Image via Pexels by Mati Mango. Used under a Pexels Licence.

The government of Bangladesh is working on a draft data protection law, known as the DPA, which will be the first legislation in the country that is focused on data privacy and protection. Analysts have pointed out that the draft contains loopholes, including the indemnification of government agencies, which could allow the government to use the prospective law to suppress the rights of citizens and government critics in a way similar to how the existing controversial Digital Security Act (DSA) of 2018 has been used.

A draft of the law was publicly available on the website of the Digital Security Agency earlier in 2021, but does not appear to be available at the time of writing. It broadly defines the rights and obligations of data subjects, data controllers and data processors, and describes data sourcing and archiving methods, including provisions for data audits and notifications in case of a data breach.

Until the DPA appeared, the main piece of legislation pertaining to online activities was the Digital Security Act (DSA), which has been widely critiqued by human rights organisations as a tool to suppress freedom of expression of citizens. The DSA has justified the arrest of over 400 people since its introduction in September 2018, including journalists, activists and citizens posting on social media.

Strategic advisory firm BGA Asia states that the Data Protection Act may enter into force before the December 2023 general elections. However, the draft law is yet to be finalised.

The government's motivations for the law are unclear. While data protection acts typically aim to protect citizens’ privacy rights, many of the proposals under this draft law would actually increase the government’s access to personal data, and, in theory, also increase their surveillance capabilities. Though there are some similarities with the European Union’s landmark General Data Protection Regulation (GDPR), a key difference is that certain state agencies are reportedly spared from complying with the law, and employees of the Digital Security Agency and the Data Protection Office will be exempt from prosecution. These exemptions remove accountability and lay the groundwork for the government to weaponise the law against critics.

Another major difference between the proposed DPA and the GDPR is the push for data localisation, or data sovereignty, as the draft law states that the personal data of Bangladeshi citizens must stay in the country. Specifically, the draft says that “every data controller should store at least one serving copy of data within the geographic boundary of Bangladesh.” Under this provision, the government of Bangladesh could potentially exert investigatory jurisdiction to gain access to more data than ever before. As Human Rights Watch describes, under the 2006 amendment to the Telecommunications Act, the government of Bangladesh can give any security officer the authority “to bar, record or to collect the information” that is “sent by any client using the service of any telecommunication” for the purposes of national security and public order — which is already a very broad mandate. This, combined with the Digital Security Act, and the exceptions noted above, create a far-reaching, privacy-invasive surveillance apparatus that is deeply worrying for the privacy rights of Bangladeshi citizens.

People protesting the death of Mushtaq Ahmed in judicial custody on February 25, 2021. He was arrested under the Digital Security Act (DSA). Screenshot from YouTube video by Nagorik News.

This law would also have significant consequences for international companies and organisations with operations inside Bangladesh, who might otherwise use servers located in other countries to host their data, and who would have to change large parts of their infrastructure to ensure that data of Bangladeshi citizens remain inside the country. Operationally, for international social media companies operating in Bangladesh, implementing such a law would be extremely difficult. But the draft DPA also reportedly applies to all businesses “irrespective of size or turnover,” which presumably would be close to impossible for all small entities to abide by without prohibitively large costs — meaning that all businesses or data controllers would be negatively affected, regardless of size.

Transparency International Bangladesh called on the government to conduct a stakeholder consultation, and make the draft law widely available again for public viewing, noting that stakeholders’ fears before the enactment of the Digital Security Act 2018 had been proven right. Bangladeshi citizens writing on social media expressed concerns about how the DSA had already gagged free speech, and worried that this new law would put social media users even more at risk.

Md Saimum Reza Talukder, who teaches cyberlaw at Brac University, notes that the data localisation proposition would also likely decrease the security of citizens’ data, given how few data centres there are in Bangladesh. He also pointed out that the privacy journalistic sources and human rights defenders would be particularly at risk under these provisions.

News of the law also comes amid reports that the ruling Awami League has started training “tens of thousands of cadres to wage a propaganda war on social media in preparation for the next general election.” Within the context of how the Digital Security Act 2018 has been used to censor and crackdown on government critics, the proposal of an online army focused on monitoring social media is deeply concerning.

The combination of the DSA, reports of the “online propaganda army.” and this data protection draft act suggests that the Awami League is turning its attention to the digital realm ahead of the 2023 elections, seeking to increase their surveillance capacities and control of data and technology in Bangladesh.