Data privacy and cyber security in Bangladesh are mostly governed by the rules set out under the ICT Act (as amended in 2009 and 2013) and the DSA. However, the data privacy and cybersecurity regime is still in its early stage of development, and the Bangladesh government is revising and updating these laws on a piecemeal basis in line with public policy goals and requirements.
Data protection and cyber security in Bangladesh are mainly governed by the Information and Communication Technology Act 2006 ("ICT Act") and the Digital Security Act 2018 ("DSA").
Consent of the individual is a central element of the Data Privacy Laws. The Data Privacy Laws require that any person or entity collecting or storing data will need permission from the individual sharing the data for any subsequent use or dissemination or may only use it in connection with the services for which permission was granted. As such, written consent/permission will be required to collect, supply, or use any identity information of an individual.
The ICT Act and the DSA (collectively the "Data Privacy Laws") set out, amongst other things, that:
- any person who collects, sells, takes possession of, supplies or uses any person's 'Identity Information' without legal authority may be subject to punishment under the law. 'Identity Information' means, among other things, any external, biological or physical information or any other information which on its own or jointly can identify a person, including their name, address, date of birth, parent's name, signature, national identity number, fingerprint, passport number, retina image, DNA profile, and security-related questions;
- access, without the permission of the relevant person or authority, into any computer or digital device or digital network system is punishable by law;
- collecting any data or information from any computer or computer network without permission of the relevant person is punishable by law; and
- illegally accessing any computer or digital system of any organization without consent and with the intent to introduce changes or otherwise transfer or save data is punishable by law.
The data privacy and cyber security laws apply to the whole of Bangladesh and to persons who are involved in any cyber offence within Bangladesh or from outside Bangladesh. The ICT Act determines the legal authenticity of any information contained in digital documents. It also lays down the structure for the applicable security regulation by recognising digital signatures and identities for digital records.
There is an upcoming law concentrating on data privacy which is at present in the drafting stage. It is expected to apply to all legal entities in Bangladesh and persons who are collecting, processing, and using shared or otherwise processed data relating to citizens of Bangladesh within Bangladesh or from outside Bangladesh. It will also apply to data processors or data controllers processing data in connection with any business carried out in Bangladesh or any activity of offering goods or services that involves profiling individuals.
The Draft Act will establish a Data Protection Office under the Director General of the Digital Security Agency, which will be the main regulator for enforcement and supervision of the laws. It will have investigative, corrective, and advisory powers, along with certain functions like overseeing the implementation of the Draft Act and promoting protection and observance of the right to privacy and of data, among other ancillary functions.
Find out more:
Information and Communication Technology Act, 2006
Digital Security Act 2018