Bangladesh: Draft Data Protection Act 2022 - what you need to know
The Department of Information and Communication Technology released, on 16 July 2022, the draft Data Protection Act, 2022 [1] ('the Act'). The Act introduces consent requirements, data subject rights, data localisation requirements, and rules on cross-border data transfers, as well as a new independent agency to act as a data protection supervisory authority, called the Data Protection Office. In this Insight article, OneTrust DataGuidance spotlights what businesses should be aware of, and outlines the key provisions of the Act, with expert commentary and insights provided by Tanim Hussain Shawon, Partner at Dr Kamal Hossain & Associates, as assisted by Saraf Farhin Choudhury, Research Associate at Dr Kamal Hossain & Associates.
Scope and definitions
The Act sets out provisions on the processing of data to provide protection of data belonging to any person for the purpose of the overall development of the information and communication technology ('ICT') sector in Bangladesh. With regard to its scope, the Act applies to:
- any person collecting, processing, or using data in Bangladesh;
- any person outside Bangladesh, who collects, processes, uses, shares, or otherwise processes data relating to citizens of Bangladesh; or
- processing of data by a data controller or a data processor established outside Bangladesh, if such processing is in connection with any business carried on in Bangladesh, or any activity of offering goods or services to data subjects or which involves profiling of data subjects.
As such, the Act has extraterritorial application in certain circumstances. On the other hand, it does not apply to the processing of anonymised, encrypted, or pseudonymised data. Regarding the scope of application of the Act, Shawon observes, "The Act provides that in respect of certain data, the provisions of the Act will not be applicable. Such data includes data processed for the prevention or detection of crime, or for the purpose of investigations, or the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or any other imposition of a similar nature. The Act further provides that the Government may exempt the application of any provision to any data controller or class of data controller. The Act envisages fairness as one of the data protection principles, but these provisions are inconsistent with that principle".
Furthermore, the Act provides definitions for 'data processor' and 'data controller' that are consistent with their European counterparts: data controller means any entity who determines the purpose and means for the processing of data, or otherwise has control over or authorises the processing of the data. A processor, on the other hand, means any person who processes the data on behalf of the data controller, with the exclusion of employees of the data controller.
Additionally, 'data subject' means a person who is the subject of the data. The Act includes a comprehensive definition of 'data', which it defines as 'a representation of any information, knowledge, fact, concepts or instructions which are being prepared or have been prepared in a formalised manner and is intended to be processed, is being processed, or has been processed in a computer system or computer network, and may be in any form including computer printout, magnetic or optical storage media, punch cards, punched tapes or stored internally in the memory of the computer, and includes the personal data for that purpose: provided that, the anonymised, encrypted or pseudonymised data which is incapable of identifying any individual shall not be included within the purview of personal data'.
Moreover, sensitive data is defined as data or information of a data subject which consists of information relating to: financial or commercial data, health data, both physical or mental including medical records or information as to health of an individual, genetic data, biometric data, the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings, any other data as may be prescribed. With regard to the definition of sensitive data, Shawon considers that, "[it] is not exhaustive. The definition provides a list of data which will be regarded as sensitive data under the Act, but the definition also includes the expression 'any other data as may be prescribed'. This creates uncertainty as to what else would qualify as 'sensitive data' and be subject to the associated restrictions".
Data subject rights
Like many other privacy laws, the Act provides the data subject with various new rights with respect to their personal data, and extends such rights to foreign data subjects that reside in Bangladesh. More specifically, the Act grants data subjects the following rights:
- to access and rectify their data;
- to withdraw their consent to a given data processing;
- to erase their data;
- to prevent their data from being processed; and
- to data portability.
The Act specifies that the exercise of the abovementioned rights must be on the basis of a written request to the data controller containing information which demonstrates the identity of the requestor. The data controller must then acknowledge receipt of a request within a period of time as may be prescribed. The Act further provides that such period of time, the conditions for exercising these rights, and the procedure for compliance by a data controller are to be specified by implementing rules to the Act.
Personal data protection principles
Organisations falling under the scope of the Act will need to ensure that all processing of personal data is compliant with the data protection principles laid out under the same. More specifically, the Act sets out the following principles:
- data accuracy;
- storage limitation;
- security of data processing;
- transparency; and
- participation of the data subject, entailing the participation of the data subject in the collection, processing, holding or use of data, and that data cannot, without the consent of the data subject, be disclosed for any purpose other than the purpose of processing set at the time of collection of that data.
Obligations for data controllers
The Act introduces several requirements for data controllers. Among the key obligations companies will have to implement to be compliant with the Act, Shawon highlighted the following:
- Data audit: data controllers will have to audit the data processed in their organisation by an independent data auditor authorised for that purpose by the Director General of the Digital Security Agency ('the Director General').
- Data storage: companies will be required to store sensitive data, user created or generated data and classified data within Bangladesh territories.
- Ensuring data security: companies will be required to adopt appropriate security measures that are necessary to ensure data security.
- Notice regime: companies will be required to issue a written notice to the data subject prior to collection and processing of their data, and will need to provide them with information relating to the methods and purposes for the collection of data.
- Record-keeping: data controllers will be required to keep and maintain accurate and up-to-date records of any application, notice, request or any other information relating to data that has been or is being processed by them.
- Data breach notification: data controllers will be required to maintain a record of any data breaches comprising the facts relating to the data breach, its effects, and the remedial action taken. Moreover, in the event of a data breach, data controllers will have to notify the Director General without undue delay.
- Accountability/ensuring that data processing is conducted as per the provisions of the Act: data controllers will be required to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Act, and perform the processing of data taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
- Data Protection by Design: data controllers must implement policies and measures to ensure that the organisational and business practices and standard technical systems are designed in a manner to anticipate, identify and avoid harm to the data subject; the legitimate interests of its functions may be achieved without compromising privacy interests and the interest of the data subject is accounted for at every stage of processing of data; and the processing of data is carried out in a transparent manner.
Crucially, Shawon explained that a subset of the legal requirements mandated by the Act is likely to have a more substantial impact on covered entities. In particular, while listing these requirements, Shawon made reference to data localisation and stated, "under the Act, […], the businesses and service providers are required to store sensitive data, user created or generated data and classified data in Bangladesh only, and such data cannot be made available to the courts or law enforcing authorities in any other country. […] The data localisation provision makes the locally stored data susceptible to government interference. The Act gives the Government broad powers to collect data from any person on the ground of 'national security'. This may lead to arbitrary interference with personal data".
Notably, the Act complements the aforementioned provision with the following rule on cross-border data transfers, as Shawon explains, "the Bangladesh Government may declare a class of data as classified data. To transfer such data, prior approval from the Government will be required. The Act does not elaborate the procedure for seeking such approval. The procedure is to be prescribed by rules which are to be framed under the Act".
Chapter IX of the Act calls for a data protection office to be established 'soon after' its commencement. Structurally, the office will be under the direct control of the Digital Security Agency, with the Director General sitting as the head of the office. Its powers will be investigative, corrective, authorisation, and advisory in nature. Accordingly, this body has the power to receive and examine complaints by data subjects, to carry out investigations, to issue warnings and orders to data controllers and processors to implement corrective actions, and to impose fines on any entity that is found breaching the provisions of the Act. In particular, fines to individuals may extend to up to Taka 5 lac (approx. €4,845), and, for companies, to 5% of their total turnover of the preceding financial year.
Finally, aggrieved data subjects may launch an action against a responsible party where they suffer damage caused by a violation of any provision of the Act. In such case, they may submit a complaint to the Director General seeking compensation from the data controller or processor for such damage.
In conclusion, after illustrating the abovementioned key innovations introduced by the Act, Shawon explained that certain aspects of it would benefit from further clarification and, as such, currently constitute critical points of the current version of the Act. In particular, Shawon concluded by stating that "Several provisions of the Act provide that the procedures will be prescribed by the rules. For example, the functions of the data protection officer can be expanded in the rules, the procedure to keep the data protection register, the appeal procedure, and the notice regime among others would also be determined by the rules. This leads to a concern as to whether the rules to be framed would give rise to notice fatigue or not, or whether such procedural requirements would overburden the companies", and "The powers conferred on the regulatory authority are also wide and, in some cases, couched in vague language. As a result, private parties (both individuals and companies) may encounter arbitrary application of those provisions. Under the Act, the Government may allow immunity to any data controller or class of data controllers, which begs the question as to what parameters would be applied in granting such immunity".
Similarly, on the power of the Government to issue binding directions to the Director General, Shawon explained, "The provision relating to the issuance of directions in the interest of the sovereignty and integrity of Bangladesh, the security of the State, friendly relations with foreign States or public order are vague and not defined. The Government is given unfettered power".
Notwithstanding the abovementioned critical aspects of the Act in its current form, until it has formally come into force with notification by the Government of Bangladesh in the official Gazette, businesses still have time to evaluate its provisions and commence taking steps to ensure compliance. The Bill is still under consideration.
Francesco Saturnino, Privacy Analyst
Comments provided by:
Tanim Hussain Shawon, Partner, Dr Kamal Hossain & Associates, Dhaka
Saraf Farhin Choudhury, Research Associate, Dr Kamal Hossain & Associates, Dhaka
1. See: https://ictd.portal.gov.bd/sites/default/files/files/ictd.portal.gov.bd/page/6c9773a2_7556_4395_bbec_f132b9d819f0/Data%20Protection%20Bill%20en%20V13%20Unofficial%20Working%20Draft%2016.07.22.pdf