Digital Identity , Governance & Risk Management , Privacy

Bangladesh to Propose a Privacy Law

Experts Offer Suggestions for Major Provisions
Bangladesh to Propose a Privacy Law

The government of Bangladesh is working with privacy experts to draft a data privacy law. The move comes as the nation continues its “Digital Bangladesh” campaign designed to improve delivery of all government services.

See Also: 2020 User Risk Report

“The Digital Bangladesh campaign has received a big push from the government. Each and every sector in the country has been impacted by this digital push,” says Mohammed Mahbubul Alam Rafel, head of information security at Prime Bank in Bangladesh. “While we have already stepped up the information security regime, there is now a need to give importance to data privacy as well. We hope to see a privacy law in the country soon with the right recommendations for organizations.”

Rafel recommends that the new privacy law specify:

  • Standards for data anonymization;
  • Additional information that must be included in privacy notices;
  • How personal data needs to be deleted when it’s no longer required;
  • “Reasonable purposes” for processing personal data without consent.

The nation’s privacy law must fit the local culture, Rafel stresses.

“Our privacy law cannot be a complete copy of the European Union’s General Data Protection Regulation,” he says. “There are many learnings from GDPR and we must ensure we do not repeat the mistakes that happened during GDPR implementation.”

Some GDPR critics argue that complying with the law is proving to be an economic burden for smaller companies (see: German Court Slashes a GDPR Privacy Fine by 90%)

The State of Privacy

Bangladesh lacks a privacy law, relying instead on provisions within a number of laws.

“Although our constitution does not expressly contain the ‘right to privacy,’ the courts have interpreted the right into the law,” says Pradeepta Sarkar, barrister and cyber law expert. “The relevant sections in our constitution would be Article 32, which talks about protection of right to life and personal liberty, Article 39, which touches upon freedom of thought and conscience and of speech, and Article 43(b) which states that every citizen shall have the right to the privacy of his correspondence and other means of communication.”

In December 2020, the government passed the Digital Security Rules, which call for organizations to establish help desks to help them comply with the Digital Security Act 2018, whose provisions deal with the misuse of personal data. Employees can register privacy-related complaints and raise security issues by contacting these help desks.

“Simply put, the few sections in the Digital Security Act 2018 are not enough to properly regulate a fundamental right as data privacy,” Sarkar says. “Hence, there is a need for new legislation.”

Sarkar suggests Bangladesh must draft a privacy law that’s written to avoid a negative impact on the economy. For example, he suggests the strictest privacy obligations should be imposed only on the largest data controllers and processors, such as major banks, hospitals and telecommunication companies.

Requirements in GDPR, such as the mandates for data protection officers, data protection impact assessments and audits, breach notifications and record keeping “can be particularly difficult or costly to implement for many small companies in Bangladesh,” he says.

Sarkar says the new privacy law should allow smaller data controllers to employ data protection officers with less expertise to focus on basic accountability duties, such as keeping record inventory, reporting to the authorities regularly and assisting complainants.

“Furthermore, efforts need to be made to ensure that we have enough data controllers in the country which will require skill development,” Sarkar says.

With many organizations in Bangladesh prioritizing cloud strategy, Rafel suggests that privacy laws must clarify on how to secure data on the cloud while ensuring privacy. “Organizations must know and have information on location of data. Also, the committee must make provisions to ensure people have the option to request erasure of data,” remarks Rafel.

Rafel suggests the new law should:

  • Clearly define of data processing and data consent;
  • Give consumers the right to access collected data from private entities as well as government agencies;
  • Focus on the need to adopt privacy protection measures;
  • Restrict how cookies are used;
  • Restrict international data transfers to only those jurisdictions that have similar privacy protections.

“India can be a source of guidance,” Sarkar suggests.

The proposed Indian Personal Data Protection Bill gives flexibility to smaller organizations, who do not have the bandwidth to employ data protection officers, to take the services of data auditors appointed by the government. “This way the government ensures that even the smaller organizations are part of the privacy journey. We can adopt similar provisions for our country as well,” says Sarkar.

About the Author

Suparna Goswami

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.