Bangladesh's cognitive dissonance in its data privacy commitment

'Cognitive dissonance' is a psychological phenomenon that humans experience. It becomes visible in one's attitude when the person tries to analyse the relationship among different cognitions. The term 'cognition' refers to beliefs, opinions or expectations, and 'dissonance' refers to the inconsistencies among those beliefs, opinions or expectations. 

I argue that Bangladesh is experiencing cognitive dissonance concerning its data protection commitment. It wants to protect citizens' data but does not act accordingly. The right to privacy through protecting personal data is a human right. The concept of privacy is not something new, as religious books carry related provisions. Nevertheless, the concept of modern privacy through protecting digitised data is comparatively new. 

Instruments such as Article (Art.) 12 of the Universal Declaration of Human Rights (UDHR), Art. 17 of the International Covenant on Civil and Political Rights (ICCPR), Art. 8 of the European Union Charter of the Fundamental Rights, etc. provide and protect humans from unlawful interference with privacy and data.

Since Bangladesh acceded to ICCPR unconditionally in 2000, it is within its responsibility to enforce its provisions and protect the data of its residents. But how far did Bangladesh go in the last 22 years in its commitment?

Bangladesh's data protection laws and enforcement practices signify a serious shortcoming in protecting personal data from unlawful use. To illustrate the point, we can mention a few examples – multiple telephone conversation leaks of top politicians, checking residents' mobile phones by the ruling party's student wing for determining opposition political affiliations and handing them over to the police in Dhaka, seizure of a mobile phone by the Upazila Nirbahi Officer (UNO) to check WhatsApp messaging in Jhenaidah, indiscriminate indirect identity revelations of the accused and rape victims by the news portals, etc.

Outlining contemporary practices, both private and public sectors process (collect, store, structure, adapt, retrieve, consult, use, disclose, transmit or perform any other act) personal data without any strict regulatory mechanism. 

For instance, large e-commerce companies like Daraz, Rokomari, Shajgoj, etc., social media like Facebook, Youtube, Twitter, and LinkedIn, etc., instant messaging, and voice-over-internet protocol companies such as Whatsapp, IMO, Viber, etc. process names, addresses, phone numbers, email addresses, payment data, national identification numbers, pictures, biometric information, location data, etc without any regard to the data protection provisions. 

Similarly, ride-sharing companies e.g. Uber, Pathao, etc. and multinational mobile network operators collect and process residents' uniquely identifiable biometric data like fingerprints along with other data. Government agencies e.g. election commission, passport authorities, etc. record and process biometric data like fingerprints and retina scans of individuals, while enrolling for national identity cards (NID) and passports, in an unchecked manner.

Notwithstanding, Bangladesh wants to protect its citizens' data which is apparent through its policy adoptions and recent developments. The Bangladeshi government adopted an extensive national information and communication technology policy in 2018. In the policy, the government recognised that taking actions to protect personal data is an important aspect of achieving digital security. 

Therefore, it is apparent that Bangladesh is experiencing cognitive dissonance regarding its data privacy protection. It does not act upon what it believes. Now, I outline a way through which Bangladesh can remove this dissonance.

According to Festinger (1962), humans can justify their behaviour using cognitive dissonance theory. There are three ways that humans use to neutralise the dissonance and make it consistent again: (i) by diminishing the importance of cognition, (ii) by adding more consistent cognitions to outweigh the dissonance and (iii) by eliminating the inconsistencies so that it does not remain dissonant anymore. 

Applying the first solution, different organs of the government may consider that it is alright not to protect a right to protect personal data strongly and continue as it is by withholding data protection machinery. Thus, the government removes the inconsistencies. Applying the second solution, the government may balance the benefits and harms of enforcing a strong data protection right. Benefits include protecting the country as well as the individuals Considering existing developments, injecting more privacy protection behaviour appears to be a consistent cognition. 

Applying the third solution, the legislature and the judiciary may discard the idea that it wants to protect personal data at all and remove the dissonance. However, it is detrimental to democracy, the country, human dignity, and ICCPR commitment, since it will undermine all the developments until now in the areas, and will create additional dissonances within the existing legal framework.

In my opinion, the second option provides the best solution. Under this solution, I propose, first, Bangladesh should protect a right to personal data protection as a fundamental right under part III of the constitution. Articles (Art.) 32 and 43 of the Bangladesh constitution can be extended to cover data protection rights. It will surely help to enforce a general data protection right. 

Second, I suggest interpreting existing laws to outline personal data protection doctrines while restricting the application of privacy abusive provisions. The responsibility lies in the judiciary to outline data protection dogmas that are necessary to fill the gaps. In the case of State vs. Oli, the court outlined and ordered the investigators, the network operator companies and the Bangladesh Telecommunication Regulatory Commission (BTRC) to respect the fundamental rights of the citizens. The court ruled to follow formal procedures before attempting to interfere with someone's privacy. However, the court did not protect the right to personal data protection under the constitution.

Third, individuals must be made aware of their data protection rights. People in Bangladesh, in both the public and private sectors, have little or no understanding of how personal information is handled using data processing technologies such as the Internet of things (IoT), Big Data analytics, artificial intelligence (AI), audio and video surveillance, and so on. They easily share images, location, web, preference and other data in the context of e-commerce and social interactions.

Last but not the least, I suggest enacting exclusive laws as soon as possible. Considering contemporary data processing practices, it is impossible to meet regulatory needs without an exclusive data protection law that provides extensive protection. It is inevitable to enact a new law to meet the data protection challenges in today's world. 

Ultimately, the solutions will protect personal data-centric businesses and privacy harms that may lead to physical, economic, relational, reputational and all forms of traditional harm.

Kamrul Faisal is a doctoral researcher at the University of Helsinki, Faculty of Law funded by the Eino Jutikkala fund of the Finnish Academy of Science and Letters.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.