Data & Privacy ยท Bangladesh
Data protection & privacy law in Bangladesh (2026)
Bangladesh shaded by its data & privacy status
Data protection in Bangladesh: comprehensive law, under Personal Data Protection Ordinance, 2025 (Ordinance No. 61/2025), gazetted 6 November 2025; enforced by the National Data Governance Authority (NDGA) established under the companion National Data Governance Ordinance, 2025.
Bangladesh enacted its first comprehensive personal data protection law via the Personal Data Protection Ordinance, 2025, approved by the Council of Advisers on 9 October 2025 and gazetted on 6 November 2025. The Ordinance recognises citizens as owners of their personal data, mandates explicit consent for collection and processing, and establishes the National Data Governance Authority as the supervisory body. Full enforcement mechanisms are phased in over 18 months from gazette, making the regime fully operational around May 2027.
Key points
The Ordinance (No. 61/2025) was approved 9 October 2025 and officially gazetted by the Law, Justice and Parliamentary Affairs Ministry on 6 November 2025, replacing the earlier draft Data Protection Acts of 2022-2024 that never passed parliament. Most provisions took immediate effect; obligations requiring organisational readiness apply 18 months after gazette (~May 2027).
The National Data Governance Authority (NDGA), created under the companion National Data Governance Ordinance 2025 (also gazetted 6 November 2025), serves as the primary enforcement body. It registers and classifies data fiduciaries, conducts audits, issues guidelines, investigates complaints, and imposes penalties.
Individuals have rights to access and data portability (receive data in intelligible format), correction of inaccurate data, withdrawal of consent, and erasure under specified conditions. Citizens are legally recognised as the owners of their personal data.
Personal data is classified into four tiers: public/open, internal, confidential, and restricted. Confidential and restricted data must be stored within Bangladesh. Internal and confidential data may be transferred abroad only with data-subject consent or for contractual purposes and only to jurisdictions with adequate protections.
Significant data fiduciaries must appoint a qualified Chief Data Officer responsible for regulatory liaison, reporting, and handling data-subject complaints. All controllers must implement appropriate technical and organisational security measures proportionate to data volume, sensitivity, and processing scope.
Administrative fines range from 1-2% of annual turnover for general violations and 2-5% for significant data fiduciaries. Criminal penalties for serious violations can reach 5-7 years imprisonment and fines up to 20 lakh taka (~USD 18,000). Civil society has raised concerns about unchecked executive powers in the enforcement structure.
Timeline - major decisions & events
Bangladesh's first standalone, comprehensive data-protection law was gazetted on 6 November 2025, having been approved by the interim Council of Advisers on 9 October 2025. It recognises citizens as owners of their personal data, mandates explicit consent before any collection or processing, imposes strict rules on sensitive data and cross-border transfers, and has extra-territorial reach over foreign entities handling Bangladeshi citizens' data; most operative sections take effect 18 months after gazette.
Bangladesh Sangbad Sangstha (BSS โ official state news agency) โThe Cabinet approved in principle the proposed Personal Data Protection Act 2023 on 27 November 2023, following iterative drafts since 2022 and inter-ministerial consultations. The bill was never put to a parliamentary vote before Parliament was dissolved in August 2024, but it directly informed the content of the eventual 2025 Ordinances.
Bangladesh Sangbad Sangstha (BSS โ official state news agency) โPassed by Parliament on 13 September 2023, the Cyber Security Act (Act No. 46/2023) replaced the widely criticised Digital Security Act 2018. It retained the consent-based identity-information protection from DSA Section 26, added critical information infrastructure (CII) provisions, and reorganised cybercrime offences, but civil-society groups noted it preserved many of the DSA's speech-suppression mechanisms under new numbering.
Legislative Division, Ministry of Law, Justice and Parliamentary Affairs, Bangladesh โSecurity researcher Viktor Markopoulos discovered that an unsecured Bangladesh government website had inadvertently exposed names, addresses, phone numbers, and national ID numbers of over 50 million citizens, data indexable via Google. The government took the records offline by 10 July 2023, but leaked NID data subsequently circulated on Telegram channels. The incident became the single strongest political catalyst for dedicated data-protection legislation.
TechCrunch โThe ICT Division published the first publicly circulated working draft of a standalone Data Protection Bill (Version 13, dated 16 July 2022), launching formal civil-society and expert consultation. The draft proposed a Data Protection Office, cross-border transfer restrictions, and consent requirements, Bangladesh's first structured attempt to create a GDPR-influenced data-privacy framework.
ICT Division, Government of Bangladesh โGazetted on 8 October 2018 as Act No. 46/2018, the DSA was Bangladesh's dominant digital-security law for five years. Section 26 introduced the country's first statutory data-protection provision: collecting, storing, selling, supplying, or using anyone's 'identity information' without their explicit consent was criminalised. The Act was simultaneously condemned for enabling suppression of online speech through vague criminal provisions, driving its eventual repeal in 2023.
ICNL (hosts official Parliament Act No. 46/2018 text) โA 2013 amendment to the ICT Act increased the maximum sentence under Section 57 (publishing 'fake, obscene or defamatory' digital content) from 10 to 14 years and eliminated the need for arrest warrants or prior prosecutorial permission. While not a data-protection measure per se, the amendment established the template of broad governmental authority over citizens' digital information that shaped all subsequent privacy and cybercrime debates.
Laws of Bangladesh โ Ministry of Law, Justice and Parliamentary Affairs โBangladesh's RTI Act came into force on 1 July 2009, guaranteeing citizens access to government-held information. Sections 7(h), 7(i), and 7(r) carved out exemptions protecting personal privacy, the first statutory recognition of a privacy interest in state-held data. The Act's supremacy clause (Section 3) now creates legal tension with the PDPO 2025, which asserts its own precedence over all existing laws.
Laws of Bangladesh โ Ministry of Law, Justice and Parliamentary Affairs โBangladesh - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ