Localisation of data - A threat to citizens’ right to privacy?

Data, more specifically private data, on digital platforms has put a great impact towards the technological advancement over the last decade. Most of the data is now controlled by a few giant tech companies resulting in the monopolisation of data. Many countries are, however, adopting laws regarding data localisation.

Data localisation means regulating and controlling its citizens' data within the territory of the originated country before transferring the same overseas. Laws on this are special regulations enforcing how data can be processed and transferred in a certain territory. The argument behind data localisation is to increase a country's ability to regulate data flow and ensure data security.

More than 100 countries now require their internal data stored in servers physically located inside their borders. The proposed Data Protection Act, 2023; and the Bangladesh Telecommunication Regulatory Commission Regulation for Digital, Social Media, and OTT Platforms, 2021 are some of many efforts to protect citizens' information against big fishes.

However, experts fear that these initiatives are a legal way to nose out personal data and enhance the surveillance capabilities of law enforcing agencies. One of the main arguments for data localisation is that Bangladeshi citizens' sensitive data should be stored within Bangladesh. It is necessary to ensure users' rights as well as to safeguard government's jurisdiction over data produced in its territory. However, these measures have raised concerns among citizens who fear that they could be used to limit free speech and access to information.

December last year, Information Technology & Innovation Foundation (ITIF) confirmed that "a one-unit increase in an industry's data restrictiveness is associated with a 0.5 percent decrease in the following year's trade – including a 0.6 percent decrease in imports and a 0.9 percent increase in import prices". "After five years, restrictive data policies will reduce Bangladesh's volume of trade by 6 percent", the ITIF reported.

The proposed Data Protection Act of 2023 contains some sections which elaborate on the concentration of power and give indemnity to the proposed Data Protection Agency. Although terminologies such as 'data', 'biometric data' and 'health data' are defined, the proposed law does not define the personal data directly and there are no provisions for its protection. There is also no mention of privacy of personal data and the standards of privacy on the storing of personal data in the proposed law.

According to section 10, the data relating to national security, crime prevention, inspection and investigation can be collected by the authorised person. It apprehends that the data production institutions/servers and the NGOs will be bound to share their data with the government. Section 49 states that if someone violates any provision of this Act or any right of data subject, a complaint be filed to the Director General (DG) of the proposed Data Protection Agency.

To seek remedy for the violation of privacy, there is little to no chance to go the court under the proposed law. Section 33 empowers the government to exempt any Data Controller or data processing activities from the obligations under the proposed law, including the power of further exemption. Section 34 tells that the government may, by notification published in the official gazette, exempt the application of any provision of this Act too. According to this proposed law, the DG of the Data Protection Agency can order the data subject to collect any sort of data and the concerned person will be bound to provide the data. If this proposed law is passed without any modification, it will be a serious threat to the protection of personal data.

As data is very important, Bangladesh being an independent and sovereign country has the full right to control its own data which originates/originated in its own territory. If we cannot control our own data, this will go against our own national interest. Foreign companies will trade by using our data against us. For that, we need collective efforts between the state and the stakeholders of the data. Our legal system relating to storing and controlling data should be updated. Relevant intuitions should be functional following the best practices of the world. Awareness among the people must also be increased so that the government and its agencies cannot play with our personal data/privacy.

Data localisation laws around the world are evolving every year, and the IT operators as well as individual users should follow them. They are not as disruptive for businesses as they may seem at first sight, so it is possible to continue doing business without breaking them. Therefore, while data localisation can benefit data security, it is essential to implement it in a way that protects citizens' right to privacy and ensures free speech as well as access right to information.

The Writer is an Advocate, Dhaka Judges Court.