The proposed ‘Data Protection Act, DPA 2022’ has raised serious human rights and business-related concerns at home and abroad. Classification of data is poorly defined in the DPA. It seriously lacks international standards for the definition of privacy and does not mandate that privacy-related data fields be removed from telecom voice and data call data records, broadband internet packets, intercepting sources, financial sources and smartphone app crowdsourcing data.
The United Nations has shared 10 observations and objections regarding potential human rights violations. Amnesty International said the legislation would put individuals’ privacy at risk. The law, if passed, would allow for deep government surveillance and interference with individuals’ privacy rights, and would increase the space for abuse of power. Instead of providing adequate protections for sensitive personal information, as the European General Data Protection Regulation (GDPR) does, the act has been arranged for serious government intrusion. TIB and local experts also say the act will protect the interests of the government and not the citizens.
The expansion of the digital economy raises legitimate concerns about data privacy that governments need to address. Yet, blanket restrictions on information flows, coupled with vague enforcement provisions, are unlikely to buttress consumer protections; and they may instead erode human rights. The Atlantic Council fears that governments can suppress opposition through digital surveillance under the guise of data governance.
UN objection monitoring and advice
Objecting to the definition of ‘sensitive data’, the UN said that the definition of sensitive data in the draft law is quite limited. Disclosure of information relating to race or color, political opinion, trade association membership, religious or other beliefs, sex life, sexual orientation is excluded from the definition of ‘sensitive data’. The draft law contains no definition of personal data. The principles of data protection stated in the fifth article of the draft law are not enough. The UN gave the example of ‘Convention 180 Plus’ on personal data. According to Articles 42 and 43 of the draft law, localization of data would create serious risks of surveillance and human rights violations. A Director General can direct the provision of data on companies, which would allow law enforcement agencies open access to any private data. Section 33 of the Act empowers the government to exempt law enforcement and intelligence agencies from the application of the Act, which may include surveillance of data centers and servers in Bangladesh. Private and public companies may be pressured to disclose confidential information, which may undermine democratic governance.
Corporate executives who remain non-compliant can be held personally accountable under this framework. According to the UN, while administrative fines for data privacy violations are reasonable, the proposal to impose criminal liability is not consistent with the principles of criminal law or international standards. The UN said the purpose of this legislation should be data protection, not regulation. The UN is also concerned about the collection, use and retention of data on Bangladeshis residing abroad and recommends withdrawing the data localization obligations.
No data structure is complete without independent authorities, the UN said. Without sovereign authority and abuse auditing mechanisms, even the best laws in the world would be meaningless. Bangladesh should ensure a DPA that does not conflict with Bangladesh’s Right to Information Act and the Universal Declaration of Human Rights.
Advantages and disadvantages of data localization
‘Data’ is the ‘new gold’ in today’s world. Today’s digital marketing, product designs, service definitions, digital trade and commerce, artificial intelligence, and virtual and augmented reality application development and deployment are all based on big data mining. If properly designed, data localization might serve local economic interests. However, for data giants (Google, Facebook, YouTube, Amazon, Microsoft, OpenAI and crowdsourcing companies), backup storage and disaster recovery are as important as data access. Moreover, to serve users in less time, they divide data centers into geo-locations and then deploy their servers in different countries, keeping copies of the same data in different locations. This serves as a sourcing backup and also as a disaster recovery backup in case of technical problems. As a result, a country can create conditions for the establishment of a sufficient number of data centers within its national borders for job creation and investment flows, but technically cannot dictate that all data be localized within its borders.
US Ambassador to Dhaka Mr. Peter Haas has expressed concern that if the DPA is passed with the condition of strict adherence to data localization requirements, some American companies currently operating in Bangladesh may be forced to leave the Bangladeshi market. The ambassador said over 2,000 startups may have to go out of business if forced to localize.
Clearly, online freedom and business investment are both linked to the data protection legal framework.
What is really happening with datacenters in Bangladesh?
Almost all data centers in Bangladesh are built and maintained by foreign contractors and engineers. Even the country’s central bank’s SWIFT software, commercial banking software, driving license system and income tax digitization projects are mainly maintained or troubleshot by foreign engineers. The National Identity Card scheme is the only nationally managed one. If foreigners and law enforcement agencies all have open access to sensitive private data or access to data centers, then the discussion of data center location, inside or outside the country, becomes vague. The Digital Security Act (DSA), too, was orchestrated to protect the government; there is nothing in it for the personal, financial and social protection of citizens.
Android and Apple apps source sensitive user information by flouting terms and conditions. Almost all personal data is available in telecom CDR. If personal data is not isolated and removed from public sourcing, it will remain subject to potential misuse. Localization of data under non-abuse conditions is helpful for the business development of the country. But in a country where there is no electoral system, democracy, good governance and accountability, abuse and impunity for abuse are the main danger.
A detailed definition of sensitive data classification, data handover scopes, and sales and marketing scope for traders, corporates and government agencies is needed. There must not be any impunity for state forces in the question of invasion of personal privacy. In matters of state security, law enforcement agencies will receive special confidential information only with the permission of the court in pending matters, and even there, a third-party witness has to be ensured. Otherwise, with free access to sensitive data, the law and order forces will make the country’s digital arena a toxic breeding ground for citizen harassment, oppression of the political opposition, and suppression of freedom of expression in the name of state interest.