Digital Security Act 2018 (“DSA 2018”).
Definition of personal data
Section 26 of the DSA defines the term “identity information” as “any external, biological or physical information or any other information which singly or jointly can identify a person or a system, such as name, photograph, address, date of birth, mother’s name, father’s name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number, driving license, e-TIN number [Tax identification Number], electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security related question or any other identification which are available for advance technology”.
Definition of sensitive personal data
The DSA 2018 does not define the term “Sensitive Personal Data” or any similar or equivalent term.
Digital Security Agency.
There are no statutes that expressly allow the collection and processing of identification information.
The DSA 2018 came into force in full on 8 October 2018. Section 26 of the DSA 2018 has been drafted in very wide terms. The contents of this provision would appear to provide, inter alia, that if anyone without lawful authority collects, sells, keeps possession of, supplies or uses identification information of another person, it would constitute an offence. The punishment for a first-time offender would be imprisonment of a term not exceeding five years or a fine not exceeding Taka 5,00,000 (approx. US$ 5,950 as at 19 January 2021) or both. The punishment for second-time offenders or repeat offenders would be imprisonment of a term not exceeding 10 years or a fine not exceeding Taka 10,00,000 (approx. US$ 11,900 as at 19 January 2021), or both.
Please note that the DSA 2018 does not contain any exceptions to the Section 26 requirement. However, identification information may be, among other things, collected and stored by a person if he has lawful authority. The term "lawful authority" has not been defined in the DSA 2018. Due to the very recent enactment of this legislation, the Government of Bangladesh has not yet issued any clarification as to what would constitute ‘lawful use’ and has provided no guidance on what would satisfy the ‘lawful authority’ requirement. It is for these reasons (among others) that the legislation has been widely criticised.
In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store such identification information.
Bangladesh does not specifically regulate data transfers within Bangladesh or from Bangladesh to outside of Bangladesh. In our opinion, transfers would be permitted provided consent of the data subject is obtained.
While there are no general restrictions on transfer of data outside Bangladesh, please note that there are certain industry specific restrictions that are discussed below.
Section 12 of the Bank Companies Act, 1991 has imposed a restriction upon bank companies with regard to removal of documents and records outside Bangladesh without prior permission of Bangladesh Bank (i.e. the central bank of Bangladesh).
The requirement for obtaining prior written permission from Bangladesh Bank is upon the transferor, i.e. the bank company.
Banks must also maintain confidentiality in banking transactions.
The Bangladesh Telecommunication Regulatory Commission (“Commission”) is the authority that is responsible for regulating telecommunications companies (“telcos”) in Bangladesh and issuing licenses to telcos for providing mobile phone services.
The license which is granted to the telcos contains a provision regarding subscriber confidentiality. The confidentiality requirement applies to “all information provided by the subscriber”. As such, telcos will be prohibited from sharing any subscriber information (to entities or persons located inside or outside Bangladesh) that does not come within the exemptions listed above. Furthermore, in our opinion, subscribers would not have the option of giving consent to the telcos to share their data; instead, approval from the Commission will be required for such sharing.
There are no data security requirements.
There is no requirement to report data breaches to any individual or regulatory body.
There is no enforcement mechanism. Appropriate relief may be sought through courts of law having jurisdiction in the matter.
There is no regulation on electronic marketing.
There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.