‘The aim of data localisation should be protecting data not controlling users’

Illustration: TBS

The Bangladesh government is drafting the Data Protection Act (DPA) to safeguard personal data and ensure privacy. The law, once enacted, will serve as a legal framework for data protection and privacy by ensuring the rights of users. The act also contains data localisation provisions requiring sensitive data to be stored within the borders of Bangladesh. 

The Business Standard interviewed Syed Almas Kabir, President, Bangladesh Association of Software and Information Services (BASIS) to discuss the necessity and caveats of the Data Protection Act and subsequent data localisation. 

The government of Bangladesh is drafting a data protection and localisation law, the first of its kind in Bangladesh. What is your take on this law?

To tell you the truth, I was the first one who said that we need a data privacy related guideline or law. I raised the issue around four years ago. Around that time, I could not make them [the government] understand the difference between data privacy and data security. Everyone, including people from the ICT ministry, said that we had the Digital Security Act and that was enough.

I tried to make them understand that security and privacy are two different things. For example, if you are in a room made of bulletproof glass, you are secured but you don't have privacy.

Regarding data privacy, we don't have any guidelines or laws. In the last quarter of 2019, I had a stakeholder meeting with government, non-government organisations and lawyers.

Around that time, digital e-commerce and ride-sharing became popular. Overall the IT industry was booming. As a result, millions of gigabytes of data were generated daily.

A big concern was how to maintain the privacy of such data. The law was much needed. Other than privacy, the other need was to support the business of "data centres" in our country.

While the government has realised the importance of the issue much later, sadly they are not discussing the issue with any stakeholders now. Without the stakeholders' suggestions, the draft was formulated. I must say that without consulting all the concerned parties, this law should not be finalised.

In the ICT law of 2018, there was a line about the necessity of data localisation in the geographic area of Bangladesh, but nothing detailed.

But the problem now is that the government has a rather controlling attitude. The purpose for which I was advocating the formulation of this law might not be realised. It seems to me that the government is willing to make the law a control mechanism.

Why is data localisation a necessity? How will the act impact the e-commerce business and IT industry?

Data localisation is a necessity to ensure users' rights as well as to ensure the government's jurisdiction over our data.

There is something to ponder here: which data to localise? That's why the data needs to be categorised in the first place. You have to categorise the data at least into three categories: a) highly sensitive data; b) moderately sensitive data; and c) non-sensitive data.

However, what types of data fall under what category is a discussion for another time.

Now, the highly sensitive data must be stored in Bangladesh. One copy of moderately sensitive data should be in Bangladesh along with other copies elsewhere. Non-sensitive data can be stored anywhere – it doesn't really matter.

Now an obvious question arises: why should sensitive data be kept in Bangladesh? Suppose your sensitive data is stored in a data centre in Singapore. Due to whatever problem, that centre is not providing the data to you. But you cannot take any remedial measures. You can complain to the government but they don't have jurisdiction over that server. The government cannot help you. You will be helpless.

Sensitive data must be stored within Bangladesh to ensure the government's jurisdiction over the data. So the purpose of data localisation should be to protect users, not control them.

You get dozens of promotional SMSs every day on your cell phone. How is this happening? This is because your data is sold by telecom operators. Again, when you buy something from an e-commerce site, you provide them with your name, age, address, contact number, etc.

There is no guarantee that they are not selling the data to third parties. Moreover, how long can they store your personal data in their database? Can they save your data for eternity? Are they sharing your data without consent?

These privacy-related issues can be solved once the law is enacted. But the main issue is categorising data properly. When it is said that data localisation is needed, that doesn't meet all data needs to be localised.

Some experts are expressing their concerns about the law. Do you think that such initiatives would hurt e-commerce businesses and the IT industry? 

I understand that there is some confusion over the act, especially concerning the government's controlling attitude.

Multinational banks and corporations are concerned. However, Standard Chartered, HSBC host their financial data abroad (in Hong Kong or Singapore) with special permission from the Bangladesh Bank. The United States Business Council also expressed concerns that multinational corporations will also face problems.

I understand their concerns. But I believe in data localisation. As a Bangladeshi citizen, my basic data such as my name, contact number, phone number, age, address, medical records, and bank records – are private and sensitive. These types of data must be localised.

But at the same time, we don't want to cause problems for the businesses. That's why a grace period or moratorium is important. If it is passed today, at least five years should be given to transition to the new system – for example, server migration.

And finally and most importantly, without data categorisation, it will not be very effective. Then companies will try to break the law or manoeuvre around it.

Bangladesh already has the Digital Security Act, a few more laws are in the offing. Other than the Data Protection Act, the government is also mulling over regulations for digital, social media and OTT platforms. What's the government's real intention? Are they trying to create data governance to establish a mass surveillance system?

As I said earlier, the government has a controlling attitude. But I am not fully aware of the real intention. I am against all kinds of control. 

I have been telling them [the government] for the past couple of years that I know a draft is being readied, if you share it with us it will be beneficial for all parties involved. But unfortunately, we have not seen the draft yet. From our side, a set of recommendations were sent to them.

Bangladesh wants Facebook and Whatsapp to set up their server here. It is a good thing, Bangladeshi citizens' sensitive data should be stored within Bangladesh. 

Then again, does the government want to tap phone conversations? If this is the purpose, then it is not ethical. At the same time, users also have the right to use encrypted services.