Bikroy.com, Daraz, Priyoshop, Kiksha, Pickaboo, and Bagdoom are the e-commerce platforms listed among the top 10 such sites in Bangladesh. Pathao, Shohoz, Hungrynaki are home-grown ride-sharing and delivery services that Generations Y and Z cannot do without. Add to that the recent news on US$10 million funding raised by Pathao from Go-Jek, Daraz acquired by Alibaba Group, US$ 15 million raised by Shohoz from Golden Gate Ventures (Singapore) and US$ 1.6 million raised by ShopUp from Omidyar Network (impact investment firm established by eBay founder) and e-commerce is at the centre-stage in our country's growth trajectory making our lives easier, shopping convenient and beating the Dhaka traffic. Such is the growth of e-commerce in Bangladesh that the e-commerce Association of Bangladesh (e-Cab), the trade body for e-commerce in Bangladesh, estimates there were about 700 e-commerce sites and 8,000 e-commerce pages on Facebook as of September 2016.
E-commerce is defined by the World Trade Organisation (WTO) as "production, distribution, marketing, sale or delivery of goods and services by electronic means". According to the WTO, an e commerce transaction can be between enterprises, households, individuals, governments and other public or private organisations.
The e-commerce sector's growth in Bangladesh has exceeded expectations and positively impacted the economy in terms of aggregate investment, growing rapidly as a result of expansion of affordable internet services and increasing internet users. Bangladesh Telecommunication Regulatory Commission (BTRC) statistics estimate the number of internet subscribers in Bangladesh to have reached 91.194 million in September 2018. Massive changes occurred in the sector, when the Bangladesh Bank allowed online payment in the country in 2009, facilitating fund transfers and online payment of utility bills by credit cards. Since 2011 there have been important developments in financial transaction regulation (mobile payments, digital wallets and smart cards) as well as transaction infrastructure (e.g., electronic fund transfer payment gateways) and creation of the Bangladesh Electronic Funds Transfer Network (BEFTN) to develop modern payment system infrastructure. Reports state that the annual rate of growth in the e-commerce sector for the past three years is trending above 200 per cent year on year (from 2013 till 2016), with B2C being the most popular form of e-commerce with an observed growth rate above 300 per cent for the last three years. This has created expanded business avenues for financial institutions as well as entrepreneurs and has already attracted local and foreign investments.
With new and innovative business avenues, increasing availability and use of smart technology, businesses are constantly looking to engage customers and with each successful onboarding are able to collect large amounts of data on users, which often make customers nervous. The use of digital systems allows data capture at a much larger rate and scope; e-commerce sites could potentially collect an immense amount of data about consumers' personal preferences, patterns of information search and use, especially if aggregated across sites. Entering the age of use of artificial intelligence (AI), new computational techniques allow data mining for buying patterns and other personal trends. These data can be used to personalise a customer's e-commerce experience, augment an organisation's customer support or improve a customer's specific e-site experience. In addition, looking at this from a local behavioural context of frequent news and friends-and-family anecdotes/ accounts about online fraud, tricky coupons, intrusive target-based marketing and advertising, fake ads, adware, spam e-mail and scam of credit card information being stolen, more often than not negatively impacts the customer confidence in the system.
Privacy and security of personal data therefore become a serious issue in electronic commerce. Tackling privacy, however, is no easy matter with the ongoing cross-border debate on whether protection of consumer-generated data is to be considered a fundamental right or tradable commodity. But as an ad-hoc judge of the European Court of Human Rights has said, "Privacy is more than just a seven-letter word" and all the many different kinds of privacy have to be kept in sight when considering the legal, social, economic and/or political concerns that the use of technologies in e-commerce present over the issue of privacy. On the privacy front, privacy of the person, privacy of behaviour and action, privacy of communication, privacy of data and image, privacy of location and space, amongst others, must be considered and on the security front, requirements protecting data relating to data integrity (prevention against unauthorized data modification), non-repudiation (prevention against any one party from reneging on an agreement), authentication of data source, confidentiality and protection against unauthorised data disclosure, provision of data control and disclosure and availability (prevention against data delays or removal) must be put in place in any legal framework enacted to safeguard privacy.
However, in the local context, although the National Information and Communication Technology (ICT) Policy sets out the broad objective for establishing a legislative and regulatory framework for ICT issues including data security and data protection, the Information and Communication Technology Act, 2006 (the "ICT Act", being the relevant and special law for the industry) does not define the term "personal data". Two of the closest terms whose definitions within the ICT Act may be construed to include personal data are "data" and "data message" defined in Sections 2(10) and 2(11) of the ICT Act respectively. Section 54 of the ICT Act imposes penalty for damage to computer, computer systems, etc. providing amongst others that the destruction, damage, alteration, deletion, addition or modification of data and/or data messages without permission of the owner or any person who is in charge of a computer, computer system or computer network would be a violation and amount to a criminal offence under the statute -- thus dealing with computer database theft and unauthorised digital copying, downloading and extraction of data or information only. However, it states nothing with regard to personal data stored anywhere else but computers and about instances when the personal data may be taken illegally in any other form. The Section 63 of the ICT Act provides for punishment "for disclosure of confidentiality and privacy" and in essence creates an offence for any person who "discloses…electronic record, book, register, correspondence, information, document or other material to any other person" without the consent of "the person concerned". Notably in Section 63, "consent" of the concerned person is a must. However, it would be difficult to consider if it capable of providing users with a sufficient level of personal data protection. The new Digital Security Act, 2018 stipulates that collecting identifiable information of an individual without his/her consent or legal authority will be deemed an offence for which the perpetrator will be sentenced to a maximum of five years of imprisonment and/or a maximum fine of Tk 5.0 lakh. The Act further provides an explanation of what will constitute identifiable information but does not deal with personal information shared voluntarily while using e-commerce applications and platforms.
This, therefore, begs the question -- is privacy law necessary for data protection in using e-commerce? Given that the e-commerce sector brings enormous opportunities to the business sector making economic activities more dynamic and playing an important role in achieving expected economic growth and socio-economic development, the dual considerations of consumer privacy and security to foster consumer trust and confidence in Bangladesh's e-commerce are vital to the growth and regulated sustenance of the sector. In other jurisdictions, the European Union has General Data Protection Regulation (GDPR) as of May 2018 giving EU citizens more control over how their personal data are collected and used by corporations and giving their citizens the right to access their personal data and delete them altogether, if they wish to. In the United States, privacy rights are protected by both state and federal laws and India is working on a framework for a national policy on e-commerce to deal with issues including competition, regulation, data privacy, taxation and technical aspects such as localisation of servers and technology transfer. Bangladesh can take a cue and work on formulating a data protection law or at least a policy for e-commerce and its enforcement to foster consumer trust. It is recommended that such a law or policy should at least define what is to be considered personal data and sensitive personal data, empower individuals with the right to know what data are being collected by a data controller/processor and how the data will be used, the right to deny the collection of the data or ask for removal of that data at any time and the right to be informed about any major breach that compromises their data. It should also include adequate data protection measures and incorporate safeguards for use of personal information about children through setting up verifiable parental control mechanisms.
Ms. Anita Ghazi Rahman, Barrister-at-Law, is a lawyer of the Supreme Court of Bangladesh and the Managing Partner of The Legal Circle. email@example.com
Ms. Pushpo Rahman, Barrister-at-Law, an Associate of The Legal Circle, Bangladesh. firstname.lastname@example.org