Is the Data Protection Act an extension of DSA?
Over the past several months, efforts have been afoot to frame a data protection law in Bangladesh. Senior functionaries of the state justify that the proposed law has become a necessity in a country that has more than 130 million internet users and at least 2,000 internet-based services. The law will protect the interests of these people, they posit. The ostensible purposes for framing the law are to: (a) meet the burgeoning need for data protection; (b) create an effective regulatory institution in this regard; (c) ensure overall development of the information and communication technology (ICT) sector; and (d) ensure protection of the personal data of individuals. While there is a general agreement about the need for such legislation, concerns have been expressed, nationally and internationally, about the adverse impacts of the law on citizens' fundamental freedoms. Despite the concerned agency's initiatives to make the draft law available on its website and organise stakeholder discussions, there is widespread scepticism about what the final text would contain.
Commentators, rights activists, citizen and netizen groups, associations of editors and journalists across the ideological divide, and e-commerce and business leaders have all voiced their opposition to the proposed law, pointing out the authorities' reluctance to accommodate the views of stakeholders, vagueness of the provisions, unbridled authority and concomitant immunity accorded to the regulators, lack of judicial oversight, and the draconian penalties that the law imposes on potential "violators," among other issues.
Frustration was palpable as the two revised drafts largely ignored the stakeholders' input and recommendations. Assurances from senior ministers that their genuine concerns would be addressed in the final bill appear to have failed to assuage their anxiety. Some candidly noted the hollowness of similar assurances in case of the Digital Security Act, 2018 (DSA). One can surmise that the DSA's debilitating impact on freedoms of expression and the press and the state's failure to rescind or even amend the most contentious provisions of the law (despite overwhelming evidence of its abuse) have triggered this apprehension of misapplication of the Data Protection Act (DPA). They point out that the gaps that exist in the DSA are also present in the draft DPA, further arguing the point that Bangladesh's standing in the Press Freedom Index has continued to drop after the framing of the DSA.
In trying to unravel the reason behind framing the DPA, some analysts argue that growing national and international criticisms of DSA's misapplication has prompted the authorities to craft new tools. It is for this reason that the DPA bears some of the hallmarks of the DSA. Foremost among those are the reiteration of "sensitive" terms such as "public order," "Bangladesh's sovereignty and integrity," "state security," "friendly relations with foreign states," and the like. Quite like the DSA, the DPA refrains from providing any explanations of those terms, creating enormous scope for subjective interpretation by the authorities.
The proposed law has subjected the Data Protection Office answerable to the Digital Security Agency that has been established under the DSA. Thus, the director general (DG) of the agency would be legally in charge of implementing the DPA and enjoy unfettered power. There is little doubt that this dual role is patently contradictory. In a dispensation fraught with excessive use of authority by law enforcement agencies, weak judiciary, and very restricted parliamentary oversight, such institutional enmeshing of the DG's roles is likely to subvert the very purpose of framing the DPA. It was made amply clear when, at a stakeholders' meeting on the draft law, the state minister for ICT affairs candidly stated that the DG was bound to adhere to government directives, and this was sanctioned by the constitution. The symbiotic relationship between the DSA and DPA is further manifested in Section 60 of the DPA, which obliges all offences committed under the DPA be tried in the Cyber Tribunal established under the ICT Act, which also enjoys the competence to try cases under the DSA.
Right to privacy is a vital human right acknowledged in Article 17 of the International Covenant on Civil and Political Rights (ICPRR), which Bangladesh has been a state party to since 2000. However, the overriding effect of the proposed law would undermine people's right to information as guaranteed under the Right to Information Act, 2009 and "would breach the … government's commitment of ensuring accountability of all public, private and statutory institutions." Article 17 of the ICCPR prohibits arbitrary and unlawful interference with an individual's privacy. Article 43 of Bangladesh Constitution also stipulates that everyone shall have the right "to privacy of his correspondence and other means of communication," subject to reasonable restrictions imposed by the law.
While there is a need for protection of personal information, scope has been created for administrative control, which would undermine constitutionally guaranteed freedom of expression, personal freedom and that of privacy. The absence of clear definitions of some key concepts has made the law susceptible to abuse. The Transparency International Bangladesh (TIB) recommends that in order to ensure the primacy of protection of personal information, the proposed law should be titled "personal information protection act," as has been the case in at least 60 other countries. The use of the term "data" is likely to defeat the principal purpose of the law, the organisation observes. Moreover, TIB notes that the absence of a clear definition of the term "personal data" and vagueness of the term "individual consent" – a critical issue in personal information protection law – "would make the law open to severe abuse." The absence of the right to privacy in the draft law is also deeply disconcerting.
Section 10 of the DPA has given the state the authority to collect data for ensuring national security and preventing, identifying and investigating criminal acts, while Section 30 provides immunity to law enforcement and intelligence agencies. In all likelihood, this will make all data centres and servers, including those of non-state actors, subject to state scrutiny, while freeing the state agencies from being held accountable and from judicial oversight.
Like several other constitutionally guaranteed freedoms, personal privacy has long been a casualty in Bangladesh. Teletapping is a widely practised phenomenon; so are the occurrences of involuntary disclosure of contents of and seizure of personal mobile phones on flimsy grounds by the law enforcement agencies. Evidence is aplenty of the breach of personal information that was collected through the imposition of biometric registration, a measure fiercely opposed by civic bodies. Citizens are also weary at the government apathy and inaction to hold into account those institutions and individuals that have been involved in disclosure of private conversations in the public domain. On occasions, such disclosures have given rise to suspicions that the state agencies privy to records of those conversations were the sources of such release.
All such omissions and acts by the state have created a situation of distrust regarding its intent in framing the data protection law. There is a growing view that, instead of providing protection of personal data, the DPA will essentially be a handy tool for surveillance over the citizenry, further reinforcing the executive arm of the state. Under such circumstances, after being subjected to the unmitigated abuse of the DSA, and likelihood of misapplication of the undefined terms and draconian clauses that the proposed DPA contain, don't the discerning citizens have every reason to raise questions about the DPA?
Dr CR Abrar is an academic and human rights expert.