Introduction to Digital Security Laws in Nepal, Sri Lanka, and Bangladesh

This post is the first in a series of three posts analysing the information technology (“IT”) ecosystem of Bangladesh, Sri Lanka, and Nepal.

Introduction

With over 4 billion people online[1], the internet has reshaped how we do business, communicate and conduct governance[2]. As the digital economy evolves, digital security has taken on a distinct urgency. Governments face a complex array of cyber-security threats with the potential to significantly damage economic growth and infrastructure critical to essential services[3]. This is especially true for countries in Asia, where unlike the West, internet expansion has risen amidst the internet revolution[4]. Keen to leverage the benefits of the digital economy while preserving national security in a post-internet world, Asian states tend to adopt policies that are protectionist and less aligned with international standards[5].

Bangladesh leads the world in percentage of mobile malware infections[6] while Sri Lanka[7] and Nepal[8] have experienced a sharp rise in the number of cyber-security attacks  Therefore, with the aim to address these vulnerabilities, Bangladesh passed the “Digital Security Act, 2018”[9] (“Digital Security Act”), while Sri Lanka has presented a “Cyber Security Bill”[10] (“Cyber Security Bill”), and a “Framework for Proposed Data Protection Bill”[11] (“Data Protection Bill”). Nepal recently enacted the  “Individual Privacy Act, 2018”[12] (“Privacy Act”) and formulated the “Information Technology Bill, 2075” (“IT Bill”)[13]. While each bill/act proposes to address concerns with digital security, they are still located within a broader IT regulatory ecosystem. The following paragraphs will briefly outline the regulatory framework within each country:

Nepal

Rapid take-up of internet and mobile wireless communications is a key trend shaping digital transformation in Nepal[14]. As such, the “National Information and Communication Technology Policy, 2015”[15] (“ICP”) has been a significant policy intervention. Stressing the need to leverage the economic and transformative potential of IT, the ICP was formulated to establish the foundation for an overarching vision of “Digital Nepal”[16]. Significantly, the ICP also laid the groundwork for an extensive cyber-security policy, which though formulated[17], never saw the light of day.

In September 2018, Nepal passed the Privacy Act. Implementing the constitutional right to privacy[18],  the Privacy Act has had a significant impact on legal usage of “personal information”[19]. It stipulates how ‘personal information’ available and stored with public entities is to be utilized[20], along with liabilities for breach[21].

Seeking to replace the existing Electronic Transaction Act[22], the Nepal government proposed a comprehensive IT Bill in early 2019. It lumps together every cross-cutting IT sector, and may impact everything from social media use to surveillance, e-commerce and tech innovation[23]. While providing broad definitions for “social network”[24] and “service provider”[25], the IT Bill prescribes a licensing regime for various services such as social networks[26], data centers[27]. It also penalizes offences such as cyber terrorism, publishing/display of obscene materials, acts against morality etc.[28] , and empowers investigating agencies to access and intercept data[29].

Sri Lanka

Subsequent to Sri Lanka’s first ‘Information and Cyber Security Strategy 2019-23’[30], the Ministry of Digital Infrastructure and Information Technology formulated the Cyber Security Bill[31] and Data Protection Bill[32]. The cross-sectoral bills form part of the drive to strengthen[33] the regulatory framework dealing with emerging cyber-security and data protection challenges. If executed, both bills will supplement the existing Electronic Transactions Act, Payments Devices Frauds Acts, Telecommunications Act, Intellectual Property Act and Computer Crimes Act.

The Cyber Security Bill has been drafted to protect vital information and essential services from cyber attacks[34]. It provides the government with power to establish a “Cyber Security Agency”[35] , and also empowers the “Sri Lanka Computer Emergency Readiness Team”[36] and “National Cyber Security Operations Centre”[37], all of whom aim to protect “Critical Information Infrastructure”[38].

The Data Protection Bill, released shortly after the Cyber Security Bill, aims to protect personal data and regulate its processing[39] under the over-arching constitutional right to information[40] and corresponding right to privacy[41]. Further, it intends to enhance “consumer confidence and ensure growth of digital democracy and innovation”[42]. It defines “personal data”[43], “special categories of data”[44], and lists principles concerning the processing and controlling of data[45]. It also establishes a “Data Protection Authority”[46], a body empowered to control the implementation of the Data Protection Bill and hear matters related to data protection.

Public consultations for both bills are still on-going, with the IT industry intent on addressing its concerns with the proposed legislation[47].

Bangladesh

Bangladesh is home to 87 million internet subscribers, accounting for approximately 53% of its entire population[48]. In 2016, Bangladesh was ranked 112 out of 139 nations on a Network Readiness Index according to a World Economic Forum report[49], while also performing poorly in the Global Cybersecurity Index in 2015[50]. The contemporaneous legal framework, i.e. the Information Communication Technology Act of 2006[51], was largely held to be insufficient in terms of addressing digital security and data protection concerns[52]. Consequently, Bangladesh has taken steps to improve its digital security framework through its e-governance project[53] and “Digital Bangladesh”[54] vision. Further, the government formulated a National Cybersecurity Strategy[55], charting a vision for cyber-security till 2021.

Bangladesh enacted the Digital Security Act[56] in September 2018. Passed with the objective of curbing cyber-crime and ensuring digital security, the Digital Security Act creates a wide range of cyber-crime offences[57]. These provide punishment for “propaganda or campaign against the Liberation War, the Father of the Nation”[58], posting offensive content[59], cyber-terrorism[60] and defamation[61], amongst others. Significantly, it has extra-territorial application[62].  It also establishes a “Digital Security Agency”[63] , empowered to regulate content and request the Bangladesh telecom regulator remove/block the same[64].

Significantly, the Digital Security Act provides safe harbour protection for intermediaries[65], and penalizes illegal use of “identity information”[66].

Conclusion

As South Asia becomes increasingly digitized, vital questions around the security of information arise. While each country has recognized the need for a robust digital security framework, problems are still abound. Larger issues stem from freedom of speech and surveillance concerns[67], and issues pertaining to strict regulation have also been raised by industry[68].

The next post in this series will delve further into the challenges faced by each regulatory regime. Additionally, it will attempt to chart a path that may negotiate these challenges, and provide recommendations for the same.

(This post has been authored by Vijayant Singh, Associate, with inputs from Nimisha Dutta, Counsel at Ikigai law)

[1] Simon Kemp, digital in 2018: World’s internet users pass the 4 billion mark, available at https://wearesocial.com/blog/2018/01/global-digital-report-2018.

[2] Anmar Frangoul, 10 ways the web and internet have transformed our lives, CNBC, available at https://www.cnbc.com/2018/02/09/10-ways-the-web-and-internet-have-transformed-our-lives.html.

[3] Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post, available at https://www.scmp.com/comment/insight-opinion/article/2144126/cybersecurity-threats-defy-national-borders-so-countries.

[4] Centre for Long Term Cybersecurity, Asian Cybersecurity Features, available at https://cltc.berkeley.edu/wp-content/uploads/2017/12/asianfutures.pdf.

[5] Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post.

[6] Security Magazine, Which Countries Have the Worst and Best Cybersecurity? Available at https://www.securitymagazine.com/articles/89829-which-countries-have-the-worst-and-best-cybersecurity.

[7] Roartech, Can Sri Lanka’s Cyber Security Strategy Protect Us? available at https://roar.media/english/tech/insights/can-sri-lanka-s-cyber-security-strategy-protect-us/.

[8] Kathmandu Post, 19 govt sites breached in latest cyberattack, available at https://kathmandupost.com/valley/2017/11/04/19-govt-sites-breached-in-latest-cyberattack.

[9] Bangladesh Digital Security Act, 2018 available at https://www.cirt.gov.bd/wp-content/uploads/2018/12/Digital-Security-Act-2018-English-version.pdf.

[10] Sri Lanka Cyber Security Bill, 2019, available at https://www.cert.gov.lk/Downloads/Cyber_Security_Bill_2019-05-22_LD_Final_Version.pdf.

[11] Framework for Proposed Data Protection Bill, 2019, available at http://www.mdiit.gov.lk/images/Legal_framework_for_proposed_DP_Bill_11th_June_2019_-_revised_FINAL_ver3.pdf.

[12] Nepal Privacy Act, 2075 (2018), available at http://www.lawcommission.gov.np/en/archives/category/documents/prevailing-law/statutes-acts/the-privacy-act-2075-2018.

[13] Nepal Information Technology Bill 2075 (2018).

[14] Para 4, National Information and Communication Technology Policy, 2015.

[15]               National Information and Communication Technology Policy, 2015, available at http://www.youthmetro.org/uploads/4/7/6/5/47654969/ict_policy_nepal.pdf.

[16] Para 5.1, National Information and Communication Technology Policy, 2015.

[17] Nepal Draft Cyber Security Policy, 2016, available at https://nta.gov.np/wp-content/uploads/2018/05/Nepal-Cybersecurity-Policy-Draft.pdf.

[18] Article 28, Constitution of Nepal: “The privacy of any person, his or her residence, property, document, data, correspondence and matters relating to his or her character shall, except in accordance with law, be inviolable.”

[19] Section 2 (c), Nepal Privacy Act, 2075 (2018):

“Personal information” means the following information related to any person:

(1)       His or her caste, ethnicity, birth, origin, religion, color or marital status,

(2)       His or her education or academic qualification,

(3)       His or her address, telephone or address of electronic letter (email),

(4)        His or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body,

(5)        A letter sent or received by him or her to or from anybody mentioning personal information,

(6)        His or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information,

(7)        His or her criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence,

(8)        Matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision.”

[20] Chapter 10, Nepal Privacy Act, 2075 (2018).

[21] Chapters 11, Nepal Privacy Act, 2075 (2018).

[22] The Electronic Transaction Act, 2063 (2008), available at http://www.lawcommission.gov.np/en/archives/16954.

[23] The Kathmandu Post, Everything you need to know about the Nepal government’s new IT bill, available at https://kathmandupost.com/national/2019/02/22/everything-you-need-to-know-about-the-governments-new-it-bill.

[24] Section 2 (z), Nepal Information Technology Bill 2075 (2018).

[25] Section 2 (ff), Nepal Information Technology Bill 2075 (2018).

[26] Section 91, Nepal Information Technology Bill 2075 (2018).

[27] Section 73, Nepal Information Technology Bill 2075 (2018).

[28] Chapter 15, Nepal Information Technology Bill 2075 (2018).

[29] Chapter 16, Nepal Information Technology Bill 2075 (2018).

[30] Information and Cyber Security Strategy, 2019-2023, available at https://www.cert.gov.lk/Downloads/NCSStrategy.pdf.

[31] Sri Lanka Cyber Security Bill, 2019, available at http://www.mdiit.gov.lk/images/Cyber_Security_Bill_2019-05-22_LD_Final_Version.pdf.

[32] Framework for Proposed Data Protection Bill, 2019, available at http://www.mdiit.gov.lk/images/Legal_framework_for_proposed_DP_Bill_11th_June_2019_-_revised_FINAL_ver3.pdf.

[33] In 2017, Sri Lanka was rated with a ‘maturing’ performer under the Global Cybersecurity Index (“GCI”), receiving a rank of 71 amongst 193 countries. See: International Telecommunications Union, Global Cybersecurity Index 2017, available at https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-R1-PDF-E.pdf.

[34] Section 2, Sri Lanka Cyber Security Bill, 2019.

[35] Section 3, Sri Lanka Cyber Security Bill, 2019.

[36] Section 15, Sri Lanka Cyber Security Bill, 2019.

[37] Section 16, Sri Lanka Cyber Security Bill, 2019.

[38] Section 18, Sri Lanka Cyber Security Bill, 2019.

[39] Preamble, Framework for Proposed Personal Data Bill, 2019.

[40] Article 14A, Constitution of Sri Lanka.

[41] The constitutional right to privacy is carved out as an exemption to the right to information under Article 14A of the constitution of Sri Lanka.

[42] Preamble, Framework for Proposed Personal Data Bill, 2019.

[43] Section 53, Framework for Proposed Personal Data Bill, 2019.

[44] Section 53, Framework for Proposed Personal Data Bill, 2019.

[45] Part II, Framework for Proposed Personal Data Bill, 2019.

[46] Part VII, Framework for Proposed Personal Data Bill, 2019.

[47] Ruwandi Gamage, IT industry wants more say in Cyber Security Bill, available at http://www.ft.lk/front-page/IT-industry-wants-more-say-in-Cyber-Security-Bill/44-679709.

[48] BTRC, Number of Internet Subscribers, available at http://www.btrc.gov.bd/content/internet-subscribers-bangladesh-june-2018.

[49] World Economic Forum, The Global Information Technology Report 2016, available at http://www3.weforum.org/docs/GITR2016/WEF_GITR_Full_Report.pdf.

[50] International Telecommunications Union, Global Cybersecurity Index & cyberwellness profiles, 2015, available at https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

[51] Bangladesh Information Communication Technology Act, 2006, available at http://www.icnl.org/research/library/files/Bangladesh/comm2006.pdf.

[52] Page 48, Cybersecurity Capacity Review, Bangladesh, 2018, available at https://www.nrdcs.lt/file/repository/resources/CMM_Bangladesh_Report_FINAL.pdf.

[53] e-Government Master Plan for Digital Bangladesh, available at http://bcc.portal.gov.bd/sites/default/files/files/bcc.portal.gov.bd/page/ecbb5603_1eac_4bf0_99fe_628e9980c279/e-Government%20Masterplan%20for%20Digital%20Bangladesh_V6.0%20(2).pdf.

[54] Digital Bangladesh Concept Note, 2009, available at http://btri.portal.gov.bd/sites/default/files/files/btri.portal.gov.bd/page/a556434c_e9c9_4269_9f4e_df75d712604d/Digital%20Bangladesh%20Concept%20Note_Final.pdf.

[55] Bangladesh National Cybersecurity Strategy, 2014, available at http://www.dpp.gov.bd/upload_file/gazettes/10041_41196.pdf.

[56] Bangladesh Digital Security Act, 2018, available at https://www.cirt.gov.bd/wp-content/uploads/2018/12/Digital-Security-Act-2018-English-version.pdf.

[57] Chapter Six, Bangladesh Digital Security Act, 2018.

[58] Section 21, Bangladesh Digital Security Act, 2018.

[59]  Section 25, Bangladesh Digital Security Act, 2018.

[60] Section 27, Bangladesh Digital Security Act, 2018.

[61] Section 29, Bangladesh Digital Security Act, 2018.

[62] Section 3(1), Digital Security Act, 2018.

[63] Sections 5, Bangladesh Digital Security Act, 2018.

[64] Section 8, Digital Security Act, 2018.

[65] Section 38, Digital Security Act, 2018.

[66] Section 26, Digital Security Act, 2018.

[67] The Kathmandu Post, Everything you need to know about the Nepal government’s new IT bill, available at https://kathmandupost.com/national/2019/02/22/everything-you-need-to-know-about-the-governments-new-it-bill; Sandaran Rubatheesan, Flaws in draft cybersecurity bill under review, available at http://www.sundaytimes.lk/190630/news/flaws-in-draft-cybersecurity-bill-under-review-355893.html; Rock Ronald Rozario and Stephan Uttom, Bangladesh’s digital security act: old wine in new bottle? UCA News , available at https://www.ucanews.com/news/bangladeshs-digital-security-act-old-wine-in-new-bottle/83471.

[68] The Kathmandu Post, Everything you need to know about the Nepal government’s new IT bill, available at https://kathmandupost.com/national/2019/02/23/everything-you-need-to-know-about-the-governments-new-it-bill; Ruwandi Gamage, IT industry wants more say in Cyber Security Bill, available at http://www.ft.lk/front-page/IT-industry-wants-more-say-in-Cyber-Security-Bill/44-679709; S. Barik, Banladesh’s Digital Security Bill can have a ‘chilling effect on free speech’: Asia Internet Coalition, available at https://www.medianama.com/2019/07/223-bangladeshs-digital-security-bill-can-have-a-chilling-effect-on-free-speech-asia-internet-coalition/.