Data protection & privacy laws in Bangladesh (2026)

The Ordinance (No. 61/2025) was approved 9 October 2025 and officially gazetted by the Law, Justice and Parliamentary Affairs Ministry on 6 November 2025, replacing the earlier draft Data Protection Acts of 2022–2024 that never passed parliament. Most provisions took immediate effect; obligations requiring organisational readiness apply 18 months after gazette (~May 2027).

The National Data Governance Authority (NDGA), created under the companion National Data Governance Ordinance 2025 (also gazetted 6 November 2025), serves as the primary enforcement body. It registers and classifies data fiduciaries, conducts audits, issues guidelines, investigates complaints, and imposes penalties.

Individuals have rights to access and data portability (receive data in intelligible format), correction of inaccurate data, withdrawal of consent, and erasure under specified conditions. Citizens are legally recognised as the owners of their personal data.

Personal data is classified into four tiers: public/open, internal, confidential, and restricted. Confidential and restricted data must be stored within Bangladesh. Internal and confidential data may be transferred abroad only with data-subject consent or for contractual purposes and only to jurisdictions with adequate protections.

Significant data fiduciaries must appoint a qualified Chief Data Officer responsible for regulatory liaison, reporting, and handling data-subject complaints. All controllers must implement appropriate technical and organisational security measures proportionate to data volume, sensitivity, and processing scope.

Administrative fines range from 1–2% of annual turnover for general violations and 2–5% for significant data fiduciaries. Criminal penalties for serious violations can reach 5–7 years imprisonment and fines up to 20 lakh taka (~USD 18,000). Civil society has raised concerns about unchecked executive powers in the enforcement structure.