While exploring the data protection and privacy law framework of Bangladesh, one will immediately spot a glaring gap which is not only frustrating but also raises economic and national security concerns in relation to the processing of its citizens' personal data. With the total number of internet users in Bangladesh reaching 54 million at the end of September 2015 - a figure that is predicted to increase by millions every year - it is time we took personal data protection seriously.
WHAT IS PERSONAL DATA? Personal data can be defined as the data that relates to a person, also known as a data subject, who is identifiable from that data or other information which is in the possession of the data holder. Personal data is classified as sensitive when it includes the ethnic or racial origin of the individual, opinions which are regarded to be political, religious or similar beliefs, sexual life, the commission or alleged commission of any offence or proceedings relating to offences. There are usually two types of data holders, namely i) data controllers, who determine the manner in which personal data is processed, and ii) data processors (who cannot be employees of the data controller), who process the data on behalf of the data controller.
THE RISK FACTOR: In order to understand the risks associated with the sharing of personal data online, it is important to fully grasp the principles behind its protection such as personal data is required to be processed in accordance with the rights of data subjects and it shall not be transferred to another country unless that country ensures an adequate level of protection. The principles were first formulated in the EU Data Protection Directive of 1995 which can be seen as equally valid for today's Bangladesh.
In the present digital world, personal information has a significant economic and social value. Without any protection, such information can be used in a manner in which people may be discriminated or feel violated about the disclosure of such data. Therefore, it is imperative to have legal protection in order to stop automatic processing of personal information.
THE TRILLION-DOLLAR QUESTION: It has been estimated that data processing will be worth a trillion euros in the EU by the year 2020. Many organisations that have identified the economic potential of being custodians of personal information are looking to countries with large populations and lax laws to gather information in ways that would be deemed illegal in countries that currently have data protection and privacy laws. Bangladesh being one of such countries needs to safeguard its citizens so that current and future generations are not economically exploited, taken advantage of by foreign companies or racially profiled, and do not have their privacy undermined by spying agencies and/or criminals.
Take this straightforward example: imagine a scenario where an individual (data subject) filled in an online application form with all her personal details. Intriguing as it may sound, this simple online act could have a number of major implications. Firstly, the internet service provider (party No. 1) of the data subject can divulge a host of information and capture any information sent through its services as well as session information, such as the URLs (web addresses) visited. Secondly, the website (party No. 2) where the application form is hosted will have access to the data as well as the organisation (party No. 3) that she has completed the form for. Thirdly, to complicate matters further, the data centre (party No. 4) on which her data is hosted may be based out of the country altogether. In such situations, without having proper protection in the form of national legislation in the country where the data subject is based, personal data becomes prone to exploitation by any of the parties in the chain of processing and controlling it. Indeed, it has been recognised that, many big companies have initiated and implemented spying and espionage programmes to ensure they maintain a country competitive advantage. Armed with biometric, location and financial data, countries and organisations could then develop algorithms to impose indiscriminate blocks on citizens of any particular country.
Hence, putting our blind trust in these parties to sensibly handle and store our data in view of the wave of data breaches hitting the headlines every day raises serious questions of integrity in relation to the controllers and processors of personal data.
WHAT'S GOING ON IN THE EU? Contrast this with the United Kingdom which has an effective data protection and privacy legal environment. In addition, the UK has a strong regulator, allowing its courts to recently rule that Google had used cookies to track people surfing the web using Apple's popular Safari browser without the consent of the users and contrary to promises Google had made in its privacy policy. The English court ruled that this activity was unlawful under English privacy law. Specifically, it found that Google had violated both the English Data Protection Act and committed the tort of "misuse of private information".
Moreover, Facebook, another giant data controller, has been sued by some 25,000 users for alleged violations of European privacy laws in a class action suit led by Austrian data protection campaigner Max Schrems, focusing on the way it collects and transfers data. The legal action also claimed that privacy laws are breached in the way the social media giant monitors users when they use the site's "like" buttons. It was brought against Facebook's European headquarters in Dublin, which registers accounts outside the US and Canada. Accordingly, the European Court of Justice held that the transfer of personal data from the EU to the US gives rise to a breach of privacy since the surveillance carried out by the US intelligence services is mass and indiscriminate.
Needless to mention, without any protection in place, Bangladesh may not be even aware of how seriously its citizens could be affected by such invasions.
CONCERNS OVER BANGLADESH: It is no surprise that we are witnessing a constant rise in hacking incidents of databases of governmental organisations in Bangladesh, making the whole situation of sharing personal data online even more distressing. In 2013, for instance, some unknown hackers breached Bangladesh Air Force's website and extracted the full database, which contained more than a million names, family members' names and e-mail addresses.
While Bangladesh is well protected by virtue of the Information & Communication Technology Act 2006 to bring proceedings against perpetrators of such intrusion and unauthorised access, what it fails to take into account is that these perpetrators carry out their operations anonymously and thus, in most cases, it is difficult to identify them. In other words, a preventive framework at the pre-breach level is simply non-existent. Consequently, the mere presence of legislation on post-breach offences will not in fact provide adequate protection given the anonymity of the offenders and the mass surveillance practices of big companies.
The only legislation that provides for the protection, albeit limited, of privacy in general terms is the Constitution of the People's Republic of Bangladesh. Article 43 of the Constitution provides: "Every citizen shall have the right, subject to any reasonable restrictions imposed by law in the interests of the security of the State, public order, public morality or public health - (a) to be secured in his home against entry, search and seizure; and (b) to the privacy of his correspondence and other means of communication".
In addition, there are two guidelines passed by Bangladesh Bank covering ICT (information and communications technology) security and outsourcing arrangements. These guidelines provide two layers of protection in the financial sector. Firstly, banking systems dealing with personal data must comply with certain standards in order for them to be fully sheltered. Secondly, as a safeguard to tampering with confidential financial information, a bank must obtain prior approval from the Bangladesh Bank when it hires a third party based outside of Bangladesh to hold and process its data.
It is worth noting that the neighbouring country, India, has already enacted specific data protection rules and a consolidated privacy bill is in the pipeline. Given India's high profile in the IT (information technology) industry worldwide, rules regarding data protection have led to an increase in investment by multinational data-based companies. Conversely, the lack of data protection and privacy laws has effectively been a restriction to this market for Bangladesh, although we have all the potential to become another influential South Asian player in the digital economy.
To conclude, Bangladesh needs to act promptly not only to protect its citizens' personal data from flowing into the hands of criminals and spying agencies both in and out of the country but also to be able to participate in the trillion-euro prospect of data business. Any law addressing data protection should clearly state the grounds for processing personal data, ensure data subjects' rights to access, delete and object to such data, develop a culture regarding the retention period of data, and establish a data protection authority. Bangladesh already has an Information Commission formed under the Right to Information Act 2009, which can be vested with data protection responsibilities. In any event, institutions dealing with personal data should be required to register with the Commission and give prior notification if there is a possibility that such data will be processed outside of Bangladesh.
