Personal Data Protection Ordinance: A law that protects you from everyone except the state
The updated ordinance marks progress toward citizen data rights and digital sovereignty, but its impact is undermined by weak regulatory independence and broad government exemptions that risk enabling surveillance
Bangladesh's Personal Data Protection Ordinance has been amended and gazetted. It is a significant step toward digital sovereignty. However, in its eagerness to signal progress, it has left the citizen's door only half open.
Bangladesh's history of data governance began with the infamous Digital Security Act, which received massive criticism for empowering the government to take arbitrary actions against online dissent. Against this backdrop, the Personal Data Protection (Amendment) Ordinance came as a breath of fresh air, as it laid down a legal framework that treats every citizen's data as their own. Given the slow pace of enacting time-sensitive, fit-for-purpose laws in Bangladesh, the quick adoption of the Act deserves recognition before scrutiny.
The Personal Data Protection (Amendment) Ordinance was gazetted on 5 February 2026, cementing a revolutionary shift in data governance that few developing countries have achieved: personal data is recognised as a form of property.
What this entails is that citizens are "data subjects" who can enforce rights. They can access, amend, and erase their data, and refuse automated decision-making. The framework is consent-centric, with sensitive data subcategories covering financial, identifiable, genetic, biometric, and many other forms of data. The Act is also extraterritorial in nature, meaning global big tech companies can no longer outsource their compliance obligations; they must respect the laws of the jurisdictions in which they operate.
In my view, the amendment fixes the most concerning aspect of the 2025 ordinance: the removal of prison terms for company officers in cases of non-compliance. Instead, the amended ordinance introduces hefty financial penalties of up to 5% of annual company turnover for data protection violations, a similar approach to the European Union's GDPR regime. This also makes it more viable for big tech companies to open local offices in Bangladesh, which could be a significant win from an FDI perspective.
Furthermore, the ordinance strikes a balance by easing localisation rules, limiting them to critical sectors such as banking and healthcare. This is a more practical step compared to a blanket localisation requirement, which would have made the jurisdiction less attractive for foreign companies.
However, despite all the praiseworthy steps taken, there is a glaring flaw in this new Ordinance: a regulator that reports to the very authority it is meant to oversee can never be truly independent.
The biggest structural weakness of the Ordinance, despite its ambitious text, is the fact that the National Data Management Authority, tasked with enforcing data protection laws, reports directly to the Prime Minister's Office.
In comparison to global benchmarks such as the EU's GDPR, which mandates that regulatory bodies operate independently from government instructions, or Singapore's Personal Data Protection Commission, which functions as a statutory body independently anchored in parliamentary accountability, Bangladesh's Data Protection Ordinance falls short in granting the National Data Management Authority institutional autonomy.
An even deeper concern within the Ordinance is Section 24, which allows exceptions to data protection compliance on the grounds of national security, public order, or crime prevention. Without explicit definitions, these terms allow for broad interpretation, which can—and most likely will—override many of the protections offered by the Ordinance.
Let us again compare the Ordinance to globally accepted benchmarks in this sector, along with a South Asian example. The EU's GDPR imposes strict tests such as necessity and proportionality, along with judicial oversight. Our neighbour India's data protection framework is not perfect, but it does require government exemptions to be clearly stated and publicly disclosed. Bangladesh's Ordinance contains no such safeguards, which is a significant concern, as it could potentially be used as a tool for surveillance in the future—ironically, the very outcome this Ordinance was meant to prevent.
Another, less central but still important concern is that the Ordinance does not address artificial intelligence or provide guidance on how automated decision-making should be governed. Given the rapid pace of AI development and the growing adoption of autonomous agentic AI systems, these issues will eventually need to be addressed.
Despite these criticisms, the PDPO remains a significant step forward in the development of data governance law in Bangladesh. While the country has not yet fully moved away from a culture of surveillance, this Ordinance is a positive beginning toward securing citizens' personal data rights. One can only hope that this progress is carried forward through timely amendments that ensure both true data protection for citizens and the institutional independence of the National Data Management Authority.
Shafqat Aziz is a Barrister-at-Law at The Honourable Society of Lincoln's Inn. He has a Master of Laws from Nottingham Trent University. Email: barristershafqataziz@gmail.com
Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions and views of The Business Standard.
