Bangladesh’s ongoing initiatives for a data protection law

- Tanim Hussain Shawon

Barrister; Advocate Supreme Court of Bangladesh
Partner, Dr. Kamal Hossain & Associates

Bangladesh has yet to enact a comprehensive data protection or privacy legislation with a
general scope. While the Bangladesh Telecommunication Regulatory Act 2001, the
Information and Communication Technology Act 2006 (“ICT Act”) and the Digital Security
Act 2018 (“DSA”) contain sporadic provisions on protection of personal data preserved in
an electronic form, the law to govern the data protection issues generally is still in the
process of being formulated.

Bangladesh strives to act as a member of the global community in terms of its commercial
activities and development in general. With the growing emphasis on a globally compatible
data protection and privacy regime as a precondition for business and cooperation on a
cross-border basis, it has become incumbent for Bangladesh, which is still categorized as an
emerging economy, to align its domestic data protection laws with the rest of the world.

The existing legal provisions on the protection of digital data not only fall far short of the
acceptable standard, they have also led to bitter controversy as a result of their selective
and distorted application. Although the intention behind enforcement of data protection
law should have been protection of private persons and date-subjects, the existing legal
provisions are being used mostly as a tool for achieving narrow political purposes.
Therefore, it is essential for Bangladesh to make a fundamental shift from the present
position to enacting a data protection law, which must have at its heart the interest and
protection of the ordinary and private persons.

In November 2020, a first draft of the Data Protection Act (“DPA”) was circulated by the
Government. The DPA has not yet been finalized, and various stake-holders have already
voiced concerns about certain aspects of the draft.

The DPA is proposed to have overriding effect over other laws and also extra-territorial
application. The DPA will apply to persons collecting, processing, using, sharing or
otherwise processing data within Bangladesh; if such data is related to any Bangladeshi
citizen, the application of the DPA may also extend outside Bangladesh. Similarly, if a data
processor or controller is not present within Bangladesh but the data processed by them is
in connection with business carried on in Bangladesh, the DPA may extend beyond the
territory of Bangladesh.

The DPA would require a data controller to issue notice to the data subject when the
controller first collects the data or uses the data for a purpose other than the purpose for
which the data was collected. Any data, including sensitive data, cannot be processed
without the consent of the data subject. Without prior consent of a parent, guardian or
relevant person having authority of making a decision, no data relating to a child can be
collected or processed. The DPA also provides a data subject with the right to erasure or
right to be forgotten. The data controller will have the obligation to erase data within a
prescribed period.

While the drafting team is said to have modeled the draft DPA after the General Data
Protection Regulation of the European Union (“GDPR”), there are various deviations from
the GDPR. The most concerning of such deviation is the Government’s wide power to grant
exemption to any data controller or class of data controllers, who may include any
Government entity, from any provision of the DPA.

Presence of a legal provision granting wide powers to the Government to carve-out

application of the data protection regulation in respect of a class of actors gives rise to
serious concern about the prospects of a fair and effective implementation of the law. Since
the experience thus far of enforcement of the ICT Act and the DSA is rather disappointing,
enactment of the DPA with wide arbitrary powers reserved for the Government may
frustrate the very purpose of the enactment. The stakeholders would expect the
Government and the legislature to ensure an effective harmonization of Bangladesh’s
ensuing data protection law with the relevant globally accepted standards.