August 2023

1. Governing Texts

The concept of data privacy and underlying data protection rights and requirements is new in Bangladesh, but one that has never been so important as in this era of fast digital development, social networking, cyber crime, artificial intelligence, electronic communication, and increasing awareness of users/consumers. Data protection is the set of privacy laws, policies, and procedures that aim to minimize the intrusion into one's privacy caused by the collection, storage, and dissemination of personal data. Personal data generally refers to the information or data that relates to a person who can be identified from that information or data, whether collected by any government or any private organization or agency. The basic framework of such data protection and privacy is laid out by the rights of privacy granted under the Constitution of Bangladesh ('the Constitution'), along with the Information Communication Technology Act 2006 (only available in Bengali here) ('the Technology Act') and the Digital Security Act, 2018 ('the Digital Security Act').

1.1. Key acts, regulations, directives, bills

The Constitution

The Constitution provides a right to privacy of correspondence and other means of communication under Article 43 of the Constitution. Additionally, the courts have read the right to privacy into the following existing fundamental rights:

• freedom of thought and conscience;
• freedom of speech under Article 39; and
• right to life and personal liberty under Article 32.

These fundamental rights under the Constitution are, though, subject to reasonable restrictions provided under Article 39(2) of the Constitution that may be imposed by the State. Under Article 43, the Constitution grants every citizen the right, subject to any reasonable restrictions imposed by law in the interests of the security of the State, public order, public morality, or public health, to the privacy of their correspondence and other means of communication.

Furthermore, the Constitution provides that no person shall be deprived of life or personal liberty except according to procedures established by law. As such, judicial intervention is very much possible in the legal system of Bangladesh, and as such, privacy is subject to the application of lawful interception.

The Technology Act and the Digital Security Act, address issues relating to wrongful disclosure, misuse of personal data, and violation of contractual terms in respect of personal data.

The Technology Act

The Technology Act provides legal recognition for electronic certificates and transactions carried out by means of electronic data interchange, in addition to other means of electronic communication, which involve the use of alternative or paper-based methods of communication, and storage of information to facilitate electronic filing of documents with government agencies.

The Technology Act imposes responsibility for a person or body corporate that is possessing, dealing, or handling any sensitive personal data or information. In addition, the Technology Act requires the implementation and maintenance of reasonable security practices to avoid the wrongful loss or wrongful gain by the owner of such data as per the below provisions.

Pursuant to the Technology Act, the Government of Bangladesh ('the Government') has the power to intercept data provided that certain conditions are fulfilled. In particular, Section 46 of the Technology Act, which is an exception to the general rule for maintenance of privacy and secrecy of information, provides that the Government may intercept data where it is satisfied that such interception is necessary in the interest of:

• the sovereignty, integrity, or security of the state;
• friendly relations with foreign states;
• public order;
• for preventing incitement to the commission of any cognizable offense relating to the above; or
• for investigation of any offense.

The Government may, by order, direct any agency of the appropriate government authority to intercept, monitor or decrypt, or cause to be intercepted, monitored, or decrypted, any information generated, transmitted, received, or stored in any computer resource. Section 46 of the Technology Act empowers the Government to intercept, monitor, or decrypt any information, including information of a personal nature in any computer resource. Where the information is such that it ought to be divulged in the public interest, the Government may require disclosure of such information. Information relating to anti-national activities which are against national security, breaches of the law or statutory duty, or fraud may come under this category.

Under the above circumstances, the controller, appointed by the Government, can direct a subscriber to extend facilities to decrypt, intercept, and monitor information. The scope of Section 69 of the Technology Act includes both interception and monitoring along with decryption for the purpose of investigating cybercrimes. The controller may, by notification in the Bangladesh Government Press or in the electronic gazette, declare any computer, computer system, or computer network to be a protected system and authorize applicable persons to secure access to protected systems.

The Digital Security Act

The Digital Security Act was enacted to ensure national data security and develop laws regarding data crime identification, prevention, suppression, trial, and other related matters. Below are the relevant provisions laid out in the Digital Security Act.

Under the Digital Security Act, if any data or information is published or propagated in digital media regarding a subject that comes under the purview of the Director General of the Digital Security Agency ('DSA') which threatens data security, then the Director General can request the relevant regulatory authority to remove or block said data or information as appropriate.

The Telecom Act

The Telecommunication Act, 2001 ('the Telecom Act') is the only law that regulates electronic communication between two parties. Under Section 67(b) of the Telecom Act, no person shall intercept any radio communication or telecommunication nor shall utilize or divulge the intercepted communication, unless the originator of the communication or the person to whom the originator intends to send it has consented to or approved the interception or divulgence. Such an act is punishable with imprisonment for a term not exceeding three years or a fine not exceeding BDT 300,000 (approx. $2,740), or both.

Under Section 97(Ka) of the Telecom Act, on the grounds of national security and public order, the Government may empower certain authorities (e.g. intelligence agencies, national security agencies, investigation agencies, or any officer of any law enforcement agency) to suspend or prohibit the transmission of any data or any voice call and record or collect user information relating to any subscriber to a telecommunications service. This widely drafted provision encompasses interception capabilities. The relevant telecoms operator must provide full support to the empowered authority to use such powers. The Telecom Act does not provide for any time limits on these powers. As a result, an interception may last for as long as the agency implementing the interception decides.

Under the broad powers granted in Section 97(Ka) of the Telecom Act on the grounds of national security and public order, the Government may require a telecommunications operator to keep records relating to the communications of a specific user. However, when considering whether to give a retention request, the relevant government agency would need to consider the technical resources and capabilities of the operator to retain information.

Under Section 96 of the Telecom Act, the Government may, on the grounds of public interest, take possession of any telecommunication system, and all arrangements that are necessary for operating it. It may continue such possession for any time period and keep the operator and their employees engaged on a full-time basis or for a particular time for the purpose of operating such apparatus or system. The Government is obliged, however, to pay proper compensation to the owner or the person having control of the radio apparatus or the telecommunication system which it takes over.

Except for authorized persons as described in Section 97(Ka) of the Telecom Act (security agencies), if anyone taps or intercepts telecommunication between two persons without their authorization, then such intervention is considered an offense.

As per Section 68 of the Telecom Act, the following acts are considered offenses if conducted by an official of a licensee if they, in the course of their duty:

• use any telecommunication apparatus or radio apparatus with intent to obtain any information relating to the sender or addressee, or the content of a message sent by telecommunication or radio communication, unless the Bangladesh Telecommunication Regulatory Commission ('BTRC') has authorized that employee or the operator to receive the message;
• except for the requirement of a legal proceeding of the BTRC or a court or of a consequential proceeding, disclose any information about the sender, addressee, or contents of a message which has come to their knowledge only by using or in connection with the use of a telecommunication apparatus or radio apparatus; and
• create obstruction in any part of a telecommunication network that is being used for sending or receiving information or a message or anything else, or else obtain any information relating to the sender, addressee, or content of the message, unless they are authorized in this regard by the BTRC or by the sender or addressee of such message.

The Contract Act, 1872

The Contract Act, 1872 can be applied to the issue of data protection that has been generally governed by the contractual relationship between parties. Parties are free to enter into contracts to determine their relationship in defining terms related to personal data, personal sensitive data, data which may not be transferred out of or into Bangladesh, and the mode of handling the same.

The Consumers' Rights Protection Act, 2009

As per Section 52 of the Consumers' Rights Protection Act, 2009, whoever, in violation of any prohibition under any law for the time being in force, does any act that is detrimental to a service receiver's life or security, shall be punishable to imprisonment for a period not exceeding three years and/or a fine not exceeding BDT 200,000 (approx. $1,830). Under Section 53, any service provider who by negligence, irresponsibility, or carelessness damages the service receiver's finances or health, or causes death, shall be punishable by imprisonment for a period not exceeding three years and/or a fine not exceeding BDT 200,000 (approx. $1,830). In addition, the consumer may be entitled to claim damages.

These provisions implicitly impose responsibility over the person or body corporate that is possessing, dealing, or handling any sensitive personal data or information for the consumer, to implement and maintain reasonable security practices in order to avoid wrongful loss or wrongful gain to the owner of such data.

The Penal Code

The Penal Code, 1860 ('the Penal Code') can be adopted as an effective means to prevent data theft. Offenses such as misappropriation of property, theft, or criminal breach of trust attract imprisonment and a fine under the Penal Code. Although the offenses of theft and misappropriation under the Penal Code only apply to movable property, it has been defined to include corporeal property of 'every description', except land and things permanently attached to the earth. Therefore, computer databases can be protected under the Penal Code, as they are movable by their very nature.

The Copyright Act, 2000

The Copyright Act, 2000 ('the Copyright Act') protects intellectual property rights in literary, dramatic, musical, artistic, and cinematographic works. The term 'literary work' includes computer databases as well. Therefore, copying a computer database, or copying and distributing a database amounts to infringement of copyright for which civil and criminal remedies can be initiated. However, it is difficult to differentiate between data protection and database protection under the Copyright Act. Data protection is aimed at protecting the informational privacy of individuals, while database protection has an entirely different function, namely, to protect the creativity and investment put into the compilation, verification, and presentation of databases.

The Data Protection Bill

The Government is planning to submit the Data Protection Bill ('the Bill') to the National Parliament for enactment and in this pursuit internally circulated a first draft of the Data Protection Act in November 2020. While the content of the law has not been made publicly available, there have been a number of indications from the Government on the new dimensions to be introduced by the Bill.

The Bill is supposed to introduce the concept of data controller (as contrasted to data user) as persons collecting, processing, using, sharing, or otherwise processing data within Bangladesh or data of Bangladesh residents. It has been reported to cover certain aspects of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') especially adopting the data quality principle, use limitation principle, and security safeguards principle, as contrasted to the collection limitation principle and accountability principle which are to some extent addressed under the Digital Security Act.

Another new requirement is to push for data localization or data sovereignty, as the Bill states that the personal data of Bangladeshi citizens must stay in the country. More specifically, the Bill says that every data controller should store at least one serving copy of such data within the geographic boundary of Bangladesh.

Public sector

There is no separate law on this subject. However, under the Digital Security Act, if any person commits or aids and abets in committing an offense under the Official Secrets Act, 1923 through a computer, digital device, computer network, digital network, or through any other digital medium, then they will be punished with a term of imprisonment not exceeding 14 years or with a fine not exceeding BDT 2.5 million (approx. $22,840) or with both.

1.2. Guidelines

Under the Digital Security Act, the National Digital Security Council ('NDSC') has been entrusted with the authority that can formulate and issue data protection guidance as and when required.

1.3. Case law

Since data protection is a new area under legislative enactment, there has been no significant case law or precedents in this respect. However, there are a few cases from Indian courts, under a similar constitutional arrangement, which are used as precedent in Bangladesh courts:

In the case of Kharak Singh v. The State of U.P., the Supreme Court of India concluded that Article 32 of the Constitution of India includes 'right to privacy' as a part of the right to 'protection of life and personal liberty'. The court paralleled 'personal liberty' with 'privacy' and mentioned that the concept of liberty in the Constitution was wide-ranging enough for the inclusion of privacy.

In District Registrar and Collector v. Canara Bank, the Supreme Court of India mentioned that an individual's right to privacy exists and any illegitimate invasion of privacy would make the person committing such an offense responsible for the consequences with reference to the law, as well as that there is also constitutional recognition given to the right of protecting personal privacy against illegal governmental invasion.

In People's Union for Civil Liberties (PUCL) v. Union of India, it was held that telephone tapping by the Government amounts to an infraction of personal liberty under the Constitution of India. The right to privacy is a part of the rights to 'life' and 'personal liberty' enshrined under the Constitution. The said right cannot be curtailed "except according to procedure established by law."

In U.P. v. Raj Narayan, it was held that a citizen has a right to receive information derived from the concept of freedom of speech and expression.

2. Scope of Application

2.1. Personal scope

Data protection law applies to any natural person or institution, company, partnership business, farm, or any other organization, in the case of the digital device, its controller, and any entity created by law or artificial legal entity.

2.2. Territorial scope

The following extraterritorial provisions are stipulated under the Digital Security Act:

• if any person commits an offense or contravention outside of Bangladesh which is punishable under these provisions, then this Act shall apply as if they had committed such offense or contravention in Bangladesh;
• if any person commits an offense or contravention in Bangladesh under these provisions from outside Bangladesh using a computer, computer system, or computer network located in Bangladesh, then these provisions shall apply as if the entirety of the offense or contravention took place in Bangladesh; and
• if any person from within Bangladesh commits an offense or contravention outside of Bangladesh under these provisions, then these provisions shall apply against them as if the entire process of the offense or contravention took place in Bangladesh.

2.3. Material scope

The Digital Security Act covers all kinds of data processing including usage, saving, and transmission, and all kinds of data which may even relate to critical information infrastructure. In addition, it has expressly covered certain types of personal data under the term 'identity information'.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Under the Digital Security Act, the NDSC has been entrusted with the authority to formulate and issue data protection guidance as and when required. However, for executive matters such as blocking content or decrypting a data source, the DSA has executive power.

3.2. Main powers, duties and responsibilities

The powers, duties, and responsibilities of the NDSC include:

• if digital security is under threat, providing necessary directions on how to remedy the situation;
• advising on how to improve the digital security infrastructure, how to increase its manpower, and how to improve its quality;
• enacting inter-institutional policies with the aim of ensuring digital security; and
• taking necessary steps to ensure the implementation of the Digital Security Act and of the Rules enacted under the Digital Security Act.

The powers, duties, and responsibilities of the DSA include:

• taking necessary actions to ensure digital security of critical infrastructure;
• formulating a strategy for risk management;
• developing standards of digital security and standard operating procedure;
• establishing, operating, and controlling the Digital Forensic Laboratory;
• fixing the standards and value of hardware, software, and human skill used for digital protection;
• taking measures against crimes involving digital devices and cybercrime;
• establishing digital security service systems and operating, protecting, inspecting, controlling, and managing the interoperability among different institutions;
• facilitating research on digital security and collaboration among different universities and research institutions;
• inspecting if digital security service is being rightly implemented;
• monitoring internal and international risk and conducting awareness;
• actively participating in remedying any breach of digital security issues related to national security, public health, public discipline, and essential services;
• nurturing and facilitating digital security-related industries;
• following and collating digital security-related information from different countries and analyzing their impact in the local context; and
• investigating any weakness of digital security, as well as breaches and harmful activities.

4. Key Definitions

Data controller | data processor: The concepts of data controller, joint controller, and data processor are not defined in Bangladesh law. Additionally, there is no distinction between the concepts of data controller and data processor. Whoever deals with such data is considered the 'data user', which refers to the person who collects, sells, takes possession, supplies, or uses such data.

Personal data: Personal data is not expressly defined. However, the Digital Security Act expressly defines 'identity information' as any information which is biological or physical or any other information which uniquely or jointly with other information can identify a person (which includes body corporates) or system, whose name, photograph, address, date of birth, mother's name, father's name, signature, national identification card, birth and death registration number, fingerprint, passport number, bank account number, driving license, E-TIN number (i.e. electronic tax identification number), electronic or digital signature, user name, credit or debit card number, voice print, retina image, iris image, DNA profile, security related personal data, or any other identification which, due to the facilitation of technology, is easily available.

Sensitive data: Has not been expressly defined.

Data subject: Data subject has not been expressly defined. In local context, it refers to whoever owns such data or to whomever the personal information is tagged to and is considered the data owner.

Health data: Health Data has not been expressly defined in the Digital Security Act.

Biometric data: Biometric Data has not been expressly defined. However, certain biometric data has been covered under the definition of 'identity information' as discussed above.

Pseudonymization: Pseudonymization has not been expressly defined in the Digital Security Act.

5. Legal Bases

As per Digital Security Act, if any person without any legal authority collects, sells, takes possession, supplies, or uses any person's identity information, then that activity will be an offense under the Act. The concept of 'legal authority' is similar to the concept of 'legal basis' in the GDPR and can be granted in the ways outlined below:

5.1. Consent

The data subject may give their prior specific informative consent for processing or relevant purpose irrespective of any consideration. In addition to prior specific informative consent, consent may also be granted on terms inserted in the related contract for the subject matter. The person may supply data on their own with some pre-determined usage granted.

5.2. Contract with the data subject

In order to get consent from the data subject, as stated above, the data controller can either grant prior specific informative consent or such consent may also be granted on terms inserted in the related contract for the subject matter.

5.3. Legal obligations

In addition to consent, the data controller can also process data to which they are contractually or statutorily authorized to process without any additional consent.

5.4. Interests of the data subject

Such interest has not been expressly granted under the Digital Security Act. As such, as long as the data controller acts as per the terms of the contractual terms on consent.

5.5. Public interest

Access and use of data belonging to a data user on the grounds of public interest is only allowed by law enforcement agencies per the Digital Security Agency.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The data protection laws of Bangladesh do not expressly provide for any data usage principle such as transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality, and accountability except for those agreed in the relevant contract of data usage (such as prior specific informative consent), although the data controller needs to ensure protection and confidentiality of such data and may be held accountable for any breach.

7. Controller and Processor Obligations

7.1. Data processing notification

The data protection laws of Bangladesh do not expressly impose any obligation over the controller and processor except for those agreed in the relevant contract of data usage (such as prior specific informative consent), except that the data user needs to ensure the protection and confidentiality of such data and may be held accountable for any breach. Unless there is a specific term agreed in such contract, the data user is not obliged to any of the below obligations such as data processing notification.

7.2. Data transfers

The data protection laws of Bangladesh do not expressly impose any obligations on data transfers or any localization requirements, except as otherwise agreed between the data user and the data subject. However, for certain industries such as banking and telecommunications, there is a restriction on the transfer of certain data beyond the jurisdictional limit of the country.

7.3. Data processing records

The data protection laws of Bangladesh do not expressly impose any obligation on data processing records, except as otherwise agreed between the data user and the data subject.

7.4. Data protection impact assessment

The data protection laws of Bangladesh do not expressly impose any obligation to conduct a Data Protection Impact Assessment ('DPIA'), except as otherwise agreed between the data user and data subject.

7.5. Data protection officer appointment

The data protection laws of Bangladesh do not expressly impose any obligation on data protection officer appointments.

7.6. Data breach notification

The data protection laws of Bangladesh do not expressly impose any obligation on data breach notification.

7.7. Data retention

The data protection laws of Bangladesh do not expressly impose any obligation on data retention.

7.8. Children's data

The data protection laws of Bangladesh do not expressly address regulating the processing of children's data.

7.9. Special categories of personal data

No such requirements have been imposed by Bangladesh data protection laws.

7.10. Controller and processor contracts

No such requirements have been imposed by Bangladesh data protection laws.

8. Data Subject Rights

The data protection laws of Bangladesh do not expressly grant any data subject rights, except for those agreed in the relevant contract of data usage (such as prior specific informative consent). This applied all of the rights below:

8.1. Right to be informed

Not applicable. Please see the section on Data Subject Rights above.

8.2. Right to access

Not applicable. Please see the section on Data Subject Rights above.

8.3. Right to rectification

Not applicable. Please see the section on Data Subject Rights above.

8.4. Right to erasure

Not applicable. Please see the section on Data Subject Rights above.

8.5. Right to object/opt-out

Not applicable. Please see the section on Data Subject Rights above.

8.6. Right to data portability

Not applicable. Please see the section on Data Subject Rights above.

8.7. Right not to be subject to automated decision-making

Not applicable. Please see the section on Data Subject Rights above.

8.8. Other rights

Not applicable. Please see the section on Data Subject Rights above.

9. Penalties

As per the Digital Security Act, if any person without any legal authority collects, sells, takes possession, supplies, or uses any person's identity information, then such person will be penalized with imprisonment for a term not exceeding five years or a fine not exceeding BDT 500,000 (approx. $4,570) or with both. If any person commits the offense for the second time or recurrently commits it then they will be penalized with imprisonment for a term not exceeding seven years or with a fine not exceeding BDT 1 million (approx. $9,140) or with both.

Offenses under the Digital Security Act

Unauthorized access in critical information infrastructure ('CII'):

• if any person intentionally or knowingly illegally accesses, or by means of such unauthorized access, harms, or destroys or renders inactive a CII or attempts to do so, then such an offense may be punished with imprisonment for a term not exceeding seven years, and/or with a fine not exceeding BDT 2.5 million (approx. $22,850). If such an offense is committed with the intention to commit any crime, then such person may be punished with imprisonment for a term not exceeding 14 years and/or with a fine not exceeding BDT 10 million (approx. $91,380).

Illegal entrance to a computer, digital device, or computer system:

• such an offense is punishable by imprisonment for a term not exceeding six months and/or by a fine not exceeding BDT 300,000 (approx. $2,740). If such an offense is committed with the intention to commit any crime, then the offense will be penalized with imprisonment for a term not exceeding three years and/or with a fine not exceeding BDT 1 million (approx. $9,140). If an offense is committed in the case of a secured computer or computer system or computer network, then the punishment is imprisonment for a term not exceeding three years and/or a fine not exceeding BDT 1 million (approx. $9,138).

Damage to a computer or computer system:

• such an offense is punishable with imprisonment for a term not exceeding seven years and/or a fine not exceeding BDT 1 million (approx. $9,140).

Offenses relating to a computer source code change:

• such an offense is punishable with imprisonment for a term not exceeding three years and/or a fine not exceeding BDT 300,000 (approx. $2,741).

Digital or electronic forgery:

• such an offense is punishable with imprisonment for a term not exceeding five years and/or with a fine not exceeding BDT 500,000 (approx. $4,570).

Digital or electronic fraud:

• such an offense is punishable with imprisonment for a term not exceeding five years and/or with a fine not exceeding BDT 500,000 (approx. $4,570).

Identity fraud:

• it shall be considered an offense if any person intentionally or knowingly uses any computer, computer program, computer system, computer network, digital device, digital system, or digital network:
  • with the intention of deceiving or cheating, carries the identity of another person or shows any person's identity as their own; or
  • assuming, by forgery, the identity of an alive or dead person as one's own in order:
    • to achieve some advantages for oneself or for any other person;
    • to acquire any property or interest in any property; or
    • to harm a person by using another person's identity in disguise; or
• such an offense is punishable by imprisonment for a term not exceeding five years and/or by a fine not exceeding BDT 500,000 (approx. $4,570).

Punishment for collecting or using identity information without permission:

• if any person without any legal authority collects, sells, takes possession, supplies or uses any person's identity information, then this activity will be an offense under the Act. If any person commits any such offense, the person may be punished with imprisonment for a term not exceeding five years and/or a fine not exceeding BDT 500,000 (approx. $4,570).

Cybercrime:

• it is considered an offense if any person:
  • with the intention to breach national security or to endanger the sovereignty of the nation and to instill terror within the public or a part of them, creates an obstruction in the authorized access to any computer, computer network, or internet network, or illegally accesses the said computer, computer network or internet network, or causes the act of obstruction of access or illegal entry through another person;
  • creates such virus within any digital device or inserts malware which results in the death of a person or results in serious injury to a person or raises a possibility of it;
  • damages or destroys the supply of daily necessities of the public or adversely affects any CII; or
  • intentionally or knowingly enters or penetrates any computer, computer network, internet network, any secured data information or computer database or such secured data information or computer database which can be used to damage friendly relations with another foreign country, or can be used for acts against public order, or which can be used for the benefit of any foreign country or any foreign person or any group.

Such offenses are punishable with imprisonment for a term not exceeding 14 years and/or with a fine not exceeding BDT 10 million (approx. $91,400).

Regarding e-transactions without legal authority:

• it shall be considered an offense if any person:
  • performs an e-transaction through an electronic or digital medium of any bank, insurance, or any other financial institution or any mobile money service providing organization without legal authority; or
  • performs an e-transaction that has been declared illegal by the Government or the Bangladesh Bank ('the Central Bank'); or 
• such an offense is punishable with either a maximum of five years of imprisonment and/or a fine of BDT 500,000 (approx. $4,570).

Illegal transferring, saving, etc. of data or information:

• if any person enters any computer or digital system illegally and does any addition or subtraction, transfer or act with the aim to transfer, save, or aid in saving any data or information belonging to a government, semi-government, autonomous or statutory organization or any financial or commercial organization, then the activity of that person will be considered an offense. If any person commits such an offense, then they may be sentenced to a term of imprisonment not exceeding five years and/or with a fine not exceeding BDT 1 million (approx. $9,140).

Hacking-related offenses:

• If a person commits hacking, then it will be considered an offense and for this, they may be sentenced to a term of imprisonment not exceeding 14 years and/or a fine not exceeding BDT 10 million (approx. $91,400) or with both.

Offences under the Technology Act

Damage to a computer or computer system:

• a person may be punishable with imprisonment for a term which may extend to 14 years (minimum seven years), and/or with a fine which may extend to BDT 1 million (approx. $9,140), if they, without permission of the owner or any person who is in charge of a computer, computer system, or computer network:
  • accesses or secures access to such computer, computer system, or computer networks for the purpose of destroying information or retrieving or collecting information or assists others to do so;
  • downloads, copies, or extracts any data, computer database, or information from such computer, computer system, or computer network including information or data held or stored in any removable storage medium;
  • introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system, or computer network; or 
  • damages or causes damage to occur willingly in any computer, computer system or computer network, data, computer database, or any other programs residing in such computer, computer system, or computer network;
  • disrupts or causes disruption of any computer, computer system, or computer network;
  • denies or causes the denial of access to any person authorized to access any computer, computer system, or computer network by any means;
  • provides any assistance to any person to facilitate access to a computer, computer system, or computer network, in contravention of the provisions of the Technology Act, rules, or regulations made thereunder;
  • for the purpose of advertisement of goods and services, generates or causes the generation of spam or sends unwanted electronic mail without any permission of the originator or subscriber; or
  • charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network.

Tampering with a computer source code:

• under Section 55 of the Technology Act the activity of, intentionally or knowingly concealing, destroying, or altering, or causing another person to conceal, destroy, or alter, any computer source code used for a computer, computer program, computer system, or computer network, when the computer source code is required to be kept or maintained by any law, is regarded as an offense. Whoever commits such an offense shall be punishable with imprisonment for a term which may extend to three years, and/or with a fine which may extend to BDT 1 million (approx. $9,140).

Hacking a computer system:

• under Section 56 of the Technology Act, activities considered a hacking offense include:
  • if any person with the intent to cause or knowing that they are likely to cause wrongful loss or damage to the public or any person, does any act and thereby destroys, deletes, or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means; or
  • if any person damages through illegal access to any such computer, computer network, or any other electronic system which does not belong to them; or 
• whoever commits hacking offenses shall be punishable with imprisonment for a term which may extend to 14 years (minimum seven years), and/or with a fine which may extend to BDT 10 million (approx. $91,400).

Disclosure of confidentiality and privacy:

• as per Section 73 of the Technology Act, no person who, in pursuance of any of the powers conferred under this Act, or rules and regulations made thereunder, has secured access to any of the following, shall, without the consent of the person concerned, disclose:
  • electronic records;
  • books;
  • registers;
  • correspondence;
  • information;
  • documents; or
  • other material.
• whoever commits the offense of disclosing confidential and private information shall be punishable with imprisonment for a term that may extend to two years, and/or with a fine which may extend to BDT 200,000 (approx. $1,830).

9.1 Enforcement decisions

There has been no such case law yet. However, please see the section on case law above.