Bangladesh’s incumbent Government is about to adopt a new law titled “Personal Data Protection Bill” (PDP Bill). Citing the excuse of protecting the right to protection of citizens’ personal data the Bangladesh Government copied the European Union’s General Data Protection Regulations (GDPR) of 2016. They revised it, fitting to the conveniences of an authoritarian rule. It has drastically disfigured the principles and definition giving sweeping powers to the Executive Authorities and Law-Enforcement Agencies.
The PDP Bill is given an overriding effect (Section 3) over all other laws of the land posing the apparent higher risks of an overwhelming coercion of personal data. The potentially coerced personal date is feared to be used against individuals and entities targeted by the State, according to the precedence of practice in the country. Such overriding effect goes against the fundamental rights enshrined in Article 35 (4) of the Constitution of Bangladesh. The executive authorities are empowered to act with impunity subsiding the judicial process. The citizens have no access to the justice institutions if the Executive Authorities encroach the right to protection of personal data.
The PDP Bill excessively empowers the executive officials in the capacities of Data Controller, Data Processor, and Data Protection Officers who act at a Personal Data Protection Office to be established under Section 36 and headed by a Director General of the Digital Security Agency, as created under the existing draconian Digital Security Act (DSA) of 2018. The new law complements the DSA and further allows the authorities accessing to the personal data of individual citizens and foreigners as well as any company or entity found within the Bangladeshi Government’s jurisdictions, for the purpose of “prevention, detection, investigation of an offence or for the national security”, according to Section 10 (2). As per Section 7 (5) (g) and (h) the “Data Controller may process personal data of a data subject if the processing is necessary – for explicitly mandated under any law for the time being in force”, and “for legitimate interests pursued by the data controller.”
The definition of “personal data” in the PDP Bill “means any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller. including any sensitive personal data and expression of opinion about the data subject which — (i) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (ii) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (iii) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system: Provided that anonymized, encrypted or pseudonymized data which is incapable of identifying an individual is not personal data;” according to Section 2 (h) of the PDP Bill. This definition is vague and more focused on the information in possession of data controller being processed and recorded by means of equipment operating automatically in response to the instructions given for that purpose. It indicates that the Bangladesh Government is legalizing the abuse of mass surveillance equipment that it reportedly purchased from Israeli companies.
The PDP Bill ‘shall not apply to – processing of personal data exclusively for journalists, artistic or literary purposes subject to the conditions as may be prescribed by rules’, according to Section 4 (3) (b). It should be recalled that the DSA has been massively used against investigative journalism, which has triggered further self-censorships in Bangladesh’s ruling party-leaning mainstream print, electronic, and visual media.
Section 4 (3) (d) reads: this law ‘shall not apply to – processing of personal data by a government entity for the purposes provided in any other laws for the time being in force subject to the condition of ensuring security and secrecy for the protection and confidentiality of personal data.’ As the Law complements the DSA, these provisions have to be read together with Section 43 of the DSA, which has empowered the Police to “search, seizure and arrest without warrant. (1) If any Police Officer has reasons to believe that an offence under this Act has been or is being committed, or is likely to be committed in any place, or any evidence is likely to be lost, destroyed, deleted or altered or made unavailable in any way, then he may, for reasons of such belief to be recorded in writing, proceed with the following measures, namely: (a) to enter and search the place, and if obstructed, to take necessary measures in accordance with the Code of Criminal Procedure; (b) to seize the computer, computer system, computer network, data information or other materials used in committing the offence or any document supportive to prove the offence; (c) to search the body of any person present in the place; (d) to arrest any person present in the place if the person is suspected to have committed or be committing an offence under this Act. (2) After concluding a search under sub-section (1), the Police Officer shall submit a report on such search to the Tribunal.” It implies that when the Police arbitrarily seizes computers, based on ‘belief’ instead of ‘evidence’, the personal data stored in that particular device the data subject will not be allowed to take his/her data in possession under the PDP Bill, although the Government pretends to protect personal data in this Law.
According to Section 20 (7), “[T]he data controller is not obliged to comply with any request made under the Chapter – on Data Subject’s Rights – where such compliance would harm the rights of any other data controller under this Act.” It means that if one or more data controller arbitrarily abuses their power that particular data controller(s) can enjoy impunity in collaboration with other colleagues by denying the data subject’s rights. In another word, the data controller’s supremacy is guaranteed at the costs of the rights of the data subject whose personal data is accessed by the Authorities under the Law.
Section 28 empowers the data controller to carry out ‘assessment of the impact of the envisaged processing of operations on the protection of personal data’ with ‘legitimate interest pursued by the controller’ and can impose a ‘code of conduct’ for the purpose of a data protection impact assessment. The term ‘legitimate interest’ is vague without any specific definition or limit under the law while the power of imposing ‘code of conduct’ has no specified principles-based guidelines for its application. These powers can be extensively abused against independent human rights groups, researchers, journalists, and even foreign investors in the given context of Bangladesh.
The Personal Data Protection Office is given ‘investigative power, under Section 37 (2) (a) (i), “to order the controller and the processor, and where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of tis tasks” and in Section 37 (2) (a) (iv), “to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of tis tasks”. This Office, under Section 37 (2) (b) (v), has power “to impose a ban on processing” and “to order the suspension of data flows to a recipient in a third country or to an international organization”, as per Section 37 (2) (b) (viii). Under sub-Section 37 (2) (c) it has ‘authorization and advisory powers’, which enables the Office “to issue to other institutions and bodies as well as to the public on any issue related to the protection of personal data”. These provisions are feared to be abused against national and international human rights organizations, including the independent human rights experts of the United Nations and researchers for the purpose of intercepting the flow of factual information sharing with the excuse of ‘personal data protection’.
The Data Controller, under Section 34, and the Government, under Section 36, are empowered to arbitrarily exempt any person or entity from abiding by the Law by publishing an order through Gazette notifications having the power to revoke such orders. Section 60 empowers the Director General and the employees of the Personal Data Protection Office blanket impunity for their actions done ‘in good faith’. Section 65 confirms that “No action, suit, prosecution or other proceedings shall lie or be brought, instituted or maintained in any Court against the Director General or any officer of employee of the Personal Data Protection Office or any Authorized Officer in respect of any act or omissions done or omitted by him or it in good faith in such capacity.” Such provisions of impunity does not reflect any good intention on the part of the incumbent Government as it maintains a catastrophic human rights record in Bangladesh.