Exploring true purposes of the Data Law and the Content Regulation

The Bangladesh Data Protection Act (“Data Law”) and the Regulation for Digital, Social Media, and OTT Platforms (‘Content Regulation”), both in their draft form, have faced a deluge of criticism, including from C.R. Abrar, the prominent academic, and Peter Haas, the US Ambassador to Bangladesh. Critics have rightly pointed to their shortcomings regarding the safeguarding of the data of Bangladeshi citizens, as well as their inherent potential for regulatory overreach.

However, in this article, I suggest we dispense with such polite theatrics. The purpose of the draft Data Law and draft Content Regulation are to continue the construction of a framework of laws that have the potential to restrict the exercise of constitutional rights of the citizens of Bangladesh regarding freedom of speech and freedom of expression. In this regard, these texts would continue the oppressive legacy of the 1974 Special Powers Act and the 2018 Digital Security Act.

Instead, we should be clear-eyed about the true purpose of the Data Law and the Content Regulation. They are likely to be twofold: i) getting content unpalatable to the authorities taken down, and ii) getting the IP address and other identifying information of the individuals posting the said content and comments from social platforms, so that they can be subjected to the coercive police powers of the state.

Let us say both the Data Law and the Content Regulation are duly promulgated. They will be picked up by the major law firms and data protection organizations from around the world. Eventually, Policy and Trust and Safety teams of social media platforms around the world will get some training, or an email alert, about the Data Law and Content Regulation. Assuming this happens by the middle of this year, I then foresee a torrential flow of takedown requests and user information requests being sent to these moderators under these two authorities during the runup to the upcoming Parliamentary elections.

How would this play out in real life? Let us say there is a piece of objectionable content that the Bangladeshi Government wants removed. It would send a take-down notice to the social media company under the Data Law. These requests are generally handled by frontline agents in outsourced teams. If there are any requests that are complex or unclear, then the teams escalate to the first escalation point, typically a manager in one of the corporate offices in the US or one of the corporate hubs. Remember also that due to the repeated layoffs in social media companies, most of these teams are understaffed and are trying to get through their daily quota of resources every day. The easy thing would be to look at the official-looking request under a law called the Data protection Act and comply with the takedown request. The correct approach, which would be to view the request through the prism of the current socio-political conditions in Bangladesh, would require more time-investment by these frontline responders as well the necessity to confer with their escalation points to decide on the right approach. However, this would take away time and resources that these teams may well not have. If the Government of Bangladesh starts sending take-down requests in bulk using this Data Law or Content Regulation, that may be enough to get the unfavorable content taken down since social media companies may potentially take the path of least resistance and treat take-down requests under this law as being genuine and bona fide.

What about the second scenario where the Government of Bangladesh is also interested in tracking down the person who posted an offensive content? The good news here is that the paradigm is completely flipped here. No platform wants to have the reputation of turning over their users’ data too easily; that would be a surefire way to lose users. Most social companies will fight very hard against any efforts to turn over their users’ data. There are limited exceptions: in the United States, in addition to responses to subpoenas, the one situation when social media companies will absolutely turn over all information with utmost haste (and even preemptively call and report such content) around any content that involved threats of shooting, bombing, or violence at schools. Generally for other countries, there will be a playbook directing how data information from each country should be handled, and presumably the instruction for data requests under the new Bangladeshi law would be to deny.

Unfortunately, this is not the end of the matter. National governments that have an interest in enforcing their will against social media policies have been experimenting with creative ways to get what they need out of these companies. India has implemented regulations since 2021 that mandated that all social companies with offices in India (which are all of them, due to the size and revenue of the India market), have a full-time employee called a Grievance Officer. This Grievance Officer has to be located in India, and is essentially personally liable for any failure by the social media companies to follow the government regulations. Which, in effect, means that the India Government has a hostage in India they can go after if the social media companies do not follow their diktat. The requirement to appoint individuals in similar positions in Bangladesh would give the government vastly greater leverage over social media companies, as the specter of arrest, legal harassment, and jail time would always be hanging over the social media companies when dealing with the government.

Another approach is the data localization requirement that is most widely associated with the Russian Federation. Russia’s dreaded data regulatory agency, Romkomnadzor, enforces the Federal Law on Personal Data, which holds that all the data of Russian citizens must be located in servers inside Rusia. A corollary provision in Russian law holds that unfettered access to unencrypted data of these servers must be provided to the Russian government. Effectively, this allows the Russian government from having to provide subpoenas and legal justifications on a case-by-case basis and instead gives them unfettered access to Russian user metadata, to do with as the authorities wish.

The importance of social media regarding freedom of expression in Bangladesh requires close scrutiny of Data Law and Content Regulation, which can only be done by using the correct theoretical framework. The potential presence of provisions, similar to the Indian and Russian provisions mentioned above in, the Bangladeshi Data Law and Content Regulation would have consequences familiar to anyone who has worked with Bangladesh’s Digital Security Act. The government would be able to use their increased leverage over social media companies to potentially further stifle the space available to criticism, dissent, and public discourse. Let us take heed.