There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.
Cyber al Security Act 2023 (CA 2023).
Definition of personal data
Section 26 of the CA 2023 defines the term "identity information" as "any external, biological or physical information or any other information which singly or jointly can identify a person or a system, such as name, photograph, address, date of birth, mother's name, father's name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number, driving license, e-TIN number [Tax identification Number], electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security related question or any other identification which are available for advance technology".
Definition of sensitive personal data
The CA 2023 does not define the term "Sensitive Personal Data" or any similar or equivalent term.
Cyber Security Agency.
No requirements.
No requirements.
There are no statutes that expressly allow the collection and processing of identification information.
The CA 2023 came into force in full on 18 September 2023 repealing the Digital Security Act 2018. The provisions of the CA 2023 closely mirror those of the Digital Security Act 2018, with the only modifications being a decrease in penalties for specific offenses. Section 26 of the CA 2023 has been drafted in very wide terms. The contents of this provision would appear to provide, inter alia, that if anyone without lawful authority collects, sells, keeps possession of, supplies or uses identification information of another person, it would constitute an offence1. The punishment for violation of Section 26 of the CA 2023 is imprisonment of a term not exceeding two years or a fine not exceeding Taka 5,00,000 (approx. US$ 4,545 as of 3 January 2023 ) or both.
Please note that the CA 2023 does not contain any exceptions to the Section 26 requirement. However, identification information may be, among other things, collected and stored by a person if he has lawful authority. The term "lawful authority" has not been defined in the CA 2023. The Government of Bangladesh has not yet issued any clarification as to what would constitute 'lawful use' and has provided no guidance on what would satisfy the 'lawful authority' requirement. It is for these reasons (among others) that the legislation has been widely criticised.
In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store such identification information.
Footnotes
1: Please note that this is an unofficial English translation of the wording of the provision in question.
Bangladesh does not specifically regulate data transfers within Bangladesh or from Bangladesh to outside of Bangladesh. In our opinion, transfers would be permitted provided consent of the data subject is obtained.
While there are no general restrictions on transfer of data outside Bangladesh, please note that there are certain industry specific restrictions that are discussed below.
Banks
Section 12 of the Bank Companies Act, 1991 has imposed a restriction upon bank companies with regard to removal of documents and records outside Bangladesh without prior permission of Bangladesh Bank (i.e. the central bank of Bangladesh).
The requirement for obtaining prior written permission from Bangladesh Bank is upon the transferor, i.e. the bank company. Banks must also maintain confidentiality in banking transactions.
Telecommunication companies
The Bangladesh Telecommunication Regulatory Commission ("Commission") is the authority that is responsible for regulating telecommunications companies ("telcos") in Bangladesh and issuing licenses to telcos for providing mobile phone services.
The license which is granted to the telcos contains a provision regarding subscriber confidentiality. The confidentiality requirement applies to "all information provided by the subscriber". As such, telcos will be prohibited from sharing any subscriber information (to entities or persons located inside or outside Bangladesh) that does not come within the exemptions listed above. Furthermore, in our opinion, subscribers would not have the option of giving consent to the telcos to share their data, instead for such sharing, approval from the Commission will be required.
There are no data security requirements.
There is no requirement to report data breaches to any individual or regulatory body.
There is no enforcement mechanism. Appropriate relief may be sought through courts of law having jurisdiction in the matter.
There is no regulation on electronic marketing.
There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.
