Transparency International Bangladesh (TIB) has urged the authorities concerned to review some provisions of the draft Data Protection Act-2023 and to include in it a guarantee of personal data protection through judicial oversight.
The organisation also called for clarifying the definitions of "person" and "personal data" and establishing an independent and impartial authority beyond government control in the new law.
"Otherwise, the Act will become a tool for strengthening government control over personal data rather than protecting it," said a TIB press release yesterday.
"Although the main objective of the Act is to protect personal data, unfortunately a meaningful definition of 'personal data' is not included in it. The internationally recognised principle of such legislation is that only a single individual [living person] will be covered. But in the draft, the meaning of 'person' includes a single person as well as legal entities, organisations, companies, associations, institutions and statutory bodies," it added.
"In fact, the amplitude of the definition of person fails to explain the precise purpose of the law."
"As per widely accepted international practices, concepts like 'data subject', 'profiling' and 'privacy' have not been considered in the context of data protection in the Act," it said further.
The organisation also reiterated its call to prohibit the processing of sensitive personal data except for cases related to the country's independence, sovereignty and security, and legal process.
Furthermore, TIB recommended setting the age of consent for data processing for minors at 13-16 years, instead of the 18 in the draft, stating that the draft's age limit is "unrealistic" and will cause various difficulties in particular cases.
The draft law has posed a risk of limiting privacy and protection of personal data in the name of freedom of expression. Also, there is a risk of increased interference by the executive department in the implementation of the Act, which tends to be overly restrictive, it added.
Similarly, it is necessary to consider the mandatory appointment of a competent data protection officer in all organisations in light of the actual situation, as it is impossible for small organisations.
"The scope of self-defence should be ensured by taking into account the TIB's recommendations on repealing all data controller liability provisions in data record keeping," added the media release.
Provisions for storing classified data, including super-indemnity of government agencies on data protection, should be repealed.
Similarly, provisions related to the mandatory registration of all categories of data controllers, and penalty [without scope of self-defence] of data controller for data deviation by the Director General of Data Protection Board should also be revoked, said the organisation.
Also, the provision for a 90-day extended disposal of appeals needs to be reviewed, it added.
"The definition of personal data in the Act is not clear and adequate. Lack of clear definitions will allow for mistakes and misinterpretations and will allow for misuse and control of personal information," said Dr Iftekharuzzaman, executive director of the TIB.
"The title of the Act should be renamed as "Protection of Personal Data Act-2023". The Act is not supposed to cover anything other than personal information," he added.