Ikigai LawIkigai LawIkigai LawIkigai Law
  • About Us
    • About
    • Our Team
    • FinTales
    • Tech Ticker
  • Practice Areas
  • Blog
  • News & Events
    • Ikigai Law in the news
    • Ikigai Law at events
    • Ikigailaw on the social media
  • Careers

Introduction to Digital Security Laws in Nepal, Sri Lanka, and Bangladesh

    Home Other Areas Introduction to Digital Security Laws in Nepal, Sri Lanka, and Bangladesh
    NextPrevious

    Introduction to Digital Security Laws in Nepal, Sri Lanka, and Bangladesh

    By Ikigai Law | Other Areas | 0 comment | 9 August, 2019 | 5

    This post is the first in a series of three posts analysing the information technology (“IT”) ecosystem of Bangladesh, Sri Lanka, and Nepal.

     

    Introduction

    With over 4 billion people online[1], the internet has reshaped how we do business, communicate and conduct governance[2]. As the digital economy evolves, digital security has taken on a distinct urgency. Governments face a complex array of cyber-security threats with the potential to significantly damage economic growth and infrastructure critical to essential services[3]. This is especially true for countries in Asia, where unlike the West, internet expansion has risen amidst the internet revolution[4]. Keen to leverage the benefits of the digital economy while preserving national security in a post-internet world, Asian states tend to adopt policies that are protectionist and less aligned with international standards[5].

    Bangladesh leads the world in percentage of mobile malware infections[6] while Sri Lanka[7] and Nepal[8] have experienced a sharp rise in the number of cyber-security attacks  Therefore, with the aim to address these vulnerabilities, Bangladesh passed the “Digital Security Act, 2018”[9] (“Digital Security Act”), while Sri Lanka has presented a “Cyber Security Bill”[10] (“Cyber Security Bill”), and a “Framework for Proposed Data Protection Bill”[11] (“Data Protection Bill”). Nepal recently enacted the  “Individual Privacy Act, 2018”[12] (“Privacy Act”) and formulated the “Information Technology Bill, 2075” (“IT Bill”)[13]. While each bill/act proposes to address concerns with digital security, they are still located within a broader IT regulatory ecosystem. The following paragraphs will briefly outline the regulatory framework within each country:

     

    Nepal

    Rapid take-up of internet and mobile wireless communications is a key trend shaping digital transformation in Nepal[14]. As such, the “National Information and Communication Technology Policy, 2015”[15] (“ICP”) has been a significant policy intervention. Stressing the need to leverage the economic and transformative potential of IT, the ICP was formulated to establish the foundation for an overarching vision of “Digital Nepal”[16]. Significantly, the ICP also laid the groundwork for an extensive cyber-security policy, which though formulated[17], never saw the light of day.

    In September 2018, Nepal passed the Privacy Act. Implementing the constitutional right to privacy[18],  the Privacy Act has had a significant impact on legal usage of “personal information”[19]. It stipulates how ‘personal information’ available and stored with public entities is to be utilized[20], along with liabilities for breach[21].

    Seeking to replace the existing Electronic Transaction Act[22], the Nepal government proposed a comprehensive IT Bill in early 2019. It lumps together every cross-cutting IT sector, and may impact everything from social media use to surveillance, e-commerce and tech innovation[23]. While providing broad definitions for “social network”[24] and “service provider”[25], the IT Bill prescribes a licensing regime for various services such as social networks[26], data centers[27]. It also penalizes offences such as cyber terrorism, publishing/display of obscene materials, acts against morality etc.[28] , and empowers investigating agencies to access and intercept data[29].

     

    Sri Lanka

    Subsequent to Sri Lanka’s first ‘Information and Cyber Security Strategy 2019-23’[30], the Ministry of Digital Infrastructure and Information Technology formulated the Cyber Security Bill[31] and Data Protection Bill[32]. The cross-sectoral bills form part of the drive to strengthen[33] the regulatory framework dealing with emerging cyber-security and data protection challenges. If executed, both bills will supplement the existing Electronic Transactions Act, Payments Devices Frauds Acts, Telecommunications Act, Intellectual Property Act and Computer Crimes Act.

    The Cyber Security Bill has been drafted to protect vital information and essential services from cyber attacks[34]. It provides the government with power to establish a “Cyber Security Agency”[35] , and also empowers the “Sri Lanka Computer Emergency Readiness Team”[36] and “National Cyber Security Operations Centre”[37], all of whom aim to protect “Critical Information Infrastructure”[38].

    The Data Protection Bill, released shortly after the Cyber Security Bill, aims to protect personal data and regulate its processing[39] under the over-arching constitutional right to information[40] and corresponding right to privacy[41]. Further, it intends to enhance “consumer confidence and ensure growth of digital democracy and innovation”[42]. It defines “personal data”[43], “special categories of data”[44], and lists principles concerning the processing and controlling of data[45]. It also establishes a “Data Protection Authority”[46], a body empowered to control the implementation of the Data Protection Bill and hear matters related to data protection.

    Public consultations for both bills are still on-going, with the IT industry intent on addressing its concerns with the proposed legislation[47].

     

    Bangladesh

    Bangladesh is home to 87 million internet subscribers, accounting for approximately 53% of its entire population[48]. In 2016, Bangladesh was ranked 112 out of 139 nations on a Network Readiness Index according to a World Economic Forum report[49], while also performing poorly in the Global Cybersecurity Index in 2015[50]. The contemporaneous legal framework, i.e. the Information Communication Technology Act of 2006[51], was largely held to be insufficient in terms of addressing digital security and data protection concerns[52]. Consequently, Bangladesh has taken steps to improve its digital security framework through its e-governance project[53] and “Digital Bangladesh”[54] vision. Further, the government formulated a National Cybersecurity Strategy[55], charting a vision for cyber-security till 2021.

    Bangladesh enacted the Digital Security Act[56] in September 2018. Passed with the objective of curbing cyber-crime and ensuring digital security, the Digital Security Act creates a wide range of cyber-crime offences[57]. These provide punishment for “propaganda or campaign against the Liberation War, the Father of the Nation”[58], posting offensive content[59], cyber-terrorism[60] and defamation[61], amongst others. Significantly, it has extra-territorial application[62].  It also establishes a “Digital Security Agency”[63] , empowered to regulate content and request the Bangladesh telecom regulator remove/block the same[64].

    Significantly, the Digital Security Act provides safe harbour protection for intermediaries[65], and penalizes illegal use of “identity information”[66].

     

    Conclusion

    As South Asia becomes increasingly digitized, vital questions around the security of information arise. While each country has recognized the need for a robust digital security framework, problems are still abound. Larger issues stem from freedom of speech and surveillance concerns[67], and issues pertaining to strict regulation have also been raised by industry[68].

    The next post in this series will delve further into the challenges faced by each regulatory regime. Additionally, it will attempt to chart a path that may negotiate these challenges, and provide recommendations for the same.

     

    (This post has been authored by Vijayant Singh, Associate, with inputs from Nimisha Dutta, Counsel at Ikigai law)

     

    [1] Simon Kemp, digital in 2018: World’s internet users pass the 4 billion mark, available at https://wearesocial.com/blog/2018/01/global-digital-report-2018.

    [2] Anmar Frangoul, 10 ways the web and internet have transformed our lives, CNBC, available at https://www.cnbc.com/2018/02/09/10-ways-the-web-and-internet-have-transformed-our-lives.html.

    [3] Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post, available at https://www.scmp.com/comment/insight-opinion/article/2144126/cybersecurity-threats-defy-national-borders-so-countries.

    [4] Centre for Long Term Cybersecurity, Asian Cybersecurity Features, available at https://cltc.berkeley.edu/wp-content/uploads/2017/12/asianfutures.pdf.

    [5] Victoria A. Espinel, Cybersecurity threats defy national borders, so countries should collaborate, not clam up, South China Morning Post.

    [6] Security Magazine, Which Countries Have the Worst and Best Cybersecurity? Available at https://www.securitymagazine.com/articles/89829-which-countries-have-the-worst-and-best-cybersecurity.

    [7] Roartech, Can Sri Lanka’s Cyber Security Strategy Protect Us? available at https://roar.media/english/tech/insights/can-sri-lanka-s-cyber-security-strategy-protect-us/.

    [8] Kathmandu Post, 19 govt sites breached in latest cyberattack, available at https://kathmandupost.com/valley/2017/11/04/19-govt-sites-breached-in-latest-cyberattack.

    [9] Bangladesh Digital Security Act, 2018 available at https://www.cirt.gov.bd/wp-content/uploads/2018/12/Digital-Security-Act-2018-English-version.pdf.

    [10] Sri Lanka Cyber Security Bill, 2019, available at https://www.cert.gov.lk/Downloads/Cyber_Security_Bill_2019-05-22_LD_Final_Version.pdf.

    [11] Framework for Proposed Data Protection Bill, 2019, available at http://www.mdiit.gov.lk/images/Legal_framework_for_proposed_DP_Bill_11th_June_2019_-_revised_FINAL_ver3.pdf.

    [12] Nepal Privacy Act, 2075 (2018), available at http://www.lawcommission.gov.np/en/archives/category/documents/prevailing-law/statutes-acts/the-privacy-act-2075-2018.

    [13] Nepal Information Technology Bill 2075 (2018).

    [14] Para 4, National Information and Communication Technology Policy, 2015.

    [15]               National Information and Communication Technology Policy, 2015, available at http://www.youthmetro.org/uploads/4/7/6/5/47654969/ict_policy_nepal.pdf.

    [16] Para 5.1, National Information and Communication Technology Policy, 2015.

    [17] Nepal Draft Cyber Security Policy, 2016, available at https://nta.gov.np/wp-content/uploads/2018/05/Nepal-Cybersecurity-Policy-Draft.pdf.

    [18] Article 28, Constitution of Nepal: “The privacy of any person, his or her residence, property, document, data, correspondence and matters relating to his or her character shall, except in accordance with law, be inviolable.”

    [19] Section 2 (c), Nepal Privacy Act, 2075 (2018):

    “Personal information” means the following information related to any person:

    (1)       His or her caste, ethnicity, birth, origin, religion, color or marital status,

    (2)       His or her education or academic qualification,

    (3)       His or her address, telephone or address of electronic letter (email),

    (4)        His or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body,

    (5)        A letter sent or received by him or her to or from anybody mentioning personal information,

    (6)        His or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information,

    (7)        His or her criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence,

    (8)        Matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision.”

    [20] Chapter 10, Nepal Privacy Act, 2075 (2018).

    [21] Chapters 11, Nepal Privacy Act, 2075 (2018).

    [22] The Electronic Transaction Act, 2063 (2008), available at http://www.lawcommission.gov.np/en/archives/16954.

    [23] The Kathmandu Post, Everything you need to know about the Nepal government’s new IT bill, available at https://kathmandupost.com/national/2019/02/22/everything-you-need-to-know-about-the-governments-new-it-bill.

    [24] Section 2 (z), Nepal Information Technology Bill 2075 (2018).

    [25] Section 2 (ff), Nepal Information Technology Bill 2075 (2018).

    [26] Section 91, Nepal Information Technology Bill 2075 (2018).

    [27] Section 73, Nepal Information Technology Bill 2075 (2018).

    [28] Chapter 15, Nepal Information Technology Bill 2075 (2018).

    [29] Chapter 16, Nepal Information Technology Bill 2075 (2018).

    [30] Information and Cyber Security Strategy, 2019-2023, available at https://www.cert.gov.lk/Downloads/NCSStrategy.pdf.

    [31] Sri Lanka Cyber Security Bill, 2019, available at http://www.mdiit.gov.lk/images/Cyber_Security_Bill_2019-05-22_LD_Final_Version.pdf.

    [32] Framework for Proposed Data Protection Bill, 2019, available at http://www.mdiit.gov.lk/images/Legal_framework_for_proposed_DP_Bill_11th_June_2019_-_revised_FINAL_ver3.pdf.

    [33] In 2017, Sri Lanka was rated with a ‘maturing’ performer under the Global Cybersecurity Index (“GCI”), receiving a rank of 71 amongst 193 countries. See: International Telecommunications Union, Global Cybersecurity Index 2017, available at https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-R1-PDF-E.pdf.

    [34] Section 2, Sri Lanka Cyber Security Bill, 2019.

    [35] Section 3, Sri Lanka Cyber Security Bill, 2019.

    [36] Section 15, Sri Lanka Cyber Security Bill, 2019.

    [37] Section 16, Sri Lanka Cyber Security Bill, 2019.

    [38] Section 18, Sri Lanka Cyber Security Bill, 2019.

    [39] Preamble, Framework for Proposed Personal Data Bill, 2019.

    [40] Article 14A, Constitution of Sri Lanka.

    [41] The constitutional right to privacy is carved out as an exemption to the right to information under Article 14A of the constitution of Sri Lanka.

    [42] Preamble, Framework for Proposed Personal Data Bill, 2019.

    [43] Section 53, Framework for Proposed Personal Data Bill, 2019.

    [44] Section 53, Framework for Proposed Personal Data Bill, 2019.

    [45] Part II, Framework for Proposed Personal Data Bill, 2019.

    [46] Part VII, Framework for Proposed Personal Data Bill, 2019.

    [47] Ruwandi Gamage, IT industry wants more say in Cyber Security Bill, available at http://www.ft.lk/front-page/IT-industry-wants-more-say-in-Cyber-Security-Bill/44-679709.

    [48] BTRC, Number of Internet Subscribers, available at http://www.btrc.gov.bd/content/internet-subscribers-bangladesh-june-2018.

    [49] World Economic Forum, The Global Information Technology Report 2016, available at http://www3.weforum.org/docs/GITR2016/WEF_GITR_Full_Report.pdf.

    [50] International Telecommunications Union, Global Cybersecurity Index & cyberwellness profiles, 2015, available at https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

    [51] Bangladesh Information Communication Technology Act, 2006, available at http://www.icnl.org/research/library/files/Bangladesh/comm2006.pdf.

    [52] Page 48, Cybersecurity Capacity Review, Bangladesh, 2018, available at https://www.nrdcs.lt/file/repository/resources/CMM_Bangladesh_Report_FINAL.pdf.

    [53] e-Government Master Plan for Digital Bangladesh, available at http://bcc.portal.gov.bd/sites/default/files/files/bcc.portal.gov.bd/page/ecbb5603_1eac_4bf0_99fe_628e9980c279/e-Government%20Masterplan%20for%20Digital%20Bangladesh_V6.0%20(2).pdf.

    [54] Digital Bangladesh Concept Note, 2009, available at http://btri.portal.gov.bd/sites/default/files/files/btri.portal.gov.bd/page/a556434c_e9c9_4269_9f4e_df75d712604d/Digital%20Bangladesh%20Concept%20Note_Final.pdf.

    [55] Bangladesh National Cybersecurity Strategy, 2014, available at http://www.dpp.gov.bd/upload_file/gazettes/10041_41196.pdf.

    [56] Bangladesh Digital Security Act, 2018, available at https://www.cirt.gov.bd/wp-content/uploads/2018/12/Digital-Security-Act-2018-English-version.pdf.

    [57] Chapter Six, Bangladesh Digital Security Act, 2018.

    [58] Section 21, Bangladesh Digital Security Act, 2018.

    [59]  Section 25, Bangladesh Digital Security Act, 2018.

    [60] Section 27, Bangladesh Digital Security Act, 2018.

    [61] Section 29, Bangladesh Digital Security Act, 2018.

    [62] Section 3(1), Digital Security Act, 2018.

    [63] Sections 5, Bangladesh Digital Security Act, 2018.

    [64] Section 8, Digital Security Act, 2018.

    [65] Section 38, Digital Security Act, 2018.

    [66] Section 26, Digital Security Act, 2018.

    [67] The Kathmandu Post, Everything you need to know about the Nepal government’s new IT bill, available at https://kathmandupost.com/national/2019/02/22/everything-you-need-to-know-about-the-governments-new-it-bill; Sandaran Rubatheesan, Flaws in draft cybersecurity bill under review, available at http://www.sundaytimes.lk/190630/news/flaws-in-draft-cybersecurity-bill-under-review-355893.html; Rock Ronald Rozario and Stephan Uttom, Bangladesh’s digital security act: old wine in new bottle? UCA News , available at https://www.ucanews.com/news/bangladeshs-digital-security-act-old-wine-in-new-bottle/83471.

    [68] The Kathmandu Post, Everything you need to know about the Nepal government’s new IT bill, available at https://kathmandupost.com/national/2019/02/23/everything-you-need-to-know-about-the-governments-new-it-bill; Ruwandi Gamage, IT industry wants more say in Cyber Security Bill, available at http://www.ft.lk/front-page/IT-industry-wants-more-say-in-Cyber-Security-Bill/44-679709; S. Barik, Banladesh’s Digital Security Bill can have a ‘chilling effect on free speech’: Asia Internet Coalition, available at https://www.medianama.com/2019/07/223-bangladeshs-digital-security-bill-can-have-a-chilling-effect-on-free-speech-asia-internet-coalition/.

    Bangladesh, cyber-security, Data Protection, digital economy, digital security, digital transformation, Information Technology, Nepal, Privacy, south Asia, Sri Lanka

    Ikigai Law

    More posts by Ikigai Law

    Related Post

    • New era of data protection regulation in South Asia

      By Ikigai Law | 0 comment

      There seems to be an explosion of new data protection regulations across the South Asia region in recent years. Although these proposed laws[1] codify a common set of guiding principles, each law is in factRead more

    • Analysis of the data protection regulations in South Asia: ‘regional interoperability’ as a way forward

      By Ikigai Law | 0 comment

      A comprehensive data protection regime with a robust institutional framework is not only imperative for protection of fundamental rights but also gives the necessary stimulus to the digital economy. In our second blog we hadRead more

    • Introduction to digital governance issues in the APAC region

      By Ikigai Law | 0 comment

      I. Introduction The Asia-Pacific, or APAC region, comprising of countries such as Australia, China, India, Japan, Singapore, Indonesia, and Vietnam,[1] has the largest number of internet users in the world, at around 2.1 billion.[2] TheRead more

    • Our Notes From the Dialogue Roundtable on Enabling a Progressive Privacy Regime in India

      By Ikigai Law | 0 comment

      The Dialogue organized a roundtable in New Delhi on 5th August, 2019, to discuss the way forward for a progressive data protection law that is rights-based and implements the Supreme Court’s principles on privacy. ThisRead more

    • Key reports released by the Standing Committee on Information Technology

      By Ikigai Law | 0 comment

      This blogpost summarizes some of the key reports that have been released by the Standing Committee on Information Technology since its inception. Since its inception, the Standing Committee on Information Technology (“SCIT”) has released 305Read more

    Leave a Comment

    Cancel reply

    Your email address will not be published. Required fields are marked *

    NextPrevious

    Tags

    #DataProtection #Fintales bitcoin Blockchain Budget Consent Consultation Consultation Paper cryptocurrency data Data Controllers data governance Data localisation Data Protection Data Subjects digital economy Digital India Drones E-Commerce Facebook Fintech Government Government of India healthtech Ikigai Law India Indian government Innovation MeITY Notice Payments Personal Data policy Privacy RBI Recommendation Regulation Srikrishna Committee Stakeholders Startups Surveillance Technology Tech Policy TechTicker TRAI

    Connect with Ikigai Law

    Copyright 2018 Ikigai Law | All Rights Reserved             

    Information

    • Practice Areas
    • Blog
    • Careers
    • Contact Us
    • Privacy Policy

    Contact us

    Office
    T-7/402, Commonwealth Games Village Apartment,
    New Delhi, Delhi 110092 India.

    Email Address

    contact@ikigailaw.com

    • About Us
      • About
      • Our Team
      • FinTales
      • Tech Ticker
    • Practice Areas
    • Blog
    • News & Events
      • Ikigai Law in the news
      • Ikigai Law at events
      • Ikigailaw on the social media
    • Careers
    Ikigai Law