Keeping our data safe – The existing laws of Bangladesh are not adequate

In this digital era, businesses are more data-driven than ever before. The massive use of digital platforms has thrown data protection laws into the global spotlight. It has now become inevitable for businesses to implement strong data protection and cyber security measures. This does not only apply to online businesses, but also to other set-ups that receive personal data.

As per Article 43(b) of the Constitution of the People’s Republic of Bangladesh, every citizen shall have the right to the privacy of his correspondence and other means of communication. This provision is included in the chapter of fundamental rights.

But, until the enactment of the Digital Security Act 2018, there was no legal protection available in Bangladesh for any infringement of personal data except the constitution. For the first time in Bangladesh, this act provided protection of identity information.

Section 26 of the act defines crimes relating to collecting and using identity information. Under Section 26(1), any unauthorized use, ie collection, selling, taking possession, and supplying or using anyone’s identity information has been defined as an offense. Under the act, for any crime relating to identity information, imprisonment for a term not exceeding five years or a fine not exceeding Tk5 lakhs, or both, has been prescribed.

For repeated offenses, the punishment can be increased to seven years of imprisonment or a fine not exceeding Tk10 lakhs, or both.

For the purpose of this act, identity information has been defined as “any external, biological, or physical information or any other information which singly or jointly can identify a person or a system, his/her name, address, date of birth, mother’s name, father’s name, signature, national identity, birth and death registration number, fingerprint, passport number, bank account number, driver’s license, E-TIN number, electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security-related questions or any other identification.”

When Bangladesh started to work on data privacy laws, the EU and the US already had long-standing stances on the issue. The German region of Hesse was the pioneer in passing the first law of data protection in 1970. In 1973, Sweden passed its first Data Protection Statute.

In 1981, the Council of European Convention established standards among member states to ensure free flow of information among them, without infringing personal privacy. In the UK, the First Data Protection Act was enacted in 1984.

Our neighbour India also recently prepared a draft of the legislation on data protection, titled Personal Data Protection Bill, 2018. Besides this, the UK, the US, Brazil, South Africa, South Korea, India, and many other countries explicitly protect privacy in their constitutions.

General Data Protection Regulation (GDPR) by the EU came into force on May 25, 2018. This regulation has taken the EU countries into a new era of personal data protection.

So far, this is the most advanced and relevant legislation in this regard. After four years of lengthy negotiations, this regulation was adopted by both the European Parliament and the European Council in April 2016.

GDPR contains 99 articles providing greater protection to EU citizens by harmonizing data privacy laws across Europe. It regulates the processing of personal data of individuals in the EU by an individual, company, or organization.

Any person from any part of the world who deals with even one EU member state’s citizen comes under the purview of GDPR. The “personal data” has been defined by the European Commission as “any information relating to an individual, whether it relates to his or her private, professional, or public life.”

GDPR provides EU citizens with a set of rights, including the right to access and deletion of personal information. They will have access to information regarding the usage of such data and regarding any access to such data by a third party.

Under GDPR, a consumer or user must give his informed consent regarding the use of his data. And this consent has to be specific, not general consent. Users have the right to request the controllers to erase their personal data permanently under some circumstances.

The European Court of Justice in the case of Google Spain and Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ c-131/121 (WP 225) upheld this right for the first time. Under GDPR, companies which control personal data are obligated to notify the users about any data breach within 72 hours.

GDPR imposes a hefty fine on companies which breach the rules. The maximum fine for a GDPR violation is 20 million euros, or 4% of a company’s annual global revenue from the year before, whichever is higher.

In today’s world of information and technology, personal data protection is a very important area. A draft rule has been formulated under Digital Security Act 2018, which has been prepared in the light of GDPR, but has not been finalized yet.

There are many important aspects of personal data protection, like classifying data, identifying the jurisdiction, processing personal data, setting up a separate regulatory body, creating different kinds of offenses and penalties, guidelines for business entities which store personal data, right to access, right of deletion, right to be forgotten, etc, which are not covered by the existing laws of Bangladesh.

It is not possible to cover this vast area in one section of a statute. Therefore, following the footsteps of the EU and other countries of the world, it is high time Bangladesh considered a separate comprehensive statute for data privacy and data protection.

Miti Sanjana is an Advocate of the Supreme Court of Bangladesh and a partner of LEGAL COUNSEL. Contact her at sanjana@legalcounselbd.com