Recently Pathao, a homegrown ride-sharing platform from Bangladesh, has come under a lot of flak and scrutiny over allegations of unauthorized access to users' SMS messages and contact lists. This incident has also started an important discussion about the protection of personal data in Bangladesh.
The 21st century has been described by many as the age of information. In today's digital information environment, personal data plays the most important role. With personal data, companies and entrepreneurs can target their customers easily and market their products accordingly. The modern era of information and technology has turned our personal data into a valuable commodity. More often than not, in order to get hold of this information, businesses around the world infringe our privacy by accessing our personal information without any informed authorization.
The main reason behind this is the lack of legal protection for our personal data. The evolution of the legal regime protecting our privacy has failed to keep up with the ever-changing technologies. As a result, a lot of confusion has arisen over the past few years, and many opportunists have taken advantage of this confusion by stealing and selling our personal data without our knowledge, leaving us unaware that our identity has been stolen.
Until recently there was no legal protection available in Bangladesh for any infringement of personal data. Bangladesh recently passed the Digital Security Act 2018 (the 'Act'), which was enacted to ensure National Digital Security and to enact laws regarding Digital Crime Identification, Prevention, Suppression, Trial and other related matters. This Act also contains provisions for the protection of Identity Information. For the purpose of this Act, Identity Information has been defined as "any external, biological or physical information or any other information which singly or jointly can identify a person or a system, his/her name, address, Date of birth, mother's name, father's name, signature, National identity, birth and death registration number, finger print, passport number, bank account number, driver's license, E-TIN number, Electronic or digital signature, username, Credit or debit card number, voice print, retina image, iris image, DNA profile, Security related questions or any other identification which due to the excellence of technology is easily available."
Section 26 of the Act defines offences relating to the collection and use of identity information. Under section 26(1), any unauthorized dealing with anyone's identity information, i.e. collecting, selling, taking possession of, supplying or using it, is an offence. For any offence relating to identity information, the Act prescribes imprisonment for a term not exceeding 5 (five) years, or a fine not exceeding 5 (five) lacs taka, or both; for a repeat offence, the punishment can be increased to 7 (seven) years of imprisonment, or a fine not exceeding 10 (ten) lacs taka, or both.
In Europe, however, a new era of personal data protection has begun with the enforcement of the General Data Protection Regulation (GDPR) by the European Union (EU), which came into force on 25 May 2018. It is by far the most advanced and relevant legislation in this regard. It was adopted by both the European Parliament and the European Council in April 2016 after four years of negotiations.
GDPR has brought sweeping changes to the field of data protection by harmonizing data privacy laws across Europe. It comprises 99 Articles giving greater protection and rights to individuals in the EU. It regulates the processing of the personal data of individuals in the EU by any individual, company or organisation. According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address." So a person from any part of the world who deals with even one citizen of an EU member state comes under the purview of GDPR.
Under the new rules, a consumer or user must give informed consent to the use of their data. This consent cannot be a blanket one; users have to actively "opt in" to give the required permission. The terms and conditions of the consent, and information about how the harvested data will be used and for what purpose, must be presented in a clear and concise way, using language that is easy to understand. The request must be distinguishable from other general terms and conditions and must also include the contact details of the company processing the data.
The new rules also provide EU citizens with a set of rights, including the right to access and the right to erasure of personal information. The right to access means that EU citizens will be able to obtain every kind of information regarding any personal data held about them. They will be able to ask the controllers of their data to disclose what data they hold about them. They will also have access to information about how such data is used and about any third party that has access to it. Users will have the right to request a portable copy of the data collected, and such a request must be fulfilled within a month. This service must be provided free of charge.
Users can also ask controllers to erase their personal data entirely under certain circumstances. For example, any data provided during childhood will be deleted if requested. The same goes for any data that is incorrect or was accessed illegally. This right is often referred to as the 'right to be forgotten'. It was first confirmed by the European Court of Justice in the case of Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, C-131/12 (WP 225). However, like most rights, this one is not absolute and is subject to restrictions when it conflicts with other rights, such as freedom of expression and scientific research. This right also extends to the correction of any incorrect data that the controller holds about the user.
Under GDPR, companies that control personal data are obliged to notify users of any breach of their privacy by a third party. If a company loses control of customer data or is hacked, it must notify users of the breach within 72 hours.
GDPR also puts in place a strong enforcement mechanism, with one GDPR supervisory authority in every EU country. Companies whose activities are centred on the processing of personal data are also required to appoint a data protection officer (DPO). Companies that violate the rules set out in GDPR face hefty fines. The maximum fine for a GDPR violation is 20 million euros or 4 percent of a company's annual global revenue from the previous year, whichever is higher.
By inserting provisions for personal data protection, although of limited scope, our country has finally taken a step in the right direction. Nonetheless, with growing digital dependency and most commercial services moving online, the present protection is not enough and is destined for failure. First of all, personal data protection is an enormous area, which is impossible to cover in a single section of a statute. There are many important aspects of personal data protection, such as defining and identifying the jurisdiction for processing personal data, the obligation of businesses to provide security, setting up a separate regulatory body to enforce data protection law and guidelines, the different kinds of offences and penalties, guidelines for businesses that store personal data, the right to access, the right to be forgotten, and so on. So, like most countries around the world, we should consider enacting, as soon as possible, a separate law dedicated to personal data protection. Our neighbour India has also recently prepared draft legislation on data protection, titled the Personal Data Protection Bill, 2018. Furthermore, section 26 of the Digital Security Act 2018 seems misplaced. A careful reading of section 26 shows that it does not require the use of a digital device to commit the offence under this section, which is contradictory and confusing within the scheme of the Act.
In today's world of information and technology, almost every aspect of our lives revolves around data. Most of the services that we receive or provide involve some form of collection and analysis of data. It is high time we realised the effect of the enormous amount of unprotected personal data on the internet. With the passing of GDPR, the European Union has gone head and shoulders above the rest and entered a new era of data privacy regulation. Slowly but surely, we must also consider following in the footsteps of the EU and creating a strong legislative basis for data protection in our country.
Md. Moniruzzaman, "Personal Data Protection in Bangladesh and GDPR", March 25, 2019