How can abuse of privacy be legal?

Data is knowledge and knowledge is power. This is why protecting data is so vital, but some of the provisions in the draft act that Bangladesh is considering in this regard are something that we can do without. The invasive nature of the bill is neither respectful of citizens' privacy nor democratic in spirit. It is certainly not in step with international data protection standards. A recent assessment by the Transparency International Bangladesh (TIB) – that it will "put the entire society under surveillance" – shows that there is more at stake here. At a time when concerns are being raised over such attempts by the government, the length to which this bill, if passed into law as it is, could be potentially used is certainly worrisome.

One of the reasons behind this assessment is the bill's strict data localisation requirements. It makes it mandatory for every person or organisation dealing with data to enrol in a "data protection register", where they must state what type of data they are collecting and processing and why. Not only is this logistically impractical, it also adds a layer of bureaucracy at odds with how the internet functions. Furthermore, according to the TIB, even though stakeholders have been demanding that an independent commission be formed to oversee the implementation of the law, the bill puts a government-controlled agency in charge, giving it "unlimited powers" to access data without citizens' permission or explicit knowledge, and even without any judicial oversight. Ideally, along with operational independence, any institution in charge should have in-built provisions to check abuse of authority. The bill ensures neither.

Although recent changes to the draft sought to allay some concerns about data localisation requirements – creating scope for transferring data in case of international trade and international relations – the Data Protection Act (DPA) is still too restrictive, invasive and vague, just like its ideological cousin Digital Security Act (DSA). For example, there is no clear, detailed definition of data, and no mention of the definition and standard of privacy. All this has led to legitimate fears that it will "allow deep government surveillance in the guise of data governance and interference with individuals' privacy rights, not to mention increase the space for abuse of power," as one of our columnists put it. Thanks to the DSA, we now know that it is mostly political rivals and critical voices who will be subjected to such abuse, all in the name of state interests.

This is totally unacceptable. We urge the government to immediately revise the draft in light of the concerns raised by experts, human rights defenders and our international partners. Personal data shared on various online platforms must be protected at all costs from any kind of breach and abuse, particularly from government agencies and law enforcement forces. The law must clearly address all potential loopholes, and provide for an independent data oversight authority which can be trusted to check any breach of privacy. Otherwise, there will be no point at all for a data protection act.