New data laws put state power above people’s privacy


The interim government, since its inception, has been driven by two intertwined impulses: a mantra of reformist fervour on one hand, and populist politics and public pressure on the other. The resulting tension has often played out as a kind of political theatre, yielding outcomes that range from well-intentioned legal reforms to more symbolic gestures and stopgap policy measures—and the latter is nowhere more visible than in the proposed Personal Data Protection Ordinance, 2025 (PDPO) and the National Data Management Ordinance, 2025 (NDMO).

Strictly speaking, what these laws represent is not evidence-based, participatory, or rights-respecting policymaking, but rather what can be described as an illusion-stasis nexus. Within this nexus, the government's rush to legislate these statutes has aligned with popular calls for accountability and its own reformist narrative, creating the optics of progress without the implementation roadmap or institutional preparedness needed to sustain it. This approach reflects the traditional legislative reform playbook in Bangladesh: reactive, top-down, insular, and politically motivated, following a familiar pattern of "legislate first, deliberate later."

Yet, the arc of this reform could have bent another way. With insights from earlier draft proposals of the previous government and comparable frameworks from the European Union and their localised versions in Brazil, India, Singapore, and Sri Lanka, the government had a rare opportunity to craft laws grounded in the country's realities and responsive to its needs. It was almost a preconfigured success, a politically cost-free win.

However, the political calculus for the interim government is understandable: pass something, anything, and quickly, to dispel the deeper anxiety of inaction, trusting that the veneer of reform will outweigh deficiencies in legal design. Questions of implementation or effectiveness, after all, are for the next administration to confront before an expectant electorate.

Although the laws gesture towards global best practices by incorporating certain general data protection provisions, they reportedly stop short of fully internalising basic principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation, confidentiality, and accountability. More fundamentally, both laws are built on a misdiagnosis of deeper structural issues and, worse, on misaligned solutions.

Accountability for all, except the state

A study by Tech Global Institute shows that law enforcement, regulatory, and intelligence agencies have spent at least $190 million on surveillance technologies and spyware deployed against citizens. Despite commitments for transparent investigations, no meaningful actions involving wider stakeholder engagement or legislative amendments have followed.

One might reasonably expect the new data protection regime to curb such unaccountable and unrestrained state data practices. Instead, section 24 of the PDPO carves out sweeping exemptions on broad grounds such as national security, public order, law enforcement, and any other functions later defined by the government, effectively removing public institutions from legal scrutiny. Even where not explicitly exempted, ambiguous "necessity" provisions in section 5 allow data processing for compliance with legal obligations, public interest, or official authority, similarly shielding most public administrations from accountability. This means that while citizens and corporations are bound by statutory obligations, state agencies operate in a parallel universe of impunity—unbound by the same legal and procedural constraints and answerable to no one but themselves. This is engineered by design, not born of oversight.

First, sections 19 and 26 of the PDPO require all domestic and overseas data handlers to preserve personal data and surrender it to regulatory agencies without a warrant or other procedural safeguards. Secondly, section 29 of the PDPO confers broad discretion upon state authorities to designate undefined categories of personal data as "critical" or "confidential," effectively handing the government a blank cheque to impose mandatory localisation and cross-border restrictions. Once designated, the data must be housed within Bangladesh in a swiftly expanding web of state-monitored data centres. Exempt from legal compliance and empowered by vague provisions such as section 97A of the Bangladesh Telecommunications Regulation Act, 2001, the state apparatus can reach into these domestic vaults of information at will, surveilling, intercepting, and appropriating personal data with virtually no oversight or due process.

The government claims that an accountability mechanism for state abuses exists in section 48 of the PDPO, allowing administrative actions against state officials for privacy violations. But this provision is structurally unsound: if entire classes of state action are shielded from scrutiny, penalising officials for those same actions is unenforceable in practice and symbolic at best; at worst, it functions as a political manoeuvre designed to confuse rather than constrain.

Compounding this weakness is the strikingly disproportionate treatment of non-state actors, who face a penalty regime that reads like a checklist of everything the drafters could not decide between: criminal, administrative, and civil sanctions cobbled together without implementation guidance. Custodial terms of up to seven years place data offences on par with armed robbery or kidnapping, while corporate fines of 1-5 percent of turnover far exceed regional and global standards. Crucially, no comparable penalties apply to the state itself, rendering any supposed state accountability mechanism little more than a fig leaf.

Effectively, these provisions serve as a lever for state surveillance and other privacy-invasive behaviour without any meaningful accountability and, if historical patterns are any indication, risk entrenching impunity and enabling gross human rights abuses—ranging from arbitrary arrests and detention to enforced disappearances and extrajudicial killings.

Past patterns, repackaged

Admittedly, the proposed framework is not without merit, mirroring internationally recognised best practices in data governance and protection. But this resemblance stems less from thoughtful, consultative policymaking than from a cut-and-paste exercise detached from democratic deliberation, feasibility analysis, or human rights impact assessment.

Take, for instance, the apex policymaking body and its implementing counterpart—the National Data Management Policy Formulation Board and the National Data Management Authority, respectively, created under the NDMO. Both are composed exclusively of government or government-appointed representatives, with hierarchical, executive-controlled structures that operate without independent oversight. This is similar to the executive committee of the National Economic Council and the Bangladesh Telecommunication Regulatory Commission. Without robust checks and accountability mechanisms embedded within these institutions, there can be no credible safeguard against the abuse of state power or the violation of citizens' fundamental rights to privacy, expression, and due process.

However progressive these laws may appear on paper, Bangladesh has historically lacked the infrastructural, administrative, and technological systems to operationalise, monitor, or enforce them. Meanwhile, companies can conveniently invoke overbroad extraterritorial provisions and an incoherent penalty regime to cite legal and compliance uncertainty or conflicting international obligations to evade accountability. The state, meanwhile, remains accountable to no one but itself. Ordinary citizens, as ever, have little practical recourse to hold either companies or the government to account—an enduring reminder that human rights protections in Bangladesh are more promise than practice.

What the government has produced is normatively ambitious but operationally hollow: a framework that aspires to modernity yet is likely to collapse under its own contradictions. These are but simulacra of reform that conceal an underlying incapacity, where policymaking is outsourced to appearances rather than grounded in citizens' fundamental rights. Bangladesh's digital future deserves more than another round of political posturing. For that, the blueprint must change. Ambition must be matched by a future-proof framework, rhetoric by a clear implementation roadmap, and authority by accountability.

Until the cycle of performative policymaking is broken, and until policy is reimagined as a social contract co-created with citizens rather than a sovereign decree imposed upon them, the state will continue to legislate for itself. The time has come to move from rule by reflex and fiat to governance by consent and consensus—for the people, by the people.


Shahzeb Mahmood is head of Research at Tech Global Institute.


Views expressed in this article are the author's own.

