Dhaka, 28 April 2024: Article 19 and Transparency International Bangladesh (TIB) consider it urgent to revise the draft Personal Data Protection Act (PDPA) again, incorporating the views of relevant stakeholders, based on the fundamental rights-centered principle grounded in the constitutional recognition of individual privacy and freedom of speech. At a joint press conference titled “Draft Personal Data Protection Act, 2024: Review and Recommendations,” they demanded a clear definition of “personal data,” removal of mandatory data localization within the country’s borders, formation of an independent “Data Protection Commission” to ensure data security, judicial oversight of authority access to personal data, repeal of provisions allowing indiscriminate collection of personal data under rules, and setting a realistic timeline for the law’s implementation.
The press conference held today at TIB’s Dhaka office was attended by Dr. Iftekharuzzaman, Executive Director of TIB; Advisor and Executive Managing Professor Dr. Sumaiya Khair; Sheikh Monjur-e-Alam, Regional Director (Bangladesh and South Asia) of Article 19; and Mohammad Tauhidul Islam, Director of Outreach and Communication at TIB. Sheikh Monjur-e-Alam presented the review and recommendations on behalf of both organizations.
The review appreciated the government for involving institutions working on citizens’ rights and relevant stakeholders at various stages of the draft law and for incorporating several suggestions. However, it also pointed out that these additions and deletions amounted to a mere numbers game. Crucial concerns, which the stakeholders were most worried about and strongly raised, were largely ignored.
The presentation noted that the Constitution guarantees our right to privacy and recognizes freedom of expression as an inseparable right. Therefore, the first demand is to explicitly state in the preamble of the law that the necessity of this act is to ensure the fundamental rights enshrined in the Constitution. If such concerns are mentioned in the preamble, they will reflect in the main body of the law as well.
The current draft includes the definition of “legal person” (i.e., institutions) within the definition of a person, which may cause confusion. Although a definition of “personal data” is provided, it is not specific enough, increasing the risk of misunderstanding and misuse. The recommendation is to include a definition similar to the European Union’s GDPR, which offers a precise explanation of “personal” data. Moreover, since there is no necessity for the definition of a person in this law, it would be logical to omit that definition. Likewise, a clear explanation is demanded regarding the definitions and scope of data controllers and processors.
In the previous draft, all types of data were required to be stored locally. Now, the government has shifted to requiring only certain classified personal data. However, this still reflects government control and discretion, as it can declare any personal data as “classified” at will. Local storage of all data carries infrastructural weaknesses and security risks. On the other hand, international organizations must comply with global standards on data storage policies, which may hinder their business operations in Bangladesh. Most importantly, data localization could violate constitutional rights because local servers could be accessed by government agencies without restrictions, undermining the security of citizens’ personal information.
Above all, the demand for the formation of an independent, impartial “Data Protection Commission” outside government influence has been strongly emphasized from the outset to ensure data protection. However, the current draft proposes the establishment of a “Bangladesh Data Protection Board,” essentially a government body. A government-controlled institution cannot realistically ensure compliance and protection of data. This provision must be changed. Instead of a board under government control, an independent “Data Protection Commission” must be formed.
Meanwhile, the draft grants government agencies the authority to use personal data in the name of national security and public interest, considering it an exception. If government agencies can access data servers without judicial oversight, there is a high risk of abuse, potentially making this exception the norm of the law. As organizations working on citizen rights, accepting this is difficult. The law should be implemented gradually by institution type, starting with large organizations handling critical citizen data, and then extending to smaller and medium-sized organizations step by step.
Dr. Iftekharuzzaman, Executive Director of TIB, said, “The draft approved by the Cabinet through a fairly participatory process has positively considered several recommendations from TIB and other stakeholders. As a result, the draft Personal Data Protection Act, 2024 is in a better position than before. However, the main areas of concern for the general public remain unaddressed, which poses significant risks of the law being used as a tool for control and surveillance under the guise of data protection.”
Dr. Zaman added, “The core spirit of the law fails to reflect the constitutional commitment to privacy and freedom of speech. The absence of clear definitions of individuals and personal data risks government misuse through misinterpretation. The proposal to keep the data protection authority under government control is the most vulnerable aspect of the law. Unless established as an independent commission outside government control, the implementation risks being corrupted and the law’s main purpose undermined. Furthermore, granting extensive government access in the name of national security and public interest, without judicial oversight, will legalize control and surveillance rather than protect personal data.”
Sheikh Monjur-e-Alam, Regional Director of Article 19 (Bangladesh & South Asia), said, “While modernizing the law, care must be taken to ensure it does not become a repressive tool like the Digital Security Act. Our lives have become digital, and the government is emphasizing digitization. Therefore, we call for re-drafting the law through discussions with stakeholders to ensure the constitutional protections of freedom of expression and privacy in this digital age.”
Press Conference Recording Link
| Media Contact: | ||
|
Sheikh Monjur-e-Alam |
Mohammad Tauhidul Islam |
|
.png)
.png)