The Bangladesh government's draft of the Cyber Security Ordinance, 2024 has reignited debates surrounding digital rights and governance. Intended to bolster cybersecurity and address crimes in cyberspace, the ordinance has been met with sharp criticism for its vague provisions, unchecked powers, and a lack of safeguards against misuse. Many experts argue that, in some respects, the proposed law is more regressive than its predecessors, including the Digital Security Act, the Cyber Security Act, and the ICT Act.

Scope and intent of the ordinance

The draft ordinance is structured across nine chapters and 52 sections, covering a broad spectrum of issues such as preventive measures, crimes and punishments, and the establishment of the National Cyber Security Agency and the National Cyber Security Council. Cyberspace is defined broadly, encompassing digital networks, telecommunications systems, and physical infrastructures. The stated purpose is to ensure cybersecurity, protect digital assets, and prosecute cybercrimes. While the draft attempts to rationalise non-bailable offences and claims to safeguard personal freedoms and freedom of speech, critics highlight significant gaps and ambiguities.

Vague provisions and broad discretionary powers

One of the most contentious aspects of the ordinance is the sweeping authority it grants to the Director General of the National Cyber Security Agency. Under clause (8), the Director General can request the Bangladesh Telecommunication Regulatory Commission (BTRC) to remove or block information deemed harmful, with BTRC empowered to act in "appropriate cases." Critics argue that the term "appropriate cases" is undefined, leaving room for subjective interpretations and potential misuse to suppress dissent.

The ordinance also entrusts the National Cyber Security Council, chaired by the Head of State and supported by government and intelligence agencies, with decision-making powers regarding "cybersecurity development." However, the lack of clarity about what constitutes "cybersecurity development" raises concerns about overreach and accountability. Provisions for the collection of data for "global threat intelligence" further exacerbate fears, as they lack procedural safeguards and could facilitate surveillance and repression under the guise of regional and international cooperation.

Structural gaps and enforcement concerns

Several structural weaknesses in the draft have been identified, particularly concerning censorship, surveillance, and state power consolidation. Section (36) permits warrantless searches, seizures, and arrests, requiring reports to be submitted to a tribunal, but without a defined timeline. This absence of a reporting deadline increases the risk of harassment and abuse by authorities. Similarly, sub-section (3) of Section (48) allows for the confiscation of legitimate digital materials if they are found alongside prohibited content, a provision critics warn could unjustly shutter businesses or organizations.

The ordinance fails to address the rising threats posed by artificial intelligence, particularly in crimes involving deepfake technology, where victims' voices, images, and videos are manipulated to cause harm. It also lacks provisions to protect whistleblowers, leaving those who expose cybercrimes vulnerable to retaliation. Additionally, the draft does not obligate organisations to notify customers or the public after cyberattacks, even when citizens' data, finances, or digital assets are compromised.

Token clauses and unrealistic guarantees

One provision grants citizens the right to 24/7 internet access, a seemingly progressive step. However, experts argue that this clause is largely symbolic, as existing laws permit state-sanctioned network disruptions. Without addressing the legal framework that enables such interference, the guarantee is deemed unimplementable and unrealistic.

Criticism of the legislative process

The government's decision to allow only three days for public feedback on the draft ordinance has drawn widespread criticism. Stakeholders lament the lack of meaningful dialogue and transparency, calling the process disrespectful to citizens' right to engage in shaping legislation that affects their digital rights. The rushed approach reflects poorly on the government's commitment to reform and undermines trust in its intentions.

Critical sectors overlooked

The ordinance overlooks key sectors vulnerable to cyberattacks, particularly transport and healthcare, which are critical to public safety. Experts recommend including ministries responsible for these sectors in the Cyber Security Council to ensure comprehensive protection against potential threats.

A step forward or a step backward?

While the ordinance addresses some weaknesses of its predecessors, such as attempting to rationalise non-bailable offences, it retains and introduces provisions that raise serious concerns about civil liberties and digital rights. The lack of transparency, the absence of procedural safeguards, and the broad discretionary powers granted to authorities make the ordinance a potential tool for abuse rather than protection.

Critics emphasize the need for substantial amendments to ensure the ordinance aligns with global standards for digital rights and cybersecurity. Without these changes, the Cyber Security Ordinance, 2024, risks perpetuating the same issues that have plagued Bangladesh's digital governance for years, leaving citizens vulnerable to surveillance, censorship, and state overreach.