Analysis of the Draft Data Protection Law: Challenges for Human Rights in the post-pandemic world

Julian Rafah | 16 April 2023
No image

The COVID-19 pandemic has struck the world with not only economic hurdles but also the already declining Human Rights situation globally. According to Human Rights Watch, at least 83 governments worldwide have used the COVID-19 pandemic as a tool to justify violating right to privacyof its citizens through expanding surveillance technology and COVID-19 related phone tracking. The governments have continued this trend in the post-pandemic world often by implementing various laws that contradict the basic Human Rights norms enshrined in the International Bill of Human Rights and the Constitutions of the respective countries. In line with 130 countries, the government of Bangladesh has also enacted the draft Data Protection Act (DPA), 2022. But various provisions of this draft Bill have been criticized by experts to be in contravention with Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and Article 43 of the Constitution of the People’s Republic of Bangladesh both of which guarantees protection from arbitrary, unlawful interference and right to privacy. 

The DPA has been given overriding effect over all existing laws under Section 3 of the Act which makes the Right to Information Act (RTI), 2009 ineffective. The RTI Act is instrumental in protecting the citizen’s right to information. Even though under Chapter VI of the DPA, several data subject rights including Right of access to data have been guaranteed, these are limited and not exhaustive. 

The notice-and-consent regime in Chapter III is inadequate because often consents are obtained through long, complex and onerous language questioning the genuineness and with the evolving nature of the digital world, there are risks of disclosure of sensitive data to the data controllers which would vitiate the purpose of this Act. Under section 34 of the draft Act, the government has been given power to make further exemptions to any data controller or class of data controllers. 

The prescriptive age verification and parental consent process under section 12(3) in relation to personal data of children is not flexible and clear enough. It must be supported by the 2018 UNICEF guidance on Children’s Online Privacy and Freedom of Expression to protect Children’s privacy and freedom of expression in accordance with their evolving capacities. 

The localization of data within the borders of Bangladesh under Section 42 and 43 of the draft act risks violation of Article 43 of the Constitution because these provisions create scope for security agencies to intercept data. Section 97Ka of the Bangladesh Telecommunication Regulation Act, 2001 allows such intervention by security agencies for national interests and bounds the licensee to establish monitoring and interception facilities and provide connection to state agencies for surveillance purposes. The High Court Division observed in “The State vs. Oli” [2019] that, these interceptions were in clear violation with the fundamental rights guaranteed under article 43 of the Constitution. 

The draft act gives enormous power to the Director General (DG) of the Digital Security Agency (DSA) established under the highly controversial Digital Security Act, 2018. The same person is in charge of the Data Protection Office (DPO) under the draft Act. Therefore, the DPO is not independent. Section 10(2)(d), 36(2)(a)(iv) and (v), 40, 42(1) and 36(1) of the draft DPA are highly controversial and create avenues for government interventions. Under Section 63(1), the powers of the government to issue directions to the DG legitimizing actions in the interests of the “sovereignty”, “integrity” and “friendly relation with foreign states” is vague and read together with the exemptions clauses, seems to be a dangerous provision that only protect authorities, allows them to take action without accountability thereby opening spaces for gross human rights violations. Also, provisions for maintaining a publicly accessible data protection register under Section 44 and 45 is also unclear as it must remain highly confidential. 

Therefore, the draft DPA, 2022 is ultra vires with the Constitution of the People’s Republic of Bangladesh. It also violates Article 17 of the ICCPR. If the proposed Act is passed without necessary amendments in namely four aspects- localization of data, inadequacy of the notice-and-consent regime, enormous power of the DG of the DSA and independence of the DPO, it will hamper the citizen’s right to privacycreating new challenges for the Human Rights Regime in the post-pandemic world. 

The writer is a Research Intern at the Center for Governance Studies (CGS) 

Views in this article are author’s own and do not necessarily reflect CGS policy.