
A Comprehensive Guide to Bangladesh's Draft Data Protection Act 2023

An overview of Bangladesh's draft Data Protection Act 2023: comparisons with developed countries

Introduction

The draft Data Protection Act of 2023 represents a pivotal milestone in the legal landscape governing the handling of personal data in Bangladesh. Drafted to address the challenges posed by rapid technological advancement and increasing digitalization, the legislation aims to safeguard the privacy and rights of individuals in an era of data-driven innovation. By imposing stringent rules on the collection, storage, processing, and sharing of personal information, the Act would establish a comprehensive framework requiring organizations to adhere to ethical standards and to ensure transparency, accountability, and responsible data management. This overview covers the key provisions and implications of the draft Act and its significance in shaping the future of data protection and privacy rights in the country. The Ministry of Posts, Telecommunications and Information Technology recently released the Bill through its Information and Communication Technology Division. Oversight of how personal information is safeguarded and processed has long been needed, and this is the gap the Bill seeks to close. Should it become law, the Bill will apply to the collection, processing, use, retention, and distribution of an individual's data both inside and outside Bangladesh whenever the data pertains to a citizen of Bangladesh.

The Bill lays out ten data protection principles that everyone who collects, handles, stores, or uses data must follow. The principles stipulate that consent from the person or entity to whom the data relates must be obtained before any data is collected or processed. Furthermore, those in charge of collecting and analyzing the data must be held accountable for complying with Bangladeshi laws and rules on data handling. Data must be collected and handled fairly, sensibly, and with integrity, so that no extraneous or excess data is gathered from individuals. On retention, the Bill stipulates that data must be stored securely and kept for no longer than necessary.

Overview of the Draft Data Protection Act 2023

  1. Scope and Definitions: The act would likely define the scope of personal data covered by the legislation and provide definitions for key terms such as 'personal data,' 'data controller,' and 'data processor.'
  2. Data Protection Principles: It would establish principles for the fair and lawful processing of personal data, including transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
  3. Rights of Data Subjects: The act would outline the rights of individuals regarding their personal data, including the right to access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and the right to object to processing.
  4. Lawful Basis for Processing: It would specify the lawful bases for processing personal data, such as consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests pursued by the data controller or a third party.
  5. Special Categories of Data: The legislation would likely include provisions for the processing of special categories of personal data (sensitive data), such as health information, religious beliefs, racial or ethnic origin, political opinions, etc., imposing stricter requirements for their processing.
  6. Data Breach Notification: The act would mandate data controllers to report data breaches to the relevant supervisory authority and, in some cases, to affected individuals, within a specified timeframe.
  7. Data Protection Impact Assessments (DPIAs): It might require data controllers to conduct DPIAs for high-risk processing activities to assess and mitigate the risks to individuals’ rights and freedoms.
  8. Data Protection Officer (DPO): Larger organizations or those processing sensitive data may be required to appoint a Data Protection Officer to oversee compliance with the legislation.
  9. International Data Transfers: The act would address the transfer of personal data outside the jurisdiction to ensure that such transfers are subject to appropriate safeguards to protect individuals’ rights.
  10. Enforcement and Penalties: It would establish mechanisms for enforcement, including sanctions and penalties for non-compliance with the legislation, which may include fines, injunctions, or orders to cease processing.
  11. Supervisory Authority: The legislation would likely designate a supervisory authority responsible for monitoring and enforcing compliance with the data protection rules, handling complaints, and providing guidance to organizations.
  12. Exemptions and Derogations: There might be specific exemptions or derogations from certain provisions of the act for purposes such as national security, defense, public safety, or the prevention, investigation, detection, or prosecution of criminal offenses.

The Bill stipulates that, in addition to the principles above, the data subject must give free, explicit, and comprehensible consent, which may be revoked. The onus of demonstrating that the data subject's consent was obtained in compliance with legal requirements rests with the data controller. Consent would be obtained only after the data controller has delivered a written notification to the data subject. The Bill further states that the Government of Bangladesh will issue regulations setting out the procedure for obtaining such consent from the individuals concerned. The Bill also seeks to establish the right of the data subject, or of an authorized person, to access their data and receive the required documents. On payment of the legally prescribed fee, the data controller will be obliged to grant a data subject's request for access to their data, provided that the request is legitimate.

Furthermore, the data controller will always be required to follow all the guidelines in the Bill and any new standards, ensuring that all procedures are carried out correctly. The Bill is noteworthy in that it requires the data controller to be transparent about the data processing methods it uses. Data cannot be released for any purpose other than the one for which it was collected, and only with the consent of the data subject. The Bill also provides that the government may, through regulations, set criteria for safeguarding data against loss, misuse, alteration, unlawful access, unintentional modification, or deletion. The Bill is a significant step forward in recognizing how important it is to protect an individual's data in today's digitally driven world. Enactment, however, is only a first step: the effectiveness and impact of data protection law depend on the complementary regulations that implement it. To establish a coherent, strong, and efficient data protection regime that genuinely protects individual privacy and fosters trust in the digital age, it is imperative that those rules be formulated as productively as possible.


Comparisons with Developed Countries

When comparing the draft Data Protection Act 2023 to established frameworks, the key aspects to consider include scope, extraterritoriality, the rights of individuals, accountability, and enforcement. International data flows remain a major subject of interest, especially for the European Union. Organizations and data protection authorities are still working through the practical ramifications of the Schrems II ruling, and further developments are anticipated following the release of the draft adequacy decision for the EU-US Data Privacy Framework. EU data protection authorities are increasingly taking enforcement action over privacy notices, transparency, and the lawfulness of processing personal data, especially in the context of online behavioural advertising.

Outside the EU there are many new privacy regulations to keep up with, along with changes to the many existing ones. They include recently enacted laws (or amendments to existing laws), laws expected to take effect this year, and debates or proposals for upcoming reforms. There are specific developments to watch in Australia, Japan, Taiwan, Vietnam, India, Qatar, the UAE, Saudi Arabia, Turkey, Canada, Argentina, Switzerland, a number of US states, and the UK. Given the intrinsic connections between information-driven trade ecosystems, and the fact that over half of these are G20 economies, we anticipate that these changes will be significant.

United Kingdom

UK Data Protection Reform

With the DPDI Bill, the government hopes to lessen the perceived compliance burden on organizations by removing or substituting some requirements, most notably those related to record keeping. The proposed amendments include changes to records-of-processing obligations and to the requirements for data protection impact assessments, and the removal of the need to appoint a UK representative under Article 27 of the UK GDPR. These changes affect organizations outside the UK that are directly subject to the UK GDPR because they offer goods or services to data subjects in the UK or monitor data subjects' behaviour there.
The plans represent a gradual move away from what the UK Government views as needless administrative burdens and perceived "box ticking" exercises in some areas, rather than a complete replacement of the UK GDPR.
There are also plans to broaden the list of situations in which cookies are deemed "strictly necessary," so that more cookies could be placed without consent.

International Data Transfers

UK Addendum and IDTA

Since September 21, 2022, the UK Addendum to the EU Standard Contractual Clauses or the International Data Transfer Agreement ("IDTA") must be used for new contracts that involve the transfer of personal data to jurisdictions not deemed adequate under the UK GDPR.
Agreements made before September 21, 2022 on the basis of the earlier EU Standard Contractual Clauses approved under the Data Protection Directive ("Directive SCCs") remain valid under the UK GDPR until March 21, 2024, provided that the processing activities and the subject matter of the agreement remain unchanged. Relying on those Directive SCCs ensures that personal data is transferred with the necessary safeguards in place.

Children's Personal Data

Since September 2, 2021, organizations have had to comply with the ICO's Age-Appropriate Design Code. The Code applies to online services that are "likely" to be accessed or used by anyone under the age of eighteen.
The processing of children's personal data remains an area of emphasis for the ICO, as stated in ICO25. The ICO has been proactive in contacting organizations in certain sectors to learn what compliance measures they have in place to meet the standards of the Code, and this strategy is unlikely to change. In September 2022, for instance, the ICO announced that it was conducting ongoing investigations and examining a number of online businesses to determine whether they comply with the Code.

Canada

In Canada, private-sector, public-sector, and health information custodian institutions are all subject to privacy laws passed at the federal, provincial, and territorial levels. Notable legislative and policy actions in 2022 modernized and reformed private-sector privacy law at the federal level and in Quebec, and these developments will continue into 2023.

Artificial Intelligence and Data Act (AIDA): At the moment, Canada has no laws specific to AI. Should AIDA be approved, entities involved in the design, development, and deployment of AI systems would have to identify, assess, mitigate, and monitor the risks of harm and bias associated with high-impact AI systems. AIDA also creates new criminal offences: using illegally obtained data for AI development, recklessly deploying AI systems in a way that causes serious harm, and using AI systems with fraudulent intent to cause substantial economic loss.

Personal Information and Data Protection Tribunal Act: Should this proposed legislation be approved, it would create the Personal Information and Data Protection Tribunal, a new regulatory body that would help enforce the Consumer Privacy Protection Act. In addition to imposing administrative monetary penalties, this new body would have jurisdiction to review rulings of the Office of the Privacy Commissioner of Canada (OPC) at the request of individuals or organizations.

Bill C-27 will continue to be reviewed by lawmakers in the coming year. If the legislation is passed, the OPC will play a major role in developing and implementing transitional measures for the new privacy rules, and may also consider developing enforcement procedures and regulatory instruments for them. In light of the new regime, private-sector companies will need to evaluate, update, and adapt their privacy practices and policies.

Colombia

The Superintendence of Industry and Commerce (SIC), also known as the Colombian DPA, was very active in 2020 and 2021, issuing orders and opening investigations, especially against digital service firms whose operations grew sharply during the Covid-19 pandemic. Although the SIC's activity in 2022 was less intense, possibly because of leadership changes in the agency's data protection team, there were still several noteworthy developments in Colombia.

Decree 2555 of 2022, which governs Colombia's acceptance of Binding Corporate Rules, was issued in February 2022 by the country's Ministry of Commerce, Industry, and Tourism.
In 2022 the SIC also sanctioned the largest Latin American marketplace for disclosing customer information. In one instance, an employee of the business sent a promotional email to multiple customers that disclosed each recipient's full name, surname, and email address. Unauthorized third parties then exploited this information to send unsolicited messages to those people.

A major financial services company was also sanctioned by the SIC. According to the authority, the company routinely ignored complaints from the public about how their personal financial information was used. The agency's ruling came with a broad warning to financial services organizations that handle personal data, urging them to take precautions so that similar problems do not recur. The SIC also opened an investigation into the largest aerospace business in Colombia after reaching a preliminary finding that the carrier had collected personal information through its applications using methods the SIC considered unlawful. Digital service providers remain a focus of the SIC: in one case the agency issued an order against a technology company not based in Colombia because cookies were being used to collect data from Colombian users. The company has since contested the ruling.

Italy

The Italian Cybersecurity Agency and the Italian DPA, known as the "Garante," signed a memorandum of cooperation in 2022. Its aims were to facilitate interaction between the two authorities, to share information about data breaches and cybersecurity incidents, and to promote good cybersecurity practices in the public and private sectors, drawing on partnerships with academic institutions and researchers.
The Garante conducted a survey of young people's views on privacy. The results showed that nearly two out of every three respondents had signed up for social networks despite knowing they were not old enough to do so, and that nearly the same proportion had accepted terms of use for online services and apps without first reading the applicable privacy policy.

In December 2022 the Garante launched an awareness campaign, "Christmas in privacy," including a privacy-safe list of Christmas gift ideas, with the goal of educating people about good practices and principles for protecting privacy in daily life.

The Garante has reaffirmed that enforcement against marketing and profiling operations is its primary focus. The main concerns it has noted are the lack of clarity in privacy notices, the absence of consent as the legal basis for such activities, and disregard for the accountability principle. The Garante has also addressed the management of customer databases, the use of marketing lists obtained from vendors, and the need for proper due diligence on the legality of those lists. The HR sector and COVID-19-related projects also attract the Garante's attention; examples include the conditions and guarantees required for investigations of employees' corporate email accounts, and the circumstances under which biometric data such as fingerprints may be used in an employment setting.

The banking sector (particularly the lawful sharing of bank customers' data with third parties) and the health sector have also come under close scrutiny, as has the online and digital environment in general. The Garante recently endorsed a step-by-step consent approach in clinical studies in specific situations, and over the past year it has been investigating data breaches. In the area of consumer legislation, the Garante has also weighed in, praising the new framework for safeguarding consumer rights and highlighting its intricate relationship with the GDPR. On data monetization, the Garante's view is that, to protect citizens' fundamental right to their personal data, the "commoditization" of that data should be carefully examined and governed by regulation. The Garante has suggested closer cooperation with the consumer authority: for instance, the Garante has been asked to provide guidelines and standards for the processing of data under particular circumstances, and there is a mechanism that would allow one authority to intervene in the other's proceedings.

Japan

On April 1, 2022, the Amended Act on the Protection of Personal Information ("APPI 2022") came into force. The amendments brought important changes affecting companies' commercial operations and privacy policies. Among the major changes in the APPI 2022 are:

stronger legal penalties; expanded rights for data subjects; mandatory data breach reporting; a new definition of "pseudonymized information"; new limits on transferring data to third parties (the concept of "personally referable information"); and stricter restrictions on international data transfers.

Before the APPI 2022 took effect last year, the only obligation under Japanese privacy law was to make an effort to notify data subjects in the event of a data breach. Under the APPI 2022, a business must notify the Japanese DPA and the affected data subjects of certain data breaches ("Notifiable Data Breaches"), unless advanced encryption or other measures required to protect the rights and interests of the data subject have been applied in compliance with the APPI 2022 and the applicable regulations. The APPI 2022 and applicable regulations define Notifiable Data Breaches as: breaches of personal data involving sensitive information (such as the loss of a USB memory stick containing patient medical records); breaches that could cause financial harm if the data were misused (such as the disclosure of credit card information from an EU website); breaches carried out for improper purposes (such as the unauthorized disclosure of customer information by an employee, or unauthorized network access resulting in ransomware encryption); and breaches involving the personal information of more than 1,000 data subjects.

United States

The Virginia Consumer Data Protection Act (VCDPA) and the California Privacy Rights Act (CPRA), both of which take effect on January 1, 2023, are likely to bring significant changes to the US privacy landscape in 2023. The Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) take effect on July 1, 2023, and the Utah Consumer Privacy Act (UCPA) on December 31, 2023. The most comprehensive of the new laws is the CPRA, which amends and expands the California Consumer Privacy Act (CCPA) to cover business-to-business (B2B) and human resources (HR) data.

In addition, state legislatures are showing interest in enacting biometric privacy legislation similar to Illinois' Biometric Information Privacy Act. Meanwhile, the American Data Privacy and Protection Act of 2022 reignited interest in a federal privacy law.

US-EU data flows are also in focus. On December 13, 2022, the European Commission (EC) published a draft decision on the EU-US Data Privacy Framework (DPF), which addresses whether US data protection law is adequate to safeguard the personal information of EU citizens. We anticipate that the DPF will be finalized in 2023 and that US businesses will move quickly to certify under it. The Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) are two federal regulators that have tightened their scrutiny of the collection and handling of certain sensitive data. In August 2022, for instance, the FTC's enforcement case against Kochava focused on the collection, sharing, and sale of sensitive data, including geolocation data, by mobile applications. OCR, the agency responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), has issued guidance on the use of tracking technologies on websites and mobile applications that are covered by HIPAA and collect protected health information (PHI).

Conclusion

The draft Data Protection Act of 2023 marks a significant milestone in Bangladesh's regulatory landscape, aiming to safeguard individual privacy rights and regulate the handling of personal data in an increasingly digitized world. Comparing it with data protection regulations in developed countries reveals both areas of alignment and divergence. In terms of alignment, the Act shares common objectives with established frameworks such as the GDPR in the European Union and the CCPA in the United States, including the principles of transparency and accountability and individual rights of access, rectification, and erasure. By adopting similar principles, the Act demonstrates a commitment to international standards of data protection, fostering trust and interoperability in global data flows.

However, there are also notable differences that reflect the unique socio-cultural and economic contexts of the jurisdiction. For instance, the Act may include provisions tailored to address specific challenges or priorities within the country, such as the protection of sensitive personal information or the regulation of emerging technologies like artificial intelligence and biometrics. Moreover, enforcement mechanisms and penalties may vary, influenced by factors such as legal tradition, institutional capacity, and political considerations. In conclusion, the Data Protection Act of 2023 represents a crucial step towards enhancing data privacy and security within the jurisdiction. While drawing inspiration from global best practices, its distinct features reflect the nuanced needs and aspirations of the society it serves. As technology continues to evolve and data-driven practices proliferate, ongoing review and adaptation will be essential to ensure that the Act remains effective and responsive to emerging challenges. Ultimately, by striking a balance between innovation and protection, the Act seeks to foster a digital ecosystem that promotes trust, innovation, and respect for individual rights.
