It has emerged from the print and electronic media that the government of Bangladesh has recently prepared a bill on the issue of personal data protection. Some very relevant questions regarding the bill are presented below.
Section 2 of the bill includes definitions of several key terms, including data, anonymized data, personal data, data subject, controller, processor, processing, etc., but many of the definitions are neither complete nor exhaustive. For example, in the proposed bill, anonymized data refers to “any data that has undergone the anonymization process”, but there is no explanation for the anonymization process. Again, there should have been clues to personal data that can be used to identify a person. Generally speaking, personal data means and includes certain identifying indicators, such as name, identification number, location data, or any specific physical, physiological, genetic or mental condition, etc. The definition of personal data as provided in said bill does not include any of these identifying indicators, which makes the definition clause problematic.
Additionally, the bill did not define many other important terms commonly used in data protection laws including, but not limited to – international transfer / cross-border processing, profiling, pseudonymization, consent, data breach, health data, biometric data, establishment, etc.
As data processing activities become more and more complex in the digital age, there must be entities in place to act as watchdogs for the protection of the rights of individuals. As a result, most international, regional and national data protection frameworks, in particular Council of Europe Convention 108 of 1981, the General Data Protection Regulation (GDPR), and 90% of countries with data protection laws have chosen to establish an independent supervisory authority.
By contrast, under Article 28, the bill includes provisions for the creation of a Data Protection Office (DPO) under the direct control and administration of the Digital Security Agency incorporated under the Digital Security Act of 2018 (DSA). The DPO will be equipped with officers and other employees as needed and headed by the Director General of the Digital Security Agency established by Article 5 of the DSA. Experts in the field are of the opinion that the DPO under the proposed bill should be independent from the Digital Security Agency. It should be borne in mind that privacy is not an option but one of the most precious rights for the growth of democracy in the digital age.
Under section 43 of the bill, there are provisions for the transfer of personal data outside of Bangladesh, subject to government notification published in the Official Gazette. It will be a long process. Cross-border data transfer can be made simpler by incorporating specific provisions such as transfers subject to appropriate safeguards, binding corporate rules, waivers / exemptions or international cooperation mechanisms. Although Article 43 (3) specifies seven circumstances of cross-border data transfer without government intervention such as consent, performance of a contract, vital interests of the data subject, public interest, etc., these provisions lack at least two other important provisions such as transfers subject to appropriate safeguards and international cooperation for the protection of personal data.
Data breach notification is being incorporated as one of the most comprehensive provisions in modern data protection instruments. Under Article 29 of the Personal Data Protection Bill, the controller will share the data breach with the CEO and the processor will notify the controller without undue delay. But there is no specific deadline for notice of data breach, and ultimately, said provision could hardly protect irreparable data loss of individuals. In addition, there is no obligation to notify the victim concerned. In this case, the controller and all other responsible persons must notify the data breach without undue delay, but at the latest within 72 hours. In addition, if the data breach appears likely to result in a high risk to the rights and freedoms of individuals, the controller should inform the data subjects without further delay.
The combined reading of Articles 60 and 65 of the Bill reveals that no legal action can be brought against the Director General, the authorized agent, or an employee of the DPO in respect of any act or omission committed or omitted by one of them in good faith in such a capacity. Likewise, under article 57 of the said bill, a company as well as other responsible persons may be exempted from being punished for the commission of an offense provided for in the bill if they can prove that the offense was committed without their knowledge or that they exercised all due diligence to prevent the commission of such an offense. Let us not forget that too many general exemption powers as evidenced by the bill will certainly destroy its objectives while rendering the law meaningless.
It is good to see that under Article 46 the draft data protection law incorporates the provisions of compensation of the victim by the controller, processor or data collector for their non-compliance with the provision of this law. There is no provision for the filing of a civil dispute nor any administrative fine fixed under the bill. In the absence of specific provisions on civil litigation, fixed administrative fines, etc., the bill risks turning into an impotent tool. Given the deep importance of privacy, the data protection laws of many countries such as Singapore, Switzerland, United States, United Arab Emirates, Portugal, South Africa, Malta, Macao, Chile, Lesotho, Cape Verde, Bahrain and Uzbekistan have incorporated provisions for the filing of civil suits against data breach incidents.
Last but not least, an effective data protection law does not intend to stop the processing of personal data but rather allows processing within legal limits. A carefully designed data protection regime favors businesses, facilitates cross-border data transfers, encourages research and innovation, pays due attention to public interests and protects the privacy rights of individuals. Therefore, the main objective of an effective data protection regime is to strike a balance between the competing interests of all stakeholders, namely the state, businesses and data subjects. While the primary duty to ensure confidentiality rests with the government, all relevant stakeholders such as civil society, the legal community, judiciary and other legal institutions, national human rights institutions, government departments and agencies, legislative bodies, the industrial and technological community, and the media should have some roles in making a new law useful.
THE AUTHOR IS A DOCTORATE CANDIDATE IN PRIVACY AND DATA PROTECTION LAW AT THE UNIVERSITY OF MALAYSIA FACULTY OF LAW, MALAYSIA.