Bangladesh Data Privacy Laws: Current Framework & Reforms (2026)

Bangladesh has undergone a rapid transformation in its approach to data privacy regulation. For years, the country lacked a dedicated data protection law, relying instead on scattered provisions across multiple statutes. That changed significantly in 2025 with the enactment of two landmark ordinances that reshaped the legal landscape.
This guide covers the complete framework governing data privacy in Bangladesh, from constitutional protections to the newest legislation, and what individuals and businesses need to know about compliance.
Constitutional Foundation: Article 43
The right to privacy in Bangladesh has its roots in the Constitution of the People's Republic of Bangladesh. Article 43, found in Part III (Fundamental Rights), provides two core privacy protections.

First, every citizen has the right to be secured in their home against entry, search, and seizure. Second, every citizen has the right to privacy of correspondence and other means of communication.
These rights are not absolute. The Constitution allows reasonable restrictions imposed by law in the interests of state security, public order, public morality, or public health.
Judicial Interpretation of Article 43
Bangladeshi courts have expanded the scope of Article 43 through judicial interpretation. In the landmark case of Dr. Mohiuddin Farooque v. Secretary, Ministry of Commerce, the Supreme Court of Bangladesh established that Article 43 protects private phone calls. The court held that obtaining phone records without due process constitutes a constitutional violation.
This ruling confirmed that the constitutional right to privacy extends beyond physical correspondence to modern forms of electronic communication. However, constitutional protections alone proved insufficient to address the complexities of digital-era data privacy, leading to a series of legislative efforts.
The Digital Security Act 2018: Origin of Data Privacy Legislation
The Digital Security Act 2018 (Act No. 46 of 2018) was Bangladesh's first significant attempt to address personal data protection through legislation. It replaced parts of the controversial Information and Communication Technology (ICT) Act 2006.
Section 26: Identity Information Protection
Section 26 was the primary data privacy provision in the Digital Security Act. It defined "identity information" broadly to include any external, biological, or physical information that can identify a person or system. The definition covered:
- Name, address, and date of birth
- National identity card and birth/death registration numbers
- Fingerprints, passport numbers, and bank account numbers
- Driver's license and electronic or digital signatures
- Credit or debit card numbers
- Biometric data including voice prints, retina images, iris images, and DNA profiles
Section 26 imposed a strict consent requirement. Unless the data subject expressly gave consent or authorization, collecting or processing identity information was prohibited. The law interpreted consent narrowly, meaning that once consent was withdrawn, information could no longer be used or processed.
Section 8: Data Removal and Blocking Powers
Section 8 granted the Bangladesh Telecommunication Regulatory Commission (BTRC) the power to remove or block data-information that threatened digital security. This provision gave the government broad authority over online content.
Why the Digital Security Act Was Criticized
Despite containing data protection provisions, the Digital Security Act drew widespread criticism from human rights organizations. ARTICLE 19 and other groups flagged multiple provisions as threats to freedom of expression. The law was used extensively to prosecute journalists, activists, and ordinary citizens for online speech, with many cases involving non-bailable offenses.
The Digital Security Act was repealed and replaced in September 2023.
The Cyber Security Act 2023: A Short-Lived Replacement
The Cyber Security Act 2023 was passed by the Bangladesh Parliament in September 2023 to replace the Digital Security Act. The government described it as a reformed version that addressed criticisms of the previous law.
Changes from the Digital Security Act
The Cyber Security Act retained most provisions of the Digital Security Act, including Section 26 on identity information. However, it made several modifications.
Some offenses that were non-bailable under the Digital Security Act became bailable. Punishments for certain offenses were reduced, and fines were increased. The provision for additional punishment for repeated offenses was removed.
The prison term for publishing information that hurts "religious values" was reduced from five years to two years. Prison time for the transmission of "defamatory information" was replaced entirely with a fine.
Continued Criticism
Despite these changes, the Cyber Security Act faced sharp criticism. Amnesty International described it as a replication of the "draconian" Digital Security Act. The U.S. Embassy in Bangladesh stated that "the new legislation continues to criminalize freedom of expression, retains non-bailable offenses, and too easily could be misused to arrest, detain, and silence critics."
The Cyber Security Act 2023 lasted less than two years before being replaced.
The Cyber Security Ordinance 2025: Current Cyber Law
The Cyber Security Ordinance 2025, gazetted on May 21, 2025, replaced the Cyber Security Act 2023. The interim government enacted it after finding that the 2023 Act contained inadequate civil protection provisions, enabled abuse and oppression, and undermined fundamental rights including freedom of expression.
Nine Sections Removed
The most significant change was the removal of nine controversial sections from the Cyber Security Act 2023. The repealed sections include:
- Section 21: Criminalizing criticism of the Liberation War, Bangabandhu, national anthem, or flag
- Section 24: Penalizing the use of fake or deceptive identity
- Section 25: Criminalizing offensive, false, or fear-inducing information
- Section 26: Prohibiting unauthorized collection or use of personal data
- Section 27: Punishing publication of information to harm reputation
- Section 28: Punishing publication of information hurting religious sentiments
- Section 29: Criminalizing defamatory information
- Section 31: Criminalizing content that undermines law and order
- Section 34: Hacking-related provisions
Impact on Existing Cases
The ordinance mandates that all ongoing or pending investigations, trials, or proceedings under the removed sections be dismissed. No further legal action may be taken under those provisions. Any sentences or fines already imposed by courts under those sections are also nullified. This resulted in the automatic cancellation of approximately 95% of ongoing cases, as most had been filed under the repealed sections.
Remaining Provisions
All offenses related to speech or expression under the remaining sections are now bailable. The maximum punishment has been reduced to two years' imprisonment.
Impact on Data Privacy
The removal of Section 26 created a temporary gap in data privacy enforcement. However, this gap was addressed by the Personal Data Protection Ordinance 2025, enacted shortly afterward, which provides far more comprehensive data protection than Section 26 ever did.
Personal Data Protection Ordinance 2025: Bangladesh's First Comprehensive Data Privacy Law
The Personal Data Protection Ordinance (PDPO) 2025 was approved on October 9, 2025, and gazetted on November 6, 2025. It represents Bangladesh's first dedicated, comprehensive data protection legislation.
Scope of Application
The PDPO applies broadly to all entities that process personal data within Bangladesh. It also has extraterritorial reach, covering organizations abroad that handle information about Bangladeshi citizens. This includes government agencies, autonomous bodies, state-owned enterprises, and private companies engaged in any form of data collection or processing.
Data Ownership and Consent
The ordinance establishes a foundational principle: citizens are the rightful owners of their personal data, not the government or any organization. Explicit consent is mandatory before any entity can collect, store, transfer, or use personal data.
The law sets out requirements for valid consent, including that it must be freely given, specific, informed, and unambiguous. Data subjects can withdraw consent at any time, and organizations must make the withdrawal process as simple as the consent process.
Categories of Personal Data
The PDPO creates distinct categories of data with varying levels of protection.
General personal data includes basic identifying information such as name, address, and contact details. Sensitive personal data receives enhanced protection and includes financial information, health records, biometric data, and religious or political beliefs.
Special protections apply to children's data. Organizations must obtain parental consent before processing a minor's personal data. Targeted advertising aimed at minors is prohibited.
Rights of Data Subjects
Citizens have several enumerated rights under the PDPO:
- Right to access: Individuals can request copies of their personal data held by any organization
- Right to correction: Data subjects can demand correction of inaccurate or incomplete data
- Right to deletion: Individuals can request erasure of their personal data under specified circumstances
- Right to restrict automated decisions: Citizens can challenge and restrict decisions made solely through automated data processing
Data Localization Requirements
Article 29 of the PDPO introduces mandatory data localization provisions. Any organization storing Bangladeshi personal data on foreign cloud infrastructure must maintain at least one synchronized real-time copy within Bangladesh.
Following a January 2026 amendment to Section 29(7)(b), the cloud data localization obligation was narrowed. It now specifically applies to restricted personal data and Critical Information Infrastructure (CII) data. General personal data stored abroad is no longer subject to the mandatory local copy requirement, easing the compliance burden on technology companies.
Data Breach Notification
Organizations must notify the relevant authority and affected data subjects in the event of a data breach. The PDPO establishes timelines and procedures for breach notification, though specific timeframes are subject to implementing rules.
Penalties and Enforcement
The PDPO establishes a tiered penalty structure.
Administrative fines range from 1-2% of annual turnover for general violations to 2-5% for significant data fiduciaries. Additional administrative fines range from BDT 300,000 to BDT 500,000 (approximately USD 2,500 to USD 4,200) for various violations.
Criminal penalties apply to serious offenses. Unauthorized collection, use, interception, extraction, or disclosure of personal data can result in up to seven years of imprisonment, a fine of up to BDT 2,000,000 (approximately USD 17,000), or both.
Corporate liability is built into the law. If an offense is committed by a company, directors, managers, or responsible officers face personal liability unless they can prove they exercised due diligence.
Enforcement Timeline
While most PDPO provisions took effect upon publication in November 2025, the enforcement mechanisms face an 18-month delay. Sections covering the appointment of a Chief Data Officer and the complaint, investigation, and penalty procedures will not activate until approximately May 2027.
National Data Governance Ordinance 2025
Alongside the PDPO, the government enacted the National Data Governance Ordinance 2025, also gazetted on November 6, 2025. The two laws work together to create Bangladesh's data governance ecosystem.
National Data Governance Authority
The ordinance establishes the National Data Governance Authority as a statutory body attached to the Prime Minister's Office (or Chief Adviser's Office under the interim government). This authority is responsible for:
- Designing and operating the nation's data architecture
- Formulating data policies and ensuring legal compliance
- Resolving complaints regarding all data management
- Guaranteeing security across all national databases and software systems
- Enforcing compliance and imposing administrative penalties
National Responsible Data Exchange (NRDEX)
The ordinance establishes the NRDEX platform, which allows government and private institutions to share data securely for approved purposes. The platform is designed to reduce data duplication, improve interoperability between agencies, and simplify processes for both citizens and data custodians.
Unified Digital Identity
The law introduces a Unified Digital Identity system that enables citizens to access multiple government and digital services using a single ID. This system connects a citizen's National ID, passport, tax identification number, and other key registers into one authenticated identity layer.
National Source Code Repository
To prevent vendor lock-in and ensure accountability, the ordinance mandates a National Source Code Repository. All data processors and custodians working with government systems must deposit their source code, ensuring that the government retains access to and control over its digital infrastructure.
Telecom Regulations and Data Privacy
The Bangladesh Telecommunication Act 2001 established the Bangladesh Telecommunication Regulatory Commission (BTRC) and governs telecommunications services. While the Act primarily focuses on licensing, competition, and service quality, it contains provisions with significant data privacy implications.
Surveillance Powers Under Section 97(Ka)
Section 97(Ka) grants the government broad surveillance authority. On grounds of national security and public order, the government may empower intelligence agencies, national security agencies, investigation agencies, or law enforcement officers to:
- Suspend or prohibit the transmission of any data or voice call
- Record or collect user information relating to any telecom subscriber
The Act does not impose time limits on these surveillance powers. An interception may last as long as the implementing agency decides, with no mandatory judicial oversight or renewal requirement.
Consumer Protection Provisions
The Act mandates that telecommunications service providers offer transparent pricing, fair terms of service, and grievance resolution mechanisms. While these provisions do not directly address data privacy, they establish a baseline of consumer protection that extends to how telecom companies handle subscriber information.
ICT Act 2006: Legacy Provisions
The Information and Communication Technology Act 2006 was Bangladesh's first major legislation addressing digital activities. While much of its enforcement role has been superseded by newer laws, some provisions remain relevant.
Confidentiality Protections
The ICT Act requires that information declared confidential by law must be protected by means appropriate to the mode of transmission, including on communication networks. This provides a baseline obligation for maintaining data confidentiality in digital transactions.
Interception Powers Under Section 46
Section 46 authorizes the ICT Controller to direct law enforcement agencies to intercept information transmitted through any computer resource. It also empowers the Controller to order subscribers or persons in charge of computer resources to assist in decrypting relevant information.
Digital Signatures and Electronic Records
The Act provides legal recognition to electronic records and digital signatures, making them equivalent to physical records and handwritten signatures. This framework supports the validity of electronic consent mechanisms used in data processing.
Right to Information Act 2009
The Right to Information Act 2009 creates an important counterbalance to data privacy protections. While its primary purpose is ensuring public access to government-held information, it contains privacy exemptions that interact with data protection law.
Sections 7(h), 7(i), and 7(r) prevent authorities from disclosing information that may reveal personal privacy, endanger life or physical safety, or is protected by any other law. However, Section 3 gives the RTI Act supremacy over conflicting provisions in other laws.
The PDPO 2025 states that it will have precedence over all existing laws, creating a potential area of legal tension with the RTI Act. How courts resolve conflicts between the right to information and the right to data protection will be an evolving area of Bangladeshi law.
Compliance Requirements for Businesses
Organizations operating in Bangladesh or handling Bangladeshi citizens' data must prepare for the PDPO's full enforcement. Key compliance steps include:
Appointing a Data Protection Officer
The PDPO requires certain organizations to appoint a Data Protection Officer (DPO) responsible for overseeing data processing activities and ensuring compliance. The specific thresholds triggering this requirement are set through implementing rules.
Conducting Data Audits
Regular data audits are mandated to verify that processing activities align with the stated purposes and comply with the ordinance. Organizations should begin establishing audit procedures during the 18-month transition period.
Updating Privacy Notices and Consent Mechanisms
All data collection must be accompanied by clear, accessible privacy notices explaining what data is collected, why it is processed, how long it will be retained, and with whom it may be shared. Consent mechanisms must meet the PDPO's requirements for explicit, informed, and revocable consent.
Implementing Data Security Measures
Organizations must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction. The standard of protection must be proportionate to the sensitivity of the data being processed.
Current Status and Future Outlook
As of early 2026, Bangladesh's data privacy framework is in a transitional phase. The PDPO 2025 has been enacted, but full enforcement mechanisms will not be operational until approximately May 2027.
The January 2026 amendments to data localization requirements signal that the government is receptive to industry feedback and willing to adjust provisions that may hinder business operations. However, concerns remain about the broad powers granted to the National Data Governance Authority and the potential for executive overreach.
Civil society organizations continue to push for stronger safeguards, more inclusive stakeholder engagement in the rulemaking process, and clearer limits on government data collection powers. The success of Bangladesh's data protection framework will depend on how effectively these concerns are addressed during the implementation phase.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws in Bangladesh are evolving rapidly. Consult a qualified attorney licensed to practice in Bangladesh for guidance on specific compliance obligations.