data, etc) and can process it at will. In addition to that, the mobile network operators collect and process customers' uniquely identifiable biometric data e.g. fingerprints.

No one knows whether they transfer those data to their base countries like Norway, Malaysia, Netherlands, India or elsewhere to data centres and how - or if - they exploit it. Public entities like the election commission, department of immigration and passport also hold records and process biometric data like fingerprints and iris scans of individuals when citizens register NIDs and passports. No one really knows how protection of these valuable data is being ensured; and what are the vast (and legal) implications of breach and misuse.

Bangladesh has many options to act upon. 

First, the legislature can include a separate right to personal data protection, or general privacy right under the constitution and thus enforce it like other fundamental rights under Articles 44 and 102 of the Constitution. 

Second, the legislature could enact an exclusive law regulating personal data protection norms that protects privacy harms.

Third, the judicial organ can enhance the existing constitutional protection related to privacy to cover data protection right by its ruling. Articles 32 and 43 of the Bangladesh Constitution incorporate privacy provisions that can be extended to cover the right. At least, India did the same. 

Fourth, the judiciary can restrict the application of privacy-violating laws and outline privacy-friendly doctrines. Such provisions include Section (Sec.) 5 of the Telegraph Act 1885, which authorises the government to possess licensed telegraphs and intercept messages. Sec. 96 of the Bangladesh Telecommunications Act 2001‒ empowers the government to take over any communications system, and force the network operator companies to comply with it. 

Moreover, the draconian misuse of Sec. 57 of the Information and Communication Technology Act 2006 is evidenced throughout the country. Again, Sec. 41 of the Digital Security Act 2018 allows law enforcement agencies to possess any computer systems and online traffic data without any prior warrant.

And finally, to reiterate, it is incredibly vital for the public to understand and be aware of data privacy rights, limitations and risks. The relevant stakeholders must take initiatives to build awareness among people and establish data protection behaviour. 

If not addressed early, it can yield a risk to national security.

Kamrul Faisal is a doctoral researcher at the University of Helsinki, Faculty of Law. 

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.