Bangladesh Enforces Personal Data Protection Ordinance with Local Storage Mandate
The interim government of Bangladesh has issued the Personal Data Protection Ordinance, 2025, aimed at strengthening the security of personal data and simplifying legal enforcement. The amended ordinance mandates that a real-time copy of data from Critical Information Infrastructure (CII) must be stored within the country.
A significant revision has been introduced in Section 29 of the amended ordinance. Under the new provision, for the ‘critical information infrastructures’ defined under the Cybersecurity Ordinance, 2025, at least one synchronized real-time copy of cloud-stored data must be kept within Bangladesh’s geographical boundaries. The same requirement also applies to restricted personal data.
Changes have also been made to the penalty clause in Section 48 of the original ordinance (Ordinance No. 61 of 2025). The amendment replaces the phrase “imprisonment or fine, or both” with only “fine,” meaning that offenses under this section will now be punishable exclusively with financial penalties.
Dr. Md. Rezaul Karim, Public Relations Officer of the Ministry of Law, informed on Saturday, February 7, that the legislative and departmental wing of the Ministry of Law, Justice and Parliamentary Affairs had issued the notification regarding the amendment on February 5.
The ordinance, titled “Personal Data Protection (Amendment) Ordinance, 2026,” comes into immediate effect. It was issued by the President under the authority granted by Article 93(1) of the Constitution.
DBTech/DTO/EK/OR
