Law & Our Rights
Law Review

Revisiting the Draft Personal Data Protection Act 2023

In the digital age, personal data fuels the online ecosystem while also raising privacy concerns. To address this issue, Bangladesh aims to strengthen its data privacy framework by adopting the draft Personal Data Protection Act, 2023 (PDPA). The General Data Protection Regulation (GDPR) of the European Union (EU) serves as a global benchmark for data protection, influencing privacy laws worldwide through its robust framework and the European Commission's adequacy status. However, the current draft of the PDPA falls short of the GDPR's rigorous standards for the following reasons.

The first concern is regarding the grace period. Section 1(2) of the latest draft of the PDPA states that the bill will take effect on a date specified by the government in the official gazette, without guaranteeing any preparation period. International best practices recommend a minimum two-year grace period for preparation. For instance, the EU GDPR was adopted on 14 April 2016 and took effect on 25 May 2018, providing over two years for compliance preparation.

The draft Act also fails to adequately emphasise 'personal data' over 'data' in general. The primary focus of a robust data protection law is 'personal data,' as it seeks to protect individuals' privacy and prevent the misuse of their personal information. To effectively protect 'personal data,' it must be explicitly defined. However, the draft PDPA's definition of personal data in section 2(o) is ambiguous: it covers legal persons along with natural persons and makes no reference to the identifiability of the natural persons it seeks to protect from data breaches. Conversely, the GDPR in Article 4(1) precisely defines 'personal data' as any information relating to an identified or identifiable natural person, whether the identification is direct or indirect. To align with global best practices, the proposed bill should put more emphasis on 'personal' data than on 'data' as a whole.

Furthermore, the draft PDPA lacks a clear articulation of the key data protection principles established by the OECD Privacy Guidelines of 1980, which were later adopted by dominant data protection regulations, such as the GDPR. To align with global standards, the PDPA should explicitly incorporate GDPR-aligned principles, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

The next concern is regarding an independent data protection board. The provisions for establishing an independent data protection authority are essential for the unbiased enforcement of privacy laws and the protection of citizens' rights. While Section 35 of the draft PDPA details the composition and operations of the Data Protection Board, it lacks explicit guarantees of the agency's independence. Without clear safeguards for autonomy, there is a risk of conflict of interest that could undermine its impartiality as a regulatory body.

Moreover, the draft PDPA conflates 'anonymised' and 'pseudonymised' data, although they are distinct. Pseudonymised data can still identify individuals through additional information and remains subject to data protection laws, while anonymised data cannot be traced back and is not subject to these laws. Hence, the PDPA should clarify that these terms are not interchangeable.

Yet another area of concern is the data localisation principle that the draft bill embodies. Sections 50 and 51 of the draft PDPA restrict the transfer of government-classified data outside Bangladesh, except in specific circumstances such as international trade or under international agreements. While data localisation policies can be motivated by privacy and security concerns, they often fail to effectively protect data privacy and can negatively impact economic activity, as research by the Information Technology and Innovation Foundation (ITIF) has shown.

Section 28 of the draft PDPA mandates data fiduciaries (upatta jimmadar) to notify the Data Protection Board within 72 hours of a data breach, similar to the GDPR. However, it lacks any provision for notifying the affected individuals themselves in high-risk cases, where a breach could impact data subjects' fundamental rights. The draft should be amended to include such a provision, ensuring transparency, accountability, and alignment with international best practices.

Notably, the draft bill also falls short in protecting the rights of foreign data subjects. Section 17 of the draft PDPA grants foreign data subjects in Bangladesh the same data protection rights as citizens but lacks details on enforcement and exceptions. The PDPA should clearly outline the enforcement process, the criteria for qualifying as a foreign data subject, and any limitations on those rights, to enhance clarity and transparency.

The draft PDPA relies excessively on delegated rule-making powers, which may lead to broad and potentially misused interpretations. Without mandatory publication requirements for such rules, there is a risk of executive overreach. Before Parliamentary approval, the PDPA's rule-making provisions should be limited, well-defined, and transparent. The bill also lacks any specific provision on 'data protection by design and by default,' which integrates privacy measures into systems from the outset so that personal data is protected automatically. Article 25 of the GDPR mandates this, and the PDPA should include a similar provision.

Yet another area of concern is the number of exemptions that the bill provides for. Section 33 of the draft PDPA grants exemptions to government agencies for specific data processing activities, including crime prevention or investigation, health data, research, and journalism. Section 34, however, permits additional exemptions to be created via the official Gazette, raising concerns about transparency and potentially weakening data protection enforcement.

In conclusion, while the draft PDPA represents a positive step towards establishing a comprehensive data protection regime in Bangladesh, it requires significant improvements to align with global standards. The adjustments outlined in this write-up will strengthen Bangladesh's data protection framework, align it with international standards, and help secure an adequacy decision from the European Commission, thereby enhancing global trade relations.

The writer is an Assistant Professor at the School of Law, Independent University, Bangladesh (IUB).
