- Tawhidur Rahman
In this age of globalized connectedness, we are constantly in need to connect through sharing our personal data. Everyday terabytes of personal data are used through different technologies to access and operate various technological devices. It has become a matter of concern how these data are being stored, accessed and used. The need for a modern data protection law, considering the growth of ecommerce, cloud computing, social networks and online games has become pivotal across the globe. As such, more and more nations are enacting Personal Data Protection laws such as GDPR in Europe.
Data Privacy and Bangladesh
The 21st century has been defined by many as the age of information. In today’s digital information environment, personal data plays the most important role. With personal data, companies and entrepreneurs can target their customers easily and market their products accordingly. The modern era of information and technology has turned our personal data into a valuable commodity. And most often than not businesses around the world are infringing our privacy by accessing our personal information illegally without any informed authorization.
The main reason behind this is the lack of legal protection for our personal data. The evaluation of the legal regime protecting our privacy has failed to keep up with the ever-changing technologies. As a result, a lot of confusion has arisen over the past few years and many opportunists took advantage of this confusion by stealing and selling our personal data without informing us about our identity theft.
Digital Security Laws
Until recently there was no legal protection available in Bangladesh for any infringement of personal data. Bangladesh recently passed the Digital Security Act 2020 (the ‘Act’), which was enacted to ensure National Digital Security and enact laws regarding Digital Crime Identification, Prevention, Suppression, Trial and other related matters. This Act also contains provision protection of Identity Information. For the purpose of this Act Identity Information has been defined as “any external, biological or physical information or any other information which singly or jointly can identify a person or a system, his/her name, address, Date of birth, mother’s name , father’s name, signature, National identity , birth and death registration number, fingerprint, passport number , bank account number , driver’s license , E-TIN number, Electronic or digital signature , username, Credit or debit card number, voice print , retina image , iris image , DNA profile, Security-related questions or any other identification which due to the excellence of technology is easily available.”
Section 26 of the Act defines crimes relating to collecting and using identity information. Under section 26(1) any unauthorized use i.e. collection, selling, taking possession, supplying or using anyone’s identity information has been defined as an offense. Under the Act for any crime relating to identity information, imprisonment for a term not exceeding 5 (five) years or fine not exceeding 5 (five) lacs taka or with both has been prescribed and for repeating the punishment can be increased 7 (seven) years of imprisonment or with fine not exceeding 10 (ten) lacs taka or with both.
State Minister for ICT Zunaid Ahmed Palak on Friday said a draft of data privacy and localization law has been prepared under the direction from his cabinet colleague and relevant government personality. The draft will be presented in the Jatiya Sangsad after taking opinion from different platforms and media shortly, he said.
What should be data pricy law?
Data Breach Notification
Organizations are required to notify supervisory authorities and data subjects within 72 hours in the event of a data breach affecting users’ personal information in most cases.
Data Subjects’ Rights
• The right to be informed. Data subjects must be informed about the collection and use of their personal data when the data is obtained.
• The right to access their data. A data subject can request a copy of their personal data via a data subject request. Data controllers must explain the means of collection, what’s being processed, and with whom it is shared.
• The right of rectification. If a data subject’s data is inaccurate or incomplete, they have the right to ask you to rectify it.
• The right of erasure. Data subjects have the right to request the erasure of personal data related to them on certain grounds within 30 days.
• The right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data (though you can still store it).
• The right to data portability. Data subjects can have their data transferred from one electronic system to another at any time safely and securely without disrupting its usability.
• The right to object. Data subjects can object to how their information is used for marketing, sales, or non-service-related purposes. The right to object does not apply where legal or official authority is carried out, a task is carried out for public interest, or when the organization needs to process data to provide you with a service for which you signed up.
What’s next with global privacy?
With work already underway to amend and expand the remit of CCPA, we can expect the trend of new and more comprehensive data protection laws being introduced to continue. Other recent and upcoming developments in international data protection regulation include:
- India’s draft Personal Data Protection Bill 2019 introduced in December 2019
- Data breach notification and data security legislation recently passed in New York in October 2019
- Data protection laws regarding privacy or security approved in Maine, Nevada, Massachusetts, Ohio, and Colorado in 2019
- Draft data protection legislation proposed in Washington, Illinois, Massachusetts, Minnesota, Nebraska, New Hampshire, New York, South Carolina, Virginia, and Wisconsin during January 2020
- Draft Data Transparency and Privacy Act brought to Illinois Senate in January 2020
- Amendments to Hong Kong’s Personal Data (Privacy) Ordinance proposed in January 2020
- Draft bill amendments to Singapore’s Personal Data Protection Act anticipated early 2020
- The Australian Consumer Data Right effective 6 February 2020
- Thailand’s Personal Data Protection Act anticipated to be effective from May 2020
- Brazil’s General Data Protection Law expected to take effect from August 2020
- A revised proposal of the European E-Privacy Regulation (initially proposed in January 2017) anticipated during 2020
- UK GDPR to be effective in the UK on 1 January 2021 following the end of the agreed Brexit transition period
- Draft Data Protection Act brought to Bangladesh Ministry of ICT in October 2020
Digital diplomacy to Data diplomacy
The digital revolution arrived late at the heart of ministries of foreign affairs across the world. Ministries latched on to social media around the time of Tahrir Square and Iran’s 2009 Green Revolution, beguiled by a vision of the technology engendering a networked evolution toward more liberal societies. Foreign ministries scrambled to make ‘Twitter-Diplomacy’ part of their push-strategy in strategic communication and began, though arguably too slowly, to analyse US-based digital platform-generated data to inform foreign policy decisions. ‘Tech for Good’ was the universal assumption a decade ago.
Now, the advent of 5G systems and the capacity to run larger volumes of data across them, to develop greater applications for artificial intelligence (AI) and the internet of things, will not only have deeply disruptive impacts on our societies and the way we work – from manufacturing to services but it will also present steep challenges to how our bureaucracies manage big data and how – in the case of ministries of foreign affairs – they harness capacities for anticipatory foreign policy making. Bangladesh Telecommunication Regulatory Commission (BTRC) today officially disclosed its primary decision of making 5G internet service available in the country by 2021. BTRC gave licenses to the mobile operators with a condition that they will have to bring all the district headquarters under 5G service by 2023 while the entire country by 2026.
The Government has been proactively pursuing the digital penetration of all government portals by the year 2023. The country developed the National Portal in 2014, which now houses over 45,000 websites and services of different government offices, with about 60 million hits a month on average.
Over 5,000 Digital Centres have been set up across the country to cover the “last mile” and ensure the various digital services reach all citizens, addressing the issue of the digital divide. To ensure interoperability, the Bangladesh National Digital Architecture was established.
Digital services like Smart NID, the biometric database of unique IDs, fingerprints and iris scans has been successful in making citizen services run more smoothly, and negating problems like fake IDs and impersonation. In covid-19 Bangladesh launch covid-19 web data portal and also it launched covid-19 tracker which help a lot to taking decision for diplomats.
To be sure, the advent of greater data capacities holds promises – not just challenges – for diplomacy. Well-cultivated, big data will radically improve the consular process, bolster the preparation of diplomats for complex, multi-level negotiations on trade and sanctions and boost the ability to forecast humanitarian crises linked to climate change effects from drought to flooding.
Big data aggregation could also help identify disinformation campaigns targeted against a certain country more quickly and accurately. Chat bots are already improving the more tedious aspects of consular affairs, supporting registration processes or legal aid for refugees. Bangladesh ICT ministry are also working for disinformation. The government is cracking down on the spread of ‘disinformation’ about the government, public representatives, army officials and members of the law- enforcing agencies on social media from home and abroad. Besides the “untrue, imaginary, misleading, and provocative” statements on social media, the ministry also noticed “false and baseless news to mislead the security forces”.
“These can create the possibility of disrupting peace in the country, and concerns, anger and confusion among the people,” the notice said. The government has decided to act against the people behind the “disinformation” campaign in order to keep law and order, it said.
Much as geo-coding and social media mapping is already helping Global Affairs Canada and the UK Foreign and Commonwealth Office understand where their messages resonate most effectively, in the near-term future a bigger volume of data and increased interpretation capacities might be used to locate citizens in need and to monitor social media to predict possible consular crises. To realize the advantages of these data streams, the data will have to be harnessed and interpreted by trained analysts and diplomats. Bangladesh can also working on geo-coding and social media mapping for decreasing the disinformation.
New privacy law for Bangladesh Drafted :
“Personal information of an individual collected for a particular purpose is commonly misused for other purposes, like direct marketing without the consent of the individual. Some internal confidentiality standard within the system is required so that personal information of an individual does not get transferred to others easily causing irreparable distress or embarrassment.”
So it has to be clear in the new law that personal information of an individual collected for a particular purpose should be used for that particular purpose.
While Bangladesh is well protected by virtue of the Information and Communication Technology (ICT) Act, 2006 to bring proceedings against perpetrators of such intrusion and unauthorized access, what it fails to take into account is that these perpetrators carry out their operations anonymously and thus, in most cases, it is difficult to identify them. In other words, a preventive framework at the pre-breach level is simply non-existent. There are some protection ensured by various Acts and Regulation on piecemeal nature, however there is no comprehensive data protection for consumers and general public for their non-electronic data provide to various organizations, companies and corporations.
At last, we may conclude that Bangladesh is drafting new data protection act of Bangladesh, 2020 where it make a comprehensive statute regarding protection of personal data with clear indication of definition personal data, purposes for processing personal data, punishment for obtaining, transferring or selling of personal data without lawful authority etc. A mandatory provision in the new law included as the personal data of any person collected for a particular purpose shall not be processed without the consent of the person concerned except any statutory legal excuse.
After coming in power in 2009, Honorable Prime Minister Sheikh Hasina set several targets for Bangladesh, i.e. to achieve the status of a middle-income country by 2021, accomplishing the SDG goals by 2030, becoming a developed country by 2041, becoming a miracle by 2071, and executing a delta plan by 2100. Thus, one can argue that under the visionary leadership of Honorable Prime Minister Sheikh Hasina, Bangladesh is moving forward with specific targets in mind with new laws and policies for digital Bangladesh. One of the major strengths for Bangladesh is that among 170 million people more than 60 per cent are energetic and dynamic youths who can contribute immensely to the overall development of the country. The world needs to know that Bangladesh is no more an ‘international basket case’. And for this success, Bangladesh and its people sincerely appreciate the cooperation from the international community.
ABOUT THE AUTHOR:
With over 12 years of experience in Cyber security consultancy, Digital forensic, Framework Design, Policy Making and many other tech sectors, Tawhidur Rahman is working as Senior Technical Specialist (Digital Security & Diplomacy) of Government of Bangladesh E-Government Computer Incident Response Team. Also, he was working for Government Joint Defense Intelligence organization as a cybersecurity consultant. Tawhidur Rahman is certified from US Homeland Security, US State Department, EU Union on Cyber Crime investigation & Diplomacy too.