An Analysis of Data Localization and Cross-Border Data Transfer Restrictions in Bangladesh

This paper examines the legal and regulatory framework surrounding data localization and cross-border data transfer in Bangladesh. The analysis highlights key provisions within the draft Data Protection Act 2022 (DPA), the Bank Company Act 1991, and the Cloud Computing Guideline 2021, while also considering the broader international context, including the General Data Protection Regulation (GDPR).

Data Localization Mandates:

The draft DPA mandates the storage of all sensitive, customer-generated, and classified data within Bangladesh. While the DPA emphasizes data localization, it notably lacks a precise definition of “classified data,” creating ambiguity and potential for regulatory overreach. Similarly, Section 12 of the Bank Company Act 1991 prohibits banking companies from transferring any business records or documents outside Bangladesh without prior written authorization from the Bangladesh Bank.

Restrictions on Cloud Computing:

The Cloud Computing Guideline 2021 further reinforces data localization measures. It generally prohibits the use of international public clouds for storing sensitive government data, including personal, financial, and health information of citizens, government financial data, and data related to national security. However, the Bangladesh Computer Council (BCC) may grant exemptions under specific conditions, such as the establishment of a data center within Bangladesh by the cloud service provider with assurances of data residency within the country. Moreover, Clause 13 of the Guideline explicitly prohibits the transfer of data stored on International Public Cloud platforms outside the geographical boundaries of Bangladesh.

International Considerations and Challenges:

Data stored in foreign jurisdictions may be subject to the legal processes and surveillance authorities of those countries, potentially compromising data privacy and security. This exposure to foreign legal frameworks poses potential risks to data sovereignty and can lead to conflicts with domestic regulations.

The GDPR, while permitting data transfers outside the EU under specific conditions, including adequate safeguards and enforceable data subject rights, creates a conflicting regulatory landscape for businesses operating in both jurisdictions. Flows of personal data to and from the European Union are crucial for international trade and cooperation. However, the transfer of such data must not undermine the level of protection afforded to individuals. Therefore, transfers to third countries must comply fully with Chapter V of the GDPR.

The absence of a clear and consistent international framework for data transfer and protection presents significant challenges for businesses operating across borders. This lack of a unified approach can lead to inconsistencies in enforcement, create potential loopholes for malicious actors, and hinder the free flow of data necessary for the globalized economy.

Emerging Trends and Future Considerations:

Data protection laws are constantly evolving, both within Bangladesh and internationally. Businesses must diligently monitor these changes and adapt their practices accordingly to ensure ongoing compliance with relevant regulations.

Trust in international data flows is currently eroding due to concerns that government demands for data access, driven by criminal investigations and national security interests, may conflict with universal human rights and freedoms, particularly privacy rights. These demands may also clash with other national laws when data transcends borders. In today’s interconnected global economy, government access laws must acknowledge the inherently global nature of data, recognizing its potential subjection to the laws of multiple jurisdictions. International agreements should prioritize the development of frameworks that minimize conflicts of law and provide clear mechanisms for resolving cross-border data disputes. Service providers should not be held liable for complying in good faith with the legal obligations of the jurisdictions in which they operate.

Conclusion

This analysis highlights the complexities surrounding data localization and cross-border data transfer in Bangladesh. The interplay between domestic regulations, international standards, and the evolving global data landscape necessitates a nuanced approach to data management and governance. Moving forward, a collaborative effort between policymakers, businesses, and international organizations is crucial to develop a robust and sustainable framework that balances data security, privacy, and the needs of a globalized economy.