While exploring the data protection and privacy law framework of Bangladesh, one will immediately spot a glaring gap which is not only frustrating but also raises economic and national security concerns in relation to the processing of its citizens' personal data. With the total number of internet users in Bangladesh reaching a 54-million at the end of September 2015 - a figure that is predicted to increase by millions every year - it is time we took personal data protection seriously.

Take this straightforward example: imagine a scenario where an individual (data subject) filled in an online application form with all her personal details. Intriguing as it may sound; this simple online act could have a number of major implications. Firstly, the internet service provider (party no. 1) of the data subject can divulge a host of information and capture any information sent through its services. Secondly, the website (party no. 2) where the application form is hosted will have access to the data as well as the organisation (party no. 3) that she has completed the form for. Thirdly, to complicate matters further, the data centre (party no. 4) on which her data is hosted may be based out of the country altogether. In such situations, without having proper protection in the form of national legislation in the country where the data subject is based, personal data becomes prone to exploitation by any of the parties in the chain of processing and controlling it. Indeed, it has been recognized that, many big data companies have initiated and implemented spying and espionage programs to ensure they maintain a country competitive advantage. 

Contrast this with the European Union which has an effective data protection and privacy legal framework, allowing its courts to recently rule that one of the big data companies, Facebook Inc., violated its citizens' privacy for aiding the mass and indiscriminate surveillance carried out by the US intelligence services. Needless to mention, without any protection in place, Bangladesh may not be even aware of how seriously its citizens could be affected by such invasions.

It is no surprise that we are witnessing a constant rise in hacking incidents of databases of governmental organisations in Bangladesh, making the whole situation of sharing personal data online even more distressing. In 2013, for instance, some unknown hackers breached Bangladesh Air Force's website and extracted the full database.

While Bangladesh is well protected by virtue of the Information and Communication Technology (ICT) Act of 2006 to bring proceedings against perpetrators of such intrusion and unauthorized access, what it fails to take into account is that these perpetrators carry out their operations anonymously and thus, in most cases, it is difficult to identify them. In other words, a preventive framework at the pre-breach level is simply non-existent. The mere presence of legislation on post-breach offences will not in fact provide adequate protection given the anonymity of the offender and the mass surveillance practices of big companies. 

The only legislation that provides for the protection, albeit limited, of privacy in general terms is the article 43 of the Constitution of the People's Republic of Bangladesh – right to “the privacy of [one's] correspondence and other means of communication”. In addition, there are two guidelines passed by the Bangladesh Bank covering ICT security and outsourcing arrangements, providing a layer of protection in the financial sector. 

It is worth noting that the neighbouring country India, has already enacted specific data protection rules and a consolidated privacy bill is already in the pipeline. Given India's high profile in the IT industry worldwide, rules regarding data protection have led to an increase in investment by multinational data companies. Meanwhile, the lack of data protection and privacy laws has effectively been a restriction to this market for Bangladesh, although we have all the potential to become another influential South Asian player in the digital economy. 

Bangladesh needs to act promptly not only to protect its citizens' personal data from flowing into the hands of criminals and spying agencies both in and out of the country but also to be able to participate in the data business estimated to be worth a trillion Euros by the year 2020. Any law addressing data protection should clearly state the grounds for processing personal data, ensure data subjects' rights to access, delete and object to such data, develop a culture regarding the retention period of data, and establish a data protection authority. Bangladesh already has an Information Commission formed under the Right to Information Act of 2009, which can be vested with data protection responsibilities. In any event, institutions dealing with personal data should be required to register with the Commission and give prior notification if there is a possibility that such data will be processed outside of Bangladesh.

The writer is a Barrister-at-Law and an LL.M. graduate in Computer and Communications Law from Queen Mary University of London.