The southern region of Asia includes India, Sri Lanka, Nepal, Bhutan, Bangladesh, Pakistan, Afghanistan, and the Maldives. The association between these nations is the South Asian Area of Regional Co-operation (SAARC). The growth of data protection laws in these countries has been significant since 2013. Even though the laws in these countries are based on European standards, yet they are unique due to the socio-economic, cultural, and geopolitical context.
i. Unlike the European context, there is no single international organization in Asia to oversee the development of privacy laws in the continent and there have been no developments in this regard from the SAARC agreements. Hence, a bottom-up approach must be adopted to understand the development of these laws from national legislations.
ii It is pertinent to understand the privacy laws and policy developments in these nations since it has an impact on trade and the transfer of information among nations.
In India, the Personal Data Protection Bill has been placed before the parliament in 2019, pursuant to the Puttaswamy Judgement in 2017 which ruled that Privacy is a fundamental right under the constitution. As an overview, the bill which is based on GDPR provides the regulation for processing and storing the personal and sensitive information of an individual to whom the data belongs. A data protection authority is to be instituted for redressing grievances. Further, it also provides for transparency and accountability measures and exemptions of processing personal data.
Sri Lankan Ministry of Digital Infrastructure and Technology has recently drafted the bill for Regulation and Processing of Personal Data, 2021. The bill is based on the principles of GDPR. The territorial scope extends to any service or goods that are accessed through an online medium by a data subject in the country. This is wider than GDPR because the law applies to all the services that are accessed from the country even though it may not be specifically for data subjects in the country. The regulatory authority is a public corporation or statutory authority that is controlled by the government and it will monitor the compliance requirements of controllers and processors of personal data. It provides a consent-based model, wherein the processing of personal data is legal if the data subject permits out of free will. It also legal to process the data in furtherance of a contract, for establishment of claims for legal proceedings and if it is in public interest such as promoting health. It is mandatory for the controller to carry out Data Protection Impact Assessment (DPIA) to monitor and mitigate the risk of privacy violation. The bill imposes a penalty of up to LKR 10 million which is around 50 thousand US dollars.
In Nepal, Article 28 of the constitution grants the fundamental right to privacy for all individuals. The laws on privacy are provided under the Privacy Act, Privacy Regulation, Civil Code, Criminal Code, Labour Regulation and Information Technology (IT) bill. These laws do not specify the territorial applicability and upon strict interpretation it does not apply extra-territorially. But the IT bill provides that the law is applicable to any information within and outside the country if it is processed by individuals located in Nepal. The Privacy act and the regulations are rudimentary since it does not establish any data protection authority. It does not provide the definition for key terms such as data controller and data processor. The laws prescribe that the information must not be collected without consent from the individuals, but the process of confirming this compliance is not provided. It provides that personal and sensitive personal data can be processed for health reasons with the permission of a registered medical practitioner. It does not provide exemptions to the data controller to protect their interests. The Privacy Act prescribes the penalty of NPR 30 thousand which is 260 US dollars(approx.).
Pakistan has proposed the Personal Data Protection Bill of 2020. Article 14(1) of the constitution of Pakistan prescribes the right to privacy of the home. The laws that are in force for data protection are the Prevention of Electronic Crimes Act, 2019 and the Payment Systems and Electronic Fund Transfers Act 2007 which is applicable for the financial sector. It also has sector specific regulations in heath and telecommunication. The bill when made into law will be applicable for any person who has control or directs that personal data must be collected or processed of any data subject in Pakistan. The controller shall nominate a person from Pakistan if he is not established in the country. Additionally, the bill provides similar provisions as seen in the other countries concerning data protection authorities and the rights of data subjects.
In Afghanistan, there is no specific law or bill for data protection. The constitution under Article 37 guarantees the right to privacy and freedom of confidentiality. There is a brief mention of these rights in sectoral laws such as telecommunication, penal code, tax, public health and mass media law. In Bangladesh, the courts have read the right to privacy under the fundamental rights of thought and conscience, freedom of speech under Article 39 and right to life and personal liberty under Article 32 of the constitution. There is no specific law on data protection. However, the Information Technology Act 2006 and Digital Security Act 2018 briefly addresses the protection of privacy in addition to cybersecurity and electronic crimes. Similarly, in Maldives there is a lack of separate law for data protection and the bill that was circulated in 2016 has not been passed. The right to privacy is provided under Article 24 of the constitution and the remedies available are in the nature of unlawful surveillance under Section 231 of the Penal Code and there is a brief mention in sectoral laws.
https://www.ikigailaw.com/new-era-of-data-protection-regulation-in-south-asia/. http://classic.austlii.edu.au/au/journals/UNSWLRS/2014/55.pdf. https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know http://22.214.171.124/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf https://www.mondaq.com/india/data-protection/956530/comparing-the-sri-lankan-personal-data-protection-bill-2019-and-the-gdpr https://www.dataguidance.com/sites/default/files/sri_lanka_draft_data_protection_bill_2021.pdf https://www.dataguidance.com/notes/sri-lanka-data-protection-overview https://www.dataguidance.com/notes/nepal-data-protection-overview. https://www.nab.gov.bt/assets/uploads/docs/acts/2018/ICMActofBhutan2018.pdf https://www.dataguidance.com/notes/pakistan-data-protection-overview https://www.dataguidance.com/notes/afghanistan-data-protection-overview https://www.dataguidance.com/notes/bangladesh-data-protection-overview
Ayottaz can help you understand more about how to become Data Privacy-aware and become future-ready.