Victory Day and the Question of Data Sovereignty

December 16 marks the day of national sovereignty and victory—a day to raise the flag of territory and self-determination. Yet, as the state increasingly assumes a digital form, the meaning of sovereignty itself is evolving. Today, the question is no longer limited to maps or flags; it extends to the control of citizens’ digital identities, personal data, and information flows. More than half a century after independence, Victory Day now raises a new and pressing question: who controls citizens’ data?

In a digital state, a citizen’s existence is steadily being transformed into data. From birth registration and national identity cards to mobile connections, bank accounts, and social media activity—everything is stored, analyzed, and exchanged as data. In this reality, data is no longer merely an administrative asset; it is deeply intertwined with citizens’ rights, freedoms, and security. A state that controls citizens’ data effectively gains the capacity to influence a significant part of their lives. This is where the concept of data sovereignty acquires political and philosophical significance.

Data sovereignty broadly refers to whose laws, policies, and authority govern citizens’ data. It is not just about where data is stored, but about who decides how it is collected, how long it is retained, with whom it is shared, and who can delete it when necessary. In modern democratic states, citizens’ consent and rights should lie at the heart of data sovereignty. In practice, however, states often begin to see themselves as the primary owners of data.

In Bangladesh, this question is particularly sensitive. In recent years, incidents involving leaks of national identity data, allegations of citizens’ personal information being sold online, and concerns over insecure call records and communication data have all surfaced. While these may appear as isolated incidents, together they point to a deeper problem: a lack of accountability in data management at both state and private levels. The issue is not only data breaches, but also citizens’ uncertainty about where their data goes, who uses it, and where redress lies in cases of misuse.

Against this backdrop, two recently enacted laws come into focus: the Personal Data Protection Ordinance and the National Data Management Ordinance. On paper, these laws emphasize data protection, security, and coordination. Principles such as consent-based data collection, purpose limitation, and security safeguards are positive in theory. Yet, a closer reading of the language and structure of these laws leaves several fundamental questions unanswered.

First, the definition of “state interest” is broad and vague. Terms such as “national security,” “public interest,” or “state necessity” can, if loosely interpreted, override citizen protections. Second, concerns remain about the independence and accountability of the proposed data oversight authorities. Effective data protection requires independent regulators capable of monitoring both the state and private actors equally—a balance that remains unclear.

International experience offers useful contrasts. Frameworks such as the European Union’s GDPR place citizens’ rights at the center, binding even the state within strict limits on data use, overseen by independent courts and regulators. How closely Bangladesh’s legal framework aligns with such standards remains an open question—particularly in terms of enforcing principles like data minimization and purpose limitation. Ultimately, it is implementation, not legislation alone, that will determine outcomes.

The greatest risk lies in potential misuse. While robust data infrastructure can enhance service delivery, it can also enable surveillance, profiling, and the suppression of dissent. If call records, location data, or identity information remain weakly protected, citizens’ private spheres inevitably shrink. History shows that where the abuse of power is possible, it eventually occurs.

State vs Citizen: The Philosophical Tension of Data Sovereignty

From the state’s perspective, data is a new instrument of governance—essential for planning, service delivery, and security. From the citizen’s perspective, the same data can become a source of vulnerability. At its core, this is a struggle over power. If the state becomes the owner of citizens’ data, citizens risk being reduced to objects of observation. When individuals lose control over their data, freedom may exist on paper but not in practice.

Data sovereignty, therefore, is not about strengthening the state alone—it is about trust between the state and its citizens. December 16 reminds us that sovereignty is not solely for the state, but for the people. In a digital Bangladesh, the new form of that sovereignty is citizens’ rights over their own data. The question is unavoidable: are we building a state where citizens are digitally protected, or entering a system where freedom slowly turns into a log file?

Author: Ashfak Safal, IT professional; Joint General Secretary, Bangladesh System Administrators Forum (BDSAF)

Note: The views expressed are solely those of the author and do not reflect the position of the Digital Bangla Media authority. The article is published without editorial alteration as part of the media’s commitment to pluralism.