We need a data privacy law that serves the people, not power

Bangladesh stands on the cusp of a defining choice for its digital future. On October 9, the interim government approved the long-anticipated Personal Data Protection Ordinance 2025, aimed at protecting citizens' data privacy and creating a comprehensive legal framework to regulate the collection, storage, processing, and sharing of personal information in the digital sphere. The ordinance promises consent, transparency, and accountability, gesturing towards the gold standard set by the EU's General Data Protection Regulation (GDPR). However, a proposed draft circulating online shows that the ordinance has deviated from that standard in at least certain respects. The draft sketches a regulator, data breach duties, and individual rights. Yet beneath the headline goals lie structural flaws that reveal control reflexes in need of checking, and policy slogans that still have to be turned into enforceable guarantees.
Let's begin with exemptions. Section 28 of the draft creates a wide escape hatch for crime-fighting, investigations, regulatory work, statistics, and even open-ended categories that regulators can later expand. Interestingly, the proposed version did not include the terms "national security" or "public order" under the exemption category, but these have been included in the approved ordinance. Given the country's history of legal abuse, such exemptions risk legitimising arbitrary surveillance, discriminatory profiling, and control over information, particularly in situations involving political dissent or journalistic work. Without clear safeguards and effective independent oversight, activists, journalists, and minority communities may remain exposed to abuse and retaliation. The solution is straightforward: every exemption must comply with the principles of legality, necessity, and proportionality—supported by judicial approval, clearly defined purposes, independent audit mechanisms, and regular public transparency reports.
Regulatory independence is the second fault line. The draft grants the National Data Governance and Interoperability Authority broad powers, yet tethers its major actions to prior government approval, including for standard operating procedures and core classifications. The remedy for this is both boring and vital: appointment by parliament with cross-party consent, fixed terms, protected budgets, and transparent rule-making that cannot be vetoed by the Cabinet Division. Such administrative hygiene is also enshrined in Article 52 of the GDPR, which hardwires independence into the supervisory model.
Cross-border data transfers are the third trouble spot. Section 34 ties data flows to a new state-run taxonomy and hints at fees on data generated in Bangladesh, while Section 35 enables transfers for trade and reciprocity without a clear risk assessment framework. That is an invitation to rent-seeking, forum shopping, and regulatory arbitrage. A credible system needs a simple ladder—adequacy decisions for trusted destinations, standard contractual clauses for everyone else, binding corporate rules for global groups, and explicit risk assessments for high-impact processing. The policy shelf already has these tools. They are tested, interoperable, and predictable. Use them.
Localisation deserves a reality check. Data residency can be legitimate for certain categories such as defence or critical registries. Mandating wholesale localisation through broad classifications is not a good strategy. Bangladesh should localise where risk demands it, and otherwise optimise for secure, lawful, and fast transnational data flows. If the government still wants an industrial policy dividend, tie any localisation to clear technical benchmarks and measurable service gains rather than symbolic flags on servers.
Infrastructure matters. The country already runs a tier-4 National Data Centre at Bangabandhu Hi-Tech City (which has been renamed after the 2024 uprising) and has a sovereign government cloud. Private-sector builds are coming online. These are serious assets that can anchor a privacy-first economy if they meet global standards and deliver reliable uptime at competitive price points. That means formal certification, independent audits, smart peering, and energy-efficient operations. It also means aligning operator practices with international reliability norms.
Connectivity is a multiplier. The new SEA-ME-WE 6 cable will expand capacity and improve path diversity, reducing the fragility we saw when previous systems went dark and traffic had to limp through terrestrial routes. The policy task is to accelerate landing timetables, streamline repairs, and guard against single-vendor choke points. Meanwhile, caches and content delivery networks should be encouraged, not disrupted by ad hoc directives. Local edge keeps costs down and speeds up the internet for everyone. So, publish a cache policy, make it stable, and get out of the way.
Satellite communication is no longer a side quest. With Starlink now in the market, the government can require open peering and transparent quality metrics while removing regulatory frictions that block enterprise and rural adoption. A satellite backbone that rides above terrestrial politics raises the cost of network shutdowns and creates redundancy during disasters. Write those expectations into licensing and procurement so that resilience becomes a deliverable.
Rights without remedies are just vibes. The final law should give citizens fast redress. That includes a clear path to complain, statutory deadlines for decisions, meaningful compensation, and collective actions for systemic abuse. Timely breach notification is part of that social contract. Seventy-two hours to the regulator is a sensible default already supported by global practice. Pair it with a duty to notify affected users when the risk is real.
The government has already drawn criticism for the hurried approval of the ordinance. What it should do is put the text through a real public feedback mechanism, publish a dispositions memo showing what has changed and why, and invite external security testing of the regulatory machinery before it goes live. What should an ideal situation look like? A regulator that can say no to executive overreach. Exemptions that are narrow, time-bound, and court-supervised. Cross-border rules that companies can implement without guesswork. Local infrastructure that competes on reliability and price, not proximity to a ministry. Connectivity that is diverse by design. Breach duties that actually inform people. A playbook that treats citizens as rights holders, not data sources for administrative convenience.
Bangladesh can still choose that path. Build a regulator that can stand up to politics. Replace vague exceptions with hard tests and hard logs. Swap fuzzy localisation for practical safeguards that travel across borders. Double down on world-class infrastructure and stable connectivity policy. We must remember that privacy theatre will not age well; a proper rights law will.
Barrister Khan Khalid Adnan is advocate at the Supreme Court of Bangladesh, fellow at the Chartered Institute of Arbitrators, and head of the chamber at Khan Saifur Rahman and Associates in Dhaka.
Azfar Adib is senior member at the Institute of Electrical and Electronics Engineers (IEEE) and PhD candidate at Concordia University, Canada.
Views expressed in this article are the authors' own.