Data Protection Act: Everyone dealing with citizens’ data must register
The government will maintain a publicly available register of all organisations and persons collecting and processing data, and the purpose for which data is being processed.
This is as per the latest draft of the data protection act dated yesterday. The draft states that an entity called a Data Protection Agency will maintain this register, and will make the information contained in the data protection register available for inspection by any persons.
Organisations collecting or processing personal data vary from government entities, law enforcement agencies, research organisations, banks, embassies, NGOs, marketplaces, trade bodies and others.
"Every person who wishes to perform the functions of controller and processor under this Act must be enrolled in the agency. The procedure for enrollment, terms of enrollment, renewal and suspension of enrollment [...] shall be determined by rules," states the new draft.
Although stakeholders have been recommending that an independent commission be created to implement the data protection law and protect the rights of citizens, this law still maintains that a government agency will be in control.
The agency called the Data Protection Agency will be headed by a Director General and four directors appointed by the government.
This government body can "access to the data processing premises of the controller or processor, including data processing infrastructure and other related facilities, for the purpose of inspection" and "ordering the controller or processor or, the representative empowered for the purpose to provide the data necessary", and have "access to data under the control of the controller or processor for the purposes of enquiry".
Dr Iftekharuzzaman, the executive director of Transparency International Bangladesh commented, "The government is a user of data, and subject to this law, so there is a conflict of interest if they are in control of the law." He said that it is international good practice to have an independent agency.
This agency can penalise those violating the law, as well as ban them from processing data, and transferring data to foreign customers and international organisations.
However this draft omitted a provision that was present in past drafts, which had granted indemnity to this agency by preventing the citizens from prosecuting them in court.
This draft allows those aggrieved by the agency's decisions to file appeals with the government.
The law still exempts controllers using data "for the prevention or detection of crime or for the purpose of investigations; or the apprehension or prosecution of offenders" but does not mention how subjects seek redress for violations caused by these exemptions.
"In order to get a remedy a person needs to be proved that he or she has been harmed – is a breach of privacy equivalent to harm?" commented Christabel Randolph, advocate of Supreme Court, and technology, law and policy scholar at Georgetown University's Law Centre at an online discussion on the law held by Bangladesh Legal Aid and Services Trust yesterday.
She also pointed out that data subjects can request controllers for access to their own data, but they have to pay a fee for it.
The law minister Annisul Huq and ICT state minister Zunaid Ahmed Palak met with civil society members at the law ministry yesterday to discuss the law and stated that there will be a followup meeting on April 6.
The civil society members also discussed about repealing the Digital Security Act.