Data Discipline: Bangladesh Enacts Law to Safeguard Citizens’ Privacy
Personal information has been misused in the past to carry out enforced disappearances and murders, while National ID cards have been fraudulently created using such data. Individuals have even been arrested through geolocation tracking. To ensure the protection of citizens and institutions, a new law has been enacted, said Faiz Ahmad Taiyeb, Special Assistant to the Chief Adviser in charge of the Posts, Telecommunications, and ICT Division.
He emphasized that no non-bailable provisions have been included in the law, and accountability has been ensured through the establishment of a quasi-judicial authority. Taiyeb made these remarks at an orientation meeting held on Sunday, September 12, at the ICT Tower.
He stated, “The Personal Data Protection Ordinance, 2025, National Data Management Ordinance, 2025, and Cyber Security (Amendment) Ordinance, 2025 have been harmonized to develop this new law collectively.”
Highlighting the unprecedented institutional linkage between law and policy, Taiyeb added, “Since the Data Protection Ordinance has been passed alongside the Personal Data Protection framework, we had to consider foreign stakeholders as well. Therefore, we held individual consultations with GDPR-compliant countries, the World Bank, the American-Bangladeshi business community, Meta, Google, Uber, and several tech platforms.”
He informed that such consultations continued for six months. “Through this long process of dialogue, we have developed this law and achieved a situational capacity within an ecosystem. We did not hire any foreign consultants to draft the policy,” Taiyeb noted.
Acknowledging Bangladesh’s lag in this sector, he said, “Bangladesh is 25 years behind Estonia in terms of data protection knowledge. To overcome the 25-year policy and knowledge gap, and the gap between knowledge, policy, and governance, we need to explore deep into our ecosystem. Anyone working with data must do so with the owner’s consent through compliance, and that is precisely why an authority has been established.”
Referring to this law as a pioneering step, he mentioned, “For the first time in Bangladesh, a Platform Liability Strategy has been ensured. Major tech giants such as Meta and Google are now held accountable under this law. However, if a software company has a total turnover of 1 million taka, it cannot be forced to buy 20 million taka worth of cybersecurity software. The authority has not been given unlimited power; rather, accountability is ensured through a quasi-judicial mechanism. The authority has only been granted the power necessary for its duties and will function as an overseeing institution between two entities, including overseas organizations.”
Criticizing earlier digital transformation initiatives, he remarked, “Laws enacted in the name of digital transformation in the past enabled citizens’ personal data to end up on the dark web. Our ministry’s assets, as well as BCC and data center information, were used and sold by others. Now is the time for us to understand and take control.”
The law, formulated by the ICT Division, was recently approved in principle by the Advisory Council. The orientation meeting was chaired by the ICT Division Secretary, Shish Haider Chowdhury, and attended by top officials of the division.
