Monthly Magazine "December 2022"
Published on 27-Dec-2022 15:17:00
From the Editor’s Desk
Data Protection Act and Cross Border Data Transfer – The New Era of Digitization
The concept of privacy as a social concept is rooted in some of the oldest texts and cultures. Privacy is referenced numerous times in the laws of classical Greece and in the Bible. The concept of freedom from being watched has historically been recognized by Jewish law. Privacy is similarly recognized in the Holy Quran and in the sayings of Prophet Mohammed, where there is discussion of the privacy of prayer as well as the avoidance of spying or talking ill of someone behind their back. The Hindu Holy Ramayan describes the defeat of Ravana as a consequence of a breach of data privacy. Historically, data privacy rights and breaches of privacy have had far-reaching consequences.
Bangladesh got its wake-up call after the heist at Bangladesh Bank in 2016. The government promulgated a cyber security act titled ‘Digital Security Act 2018’. Taking cognizance of the new reality that is leading to the adoption of data security laws globally and in the region, the Government of Bangladesh, through the Information and Communication Division, has initiated the process of drafting a Data Protection Law. The proposed law is a homegrown law, designed to meet the challenges facing the country in general and its citizens in particular. Today, in the era of digitization, data is fueling an increasing number of businesses. Personalized customer experiences, automated marketing messaging, and science-driven insights all depend on the quality and volume of data. Global corporations, governments, and state and non-state actors are all eager to gather data. Governments, on the other hand, are keen to protect the privacy and safety of individuals in their country. More and more countries are adopting data protection legislation, and Bangladesh is also in the process of bringing in legislation to protect its vital data.
The drafting team has meticulously studied the data protection legislation of other countries, especially the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), the two most widely regarded pieces of data protection legislation on data privacy in recent times. Both the CCPA and the GDPR are explicit in their aim to protect data privacy by keeping data originating in their domain within the reach of their own judiciary. Both laws do this partly by requiring businesses to be transparent in how they process personal information, and partly by granting individuals new rights over their personal information.
‘Person’ and ‘personal data’ are defined in different forms by different countries. The EU defines ‘personal data’ as any or all data that relates to an identified or identifiable individual. In the United States of America, ‘personally identifiable information’ (PII) is the term generally used to define the information covered by privacy laws. In Canada, ‘personal information’ is defined as information about an identifiable individual, but does not include certain business contact information. In Japan, ‘personal information’ means information that relates to living individuals and that can identify specific individuals by name, date of birth, or other description.
Data privacy also concerns the information that helps a company operate. This could involve things like proprietary research, development data, or financial information. The proposed data protection legislation of Bangladesh similarly empowers the data subject. It also provides for the security of such data by defining ‘person’ broadly, so that the term covers juridical persons as well as individuals:
‘“person” means an individual, and includes any juridical person, company, firm, association, corporation, a body of individual or group of persons, whether incorporated or not;’
As part of their normal activities, organizations may also collect and generate information that by its nature would not be considered personal information, but is nevertheless a key part of the organization’s information assets. Examples of such information include financial data, operational data, intellectual property, and information about the organization’s products and services. Though not personal information, such information needs to be protected and secured to ensure its confidentiality. The proposed definition of ‘person’ is holistic in nature, so as to protect such data in Bangladesh.
When the data elements used to identify the individual are removed, the remaining data becomes non-personal information, and privacy and data protection laws generally do not apply. Such data is generally termed ‘de-identified’ or ‘anonymized’ information. Anonymized data may also have pitfalls if not properly screened. A well-known example is a data set of search queries released by AOL after all identifiers had been removed, which nonetheless resulted in the identification of an individual within days of the data set’s release. The proposed definition in the DPA 2022 has been carefully drafted, after studying other similar laws, to make it inclusive.
The proposed definition eliminates the confusion found where the definitions of some other countries are under-inclusive, with other data and anonymized data totally excluded. The proposed draft law is based on data protection principles, to ensure that any person who collects, processes, holds or uses data shall comply with the following principles of data protection and the provisions of this Act and the rules made thereunder:
(a) Consent and accountability: be accountable to the data subject for the data collected or processed, other than sensitive data, of a data subject with his consent to the processing of the data and, in the case of sensitive data, processing of such data shall be made in accordance with the provisions of this Act and rules made thereunder;
(b) Fair and reasonable: collect and process such data in a fair and reasonable manner that respects the provisions of this Act and the rules made thereunder;
(c) Integrity: collect, process, hold or use adequate, relevant and not excessive or unnecessary data and take reasonable steps to ensure that the data is accurate, complete, not misleading and kept up to date by having regard to the purpose;
(d) Retention: retain data for the period authorized by this Act and rules made thereunder and for which data is required to ensure that all data is destroyed permanently if it is no longer required for the purpose for which it was to be processed;
(e) Access to data and data quality: ensure quality of information collected, processed, held or used and a data subject shall be given access to his data held and be able to correct that data where the data is inaccurate, incomplete, misleading or not up to date;
(f) Disclosure: ensure transparency and participation of the data subject in the collection, processing, holding or use of data, and subject to the provisions of this Act, no data shall, without the consent of the data subject, be disclosed for any purpose other than the purpose of disclosure as mentioned at the time of collection of the data;
(g) Security: observe security safeguards in respect of data and when processing data, take proper steps to protect the data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
The legislation distinctly categorizes data as (1) open data, (2) user generated data and (3) sensitive data. Open data are data declared open for use by entrepreneurs, journalists, researchers etc. without any further permission. ‘User created or generated data’ means private data of a data subject (for example text, messages, images, videos, audio, reviews, email or any other private documents or similar other subject matter) which are created or generated by an individual or a group of individuals for limited use or sharing and not intended for public use. Sensitive data are data which may be used against a data subject to malign or victimize them socially. Sensitive data comprises:
(1) commercial or financial data;
(2) health data, both physical or mental, including medical records or information as to the health of an individual;
(6) sexual orientation;
(7) biometric data;
(8) genetic data;
(9) the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings;
(10) caste or tribe;
(11) religious, racial, ethnic, philosophical belief;
(12) political opinions;
(13) any other data as may be prescribed.
Keeping private data and sensitive information safe is paramount. If items like financial data, healthcare information, and other personal consumer or user data get into the wrong hands, it can create a dangerous situation. A lack of access control over personal information can put individuals at risk of fraud and identity theft. Additionally, a data breach at the government level may put the security of the entire country at risk, and a breach within any company, organization or enterprise could make personal or proprietary data accessible to a competitor. This is where data protection laws come into play.
As an increasingly large portion of our lives and activities occurs online, cybersecurity is an ever-growing concern.
The proposed legislation contains a section on the storage of sensitive data, user created or generated data and classified data. The section explicitly states that sensitive data, user created or generated data and classified data shall be stored in Bangladesh, and shall remain beyond the jurisdiction of any court or law enforcement agency other than those of Bangladesh. This is of pertinent importance in allowing the State to protect the local data of its citizens. In several cases, foreign entities have expressed reluctance to comply with orders of Bangladeshi courts or directions of the Government of Bangladesh to comply with local laws. A common plea in such cases is that only the local arm of the multinational is answerable to the concerned jurisdiction. The primary method of enforcing jurisdictional claims against foreign entities remains the cumbersome process of legal action and Mutual Legal Assistance Treaties, where applicable. The issue has become even more serious with the rise of social media such as Facebook, Twitter etc. Countries have adopted different methods to deal with the issue: a Brazilian court in 2013 ordered that all Facebook IP domains be blocked for failure to comply with an order to remove offending content, on the ground that removal was the responsibility of entities incorporated in other jurisdictions. The EU GDPR has taken a different approach, enforcing fines based on global turnover. The GDPR, a data protection and information privacy law in the European Union (EU) and the European Economic Area (EEA), regulates the processing of personal data of individuals (formally referred to as data subjects in the GDPR) located in the EEA. The GDPR applies to all enterprises, regardless of the location and size of the company or the citizenship and residence of the consumer. Noncompliance with the GDPR could result in heavy fines of up to €20 million or 4% of total annual turnover, whichever is greater.
The proposed DPA 2022 recognizes data transfer for business, trade and commerce, innovation etc., and has kept a provision under which the Government may, from time to time, by general or special order, declare any specified classified data eligible for transfer to a place or system outside Bangladesh, if so authorized by the Government. The proposed legislation by the Government of Bangladesh has placed the interests of its citizens at the forefront, ensuring protection of data subject privacy by stating that a data collector, data processor or data controller shall not collect, hold or process data in a manner which infringes the right of privacy of a data subject. The proposed law has ensured the Bangladeshi courts’ jurisdiction over local data. Globally, data protection acts have adopted common definitions from the EU for data subject, data controller, data processor etc. The proposed Data Protection Act 2022 has taken the same definitions to ensure cross-border application of the law.