With people riding the bandwagon of the so-called Fourth Industrial Revolution or 4FIR, life and livelihood are becoming more and more reliant on digital technology these days. Data or information act as fuel to keep the wheel of digital technology running. Over the past years, enormous amounts of data have been generated and stored in the digital sphere at an unprecedented rate. In 2020, however, the volume of data produced and replicated hit a new high, thanks to the COVID-19 pandemic, as more people worked and learned from home and used home entertainment options more often.
Tech companies harnessing disruptive technologies like Artificial Intelligence, Internet of Things and Big Data often mine and process astonishing amounts of user data on different grounds. The 2018 Cambridge Analytica data scandal lays bare that tech behemoths gathering and harvesting user data potentially have the prowess to preserve more personal data of a country's citizens than their own government. The scandal brought the data protection issue to the fore, making the need for data protection regimes all too crucial. Needless to say, for delivering various services, unfettered access to citizen data is indispensable. But then, the likelihood of data breach stemming from unhindered access and associated security risks cannot be played down.
As more and more social and economic activities in Bangladesh are being carried out online with the resounding success in digitalisation, concerns over the collection, use and sharing of personal information to third parties without the notice or consent of consumers have equally grown in lockstep. Experts have long stressed the need for legislation in this area. Accordingly, the ICT Division has recently finalised the draft of the data protection law, which is certainly a step in the right direction.
The United Nations Conference on Trade and Development's (UNCTAD) tracker data reveals that 137 out of 194 countries have put in place legislation to secure the protection of data and privacy. Given the fact that Bangladesh is one of the countries with no personal data protection law, the initiative to finalise the draft and prepare it for clearance from the cabinet is indeed laudable.
The absence or vagueness of definitions of some terms in the draft, as legal experts pointed out, still remains an area of major concern.
Generally, data protection laws govern the processing and handling of personal information. According to ministry insiders, this law will attend to three broad aspects—it will pave the way to act against service providers, essentially meet the demand for a law on data protection, and facilitate the protection of people's privacy. Nonetheless, the draft bill is being closely scrutinised and its pros and cons are being thoroughly discussed by conscious citizens.
Perhaps one of the most significant features of the draft is that it formally recognises the average citizen's right to know what personal information about them is being collected and how the data will be used and stored.
The provision exempting some agencies from having to comply, however, sticks out like a sore thumb. This is because such a provision is against the spirit of Article 27 of our constitution which mandates all the citizens are equal before the law.
Again, it includes a hefty fine that can go up to Tk 1 million for unauthorised accumulation, processing, distribution, illegal sale or transfer of "sensitive" personal data, such as passphrases, biometric information, genetic information, religious and political ideals etc, to third parties. Undoubtedly, this part can act as an effective deterrent to personal data breaching if enforced properly.
While the bill stipulates citizens' right to know when and how their data is being collected, and for what purpose — it will not be relevant when agencies collect individual data for the prevention and exposure of any offence, any investigation, or for "national security". In absence of definitions explaining the context in which such an exception will be effective, one may find this section to be a fly in the ointment.
The new draft regulation intends to put service providers on the dock for the online activity of their users. Simply put, instead of prosecuting end users, it enables responsible agencies to hold publishers, tech companies and social media or microblogging platforms liable. In a recent policy brief, the Internet Society voiced concerns over the broad scope of content takedown and disproportionate measures of cancellation, suspension or revocation of registration of companies laid out in the draft. They fear such provisions will prompt service providers or intermediaries to opt for automated systems, which are notorious for their inability to meaningfully tell right from wrong. Doing so runs the risk of a broad swath of global knowledge being blocked by automated filters and inaccessible to internet users in Bangladesh.
Besides, provisions of a sweeping ban and the cancellation of registration will not only stymie the growth of the local IT industry but will also act as a powerful deterrent for non-resident companies to enter the Bangladesh market and offer services to its consumers. This will lead to a retrogressive situation, which in no way goes with the current investment-friendly and tech-savvy incumbent.
Overall, there is definitely a lot of merit in formulating data protection laws. Officials claim that the law is for citizens' data to be stored in the periphery of the country, and making foreign companies comply with it. These are all well and good, but the underlying concerns about the scope of misusing and misinterpreting the law cannot be glossed over.
Countries like the UK, Canada, Australia and those in the European Union, alongside many others across the globe, had framed such laws, keeping pace with the growing importance of the virtual world in one's personal life, predominantly to make people safe in the digital space and safeguard the privacy of people's personal data. They follow the doctrine of consent that makes it very clear that consent in terms of personal data must be informed, unambiguous and conditional, which Bangladesh can follow suit.
It must not forget that the personal data of any individual is like personal property that cannot be misused by any private or public entities. Therefore, legal experts, right bodies, advocacy groups and IT professionals have called on the government to pay heed to the concerns of stakeholders and put more flesh on the draft if necessary to make a streamlined, timely and pro-people law before giving it the greenlight.