As oil was once the new gold, data is now the new oil. The 2009 political promise to establish a “Digital Bangladesh” heralded the beginning of the data-driven digital and knowledge economy. In Bangladesh’s push for such a digital knowledge economy, even pre-covid-19 processes were being digitized – and entire platforms and products emerged. These have increased efficiency and reduced operating costs for the public and private sectors, at the same time giving citizens easier access to products and services. Local mobile payment services, such as bKash and Nagad, have been positively disrupting the traditional banking system, in turn expanding the net of financial inclusion and digital commerce.
Local e-commerce platforms such as Chaldal and ShopUp are now almost household brands. E-logistics companies such as Pathao and Shohoz, as well as internet-led on-demand entertainment platforms such as Bongo, have created a data-driven digital economy, which in the pre-Digital Bangladesh era was inconceivable. These information and communication technology (ICT)-driven players have seen remarkable growth, with their presence permeating among the urban population and slowing making headway in rural areas.
In the public sector, a radical move towards e-government, through transforming manual operations into digital services, is creating unprecedented opportunities. These services include online tax return filing, land tax payment, passport application, public procurement, welfare payment, utility payment and many more. Meanwhile, to ensure access for those at the grassroots, Union Information Service Centres have been established for those who have historically not been connected to digitised services.
The pace of all of this has accelerated since the covid-19 crisis began, with Bangladeshis throughout the country now more eager than ever to be part of the digital world.
Opportunity in crisis
It is said that every crisis brings opportunity – and the biggest opportunity that covid-19 has offered has been in the up-scaling of digitalisation. In Bangladesh, the restrictions put in place as a result of covid-19 have led many companies and not-for-profit organisations, in a bid to survive, to prove their agility by digitising segments of their business. Health care and essential services have been at the forefront of pandemic-induced innovation, from mobile testing solutions to tele-medicine consultations; even grocery super-shops have shifted to online delivery. For a largely informal economy like Bangladesh, this represents a resilient way forward.
Educational institutes are now rethinking their teaching and learning environment, making every effort to use online learning facilities, even in this context of new financial, technological and pedagogical limitations. Domains such as retail, finance and communication, which have already “digitalised,” are more effective than ever before, given the growing use of data analytics and Artificial Intelligence (AI).
As such, more “data” is being generated and is available in the market. And such huge data generation requires due regulatory attention. A regulatory framework, which does not duly facilitate data processing, stands in the path to establish a data-led economy.
The benefits of data-driven public health and social welfare management are already showing themselves. During the pandemic, Bangladesh’s government has actively taken movement control decisions, by collaborating with telecommunication companies to obtain location data not just on patients but also on those migrating from urban to rural areas, in order to be able to deliver welfare payments. China, South Korea and Taiwan, in an effort to enforce quarantine, have similarly used phone location data to trace the contacts of covid-19 patients. Globally, such data and information are being shared across jurisdictions in order to fight covid-19. According to Reuters, mobile carriers in Europe have been sharing anonymous and aggregated data with health authorities in Austria, Germany and Italy, in compliance with the European Union’s General Data Protection Regulation (GDPR).
What’s with so much data?
Salus populi est suprema lex: regard for public welfare is the highest law. The uptake of digital solutions also raises certain critical issues, related to privacy, security (including national security) and public safety. An individual’s personal and locational information can reveal sensitive details, such as place of employment, religious affiliation or political preference. Bangladesh’s legal apparatus – namely, the Digital Security Act (DSA), the ICT Act and the Telecom Act – addresses some of these data protection issues. However, there are clearly implementation challenges here.
Citizens of any country, whether or not they are aware of it, generate huge amounts of data, which data-driven enterprises use for either commercial or non-commercial purposes. When accessing sensitive personal data, regulators ensure careful collection, retention and processing, to minimise risks and maximise utility. There is also a wider security concern related to large data misuse. From the point of view of governments, the aim is to find a balance between economic opportunity and the risks posed to security and privacy. There is always the potential that data will be misused to instigate or fuel riots or large-scale anarchy. On the other hand, careful processing of data leads to efficient public service delivery and helps target marginalised groups and mitigate socio-economic issues, as well as driving AI, e-commerce and the social media sector. This has extensive implications across societies and economies.
The prevailing standard on managing the privacy risk posed by data generation is the principle of proportionality. Often at the data collection point, regulators set standards for the legal basis on data processing. These include 1) the consent of the data subject; 2) the contractual necessity – i.e. the need to process a contract to which the data subject is a party; 3) the vital interest of the data subject; 4) compliance with legal obligations; 5) the public interest; and 6) the legitimate interest of the regulator or the third-party stakeholders.
Privacy protection framework in Bangladesh
The speed of digitalisation in Bangladesh has brought the country to a point where it faces almost the same regulatory challenge as highly digitised societies. In the US experience on data use, especially in the covid-19 era, location data-sharing proposals have raised legal issues because of the varying nature of laws across states, as well as the privacy protection guaranteed by the federal Constitution. In Bangladesh, Article 43 of the Constitution protects the right to privacy of correspondence and communication. In other words, no law can impinge on privacy unless the government has a legitimate concern. However, such a generic protective provision is not sufficient to address the challenges of the digital era. Hence, a need for time-appropriate legislative framework arises.
Need for domestic data management
Protection of the personal data of users/subscribers is usually governed by a contract between the relevant parties under the existing legal framework. At present, there is no data localisation requirement under Bangladeshi law. As a matter of general practice, it is permitted to store data on a cloud or on servers located outside Bangladesh; this is now common industry practice. But for sensitive data, such a blanket approach is neither safe nor conducive to promoting a local data-oriented industry. A general requirement related to processing certain categories of data within Bangladesh is needed. Such a framework must protect and enable the data-driven digital economy, on which post-covid-19 Bangladesh is desperately reliant.
Bangladesh’s prime legislation on digital security, the DSA, addresses some regulatory issues, such as prohibiting harmful and malicious conduct involving computers, internet systems and digital devices, etc. Offences include illegally accessing a digital device; causing damage to a computer system; committing digital or electronic forgery; committing digital or electronic fraud; and conducting e-transactions without legal authority. The government has established an agency to monitor all issues related to ensuring digital security, including protection of identity. The fact that this agency has only just been established means that its approach to law enforcement and consultation with business is yet to be understood. At present, the agency is mandated to monitor and regulate in the areas of cybercrime, cyber-security and licence regulation.
The data protection framework as it stands
Data protection currently varies from sector to sector, with obligations to ensure the protection of personal data imposed through industry-specific directives on an ad hoc basis. Citizens’ primary identity information is given statutory protection but there is a confusing stipulation whereby anyone with “lawful authority” can process the data – but there is no definition of what this is or how it can be obtained. The regulator, the Bangladesh Telecommunication Regulatory Commission (BTRC), which leads on the major ICT-related issues, is not empowered to address the challenges of extra-territoriality. If empowered, the regulator could monitor international tech giants, and local data processing could be facilitated effectively. Meanwhile, the DSA focuses on digital security, with a prohibitive framework to address security breaches, but does not envisage the operation of international tech giants and their mode of data extraction and processing.
The DSA-mandated digital security provision thus does not address the management, processing and protection of data. Its operational position is such that the concern for digital infrastructure security has overridden the concern for citizen welfare. The data industry is growing in a situation of unprecedented access to local data by the international tech giants. Many nations have restricted such access, to ensure the growth of their own local data-driven industry and address security concerns. In Bangladesh, a draft data privacy and protection rule focuses unreasonably on local violators, whereas it should be looking more at regulating international tech giants and bringing them to work with the local industry.
A new approach for policy-makers
With the innovation in digitalisation comes a call for policy-makers to act as the guardians of society. What covid-19 has shown is what was known all along – that innovation will always be ahead of policy. This is why regulators play a major role in encouraging digital innovation: they can address the unidentified negative consequences through policies that reflect societal preferences – especially in a situation of crisis. “Agility” is not for businesses alone; policy frameworks also have to be “agile” to accommodate the pace of technological advancement. In the Bangladeshi context, there is a pressing need for a comprehensive statutory framework on the usage, processing and protection of generated data within the country, and also legal empowerment of the regulator not only from a security point of view but also for industry facilitators.
Borderless data and regulatory empowerment
The internet is borderless: it is not enough to regulate and facilitate it at the national level. Meanwhile, any change in law in a foreign jurisdiction will have follow-on effects in Bangladesh too. For example, in 2019 the knock-on effects of the European Union’s data protection and privacy law, the GDPR were felt in business operations in Bangladesh. Countries across the globe have quickly learnt that regulating digital technologies involves increased dialogue and coherence among government bodies and empowering the regulator with clear legislative provisions to address the borderless nature of the internet. Bangladesh’s regulator BTRC often faces difficulties invoking the DSA and addressing challenges posed by the international tech giants. To respond to this situation, operating laws, the DSA, the Telecom Act and the ICT Act need to be harmonised to empower the regulator.
In the Fourth Industrial Revolution (4IR), data will be the new oil. The future consists of tech-driven innovation, expanding into the 4IR with data as its fuel. From a national law point of view, an agile and flexible regulatory framework, which protects and facilitates the local economy and maximises citizen welfare, is a must. In this “new normal” world that started with the pandemic, it is now clear that the opportunity for the data processing industry in Bangladesh is immense.
But a question remains as to who will lead in this new territory. Will it be the tech giants, extracting big data from national users, or will the nation establish its own data processing industry by proactively directing international players to localise data and work with local industry? If Bangladesh takes the latter path, this will bring benefits to the national economy while addressing issues related to privacy, national security and sovereignty. An effective regulatory framework, focused not only on security threats or cybercrime but also on data extraction and processing for the benefit of local industry, should be prioritised as the way forward for Bangladesh. This requires revising the existing framework in consultation with sector stakeholders and framing a flexible regulatory framework that proactively connects the global with the local.
Photo ©️ Mahmud Hossain Opu