DEBATE over personal data protection in Bangladesh is not new. Work on the law began in 2019, and from the start, it was mired in controversy and concern. When the first draft was made public in 2021, the debate intensified. Critics argued that the law seemed less about safeguarding citizens’ rights and more about expanding state authority. Questions arose: is this law intended to protect individuals’ private lives or to establish a framework for surveillance and control?
In the following years, the draft underwent multiple revisions. Yet, under public pressure, objections from civil society, and concerns about international standards, the cabinet hesitated to enact it into law. It seemed as if the state itself was torn — should it protect privacy or retain the keys to privacy in its own hands?
Recently, the government issued two ordinances under the banner of personal data protection: the Personal Data Protection Ordinance and the National Data Management Ordinance. The objectives are appealing, promising to secure citizens’ personal information. Yet, the grandeur of these goals is often undermined in implementation. The true value of a law lies not merely in its wording, but in the transparency, accountability, and predictability of its application. A law becomes effective when its language is clear and its scope and enforcement are understandable to citizens.
However, when interpretation relies on vague concepts such as ‘authority discretion’, ‘permitted purpose’, or ‘extent of necessity’, the law risks being both ineffective and rights-infringing. Many provisions of the Personal Data Protection Ordinance are caught in this uncertainty. They promise citizens protection, yet entangle them in invisible webs of surveillance and power. If privacy is endangered in the name of protecting privacy, one must ask: who is the law really for, citizens’ security or controlling their silence?
Ìý
Data localisation: security or isolation?
ONE of the most debated aspects of the Personal Data Protection Ordinance is Section 29, which gives the state the power to control the transfer or storage of personal data outside Bangladesh. This clause will shape the future of our domestic data infrastructure, digital economy, and global internet connectivity.
The internet is inherently a global network. Many institutions — banks, healthcare providers, e-commerce companies, educational platforms, and cyber security services — store or process data on servers or cloud networks outside the country. The reasons are threefold: 1) to reduce infrastructure costs; 2) to ensure efficiency in data management; and 3) to maintain international standards of security and backup. Yet, imposing excessive restrictions could limit businesses, technology services, and even ordinary users. In a globalised world, keeping all data strictly within national borders risks digital isolation.
The government asserts that this is not a ‘strict’ or ‘comprehensive’ data localisation requirement. Yet, the vague language of sub-sections suggests that ultimate authority rests entirely with the government. Decisions on which data will be classified as ‘confidential’ or ‘restricted’ will be made solely by the authorities, without independent oversight, judicial review, or multi-stakeholder consultation.
As a result, routine data such as mobile numbers, IP addresses, vehicle registration numbers, and usage logs — if deemed ‘particularly sensitive’ — could affect international apps, cloud services, university research platforms, and digital transaction systems. Businesses will face uncertainty: what is permitted today may be prohibited tomorrow. A law that is unpredictable undermines long-term investment, threatening the sustainability of the technology sector.
The strength of data protection laws worldwide lies in transparency, stability, and predictability. When frameworks allow ‘one interpretation today, another tomorrow’, they risk both rights violations and economic disruption. The central question emerges: do we prioritise security or risk constraining connectivity and innovation? Protection is essential, but if all doors and windows are closed in the name of security, everyday life suffocates.
Ìý
Right to erasure: implementation challenges
SECTION 13(3) grants individuals the right to erase their personal data. Conceptually, this is modern and vital for personal freedom. On paper, it appears citizen-friendly, yet practical implementation faces several challenges:
Conflict with existing laws: For example, the banking sector must legally retain financial data, making immediate erasure impossible.
Multi-party data processing: Data often passes through multiple layers, involving numerous third parties. Even if the primary institution deletes it, erasing copies held by others may be technically impossible.
International experience: The EU’s GDPR has successfully implemented the right to erase, but that success rests on a long-established human rights framework, an independent judiciary, and robust administrative structures. Bangladesh’s system is still developing.
Effective implementation thus requires administrative reforms, clear data governance frameworks, enhanced technological capacity and stronger judicial and human rights structures. Without these, the right to erase will remain a promise on paper.
Ìý
Privacy and state accountability
A FUNDAMENTAL question remains: how transparent and accountable are state and law enforcement agencies? Several provisions exempt government agencies from effective accountability. In practice, citizens cannot always know how their data is used or where to complain in case of any misuse. Lack of accountability creates immunity, increasing the risk of abuse.
Past experiences, such as with the Right to Information Act, show that terms like ‘national security’, ‘state confidentiality’, or ‘strategic interests’ are often used to withhold information. The same reality is evident in surveillance systems. Operations of NTMC and DGFI remain opaque regarding judicial or parliamentary oversight. If the law exists only on paper, while state powers remain unchanged, citizens’ right to privacy cannot be effectively protected. A re-evaluation of state surveillance structures is therefore essential.
Ìý
Conclusion
DATA protection is necessary. But it cannot remain a passing trend or top-down announcement. Lawmaking and implementation must be grounded in realistic planning, well-thought-out strategies, and broad participation. Accountability mechanisms are crucial for the law’s effectiveness. Coordination with other sectoral laws is essential to realise rights such as the right to erase, and international alignment is necessary.
Ultimately, to genuinely safeguard citizens’ rights, the data protection law must be predictable, accountable, and implementable. Citizens must see the rights written on paper and realised in practice. If the law becomes a tool for centralising dissent or a tool to control, it undermines democracy. Only an effective, fair, and participatory law can truly protect citizens’ rights and freedoms.
Ìý
ÌýDr Jahangir Alam Sarker is an advocate and a researcher.