DLA Piper Intelligence

Data Protection
Laws of the World

Law

Bangladesh
Bangladesh

Digital Security Act 2018 (“DSA 2018”).

Last modified 11 Jan 2022
Law
Bangladesh

Digital Security Act 2018 (“DSA 2018”).

Last modified 11 Jan 2022
Definitions

Definition of personal data

Section 26 of the DSA defines the term "identity information" as "any external, biological or physical information or any other information which singly or jointly can identify a person or a system, such as name, photograph, address, date of birth, mother's name, father's name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number, driving license, e-TIN number [Tax identification Number], electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security related question or any other identification which are available for advance technology".

Definition of sensitive personal data

The DSA 2018 does not define the term "Sensitive Personal Data" or any similar or equivalent term.

Last modified 11 Jan 2022
Authority

Digital Security Agency.

Last modified 11 Jan 2022
Registration

No requirements.

Last modified 11 Jan 2022
Data Protection Officers

No requirements.

Last modified 11 Jan 2022
Collection & Processing

There are no statutes that expressly allow the collection and processing of identification information.

The DSA 2018 came into force in full on 8 October 2018. Section 26 of the DSA 2018 has been drafted in very wide terms. The contents of this provision would appear to provide, inter alia, that if anyone without lawful authority collects, sells, keeps possession of, supplies or uses identification information of another person, it would constitute an offence1. The punishment for a first-time offender would be imprisonment of a term not exceeding five years or a fine not exceeding Taka 5,00,000 (approx. US$ 5,950 as at 19 January 2021) or both. The punishment for second-time offenders or repeat offenders would be imprisonment of a term not exceeding 10 years or a fine not exceeding Taka 10,00,000 (approx. US$ 11,900 as at 19 January 2021), or both.

Please note that the DSA 2018 does not contain any exceptions to the Section 26 requirement. However, identification information may be, among other things, collected and stored by a person if he has lawful authority. The term "lawful authority" has not been defined in the DSA 2018. Due to the very recent enactment of this legislation, the Government of Bangladesh has not yet issued any clarification as to what would constitute 'lawful use' and has provided no guidance on what would satisfy the 'lawful authority' requirement. It is for these reasons (among others) that the legislation has been widely criticised.

In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store such identification information.

Footnotes

Note 1. Please note that this is an unofficial English translation of the wording of the provision in question.

Last modified 11 Jan 2022
Transfer

Bangladesh does not specifically regulate data transfers within Bangladesh or from Bangladesh to outside of Bangladesh. In our opinion, transfers would be permitted provided consent of the data subject is obtained.

While there are no general restrictions on transfer of data outside Bangladesh, please note that there are certain industry specific restrictions that are discussed below.

Banks 

Section I2 of the Bank Companies Act, I 99 I has imposed a restriction upon bank companies with regard to removal of documents and records outside Bangladesh without prior permission of Bangladesh Bank (i.e. the central bank of Bangladesh).

The requirement for obtaining prior written permission from Bangladesh Bank is upon the transferor, i.e. the bank company. Banks must also maintain confidentiality in banking transactions.

Telecommunication companies 

The Bangladesh Telecommunication Regulatory Commission ("Commission") is the authority that is responsible for regulating telecommunications companies ("telcos") in Bangladesh and issuing licenses to telcos for providing mobile phone services.

The license which is granted to the telcos contains a provision regarding subscriber confidentiality. The confidentiality requirement applies to "all information provided by the subscriber". As such, telcos will be prohibited from sharing any subscriber information (to entities or persons located inside or outside Bangladesh) that does not come within the exemptions listed above. Furthermore, in our opinion, subscribers would not have the option of giving consent to the telcos to share their data, instead for such sharing, approval from the Commission will be required.

Last modified 11 Jan 2022
Security

There are no data security requirements.

Last modified 11 Jan 2022
Breach Notification

There is no requirement to report data breaches to any individual or regulatory body.

Last modified 11 Jan 2022
Enforcement

There is no enforcement mechanism. Appropriate relief may be sought through courts of law having jurisdiction in the matter.

Last modified 11 Jan 2022
Electronic Marketing

There is no regulation on electronic marketing.

Last modified 11 Jan 2022
Online Privacy

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

Last modified 11 Jan 2022
Contacts
Dr. Sharif Bhuiyan
Dr. Sharif Bhuiyan
Partner and Deputy Head of Chambers – International and Commercial Practice
Dr. Kamal Hossain and Associates
T +88 02 9552946
Najeeb Huda
Najeeb Huda
Associate
Dr. Kamal Hossain and Associates
T +88 02 9552946
Last modified 11 Jan 2022