In the global information economy, personal data have become the fuel driving much of the current online activity. Every day, vast amounts of information are transmitted, stored and collected across the globe, enabled by massive improvements in computing and communication power. With new technological developments in recent decades, particularly in information and communication technologies, the protection of personal data has been increasingly challenged. In response to these difficulties, there has been a wave of data protection laws in different parts of the world since the 1980s, which have attempted to safeguard the personal data of individuals.
According to the UNCTAD report on Data Protection Regulations 2016, the number of countries with data protection legislation has grown rapidly in recent years, now reaching a combined 108 countries with either comprehensive data protection laws or partial data protection laws. However, this still leaves nearly 30 percent of countries with no laws in place and, unfortunately, Bangladesh stands second in the list.
While exploring the data protection and privacy law framework of Bangladesh, one will immediately spot a notable gap which is not only frustrating but also raises economic and national security concerns in relation to the processing of its citizens’ personal data. With the total number of internet users in Bangladesh reaching 89 million at the end of July 2018 according to BTRC – a figure that is predicted to increase by millions every year – it is time we took personal data protection seriously.
Take this straightforward example: imagine a scenario where an individual (data subject) filled in an online application form with all her personal details. Intriguing as it may sound, this simple online act could have a number of major implications. Firstly, the internet service provider (1st party) of the data subject can divulge a host of information and capture any information sent through its services. Secondly, the website (2nd party) where the application form is hosted will have access to the data, as will the organization (3rd party) that she has completed the form for. Thirdly, to complicate matters further, the data center (4th party) on which her data is hosted may be based out of the country altogether. In such situations, without proper protection in the form of national legislation in the country where the data subject is based, personal data becomes prone to exploitation by any of the parties in the chain of processing and controlling it. Indeed, it has been recognized that many big data companies have initiated and implemented spying and espionage programs to ensure they maintain a country's competitive advantage.
It is no surprise that we are witnessing a constant rise in hacking incidents against the databases of governmental organizations in Bangladesh, making the whole situation of sharing personal data online even more distressing. In 2013, for instance, some unknown hackers breached Bangladesh Air Force’s website and extracted the full database.
While Bangladesh is well protected by virtue of the Information and Communication Technology (ICT) Act of 2006 to bring proceedings against perpetrators of such intrusion and unauthorized access, what it fails to take into account is that these perpetrators carry out their operations anonymously and thus, in most cases, it is difficult to identify them. In other words, a preventive framework at the pre-breach level is simply non-existent. The mere presence of legislation on post-breach offenses will not, in fact, provide adequate protection given the anonymity of the offender and the mass surveillance practices of big companies.
It is worth noting that the neighboring country, India, has already enacted specific data protection rules and a consolidated privacy bill is already in the pipeline. Given India’s high profile in the IT industry worldwide, rules regarding data protection have led to an increase in investment by multinational data companies. Meanwhile, the lack of data protection and privacy laws has effectively restricted Bangladesh's access to this market, although we have all the potential to become another influential South Asian player in the digital economy.
What’s in it for Bangladesh?
Bangladesh needs to act promptly not only to protect its citizens’ personal data from flowing into the hands of criminals and spying agencies both in and out of the country but also to be able to participate in the data business estimated to be worth a trillion Euros by the year 2020. Any law addressing data protection should clearly state the grounds for processing personal data, ensure data subjects’ rights to access, delete and object to such data, develop a culture regarding the retention period of data, and establish a data protection authority. Bangladesh already has an Information Commission formed under the Right to Information Act of 2009, which can be vested with data protection responsibilities. In any event, institutions dealing with personal data should be required to register with the Commission and give prior notification if there is a possibility that such data will be processed outside of Bangladesh.
Bangladesh is on the verge of major threats to privacy and personal data leakage, and evidence of this surfaces from time to time. Very often, we see upsetting news in the national dailies regarding privacy infringement and personal data loss from medical records, banks, educational institutions, Bkash outlets, spa centers, hotels, shops and so on. It may appear that Bangladesh is well protected by virtue of the ICT Act of 2006 to bring proceedings against perpetrators of such intrusion and unauthorized access. In reality, while the ICT Act has its merits in some respects, it also has several loopholes; e.g., it fails to take into account all heinous incidents, as perpetrators carry out their operations anonymously and, in most cases, the culprit cannot be identified. In other words, a preventive framework at the pre-breach level is simply non-existent. Indeed, the mere presence of legislation on post-breach offenses will not provide adequate protection. Thus, it is a demand of the day that Bangladesh should have a data protection law to curb future challenges of protecting citizens’ privacy.