Cabinet nods Personal Data Protection Ordinance 2025

In a landmark move to modernise its digital governance framework, the interim government of Bangladesh has formally approved the Personal Data Protection Ordinance, 2025, the nation’s first comprehensive legislation dedicated to safeguarding individual privacy in the digital age.

The ordinance was unanimously endorsed during a meeting of the Council of Advisers, the country’s interim cabinet, on Thursday, October 9, chaired by Chief Adviser Professor Muhammad Yunus. 

The decision signals Bangladesh’s commitment to aligning with global data protection norms, such as the EU’s GDPR and India’s Digital Personal Data Protection Act, while tailoring safeguards to its own socio-legal context.

At an afternoon press briefing held at the Foreign Service Academy in Dhaka, Faiz Ahmed Tayyab, Special Assistant to the Chief Adviser for the Ministry of Posts, Telecommunications and Information Technology, unveiled the ordinance’s architecture, calling it “a cornerstone for responsible digital transformation.”

“This is not just a privacy law, it is a foundation for trust in our digital economy,” Tayyab said. “By ensuring data confidentiality, integrity and lawful use, we are creating an environment where innovation can thrive without compromising citizens’ fundamental rights.”

A rights-based approach to data governance

At its core, the 57-section ordinance establishes that individuals own their personal data—a principle that shifts power from data-hungry platforms back to citizens. It introduces a robust framework of data subject rights, including:

• The right to be informed about how, why and for how long their data will be used.

• The right to access copies of their processed data.

• The right to withdraw consent at any time, either fully or partially.

• The right to request correction or deletion of inaccurate or unlawfully held data.

Consent must be explicit, informed and freely given. Organisations—referred to as “data controllers”—must clearly disclose the purpose of data collection, retention timelines, third-party sharing arrangements, and procedures for withdrawal before processing begins.

Special protections are extended to vulnerable groups. For children and individuals lacking legal capacity, processing is permitted only with the prior consent of a parent, legal guardian or court-appointed representative.

Sensitive data under strict guard

The law defines sensitive personal data, including information on race, religion, health, biometrics, financial status, sexual orientation and criminal records, and subjects its handling to heightened safeguards. Such data may only be processed under specific conditions, such as explicit consent, legal obligation, or vital public interest, and always with enhanced security measures.

Balancing privacy and public interest

Recognising that absolute privacy can sometimes conflict with national priorities, the ordinance includes limited, clearly defined exemptions. Consent is not required when data processing is necessary for:

• National security, defence or public order

• Prevention, detection or investigation of crime

• Protection of public health

• Prevention of tax evasion or misuse of public funds

• Academic, statistical, journalistic, artistic or literary purposes

However, even in these cases, data use must remain proportionate, lawful and non-discriminatory, and cannot override fundamental rights without judicial or statutory oversight.

Four-tier data classification system

In a novel approach, the government has categorised personal data into four distinct tiers to enable risk-proportionate regulation:

1. Public or open data – Information already in the public domain (e.g., professional directories).

2. Internal data – Used within organisations for administrative purposes.

3. Confidential data – Private information requiring standard protection (e.g., contact details, employment records).

4. Restricted data – Highly sensitive information (e.g., medical histories, financial transactions) subject to the strictest controls.

This tiered model allows businesses and public agencies to apply graded security protocols, improving efficiency without compromising safety.

Enforcement and accountability

To ensure compliance, the ordinance establishes an independent Data Protection Authority, which will oversee implementation and appoint certified data auditors. These auditors will conduct regular, unannounced inspections of data-processing activities across public and private sectors.

Violations carry significant consequences. Organisations that breach data subjects’ rights may face:

• Administrative fines (amounts to be specified in subsequent rules)

• Mandatory compensation to affected individuals

• Criminal penalties for intentional misuse, unauthorised access, data tampering or malicious processing—especially involving sensitive data

Additionally, data minimisation and storage limitation are now legal requirements. Controllers cannot retain personal data longer than necessary for the stated purpose—a move expected to curb indefinite data hoarding by tech platforms and government databases.

Global integration and digital trade

Crucially, the ordinance empowers Bangladesh to enter bilateral and multilateral agreements on cross-border data flows. This paves the way for participation in regional digital economies and facilitates international business, cloud services and research collaborations—provided partner jurisdictions offer “adequate” data protection standards.

Experts hail the ordinance as a transformative step for the “Digital Bangladesh” vision. By embedding privacy by design, promoting ethical innovation, and fostering citizen trust, the law aims to turn data from a commodity of exploitation into a pillar of empowerment.

Also present at the briefing were Shafiqul Alam, Press Secretary to the Chief Adviser, and Shish Haider Chowdhury, Secretary of the Ministry of Posts, Telecommunications and Information Technology, who affirmed that the ordinance will be promulgated immediately and followed by detailed rules within 90 days.

As Bangladesh joins over 140 countries with dedicated data protection laws, the Personal Data Protection Ordinance, 2025, marks not just regulatory progress—but a cultural shift toward a more respectful, transparent and secure digital society.