Mapping South Asia’s digital landscape
Data protection regulations in Bangladesh, India, and Pakistan are of immense importance to the three countries and to the world. In addition to their geopolitical importance, Bangladesh, India, and Pakistan are home to large and young populations, with digital economies that are either fast-growing or have the potential to be. Close to 2 billion people in total reside in the three countries, with more than 60 percent of this population younger than 35 years old. All three countries boast high cellular connectivity: there are around 200 million mobile phone subscribers each in Bangladesh and Pakistan and over 1.2 billion in India. This connectivity is driving rapid growth in new, data-reliant industries such as e-commerce.
Recognizing this rapid progress as well as the tremendous potential, policymakers in the three countries are rightly betting on the promise of their technology sectors to play key roles in economic growth, job creation, and overall social good. As policymakers are aware, developing vibrant and innovative technology sectors is even more urgent given the ongoing transition worldwide from labor-intensive economies to more knowledge-intensive ones. This trend is accelerating because of recent technological breakthroughs, including in automation and robotics, big data, and generative artificial intelligence (AI).
Policymakers are also rightly prioritizing greater data regulation, for reasons that range from combating misinformation to safeguarding national security and sovereignty. These priorities—including economic, social, and security—involve complex trade-offs.
To be sure, none of these trade-offs and complexities are unique to these three South Asian countries. Governments across the world are navigating similar issues, made even more challenging by the rapid pace of technological progress.
Recognizing the importance and complexity of this topic, the Atlantic Council’s South Asia Center embarked in 2023 on a study of the state of data protection regulations in Bangladesh, India, and Pakistan. The project resulted in three issue briefs—one each for the three countries—that were published from March through May 2023 and provided an overview of the regulatory landscape, the underlying politics, and watchpoints. This paper represents the capstone of the project.
The subsequent sections of this paper provide summaries of the three issue briefs. A snapshot of the main reasons why data protection regulation matters is presented below.
- Economic: A broad range of sectors and companies stand to gain substantially from well-designed data protection regulations, and to thereby enable countries’ economic objectives that include growth, job creation, foreign direct investment, and foreign exchange reserves. Small and medium-size enterprises stand to gain substantially from opportunities in e-commerce and gig economies. Conversely, they are more likely than large firms to be hurt by digital trade restrictions. Good data protection regulations support the growth of innovative sectors such as those in AI, blockchain, biotech, robotics, 3D printing, electric vehicles, and other technologies of the 21st century. Digital trade regulations can enable or curtail the growth of services such as IT, financial, and business consulting.
- Social: Data protection regulations affect social development objectives, such as privacy, the growth and effectiveness of democracies, and the efficient delivery of essential social services, such as health care, education, and benefits. Achieving these social objectives involves careful navigation of trade-offs in data regulations, for instance, between the goal of protecting free speech and the goal of minimizing hate speech and misinformation.
Join the South Asia Center mailing list
The South Asia Center serves as the Atlantic Council’s focal point for work on greater South Asia as well as its relations between these countries, the neighboring regions, Europe, and the United States.
Bangladesh
The South Asia Center’s issue brief on Bangladesh, “Bangladesh’s Draft Data Protection Act,” authored by Stephen Weymouth in March 2023, focused on the potential implications of new restrictions on cross-border data flows and data localization requirements. The brief tracked the recent history of efforts by the Bangladesh government to promote digitalization of the economy while seeking to curb threats to data privacy and to protect personal data.
The Digital Bangladesh initiative, launched in 2009, sought to build a national digital infrastructure that could connect Bangladesh to the larger global economy, position it as a regional commercial hub, and spur more access for its citizens to digital services. The initiative was generally seen as successful in providing the digital underpinnings for an economy that saw enormous growth in the decade that followed. The Digital Security Act of 2018 and its successor, the Cyber Security Act, however, raised questions about the increased role of Bangladesh enforcement bodies in governing the digital activities of its citizens.
The draft Data Protection Act of 2022 caused concerns among many stakeholders over the risk of some of the proposed provisions undermining the vision and ambitions of the Digital Bangladesh initiative. Some of the proposed measures were seen as being counterproductive by constraining the required range of digital services and increasing regulatory uncertainties and costs. The concerns of stakeholders included aspects such as the draft act’s requirement that sensitive data, user-generated data, and classified data be stored on servers located in Bangladesh and the draft act’s proposed restrictions on the transfer of personal data outside Bangladesh.
More recently, there have been encouraging signs that the Bangladesh government is noting some of the inputs received about the Data Protection Act. The latest version, issued in January 2024, took an important step forward in narrowing the scope to “personal data” rather than the more general “data.” Stakeholders in the United States and elsewhere have welcomed this improvement and expressed hope that this trend toward less restrictive treatment of data flows will continue as Bangladesh finalizes and enacts the legislation.
Concerns remain, however, about some aspects of the latest draft act. For instance, the three-year transition period that was included in a March 2023 draft has been deleted, even though it would have enabled stakeholders to fully understand and properly implement new data flow restrictions. Additionally, the conditions for transfer of data that is not “classified” outside Bangladesh are not clear in the draft and could create new legal uncertainties for data fiduciaries. The draft could also benefit from greater discussion and clarity about proposed measures involving extraterritorial application, disclosure of protected data to government authorities, and the practicality of parental consent and age verification.
Bangladesh is at a turning point, with significant potential to build on its remarkable socioeconomic progress and diversifying beyond dependence on the garments sector. If Bangladesh strikes a productive balance between policies that would bolster its vibrant growth and those that enable government oversight, the country will be on a fast track to unlocking its immense potential.
To note, the ongoing political crisis in Bangladesh has added new uncertainties to policy making, including the digital landscape.
India
Stephen Weymouth also authored the South Asia Center’s issue brief on India, “India’s Personal Data Protection Act and the Politics of Digital Governance,” in May 2023. The brief highlighted the role of digital trade in India’s continuing economic growth and the recent efforts of the Indian government under the Narendra Modi administration to bring some regulatory order to the country’s burgeoning digital marketplace. The brief provided a summary of the wide-ranging legislation in the works at that time, including the Digital Personal Data Protection Bill, the Digital India Bill, and the Telecommunications Bill.
Since then, the government succeeded in passing two pieces of legislation: the Digital Personal Data Protection Act (DPDP Act) and the Telecommunications Act. The government’s vision going forward involves a comprehensive regulatory framework to govern digital commerce and trade. Its legislative agenda therefore includes other rules and draft bills such as the Information Technology Rules, the draft Digital Competition Bill, and the draft National E-Commerce Policy. It remains to be seen how this agenda is advanced through the many relevant ministries.
Reactions to all this activity have been mixed. For example, on the US-India bilateral front, the joint statement on the Trade Policy Forum, convened by Minister of Commerce and Industry Piyush Goyal and US Trade Representative Katherine Tai on January 12, 2024, noted that Ambassador Tai “appreciated India’s extensive consultations and noted that India’s approach of enhancing data protection, privacy and security while enabling connectivity will support further expansion of the bilateral digital trade.” To this point, an important and welcome amendment to the final DPDP Act was a shift from data localization—a prospect in earlier drafts that had caused widespread concern—toward permitting data flows from trusted geographies. However, while the DPDP Act signals a moving away from express data localization mandates, it does not specify to which countries data may be transferred nor does it list the criteria for trusted geographies.
The Modi administration is preparing for a third term in power following India’s national elections, conducted from April 19 to June 4. Despite Prime Minister Modi’s party falling short of a majority in parliament and now leading a coalition government, the administration’s likely focus will remain on preparing India to be the third-largest economy in the world by the end of the decade and to be a compelling pole in an increasingly multipolar world. The global marketing of data public infrastructure, as witnessed during India’s G20 presidency, is a manifestation of this.
To enable the administration’s vision for India’s growth and global stature, the government needs to promote foreign investment in both goods and services production. At the same time, the government is sensitive to concerns in key electoral constituencies about the threat of foreign competition. The government has also sought to regulate social media content with measures that have been criticized by some as authoritarian and intended to control the political narrative but supported by others as necessary to prevent the spread of misinformation and to ensure public order.
The Modi administration has demonstrated admirable ability to advance a socioeconomic agenda by navigating these trade-offs and to take into account inputs from a range of stakeholders. The administration should continue to show its readiness to listen to many different voices through opportunities for consultation and stakeholder engagement. Doing so will help continue putting in place a regulatory environment that balances complex trade-offs and lays the groundwork for India’s continued rise in the coming decades.
Pakistan
In his April 2023 issue brief, “Pakistan’s Data-Protection Landscape in 2023,” Uzair Younus highlighted that the Pakistan government risks curtailing the development of its digital economy if its legislation on data protection increases regulatory uncertainties and costs. Such legislation may discourage foreign investment and impede development of a facilitative ecosystem for local start-ups as well as other domestic and multinational investors. Per Younus,1Uzair Younus, “Pakistan Needs to Press Pause on Its Data Overhaul,” New Atlanticist, July 26, 2023, https://www.atlanticcouncil.org/blogs/new-atlanticist/pakistan-needs-to-press-pause-on-its-data-overhaul/. this would be a self-inflicted wound, given the impressive growth of Pakistan’s technology sector from USD 1 billion in fiscal year 2018 to around USD 2.6 billion in 2023.
The Prevention of Electronic Crimes Act (PECA) of 2016 was among the first pieces of data regulation in Pakistan. The act involves many measures that are stated as being intended for public order and to prevent misinformation, which are important goals. However, the act is also counterproductive to building a strong, globally competitive digital economy. PECA increases uncertainties and costs of doing business, for instance, providing unclear levels of authority to the Pakistan Telecommunication Authority to control content on social media. Although a range of private sector and civil society stakeholders within and outside Pakistan have advocated against continuing this approach, the measures remain in place and appear likely to be reinforced with new legislation on data protection.
Since 2020, the Ministry of Information Technology and Telecommunication has been working on data protection legislation that involves potential features that could negatively affect growth and homegrown innovation in digital services. These features include data localization requirements, many controls on data flows, low autonomy of data regulatory authorities, and insufficient opportunities for checks and feedback on enforcement. These concerns were discussed in bilateral US-Pakistan trade dialogues, as reflected in the joint statement on the ninth meeting of the Trade and Investment Framework Agreement Council in February 2023.
While admittedly operating in challenging circumstances, Pakistan’s government—newly formed after elections in February—could consider slowing the pace of new data regulations and prioritizing additional rounds of inputs and consultations on existing and proposed legislation. The government could even seize the opportunity to reset and refresh the regulatory agenda by considering changes to the Data Protection Act approved by the cabinet. Additional engagements with key stakeholders both in the private sector and civil society groups would enable the new government to revise the act to better balance the goals of protecting data privacy, preventing misinformation, and promoting a robust digital economy.
Pakistan’s technology sector holds tremendous promise for the country’s future, even more so amid the ongoing economic stasis. The sector can play a key role in Pakistan’s economic recovery and in fully realizing the country’s economic potential. The Pakistan government should safeguard and catalyze the sector through any means in its tool kit. A well-designed regulatory framework could be a core component of that tool kit.
Conclusion
With their large, youthful, and highly digitized and connected populations, Bangladesh, India, and Pakistan have immense potential as emerging economies, vibrant demographies, and key players in a multipolar world. Admittedly, each country is in a different state of development in terms of economic growth, economic diversification, digitization, integration into global trade and value chains, democratic parameters, and social services, among others.
The differences in context notwithstanding, all three countries stand to benefit economically and socially from well-designed data protection regulations. For instance, suitable regulatory frameworks could enable each country to supercharge growth of its technology sector and enable it to capitalize on opportunities through greater digital linkages and trade with large markets such as the United States and the European Union. Conversely, each country’s immense potential risks being negatively affected by limitations in its regulatory frameworks in areas such as extraterritorial scope and governance of personal data sharing with governments.
In this context, the Atlantic Council’s project resulted in the following main observations and recommendations to policymakers and other stakeholders in the three countries.
- Bangladesh: Bangladesh’s most recent draft of the Personal Data Protection Act, 2024, contained measures that were welcomed by stakeholders, such as the narrowing of the act’s scope to personal data. The government could continue to refine the draft based on consultations, including, for instance, to permit an appropriate transition period. The government could also continue to remain open to inputs from key stakeholders for future data protection legislation. However, recent developments in Bangladesh’s political climate have brought new uncertainties to the trajectory of policy making in the country.
- India: India’s consultative and iterative approach with the DPDP Act was welcomed by many, as were some of the main updates incorporated into the final act. Industry, civil society, and other stakeholders would welcome a similarly consultative and iterative approach toward ongoing and future data regulations, including the work-in-progress draft E-Commerce Policy.
- Pakistan: Pakistan’s new government could consider slowing down the pace of data protection legislation and could prioritize inputs and consultations with key stakeholders from the private sector and civil society. In addition, the government could seize the opportunity to review and refresh the latest version of the Personal Data Protection Act and welcome inputs from stakeholders to that end.
More broadly, all three governments—and governments across the world—could choose to adopt more nimble and flexible approaches to policymaking in this complex and rapidly evolving context. A “regulatory sandbox” approach, while undoubtedly complex politically and administratively, could enable policymakers to learn, adapt, and customize regulations over time.
About the authors
Mark Linscott is a nonresident senior fellow with the Atlantic Council’s South Asia Center. Prior to joining the Atlantic Council, Linscott was the assistant US trade representative (USTR) for South and Central Asian Affairs.
Gopal Nadadur is a nonresident senior fellow at the Atlantic Council’s South Asia Center and is also vice president for South Asia at The Asia Group.
Related content
Our work
The South Asia Center is the hub for the Atlantic Council’s analysis of the political, social, geographical, and cultural diversity of the region. At the intersection of South Asia and its geopolitics, SAC cultivates dialogue to shape policy and forge ties between the region and the global community.