Bangladesh Data Privacy Laws: The PDPO 2025 and Complete Legal Framework

Bangladesh enacted its first comprehensive data protection law with the Personal Data Protection Ordinance (PDPO) 2025, gazetted November 6, 2025. The ordinance, rooted in constitutional privacy rights under Article 43, requires explicit consent before any collection, storage, transfer, or use of personal data, with full enforcement activating around May 13, 2027.
Bangladesh crossed a historic threshold in 2025. For decades the country had no dedicated data protection statute, relying instead on scattered provisions in laws designed for other purposes. That gap closed when the interim government led by Chief Adviser Muhammad Yunus promulgated two landmark ordinances in November 2025: the Personal Data Protection Ordinance (PDPO) and the National Data Governance Ordinance. A further amendment followed in February 2026.
This guide covers the complete legal framework governing data privacy in Bangladesh: constitutional roots, the evolution of cyber legislation, the 2025 ordinances and their 2026 amendment, supervisory authority, data subject rights, cross-border and localization rules, penalties, the compliance timeline, and what businesses operating in or with Bangladesh need to do now.
Quick Answer: Where Does Bangladesh Stand Today?
As of May 2026, Bangladesh has a comprehensive data protection law on the books but not yet fully in force. The PDPO 2025 established core rights and obligations on enactment in November 2025. However, enforcement mechanisms, including the appointment of a Chief Data Officer by significant data fiduciaries and the formal complaint, investigation, and penalty procedures, are delayed by 18 months and will not activate until around May 13, 2027.
This means the transition window is open right now. Organizations processing Bangladeshi personal data should treat this period as their compliance runway, not as a grace period to ignore the law.
Constitutional Foundation: Article 43
The right to privacy in Bangladesh begins with the Constitution of the People's Republic of Bangladesh. Article 43, found in Part III (Fundamental Rights), provides two core guarantees.
Every citizen has the right to be secured in their home against entry, search, and seizure. Every citizen also has the right to privacy of correspondence and other means of communication.
These rights are not absolute. The Constitution permits reasonable restrictions imposed by law in the interests of state security, public order, public morality, or public health.
Judicial Expansion of Article 43
Bangladeshi courts have broadened the practical reach of Article 43 through interpretation. In the landmark case of Dr. Mohiuddin Farooque v. Secretary, Ministry of Commerce, the Supreme Court of Bangladesh held that Article 43 protects private phone calls. Obtaining phone records without due process constitutes a constitutional violation, the court concluded.
This ruling confirmed that constitutional privacy protection extends beyond physical correspondence to modern electronic communications. However, constitutional protection alone proved insufficient for the complexities of the digital age, driving successive legislative efforts.
The ICT Act 2006: First-Generation Digital Law
The Information and Communication Technology Act 2006 was Bangladesh's first major legislation addressing digital activities. Its primary contributions to data privacy are structural rather than substantive.
Confidentiality obligation. The Act requires that information declared confidential by law be protected through means appropriate to the mode of transmission, including on communication networks. This created a baseline obligation for digital confidentiality.
Interception powers under Section 46. The ICT Controller may direct law enforcement to intercept information transmitted through any computer resource and may order subscribers to assist in decrypting relevant data. No judicial oversight or time limit is specified.
Digital signatures and electronic records. The Act gives legal recognition to electronic records and digital signatures, making them equivalent to physical counterparts. This framework underpins the validity of electronic consent mechanisms used in data processing.
The ICT Act's controversial Section 57, which broadly criminalized online speech, was later repealed by the Digital Security Act 2018.
The Digital Security Act 2018: Data Privacy Enters the Picture
The Digital Security Act 2018 (Act No. 46 of 2018) replaced the speech provisions of the ICT Act and added Section 26, the first statutory data privacy protection in Bangladesh.

Section 26: Identity Information Protection
Section 26 defined "identity information" broadly as any external, biological, or physical information that can identify a person or system. The definition covered names, addresses, dates of birth, national identity card numbers, birth and death registration numbers, fingerprints, passport numbers, bank account numbers, driver's licenses, electronic and digital signatures, credit and debit card numbers, biometric data including voice prints and retina and iris images, and DNA profiles.
Section 26 imposed a strict consent requirement: unless the data subject expressly consented, collecting or processing identity information was prohibited. Once consent was withdrawn, the withdrawal could not be overridden.
Section 8: Data Removal Powers
Section 8 granted the Bangladesh Telecommunication Regulatory Commission (BTRC) broad authority to remove or block data-information that threatened digital security. This provision gave the government expansive discretion over online content.
Why the Digital Security Act Failed
Despite its privacy provisions, the Digital Security Act became notorious for chilling free expression. ARTICLE 19 documented extensive misuse of the law to prosecute journalists, activists, and ordinary citizens. Many offenses were non-bailable, and the law was widely used by the Sheikh Hasina government against critics. It was repealed in September 2023.
The Cyber Security Act 2023: A Short-Lived Revision
The Cyber Security Act 2023 replaced the Digital Security Act in September 2023. The government described it as a reformed law. In practice, it retained most of the Digital Security Act's structure, including Section 26 on identity information.

Some previously non-bailable offenses became bailable. Certain penalties were reduced. Fines were increased. The provision for additional punishment for repeated offenses was removed. The prison term for publishing information that "hurts religious values" dropped from five years to two, and imprisonment for the transmission of "defamatory information" was replaced with a fine.
Criticism was swift and sustained. Amnesty International described the Cyber Security Act as a replication of the "draconian" Digital Security Act. The U.S. Embassy stated that the new legislation continued to criminalize free expression, retained non-bailable offenses, and could too easily be misused to silence critics.
The Cyber Security Act 2023 survived less than two years.
Political Context: The 2024 Student Revolution and Yunus Interim Government
Understanding the 2025 ordinances requires understanding the political rupture that made them possible.
On August 5, 2024, Prime Minister Sheikh Hasina fled Bangladesh after a student-led uprising that began over a government job quota system. Nobel Peace Prize laureate Muhammad Yunus was sworn in as Chief Adviser on August 8, 2024, heading an interim government.
The interim government inherited a body of digital laws that had been used extensively to suppress dissent under Hasina. Reforming that legal architecture was an early priority. The Cyber Security Ordinance 2025 and the data protection ordinances of November 2025 were products of this reform agenda.
In February 2026, elections returned a Bangladesh Nationalist Party government. The PDPO 2025 and the Amendment Ordinance of 2026 remain in effect under the new government.
The Cyber Security Ordinance 2025: Current Cyber Law
The Cyber Security Ordinance 2025, gazetted on May 21, 2025, replaced the Cyber Security Act 2023. The interim government concluded that the 2023 Act contained inadequate civil protection provisions, enabled abuse, and undermined fundamental rights including freedom of expression.
Nine Sections Removed
The most consequential change was the deletion of nine sections from the Cyber Security Act 2023:
- Section 21: Criminalizing criticism of the Liberation War, Bangabandhu, national anthem, or flag
- Section 24: Penalizing the use of fake or deceptive identity
- Section 25: Criminalizing offensive, false, or fear-inducing information
- Section 26: Prohibiting unauthorized collection or use of personal data
- Section 27: Punishing publication of information to harm reputation
- Section 28: Punishing publication of information hurting religious sentiments
- Section 29: Criminalizing defamatory information
- Section 31: Criminalizing content that undermines law and order
- Section 34: Hacking-related provisions
Automatic Case Dismissals
All ongoing or pending investigations, trials, and proceedings under the removed sections were automatically dismissed. No further legal action could be taken under those provisions, and sentences or fines already imposed were nullified. Because approximately 95% of existing cases had been filed under the repealed sections, the effect was a near-total clearing of the docket.
Remaining Provisions and Bail Status
All offenses related to speech or expression under the remaining sections are now bailable. The maximum punishment under the remaining provisions is two years' imprisonment. Offenses such as cyber fraud, e-transaction crimes, incitement of religious or ethnic hatred, sexual harassment, blackmail, and obscenity remain criminalized but are now bailable.
Impact on Data Privacy
The deletion of Section 26 created a temporary gap in statutory data privacy protection. That gap was filled by the Personal Data Protection Ordinance 2025, enacted several months later and providing far more comprehensive protections than Section 26 ever offered.
Personal Data Protection Ordinance 2025: Bangladesh's First Comprehensive Data Law
The Personal Data Protection Ordinance (PDPO) 2025 (Ordinance No. 61 of 2025) was approved on October 9, 2025, and gazetted on November 6, 2025. It is Bangladesh's first dedicated, comprehensive data protection legislation.

Scope and Extraterritorial Reach
The PDPO applies to all entities that process personal data within Bangladesh. It also reaches beyond Bangladesh's borders: organizations abroad that process data relating to Bangladeshi citizens fall within its scope. This extraterritorial application covers government agencies, autonomous bodies, state-owned enterprises, and private companies of any size.
Data Ownership Principle
The foundational premise of the PDPO is that citizens are the rightful owners of their personal data. Neither the government nor any organization holds primary ownership. Explicit consent is therefore mandatory before any entity may collect, store, transfer, or use personal data.
Valid consent must be voluntary, specific, explicit, and revocable. Data subjects may withdraw consent at any time, and withdrawal must be as simple as the original consent process. The burden of proof for establishing that consent was properly obtained lies with the data fiduciary, not the data subject.
Data Classification System
The PDPO divides personal data into four categories:
Public or open data carries no special processing restrictions.
Internal data encompasses general identifying information. It may be transferred abroad with consent or on a contractual basis, but only to countries with appropriate data protection standards.
Confidential personal data includes financial information, health records, biometric data, real-time location data, and other information whose disclosure could cause significant harm. It receives enhanced protection and is subject to heightened cross-border transfer scrutiny.
Restricted personal data covers information related to national security, public order, defense, and critical infrastructure. It faces the strictest controls, including mandatory data localization.
Sensitive Personal Data
Beyond the four-tier classification, the PDPO separately identifies categories of sensitive personal data that receive enhanced protection regardless of tier: biometric information, political or religious beliefs, health data, sexual orientation, criminal records, and real-time geolocation data. Processing these categories requires specific explicit consent except in narrow legal or emergency circumstances.
Children's Data
Special protections apply to personal data of minors (those under 18). Organizations must obtain verifiable parental or guardian consent before processing a child's personal data. Tracking, monitoring, profiling, and targeted advertising directed at minors are prohibited outright.
Rights of Data Subjects
The PDPO grants individuals four core non-waivable rights:
Right to access and portability. A data subject may request a copy of their personal data in an intelligible format. They may also request that their data be transferred to another data fiduciary.
Right to correction. Data subjects may demand correction of inaccurate or incomplete data. The ordinance includes a "primary source of truth mechanism" that allows system-wide corrections to flow through linked databases.
Right to consent withdrawal and deletion. Individuals may revoke consent for storage, processing, or automated decision-making, and may request erasure of their personal data under specified conditions.
Right to restrict automated decisions. Citizens may challenge and restrict decisions made solely through automated data processing.
Lawful Processing Grounds
Consent is the primary lawful basis, but the PDPO also permits processing without consent in limited circumstances:
- Performance of a contract with the data subject or pre-contractual steps taken at their request
- Compliance with a legal obligation
- Protection of vital interests such as life or health
- Employment, labor, or social security obligations
- Tasks carried out in the public interest
Data Controller and Processor Obligations
Organizations processing personal data must:
- Implement transparency and accountability measures
- Respect purpose limitation, collecting only what is necessary
- Apply pseudonymization and encryption where appropriate
- Maintain processing records for a minimum of five years
- Notify the authority and affected data subjects in the event of a significant data breach
- Conduct data audits and prepare data protection plans
- Not retain data beyond the period necessary for the original processing purpose
Significant Data Fiduciaries
The PDPO introduces a category of "significant data fiduciaries" subject to enhanced obligations. The Authority designates entities as significant based on the classification and volume of data they process and their potential impact on national sovereignty, economic stability, or public safety. Specific numerical thresholds will be set by regulations, which had not been issued as of May 2026.
Significant data fiduciaries must:
- Appoint a Chief Data Officer to represent the organization before the Authority, submit required reports, facilitate data subject rights, and handle complaints
- Undergo independent audits of their processing activities
- Face higher administrative fines (2-5% of annual turnover rather than 1-2%)
- Obtain prior Authority permission before transferring large volumes of sensitive personally identifiable data abroad
Data Localization and Cross-Border Transfer Rules
This is one of the most complex areas of the PDPO, partly because the original provisions were amended within months of enactment.
Original Article 29 Requirements
When gazetted in November 2025, Article 29 of the PDPO required that any organization storing Bangladeshi personal data on foreign cloud infrastructure maintain at least one synchronized real-time copy within Bangladesh's borders. This applied broadly and created a significant compliance burden for technology companies.
Article 29 also granted the government authority to levy fees on commercial profits derived from Bangladeshi citizens' personal data, though the mechanics of that levy remained undefined.
The February 2026 Amendment: A Targeted Approach
On February 5, 2026, the President promulgated the Personal Data Protection (Amendment) Ordinance, 2026 (Ordinance No. 23 of 2026). The amendment made two significant changes.
First, it narrowed the data localization obligation. Under the amended Section 29(7)(b), the synchronized real-time copy requirement now applies only to:
- Restricted personal data, and
- Data processed by Critical Information Infrastructure (CII) as defined in the Cyber Security Ordinance 2025
General personal data, internal data, and confidential data stored on foreign cloud services are no longer subject to the mandatory local copy requirement. This substantially eased the compliance burden on technology companies and foreign cloud providers operating in Bangladesh.
Second, the amendment modified Section 48. The original ordinance imposed criminal imprisonment on managing directors of companies found to have violated data subject rights. The amendment replaced that imprisonment exposure with monetary fines only. Corporate officers remain personally liable, but the nature of that liability shifted from potentially criminal to financial.
Cross-Border Transfer Framework
The PDPO permits cross-border transfers of confidential and internal data to countries that maintain appropriate data protection standards. Transfers also require either data subject consent or contractual necessity. For restricted data, the localization requirement means a local copy must exist regardless of where else data may flow.
Transfers of large volumes of sensitive personally identifiable data by significant data fiduciaries require advance approval from the Authority before the transfer occurs.
National Data Governance Ordinance 2025
Alongside the PDPO, the government enacted the National Data Governance Ordinance 2025, also gazetted on November 6, 2025. The two laws form a paired architecture for Bangladesh's digital economy.
National Data Governance Authority
The National Data Governance Ordinance establishes the National Data Governance Authority as a statutory body attached to the Chief Adviser's Office (Prime Minister's Office under a regular government). Its responsibilities include:
- Designing and operating the national data architecture
- Formulating data policies and ensuring legal compliance
- Resolving complaints across all data management activities
- Guaranteeing security across national databases and software systems
Civil society organizations have raised structural concerns about the Authority. Its oversight committee consists of five members, all of whom are government officials or government appointees. The Authority simultaneously designs national data infrastructure, operates it, and enforces compliance, effectively serving as regulator, architect, and operator without independent oversight. Critics argue this concentration of power creates conditions for unchecked executive surveillance.
National Responsible Data Exchange
The Ordinance establishes the National Responsible Data Exchange (NRDEX) platform for secure data sharing between government agencies and approved private institutions. The platform is designed to reduce data duplication and improve interoperability. Participating organizations must meet security and data handling standards set by the Authority.
Unified Digital Identity
The National Data Governance Ordinance introduces a Unified Digital Identity system that connects a citizen's National ID, passport, tax identification number, and other key registers into a single authenticated identity layer. The system is intended to streamline access to government and digital services.
National Source Code Repository
To prevent vendor lock-in, the Ordinance requires all data processors and custodians working with government systems to deposit their source code in a National Source Code Repository. This ensures the government retains access to and control over its digital infrastructure.
Telecommunications Act 2001 and Surveillance Authority
The Bangladesh Telecommunication Act 2001 established the BTRC and governs telecommunications services. Its provisions interact with the data protection framework in important ways.
Section 97(Ka): Government Surveillance Powers
Section 97(Ka) grants the government broad surveillance authority. On grounds of national security and public order, the government may authorize intelligence agencies, national security agencies, investigation agencies, or law enforcement officers to:
- Suspend or prohibit the transmission of any data or voice call
- Record or collect user information relating to any telecom subscriber
The Act imposes no time limits on these powers. Interceptions may last indefinitely, with no mandatory judicial oversight or renewal requirement. This provision remains in force alongside the PDPO 2025 and creates ongoing tension between data protection rights and executive surveillance authority.
Supervisory Authority and Enforcement Structure
The PDPO designates the National Data Governance Authority as the supervisory body responsible for enforcement. Its powers include:
- Issuing binding instructions to data fiduciaries and processors
- Conducting inspections and directing data audits
- Imposing administrative fines
- Suspending cross-border data transfers
Enforcement Delay Until May 2027
While most substantive provisions of the PDPO took effect upon gazette publication in November 2025, the enforcement mechanisms face an 18-month delay. The sections governing Chief Data Officer appointments, complaint procedures, investigation authority, and penalty imposition are not operative until approximately May 13, 2027.
This delay reflects a recognition that both government capacity and private sector readiness need time to develop. It also represents an opportunity: organizations that build compliant structures during this window will be in a fundamentally stronger position than those that wait.
Penalties and Liability
Administrative Fines
For general data fiduciaries, administrative fines range from 1% to 2% of annual turnover for most violations. Additional fixed administrative fines range from BDT 300,000 to BDT 500,000 (approximately USD 2,500 to USD 4,200) depending on the nature of the violation.
For significant data fiduciaries, the fine range increases to 2-5% of annual turnover, reflecting the higher stakes of their processing activities.
For security failures, fines may reach up to BDT 2,500,000.
Criminal Penalties
Unauthorized collection, use, interception, extraction, or disclosure of personal data constitutes a criminal offense. Penalties range from 5 to 7 years' imprisonment depending on whether general or sensitive personal data was involved, along with fines of up to BDT 2,000,000 (approximately USD 17,000).
Violations involving children's data, fraudulent consent, and tampering carry strict penalties under separate provisions.
Corporate and Personal Liability
Corporate liability is built into the law. If an offense is committed by a company, directors, managers, and responsible officers face personal liability unless they can demonstrate that they exercised due diligence.
The February 2026 amendment modified the liability exposure for managing directors specifically: imprisonment was replaced with monetary fines, while personal financial liability remained.
The 2026 amendment also extended accountability to government officials. Section 48 now provides that if a government or statutory body violates the PDPO, the involved government employee is subject to administrative fines and faces tribunal proceedings. This marks a significant step toward applying data protection obligations symmetrically to both public and private sectors.
Civil Society Concerns and Ongoing Debates
The PDPO 2025 and the National Data Governance Ordinance have drawn sustained criticism from legal scholars, civil society organizations, and international bodies.
Government exemptions. Section 24 exempts government access to personal data for "national security, defense, public order," and similar grounds without defining these terms. Combined with other provisions granting the government broad directives over data storage and transfer, critics warn this effectively removes state actors from meaningful data protection constraints.
Concentrated regulatory power. The National Data Governance Authority sits within the executive branch and serves simultaneously as data infrastructure architect, operator, and compliance enforcer. The absence of independent oversight or judicial checks creates accountability gaps.
Accelerated drafting process. Legal scholars have noted that significant provisions changed between draft versions without documented public consultation. Mohammad Ershadul Karim observed that the ordinance "omits key principles considered the lifeblood of such laws."
Foreign enforcement gaps. Critics note that the practical mechanisms for enforcing the PDPO against foreign technology companies remain underspecified, creating potential liability evasion routes.
Surveillance infrastructure risk. Several organizations have noted that even in their narrowed post-amendment form, data localization requirements concentrate Bangladeshi personal data in storage environments that the government's broad surveillance powers can access without strong judicial controls.
The Tech Global Institute, ARTICLE 19, the Global Network Initiative, and the Robert F. Kennedy Human Rights Center have each issued statements urging stronger safeguards, clearer limits on government access, and independent oversight of the Authority.
Right to Information Act 2009: Counterbalancing Transparency
The Right to Information Act 2009 creates an important counterbalance. Sections 7(h), 7(i), and 7(r) exempt authorities from disclosing information that may reveal personal privacy, endanger life or physical safety, or is protected under other laws.
Section 3 gives the RTI Act supremacy over conflicting provisions in other laws. The PDPO 2025, however, asserts its own precedence over existing laws. Courts will likely need to resolve conflicts between the right to information and the right to data protection as both frameworks mature.
Business Compliance: What Organizations Need to Do
The 18-month enforcement delay gives organizations operating in or with Bangladesh a meaningful but finite window. Here is what compliance preparation should look like:
Determine applicability. The PDPO applies to any organization processing personal data within Bangladesh and to any organization abroad processing data about Bangladeshi citizens. The law covers companies of all sizes.
Audit your data. Map what personal data you hold about Bangladeshi data subjects. Classify it against the PDPO's four tiers (public, internal, confidential, restricted) and identify whether any data qualifies as sensitive personal data.
Review consent mechanisms. All existing data collection processes should be assessed against the PDPO's requirements for voluntary, specific, explicit, and revocable consent. Legacy opt-out or implied consent models will not satisfy the law.
Update privacy notices. Privacy notices must clearly explain what data is collected, why it is processed, how long it will be retained, and with whom it may be shared. Notices must also inform data subjects of their rights under the PDPO.
Assess data localization obligations. Identify whether your organization handles restricted personal data or processes data for Critical Information Infrastructure. If so, ensure a synchronized real-time copy is maintained within Bangladesh.
Evaluate significant data fiduciary status. Even though the Authority has not yet issued regulations defining numerical thresholds, large-scale data processors should anticipate designation. Significant data fiduciaries will need to appoint a Chief Data Officer and prepare for independent audits.
Implement security measures. The PDPO requires pseudonymization and encryption where appropriate, regular security testing, breach detection capabilities, and breach notification procedures.
Establish retention policies. Personal data must not be kept longer than necessary for its original processing purpose. Implement data retention schedules and deletion procedures.
Maintain processing records. Retain records of data processing activities for a minimum of five years.
Prepare for children's data. If your services may be accessed by minors, implement age verification and parental consent mechanisms before enforcement begins.
Note cross-border transfer requirements. For confidential and internal data, document that recipient jurisdictions meet appropriate data protection standards. Significant data fiduciaries must obtain advance Authority approval for large-volume sensitive data transfers.
Recent Developments
Several developments after the PDPO's November 2025 enactment are worth tracking.
The Personal Data Protection (Amendment) Ordinance, 2026 (Ordinance No. 23 of 2026), promulgated February 5, 2026, narrowed data localization to restricted and CII data and replaced managing director imprisonment with monetary fines. It also made government employees personally accountable for PDPO violations by their agencies.
The BNP government that took office in February 2026 has not announced plans to repeal or substantially revise the PDPO or the National Data Governance Ordinance.
The Authority has not yet issued implementing regulations setting thresholds for significant data fiduciary designation or detailed procedures for complaint handling. Those regulations are expected before the May 2027 enforcement date.
International observers continue to monitor whether the broad government exemptions in Section 24 will be used in ways that undermine the PDPO's stated rights protections.
This article is for informational purposes only and does not constitute legal advice. Bangladesh's data protection framework is evolving rapidly as implementing regulations are developed. Consult a qualified attorney licensed to practice in Bangladesh for guidance on specific compliance obligations.
Frequently Asked Questions
Does Bangladesh have a comprehensive data protection law?
Yes. Bangladesh enacted the Personal Data Protection Ordinance (PDPO) 2025, gazetted November 6, 2025. It is the country's first comprehensive data protection legislation, covering data subject rights, consent requirements, breach notification, data localization, and penalties. Full enforcement mechanisms activate around May 13, 2027.
What did the February 2026 amendment change?
The Personal Data Protection (Amendment) Ordinance, 2026 (Ordinance No. 23 of 2026), promulgated February 5, 2026, made two key changes. First, it narrowed the data localization obligation so that only restricted personal data and Critical Information Infrastructure data require a synchronized real-time copy within Bangladesh. General and confidential personal data on foreign cloud services is no longer subject to the mandatory local copy requirement. Second, it replaced criminal imprisonment for managing directors of companies violating data subject rights with monetary fines, while also making government employees personally accountable for PDPO violations by their agencies.
What penalties apply for violating Bangladesh data privacy laws?
The PDPO 2025 establishes both administrative and criminal penalties. Administrative fines range from 1-2% of annual turnover for general violations to 2-5% for significant data fiduciaries. Fixed administrative fines range from BDT 300,000 to BDT 500,000 for various violations. Criminal penalties for unauthorized data collection or disclosure can reach 5-7 years' imprisonment plus fines of up to BDT 2,000,000. The February 2026 amendment replaced imprisonment for managing directors of violating companies with monetary fines.
What happened to the Digital Security Act and Cyber Security Act?
The Digital Security Act 2018 was repealed by the Cyber Security Act 2023, which was itself replaced by the Cyber Security Ordinance 2025, gazetted May 21, 2025. The 2025 Ordinance removed nine controversial sections from the 2023 Act, including Section 26 on identity information protection. About 95% of pending cases under the repealed sections were automatically dismissed. All remaining speech-related offenses are now bailable, with a maximum punishment of two years.
Are there data localization requirements in Bangladesh?
Yes, in targeted form after the February 2026 amendment. Article 29 of the PDPO (as amended) requires organizations to maintain at least one synchronized real-time copy within Bangladesh only for restricted personal data and data processed by Critical Information Infrastructure. General personal data and internal data stored on foreign cloud infrastructure are not subject to the mandatory local copy requirement.
What is a significant data fiduciary under Bangladesh law?
A significant data fiduciary is an entity designated by the National Data Governance Authority based on the classification and volume of data processed and the potential impact on national sovereignty, economic stability, or public safety. Specific numerical thresholds will be set by implementing regulations. Significant data fiduciaries face enhanced obligations including appointing a Chief Data Officer, undergoing independent audits, and paying higher fines of 2-5% of annual turnover.
When does the PDPO 2025 become fully enforceable?
Most substantive provisions took effect when the PDPO was gazetted on November 6, 2025. However, enforcement mechanisms including the Chief Data Officer requirement, complaint procedures, investigation authority, and penalty imposition are delayed by 18 months. The full enforcement framework becomes operative around May 13, 2027.