October 13, 2025 — We commend the Interim Government of Bangladesh for its significant and timely initiative in considering the draft Personal Data Protection Ordinance, 2025 (the “Draft PDPO”) and the draft National Data Management Ordinance, 2025 (the “Draft NDMO”) to strengthen privacy protection, enhance data governance, and promote responsible innovation within Bangladesh’s growing digital ecosystem. However, we are concerned that these drafts were reportedly approved recently despite repeated concerns raised by civil society and industry stakeholders, which reflects a broader pattern of an accelerated policy process without sufficient and transparent public consultation. Rather than representing a comprehensive, evidence-based legislative reform strategy, both drafts suffer from several structural and procedural weaknesses that risk rendering them ineffective and open to abuse in practice.
Our preliminary assessment identifies a number of significant policy design and implementation gaps, including extraterritorial overreach, expansive exemptions for state authorities, excessive executive discretion in issuing rules and orders, unclear data localization and cross-border transfer controls, a disproportionate penalty regime, and serious capacity deficits coupled with the absence of an implementation roadmap. Collectively, these shortcomings are likely to generate uncertainty, weaken enforcement and accountability for both public and private data handlers, enable arbitrary application and potential state abuse, and discourage innovation. As such, in their current form, these frameworks are not yet ready for adoption without substantial revision and meaningful stakeholder engagement.
Our observations are set out more fully below.
- Extraterritorial overreach invites uncertainty, implementation challenges, and arbitrary enforcement. An overbroad and vague extraterritoriality provision extends the application of the Draft PDPO to all Bangladeshi citizens, both within and outside the country, and to all foreign data controllers or processors dealing with individuals in Bangladesh, without requiring any substantial nexus (see ss. 1(2) and 4, Draft PDPO). This expansive provision risks overextending Bangladesh’s criminal and civil jurisdiction well beyond its ordinary limits, and could lead to ineffective enforcement, conflicting proceedings across jurisdictions, and criminal liability for technical non-compliance. Absent safeguards against double jeopardy or forum shopping, and mechanisms for coordination with foreign authorities, the provision invites uncertainty and arbitrary enforcement, and could ultimately deter investment in Bangladesh and participation by Bangladeshi nationals in global supply chains.
- Expansively framed exemptions and ambiguous qualifications vis-à-vis state authorities undermine public accountability and risk entrenching impunity. Exemptions accorded for the collection and processing of personal data on broad grounds such as national security, public order, law enforcement, and other administrative functions (along with additional grounds definable by the government) effectively remove state institutions from the scope of the statute (see s. 24, Draft PDPO). In addition, broad “necessity” provisions allowing data processing for compliance with legal obligations, public interest functions, or the exercise of official authority exclude most public administration activities from accountability mechanisms (see s. 5, Draft PDPO). Under the Right to Information Act, 2009, exemptions have similarly been used to avoid accountability. As our research demonstrates, these exemptions and necessity provisions would likely enable law enforcement, regulatory, or intelligence agencies to continue surveillance under, for instance, secondary legislation or telecom licensing guidelines, effectively operating outside the Draft PDPO’s framework. Moreover, the authority to impose administrative fines on public officials for violations of citizens’ data privacy rights (see s. 48, Draft PDPO) sits uneasily with these sweeping exemptions and blurs the boundaries of compliance and accountability for state actors: if the law shields entire categories of state action from scrutiny, penalizing officials for such actions risks becoming a symbolic gesture devoid of enforceable accountability. Contradictions exist between the two laws as well, with officials insulated from liability for actions taken in good faith under the Draft NDMO. As such, in the absence of clear and enforceable standards, thresholds, and oversight mechanisms, these provisions risk legitimizing expansive and unchecked state surveillance and data processing without meaningful accountability.
- Discretionary localization and data transfer controls risk state abuse and consumer harm. The government retains sweeping authority to classify personal data without clear criteria or justification, invoking broad and ambiguous grounds—ranging from national security and sovereignty to the protection of individual rights and reputation—and to impose requirements for local storage or conditional cross-border data transfers (see ss. 29 and 30, Draft PDPO). For example, data deemed critical to national security must be stored within Bangladesh, while data affecting rights or reputation may only be transferred conditionally. Additionally, prior state approval is required for the cross-border transfer of large volumes of sensitive personal data. Such unconstrained classification and rule-making powers risk establishing de facto, discretionary barriers to cross-border data flows. This could expand opportunities for unwarranted state access and surveillance, increase compliance costs for domestic and foreign enterprises reliant on cost-efficient global infrastructure, and limit consumer access to secure, high-quality international digital services.
- Disproportionate penalty regime inconsistent with domestic and global norms. The proposed criminal penalties, providing for a custodial term of up to seven years and a fine of BDT 2 million (see ss. 36-44, Draft PDPO), are manifestly disproportionate to the nature and gravity of data protection violations. Under existing Bangladeshi law, a seven-year sentence is reserved for serious and inherently violent or subversive offences, such as assaulting the President, kidnapping, robbery, burglary, or abetting crimes punishable by death. Placing data protection offences within the same punitive bracket distorts the principle of proportionality in sentencing. Comparable frameworks rely on administrative rather than criminal sanctions: India’s Digital Personal Data Protection Act, 2023 imposes capped administrative fines, while the EU’s General Data Protection Regulation imposes fines based on a percentage of an entity’s turnover, a model replicated in the Draft PDPO, which prescribes graduated penalties of up to 1-5% of annual global or local turnover. The combination of criminal liability and administrative sanctions therefore risks double punishment for the same act, undermining both fairness and legal consistency. Even jurisdictions that recognize custodial sanctions, such as Australia under the Privacy Act 1988, confine imprisonment to procedural non-compliance (e.g., refusal to attend a dispute-resolution conference) and limit such penalties to a maximum of one year. Accordingly, the proposed custodial term and fine are excessive and incongruous with domestic sentencing standards and international best practices in data protection enforcement.
- Individual liability for corporate misconduct risks abuse and discourages innovation. Like other digital laws, both drafts contain provisions that allow the corporate veil to be pierced by extending civil and criminal liability beyond the company to its individual agents, directors, managers, secretaries, partners, and employees responsible for its operations (see s. 49, Draft PDPO; s. 51, Draft NDMO). Effectively, these provisions presume the involvement or negligence of those in charge unless they can prove that the offence occurred without their knowledge or despite the exercise of due diligence. While this approach seeks to prevent decision-makers from evading responsibility, it risks functioning as a form of “hostage-taking,” imposing personal liability on individuals who often have little or no direct involvement in the alleged misconduct. Such a framework may deter capable professionals from assuming leadership roles and foster overly risk-averse behavior, thereby stifling innovation and effective decision-making.
- Excessive executive discretion in issuing rules and orders risks unchecked power and regulatory overreach. Discretionary powers are conferred upon state agencies to issue executive orders, rules, regulations, and other instruments as they deem necessary, for instance, for reasons of “public interest,” “national security,” “sovereignty,” or “public order” (see ss. 50, 53, and 55, Draft PDPO; ss. 65-67, Draft NDMO). Such provisions, couched in vague and expansive terms and lacking clear legislative limits or procedural safeguards, effectively enable the executive to exercise unfettered authority over the regulatory framework. In the Bangladeshi context, where the abuse of discretionary powers and executive impunity have been recurrent concerns, these open-ended authorizations heighten the risk of misuse and arbitrary interference, and open avenues for justifying extra-legal actions on such grounds. Further compounding the problem are the broad exemptions granted to law enforcement and intelligence agencies, which are seemingly insulated from meaningful scrutiny under the law, and the absence of robust accountability mechanisms or judicial oversight over the exercise of these powers. Without clear procedural checks, transparency requirements, and independent review, such provisions risk enabling government overreach, politicized enforcement, and the erosion of fundamental rights under the guise of administrative necessity or national security.
- Absence of statutory standards for assessing compensatory damages will result in inconsistent and unpredictable outcomes. Although the Draft PDPO permits compensation claims for violations, it provides no baseline, cap, or methodology for calculating damages, leaving courts with broad discretion (see s. 35, Draft PDPO). Comparative frameworks adopt more structured approaches: the California Consumer Privacy Act 2018 specifies the greater of actual damages or a fixed range of US$100-750 per affected individual and outlines clear guideposts for assessing harm, while Australia’s Privacy Act 1988 caps compensatory and exemplary damages at the greater of AU$478,550 or the maximum amount awardable for non-economic loss in defamation proceedings. To promote consistency, proportionality, and fairness, the statute should establish clear parameters and objective criteria for determining damages, including minimum and maximum thresholds.
- Capacity deficits and absence of an implementation roadmap will result in enforcement gaps. The ambitious legislative vision of the Draft PDPO and Draft NDMO is not matched by the institutional, technical, or infrastructural capacity required for its effective implementation, nor are the drafts supported by a phased implementation roadmap, sustained investment in regulatory infrastructure, or the development of context-specific codes of practice tailored to Bangladesh’s digital environment. For example, the provision on protecting children and persons with disabilities (see s. 19, Draft PDPO), while mirroring global best practices, exemplifies this broader gap between aspiration and practicality. Bangladesh currently lacks the capacity and mechanisms necessary to verify parental consent, prevent profiling or targeted advertising of minors, and manage compliance transitions as individuals reach adulthood, yet this provision is intended to take effect immediately. Likewise, the proposed National Data Governance and Interoperability Authority (see ss. 23-26, Draft NDMO) is endowed with an unprecedentedly broad and complex mandate, combining the roles of policymaker, regulator, standards-setter, certifier, and technical operator without clear coordination mechanisms or defined implementation sequencing. These statutory frameworks presuppose an integrated public–private ecosystem for authentication, monitoring, and enforcement that does not yet exist. In the absence of procedural guidance, skilled personnel, and strategic planning, they remain normatively ambitious but operationally weak, risking inconsistent enforcement, bureaucratic overlap, and policy fragmentation.
- Institutional designs of new bodies mirror existing unaccountable and opaque structures. Although on paper the composition of the National Data Management Policy Formulation Board appears balanced, comprising, within a predominantly government-represented body, one parliamentary opposition member, three experts, and one representative from a human rights or civil society organization, in practice all members are appointed by the government without any prescribed or transparent procedure, while the Prime Minister retains ultimate authority over the decision-making process (see ss. 6-7, Draft NDMO). Additionally, the establishment, composition, and appointment procedure of the National Data Management Authority largely mirror those used for other statutory bodies, such as the Bangladesh Telecommunication Regulatory Commission under the Bangladesh Telecommunication Regulation Act, 2001. This model is characterized by government-dominated appointments, positions filled primarily by bureaucrats and officials lacking independent mandates, opaque operations with minimal external oversight, and, notably, complete governmental control over both policy and administration.
While these drafts represent commendable efforts to advance data protection and governance in Bangladesh, their current form reflects an ambitious but underprepared approach to legislative reform. They require a more deliberate, participatory, and evidence-driven process to ensure that Bangladesh’s data governance framework is effective, future-ready, and rights-respecting. Without addressing these concerns and ensuring meaningful public participation, the drafts risk remaining symbolic rather than substantive. The government should therefore adopt a phased and consultative reform process—grounded in evidence, transparency, and accountability—before moving toward enactment and implementation.