Data, privacy and e-commerce


http://today.thefinancialexpress.com.bd/print/data-privacy-and-e-commerce-1544440456

Bikroy.com, Daraz, Priyoshop, Kiksha, Pickaboo, and Bagdoom are the e-commerce platforms listed among the top 10 such sites in Bangladesh. Pathao, Shohoz and Hungrynaki are home-grown ride-sharing and delivery services that Generations Y and Z cannot do without. Add to that the recent news on US$ 10 million funding raised by Pathao from Go-Jek, Daraz acquired by Alibaba Group, US$ 15 million raised by Shohoz from Golden Gate Ventures (Singapore) and US$ 1.6 million raised by ShopUp from Omidyar Network (impact investment firm established by eBay founder), and e-commerce is at the center-stage in our country's growth trajectory, making our lives easier and shopping convenient, and beating the Dhaka traffic. Such is the growth of e-commerce in Bangladesh that the E-commerce Association of Bangladesh (E-Cab), the trade body for e-commerce in Bangladesh, estimates there were about 700 e-commerce sites and 8,000 e-commerce pages on Facebook as of September 2016.

E-commerce is defined by the World Trade Organisation (WTO) as "production, distribution, marketing, sale or delivery of goods and services by electronic means". According to the WTO, an e-commerce transaction can be between enterprises, households, individuals, governments and other public or private organizations. The e-commerce sector's growth in Bangladesh has exceeded expectations and positively impacted the economy in terms of aggregate investment, growing rapidly as a result of the expansion of affordable internet services and increasing internet users. Bangladesh Telecommunication Regulatory Commission (BTRC) statistics estimate the number of internet subscribers in Bangladesh to have reached 91.194 million in September 2018. Massive changes occurred in the sector, when the Bangladesh Bank allowed online payment in the country in 2009, facilitating fund transfers and online payment of utility bills by credit cards. Since 2011 there have been important developments in financial transaction regulation (mobile payments, digital wallets, and smart cards) as well as transaction infrastructure (e.g., electronic fund transfer payment gateways) and creation of the Bangladesh Electronic Funds Transfer Network (BEFTN) to develop modern payment system infrastructure. Reports state that the annual rate of growth in the e-commerce sector for the past three years is trending above 200 percent year on year (from 2013 till 2016), with B2C being the most popular form of e-commerce with an observed growth rate above 300 percent for the last three years. This has created expanded business avenues for financial institutions as well as entrepreneurs and has already attracted local and foreign investments.

With new and innovative business avenues and the increasing availability and use of smart technology, businesses are constantly looking to engage customers and, with each successful onboarding, are able to collect large amounts of data on users, which often makes customers nervous. The use of digital systems allows data capture at a much larger rate and scope; e-commerce sites could potentially collect an immense amount of data about consumers' personal preferences, patterns of information search and use, especially if aggregated across sites. As we enter the age of artificial intelligence (AI), new computational techniques allow data mining for buying patterns and other personal trends. These data can be used to personalize a customer's e-commerce experience, augment an organization's customer support or improve a customer's specific e-site experience. In addition, in the local behavioural context, frequent news and friends-and-family anecdotes and accounts about online fraud, tricky coupons, intrusive target-based marketing and advertising, fake ads, adware, spam e-mail and scams in which credit card information is stolen more often than not negatively impact customer confidence in the system.

Privacy and security of personal data, therefore, become a serious issue in electronic commerce. Tackling privacy, however, is no easy matter with the ongoing cross-border debate on whether protection of consumer-generated data is to be considered a fundamental right or tradable commodity. But as an ad-hoc judge of the European Court of Human Rights has said, "Privacy is more than just a seven-letter word" and all the many different kinds of privacy have to be kept in sight when considering the legal, social, economic and/or political concerns that the use of technologies in e-commerce presents over the issue of privacy. On the privacy front, privacy of the person, privacy of behavior and action, privacy of communication, privacy of data and image, privacy of location and space, amongst others, must be considered. On the security front, requirements relating to data integrity (prevention against unauthorized data modification), non-repudiation (preventing any one party from reneging on an agreement), authentication of data source, confidentiality and protection against unauthorised data disclosure, provision of data control and disclosure, and availability (prevention against data delays or removal) must be put in place in any legal framework enacted to safeguard privacy.

However, in the local context, although the National Information and Communication Technology (ICT) Policy sets out the broad objective for establishing a legislative and regulatory framework for ICT issues including data security and data protection, the Information and Communication Technology Act, 2006 (the "ICT Act", being the relevant and special law for the industry) does not define the term "personal data". Two of the closest terms whose definitions within the ICT Act may be construed to include personal data are "data" and "data message", defined in Sections 2(10) and 2(11) of the ICT Act respectively. Section 54 of the ICT Act imposes a penalty for damage to computer, computer systems, etc., providing amongst others that the destruction, damage, alteration, deletion, addition or modification of data and/or data messages without permission of the owner or any person who is in charge of a computer, computer system or computer network would be a violation and amount to a criminal offense under the statute -- thus dealing with computer database theft and unauthorised digital copying, downloading and extraction of data or information only. However, it states nothing with regard to personal data stored anywhere else but computers and about instances when the personal data may be taken illegally in any other form. Section 63 of the ICT Act provides for punishment "for disclosure of confidentiality and privacy" and in essence creates an offense for any person who "discloses…electronic record, book, register, correspondence, information, document or other material to any other person" without the consent of "the person concerned". Notably in Section 63, "consent" of the concerned person is a must. However, it would be difficult to consider whether it is capable of providing users with a sufficient level of personal data protection.
The new Digital Security Act, 2018 stipulates that collecting identifiable information of an individual without his/her consent or legal authority will be deemed an offense for which the perpetrator will be sentenced to a maximum of five years of imprisonment and/or a maximum fine of Tk 5.0 lakh. The Act further provides an explanation of what will constitute identifiable information but does not deal with personal information shared voluntarily while using e-commerce applications and platforms.

As a result, the protection of personal data is governed in Bangladesh predominantly on a contractual basis, i.e. parties agreeing to specific obligations for the protection of personal data or any other information in a contract and setting out the consequences of breach. The Bangladesh Contract Act, 1872 and the Bangladesh Specific Relief Act, 1877 govern private contracts through which customer confidentiality and protection of personal data are addressed.

Bangladesh, therefore, does not currently have a specific law governing data protection and the only basis of personal privacy under Bangladesh law is provided under Article 43 of the Constitution of Bangladesh, which protects the rights of citizens in relation to privacy of "correspondence and other means of communication". Article 43, however, is dedicated only to the protection of citizens of Bangladesh and does not bring within its purview other users of e-commerce platforms, which inevitably include foreign nationals residing in Bangladesh. Some companies, in attempting to allay consumer privacy concerns, put in place privacy policies on their sites. These policies generally state what kind of information about the sites' visitors can be collected and how such information will be used. Some policies allow users to decide whether the information being gathered by the site or platform can be disclosed to others and, if so, for what purposes. Other policies simply state that users, by visiting the site, indicate their acceptance of the terms and conditions of the privacy policy. If a site visitor does not agree to the terms and conditions, the user is advised not to use the site. Although commendable, it needs to be considered: are these policies adequate in the absence of a formal legal regime, or do they fall short given that there is no guideline on what should or should not be addressed in the privacy policies and, as such, no requirement of uniformity between one privacy policy and the next? Where and how does each platform set control over consumers' data privacy and consent settings? The answer becomes: the threshold is at the choice of the platform, not the consumer.

This, therefore, begs the question -- is privacy law necessary for data protection in using e-commerce? Given that the e-commerce sector brings enormous opportunities to the business sector, making economic activities more dynamic and playing an important role in achieving expected economic growth and socio-economic development, the dual considerations of consumer privacy and security to foster consumer trust and confidence in Bangladesh's e-commerce are vital to the growth and regulated sustenance of the sector. In other jurisdictions, the European Union has the General Data Protection Regulation (GDPR) as of May 2018, giving EU citizens more control over how their personal data are collected and used by corporations and giving their citizens the right to access their personal data and delete them altogether if they wish to. In the United States, privacy rights are protected by both state and federal laws, and India is working on a framework for a national policy on e-commerce to deal with issues including competition, regulation, data privacy, taxation and technical aspects such as localization of servers and technology transfer. Bangladesh can take a cue and work on formulating a data protection law or at least a policy for e-commerce and its enforcement to foster consumer trust. It is recommended that such a law or policy should at least define what is to be considered personal data and sensitive personal data, and empower individuals with the right to know what data are being collected by a data controller/processor and how the data will be used, the right to deny the collection of the data or ask for removal of that data at any time, and the right to be informed about any major breach that compromises their data. It should also include adequate data protection measures and incorporate safeguards for use of personal information about children through setting up verifiable parental control mechanisms.