The Information and Communications Technology Division of the Ministry of Posts, Telecommunication, and Information Technology recently released the Bill. The Bill aims to address the long-awaited necessity to provide for supervision relating to the protection of an individual's data and its processing. The Bill, if enacted into law, will apply to the processing, collection, use, retention, and distribution of an individual's data within Bangladesh and outside Bangladesh if the data relates to a citizen of Bangladesh. It will also apply to the processing of any data by a data fiduciary or processor not located in Bangladesh if such processing is carried out for the purposes of any business conducted in Bangladesh or in connection with any activity related to the supply of goods or for business purposes related to the preparation of profiling of the data subject. However, the Bill shall not apply to the processing of anonymized, pseudonymized, or encrypted data.

The Bill outlines 10 principles of data protection that must be complied with by any person who collects, processes, holds, or uses data. The principles include that data should be collected and processed with the consent of the individual or entity it pertains to. Additionally, those responsible for collecting and processing the data must be held accountable for adhering to the laws and regulations of Bangladesh regarding data handling. Further, data must be collected and processed in a fair and reasonable manner with integrity so that no additional or unnecessary data is collected from individuals. Concerning retention, the Bill mandates that data should only be retained for as long as necessary and should be securely stored during that period. While retaining data, it is also required to ensure its quality. Prior to the collection and processing of data, the purpose for which such collections are undertaken must be disclosed to the individual. Furthermore, the Bill mandates that organizations under the scope of the Bill must take necessary protection measures after determining the level of risk and comply with all relevant bilateral and multilateral agreements in relation to data processing and transfer. These principles form a framework to follow when dealing with the collection, processing, and storage of data, with the goal of safeguarding privacy and ensuring the appropriate handling of data.

In addition to the above principles, the Bill further mandates that free, specific, and clear consent must be obtained from the data subject, and such consent would be capable of being withdrawn. The data controller shall bear the burden of proof that consent has been given by the data subject in accordance with the provisions of the law. Such consent would be obtained pursuant to a written notice issued to the data subject by the data controller. The Bill also suggests that rules will be formulated by the Government of Bangladesh detailing the procedure for obtaining such consent from the data subjects.

The Bill further aims to establish the right of the data subject or a person authorized by law to access their data and obtain necessary materials. The data subject, upon payment of the prescribed fee, as determined by law, can request the data controller for access to their data, which the data controller shall be bound to provide if the request is justified.

Chapter 4 of the Bill provides that the data subject has the right to modify, complete, or update data, including incorrect or misleading data, for the purpose of data processing. If the data is in an altered state and not in compliance with the intended purpose of the data subject, they have the right to provide evidence and request modification, completion, or deletion. If the data controller disagrees with the modification, completion, or update of the data, the entity responsible for the data shall inform the data subject in writing of the reasons for disagreement in accordance with the process defined by the rules to be formulated by the Government. In addition, the data controller shall be bound to delete or dispose of the relevant data of a data subject if the purpose for collecting the data is exhausted, the data subject has withdrawn their consent or primarily objected to the processing of data, or deletion is required by law. However, the right to erasure of a data subject is not absolute. In case the data processing is required for exercising the right of freedom of expression and information, compliance with a legal obligation, or for the performance of a task carried out in the public interest or for purposes relating to the public interest, the data subjects will not be entitled to exercise their right to erasure.

Moreover, the data controller shall, at all times, be bound to adhere to all the obligations outlined in the Bill and the rules to be formulated, ensuring the proper application of all procedures. Notably, the Bill necessitates the data controller to maintain transparency when implementing data processing practices. No data shall be disclosed for any other purpose other than the one for which the data had been collected, and to which the data subject had consented. The Bill further states that the Government may, through the introduction of rules, prescribe standards for providing protection against loss, misuse, modification, accidental, or unauthorized access, alteration, or erasure of data.

The data controller, when processing data, is required to consider factors such as the nature of data, potential damages resulting from data deletion, misuse, or alteration, factors likely to compromise data integrity, location or area of data storage, trustworthiness, and competence of persons having access to the data, etc. No data shall be retained for a period exceeding the period as prescribed by law for the purpose for which the data was processed. The Bill specifies that the data controller, upon knowledge of any breach of confidentiality, shall notify the Data Protection Board (the Board) within 72 hours.

However, the provisions of the Bill shall not apply if data is collected for the prevention or detection of crime, investigations, apprehension or prosecution of offenders, assessment or collection of any tax or duty, or any other imposition of a similar nature, or in relation to information of the physical or mental health of a data subject, or for preparing statistics, carrying out research, or data necessary for the purpose of or in connection with adjudication of a court, or for journalistic, literary, artistic, or academic purposes.

Additionally, the Government may, by notification published in the Official Gazette, exempt the application of any provision of the Bill to any data controller or class of data controller. The Government may further impose any terms or conditions as it deems fit in relation to the abovementioned exemptions.

Chapter 9 of the Bill provides for the establishment of the Board, empowering it to regulate and oversee data protection in the country, ensuring compliance with the stipulated rules and guidelines. The Board would be constituted by the Government, consisting of a chairman and four members. The Board shall have the authority to take actions and exercise necessary powers for the execution of the provisions of the Bill. These powers include conducting audits related to data protection, ordering data controllers or processors to supply necessary data, issuing orders for the collection of data, giving notices of alleged breaches, and accessing data under the control of data controllers or processors, etc.

The Board shall, with prior approval from the Government, formulate a Standard Operations Procedure concerning data collection, processing, storage, retention, use, etc.

The Board shall have the power to address complaints made by data subjects or any person who has reason to believe that any data controller, processor, or collector has violated the rights granted under the provisions or has acted in violation of the provisions thereof. The Board shall also have the authority to impose an administrative penalty against any person or entity (including foreign companies incorporated in Bangladesh) found to be in violation of any provisions of this Bill or rules.

The Bill marks a significant step forward in acknowledging the importance of safeguarding an individual's data in today's digitally driven world. While the enactment of a data protection law is a crucial step forward, its efficacy and impact are contingent on the timely development and implementation of complementary rules. Formulating the rules in the most constructive manner is vital to ensure a cohesive, robust, and effective data protection framework that genuinely safeguards an individual's privacy and promotes trust in this digital age.

Asif Hasan Associate
[email protected]
Alfaed Salahuddin Associate
[email protected]
Tanjib Alam and Associates, Bangladesh