Bangladesh's Personal Data Protection Ordinance: A Landmark Law That Stops Just Short of the Mark
Bangladesh's Personal Data Protection Ordinance has been amended and gazetted. It is a current step toward digital sovereignty. But in its eagerness, it has left the citizen's door only half-open.
Bangladesh’s history of data governance began with the infamous Digital Security Act, which drew massive criticism for empowering the government to take arbitrary action against online dissent. Against this backdrop, the Personal Data Protection (Amendment) Ordinance came as a breath of fresh air, laying down a legal framework that treats every citizen’s data as their own. Given the slow pace of enacting time-sensitive, fit-for-purpose laws in Bangladesh, the quick adoption of the act deserves recognition before it receives scrutiny.
The Personal Data Protection (Amendment) Ordinance was gazetted on 5th February 2026, cementing a revolutionary shift in data governance that few developing countries have made: personal data is property.
What this entails is that citizens are ‘data subjects’ who can enforce rights. They can access, amend and erase their data, and say no to automated decision making. The framework is consent-centric, with sensitive data subcategories spanning financial, identifiable, genetic, biometric and many more forms of data. The act is also extraterritorial in nature: global big tech companies can no longer outsource their compliance obligations; they have to respect the law of the lands they operate in.
In my view, the amendment fixes the most red-flaggable aspect of the 2025 ordinance by removing prison terms for company officers for non-compliance. Instead, the amended ordinance entails hefty financial penalties of up to 5% of annual company turnover for data protection compliance violations, which is a similar approach to the European Union’s GDPR regime. This also makes it more viable for big tech companies to open local offices in Bangladesh, which can be a big win from an FDI perspective.
Furthermore, the ordinance strikes a balance by easing localisation rules, limiting them to critical sectors such as banking and healthcare. This was a more practical step than a blanket localisation requirement, which would make it less attractive for foreign companies to operate in our jurisdiction directly.
However, despite all the praiseworthy steps taken, there is a glaring flaw in this new Ordinance: a regulator which reports to the hand it was meant to watch can never be truly independent.
The biggest structural flaw of the Ordinance, despite its ambitious text, is the fact that the National Data Management Authority tasked with enforcing data protection laws reports directly to the Prime Minister’s office.
In comparison to data protection law benchmarks such as the EU’s GDPR, which mandates that the regulatory body operate independently of government instructions, or Singapore’s Personal Data Protection Commission, which functions as a statutory body independently anchored by parliamentary accountability, our Data Protection Ordinance simply fails to empower the National Data Management Authority with institutional autonomy.
An even deeper concern is that Section 24 of the Ordinance allows exceptions to data protection compliance on the grounds of national security, public order or crime prevention. Without express definition, these grounds are open to broad interpretation, which can, and most likely will, override all forms of protection offered by the ordinance.
Let’s again compare the ordinance to some globally accepted benchmarks in this sector, along with a South Asian example. The EU’s GDPR has strict tests such as necessity and proportionality, along with court-mandated oversight. Our neighbour India’s data protection laws are not perfect, but they do require government exemptions to be clearly stated and announced. Bangladesh’s Ordinance has no such safeguards, which is a huge concern, as it can be used as a tool for surveillance in the future. That is ironic, as surveillance is exactly what this Ordinance was meant to prevent.
Another less important aspect, which can become troublesome anytime now, is that the ordinance does not govern anything related to artificial intelligence or how automated decision making should be governed. Given the pace of AI development and the fast adoption of autonomous agentic AI, these will eventually have to be addressed.
Despite my criticisms, the PDPO
is still significant and a step in the right direction for Bangladeshi data
governance law development. While we still have not moved away from the culture
of surveillance completely, this ordinance is a good start towards ensuring
personal data rights of citizens. We can only hope that this start can be
carried forward in time with timely amendments which ensure true data
protection of our citizens and independence of the National Data Management
Authority.
Sketch: TBS
Written by:
Shafqat Aziz
Barrister (Lincoln's Inn)
LLM Corporate Law, NTU
Industry & Alumni Fellow, NTU
PGDL, UWE Bristol
LLB, BPP University
Accredited Civil-Commercial Mediator (ADR-ODR International)
https://www.linkedin.com/in/shafqat-aziz-29a3a5171/