Data Localisation and Data Protection in Bangladesh: A Review

Data localisation requires for data, particularly personal and/or arguably sensitive, to be stored and processed within a specific geographical location or jurisdiction. It in a way relates to data protection as it aims to maintain control over data generated within a country's borders, enhance data privacy and security through local storage, provide easier access for regulatory purposes, and address jurisdictional challenges. However, experts contend that it can also lead to several challenges against the citizens' rights to privacy, free speech, and free access to information. In the case of Bangladesh, for instance, data localisation could be misused as a legal means to access personal data and thereby unduly bolster the surveillance capabilities of law enforcement agencies, leading to further curtailment of freedom of speech and access to information.

The most recent version of the draft Data Protection Act (DPA) incorporates specific provisions aimed at protecting the personal information of Bangladeshi citizens. Considering that the DPA is one of the key legislative initiatives to safeguard citizens' information in Bangladesh, both local experts and prominent human rights organisations including the Amnesty International, have voiced their concerns on different occasions regarding data localisation and other aspects of data protection under the draft DPA.

Data localisation was initially introduced in a previous draft of DPA, mandating the storage of sensitive, user-generated, and classified data within the geographical boundaries of Bangladesh, which was challenged by stakeholders and human rights organisations pointing out that the enforcement of stringent data localisation measures would restrict freedom of expression, hinder digital businesses, jeopardise privacy and increase expenses, among other risks and challenges. Hence, recommendations were made for a thorough assessment of the impacts and even options for complete removal of the provision from the DPA.

The latest draft, partially accepting the recommendations, has removed the requirement to store sensitive and user-generated data. Alternatively, it provides, in section 42, that the government shall periodically store "classified data" in Bangladesh as prescribed by law. However, worries remain as the wording of the provision would allow the government to designate data as "classified" at its discretion, without specifying criteria or limitations.

The draft law contains several other provisions that fall short of international best practices and are prone to potential misuse. For example, the draft defines 'personal data' as any information or data linked to an identified or identifiable individual. However, there is minimal opportunity to resort to the court to seek redress in case of privacy violations.

Again, Section 10 outlines authorised methods for data controllers to collect information from entities using prescribed means which include national security and public interest concerns. Considering the international best practices, it is crucial in this circumstance to define 'public interest' and 'national security' clearly involving strict rules to prevent misuse, maintain the delicate equilibrium between security and privacy, and ensure rigorous oversight to prevent discrimination and surveillance abuses.

Section 33 provides exemptions for data processing activities unless restricted by Section 34. Exemptions cover crime prevention, health data, research, court orders, regulatory functions, and activities in media, literature, art, and education. Here, Section 34 provides overly broad exemptions for government agencies in data protection, which deviates from international norms and raises concerns of potential misuse. Typically, data protection laws are designed to safeguard individual rights in data processing, imposing clear, impartial, and transparent obligations on data handlers, including government bodies. While some limited exemptions are considerable for government entities in cases involving national security, public order, or citizens' rights, this provision lacks a specific and more categoric list of exemptions.

As a final comment, the draft reportedly took cues from the EU's General Data Protection Regulation (GDPR), a global benchmark for data protection, covering data quality, usage limits, and security, but diverged therefrom on certain aspects. Aligning more closely with GDPR principles, especially regarding lawful processing, data minimisation, individual rights, and data breach response mechanisms, would enhance the intrinsic value of the legislation and align the same with global standards for secure and rights-focused data management. Predictably, the ambiguities in the draft could lead to arbitrary decisions that adversely impact the activities of civil society organisations and independent journalists who may transmit data to international partners, news outlets, and donors, or store their data in foreign-based data centres. The broad implementation of data localisation requirements, especially in environments conducive to censorship and extensive surveillance, raises valid concerns about potential misuse.

The Writer is Official Contributor, Law Desk, The Daily Star.