Provisions in Data Protection Act may hamper Bangladesh economy: Asia Internet Coalition

The government's aim to make data localisation mandatory is one of the concerns highlighted by the Asia Internet Coalition (AIC) over the draft Data Protection Act, which it says will hamper the country's economy in its current form.

The AIC has submitted the tech industry's feedback about the Draft Data Protection Act to State Minister for ICT Zunaid Ahmed Palak, a press release says.

The AIC, an industry association that promotes the understanding and resolution of Internet policy issues in the Asia Pacific region, counts among its members Apple, Meta, Expedia Group, Twitter, Spotify, Rakuten, Amazon, among others.

In a statement, the AIC said it was pleased to see some positive changes in the March 2023 Draft, but there are still a number of significant concerns that remain unaddressed.

"We urge the government to further review and revise these provisions. Free cross-border data flows are essential for the development of the digital economy. 

The Bangladesh government must consider smart, forward-looking policies that stimulate the digital economy by spurring innovation, encouraging greater entry and participation of SMEs and entrepreneurs, and empowering businesses to grow and invest for the future," the statement reads.

Technology entrepreneur AKM Fahim Mashroor, former president of Bangladesh Association of Software and Information Services (BASIS), foresees three possible problems after the enactment of the act.

The act will force all the personal data dealing sites to have their locally hosted servers and tech giants like Google, Facebook, Uber which have long been escaping any physical presence in Bangladesh might refuse to get local servers until they feel the Bangladesh market is big enough for them.

Secondly, the government will have access to locally hosted data that is always controversial in citizens' privacy terms.

Thirdly, if the local data centre services cannot ascend up to the mark, their local clients would be deprived of quality services amid no alternative, Fahim Mashroor added.

Data localisation law requires data about a nation's citizens to be collected, processed, and stored inside the country and only a legal authority can exercise control over that data.

AIC's concerns on data localisation

Mandatory data localisation in respect of sensitive data, user-generated data, and classified data will invariably hamper the Bangladeshi economy.

Decisions about where to store data should be based on technical considerations of the global internet, organisational capacity, and users' needs, instead of being driven by data sovereignty.

Requiring default data localisation for sensitive data, user-generated data, and classified data would cut Bangladesh off from accessing state-of-the-art cloud security enterprises and implementing best practices designed to keep user data secure.

The definition of user-generated data is overly broad. No data privacy and protection legislation around the world requires mandatory special protection for such vague classes of data.

Data localisation requirements will be extremely expensive and operationally and technologically difficult, if not impossible, to implement for companies of all sizes – in particular SMEs lacking the resources or infrastructure to accomplish this.

Due to the significantly increased compliance and regulatory costs, Bangladesh would become a less attractive destination for overseas investors and increase costs for local companies seeking to take advantage of cloud technologies.

Recommendations for Data Protection Act

The coalition recommended deletions, incorporations and amendments to several sections in the Data Protection Act to align with international benchmarks and ensure that businesses can take steps to protect their customers from fraud and secure their internal operations.

It said the provision of mandatory data localisation in respect of sensitive data, user-generated data, and classified data should be deleted in its entirety. 

The draft act should also clarify that it applies only to those data that directly or indirectly identify an individual, and all reference to "data" should be deleted entirely.

It said the requirement to give the government access to user data should be amended to align with international frameworks and to avoid conflicts of law. 

The AIC also recommended removing the provision that penalises a foreign company for non-compliance with the Act as a criminal case.