Bangladesh’s Personal Data Protection Ordinance 2025: key takeaways

The law requires explicit consent for data collection and introduces strict rules for sensitive and cross-border data.

Md. Zahidur Rabbi

The Daily Star

The ordinance matters not just for protecting individual rights, but also for enabling cross-border trade, cloud computing, and fintech partnerships – areas that increasingly require robust data protection as a precondition for international cooperation. PHOTO: AFP

October 24, 2025

DHAKA – Bangladesh is set to enter a new era of digital governance with the introduction of the Personal Data Protection Ordinance 2025. The draft ordinance, which was approved by the cabinet on October 9, 2025 and is awaiting gazette notification, seeks to protect individuals’ rights while ensuring that data processing by public and private entities remains transparent, fair, and accountable.

The 23-page draft ordinance outlines a set of obligations for data controllers and processors, safeguards for data subjects, and mechanisms for enforcement through the establishment of a national data authority. It comes at a time when digital transactions, online services, and cross-border data exchanges have grown rapidly, making data governance a national priority. Once enacted, the ordinance will serve as Bangladesh’s first comprehensive legal framework for data protection, aligning national policy with international standards.

WHY IT MATTERS

In a world increasingly defined by data, Bangladesh’s Personal Data Protection Ordinance 2025 arrives at a crucial moment. Countries across Asia are racing to establish privacy laws as digital economies expand and surveillance risks grow. India passed its Digital Personal Data Protection Act in 2023 after years of debate, while Singapore has had its own Personal Data Protection Act since 2012. Several other countries, such as Japan, South Korea, Thailand, Sri Lanka, and Nigeria, already have laws regarding personal data protection. The European Union’s General Data Protection Regulation (GDPR) remains the gold standard, influencing legislation across the globe.

Bangladesh’s digital footprint has expanded rapidly in recent years, from online banking and healthcare systems to social media, biometric registration, and e-commerce. Yet, in the absence of a unified data protection law, citizens have had limited recourse against data misuse. The ordinance fills this long-standing gap by treating data privacy as a fundamental right connected to individual dignity, security, and national sovereignty.

Without a similar framework, Bangladesh risked falling behind in protecting citizens from data exploitation and losing credibility with global investors demanding compliance with international privacy norms. This ordinance therefore matters not just for protecting individual rights, but also for enabling cross-border trade, cloud computing, and fintech partnerships – areas that increasingly require robust data protection as a precondition for international cooperation.

SCOPE OF THE PERSONAL DATA PROTECTION ORDINANCE

The preamble to the ordinance states that protecting the confidentiality, integrity, and security of personal data is essential to maintaining trust in digital systems.

According to the ordinance, personal data refers to any information that can identify an individual – including names, addresses, financial information, location, health details, genetic and biometric data, and any other information capable of identifying an individual.

The Personal Data Protection Ordinance 2025 applies to all entities that process personal data within Bangladesh and to those abroad handling information about Bangladeshi citizens. It extends to government agencies, autonomous bodies, state-owned enterprises, and private companies engaged in any form of data collection or processing.

The ordinance also recognises the need to align data protection with constitutional rights, national security, and public interest.

The ordinance also recognises that certain exemptions may apply in cases concerning state security, public order, or compliance with legal obligations, provided that such actions are proportionate and necessary.

KEY DEFINITIONS

The ordinance defines several critical terms central to data protection. A data fiduciary is described as any person or organisation that determines the purpose and means of processing personal data, while a data processor refers to anyone who processes personal data on behalf of a data fiduciary.

It also introduces the concept of significant data fiduciaries – entities whose activities may have implications for national sovereignty, economic stability, or public safety. These entities are subject to additional obligations and oversight due to their potential impact.

Sensitive personal data is described as information relating to biometrics, religion, caste, political affiliation, trade union membership, sexual orientation, health, legal affairs, and geo-location. Processing such data requires explicit consent and heightened security measures.

A data subject is defined as the individual to whom the data relates — the person whose privacy and rights the law seeks to protect.

CONSENT AND LAWFUL DATA PROCESSING

The ordinance mandates that data processing must be based on lawful, fair, and transparent practices. Individuals must provide informed and explicit consent before their personal data is collected or processed. The consent must be specific, freely given, and clearly communicated.

According to the ordinance, data subjects must be made aware of why their information is being collected, how it will be used, who will access it, and how long it will be stored.

Data can only be processed for legitimate purposes and to the extent necessary for fulfilling those purposes. The law prohibits the collection of data unrelated to the stated objective and limits retention to the period required to achieve that purpose.

The ordinance also mentions that individuals may withdraw consent at any time, and once consent is withdrawn, data controllers must immediately stop processing the relevant information.

There are some exceptions. The ordinance outlines circumstances under which personal data may be processed without explicit consent. This includes matters concerning public interest, legal obligations, contractual necessity, or national security.

PROTECTING CHILDREN AND VULNERABLE INDIVIDUALS

The ordinance places strict limitations on the processing of data belonging to children and individuals unable to provide informed consent. In such instances, consent must be obtained from a parent or legal guardian.

The new ordinance explicitly prohibits profiling, behavioural tracking, or targeted advertising directed at minors, recognising the potential risks of digital exploitation. Automated decision-making based on children’s data is also restricted to prevent manipulation or bias. These measures align Bangladesh with international standards on child data protection, similar to the European Union’s GDPR and UNICEF’s global principles on children’s digital rights.

INSTITUTIONAL FRAMEWORK WITH NDGA

To ensure effective implementation, the ordinance calls for the National Data Governance Authority (NDGA), which is to be established under section 8 of the National Data Governance Ordinance 2025. This independent body will be tasked with monitoring compliance, issuing guidelines, conducting investigations, and handling grievances.

The NDGA will also have the power to register and classify data fiduciaries, conduct audits, and impose penalties for non-compliance. It will also develop sector-specific codes of practice and promote public awareness of data protection principles.

LEGAL REPERCUSSIONS

The ninth chapter of the Personal Data Protection Ordinance 2025 establishes the legal consequences for violations of personal data rights. It criminalises unauthorised collection, use, interception, extraction, or disclosure of personal data, as well as non-compliance with orders issued by the data authority or courts.

Under this section, individuals or entities found guilty may face up to seven years of imprisonment, a fine of up to BDT 20,00,000, or both. The imprisonment time and fine amount may vary given the magnitude of the crime.

Corporate bodies are not exempt: if an offence is committed by a company, the directors, managers, or responsible officers will be held personally liable unless they can prove due diligence. Moreover, anyone aiding, approving, or encouraging a data offence will be treated as a co-offender and punished identically.

This section represents one of the ordinance’s strongest enforcement tools, signalling that data misuse or negligence will carry tangible legal risks.

The law also requires that any data breach compromising personal information be reported promptly to the NDGA. Such reports must include details of the breach, potential risks to affected individuals, and remedial measures taken.

An appellate tribunal under the Information and Communication Technology Act 2006 will hear appeals against NDGA’s decisions. The tribunal will ensure that disputes are resolved transparently and in line with legal and procedural fairness, as per the new ordinance.

CROSS-BORDER DATA TRANSFER AND SOVEREIGNTY

As global data flows expand, the ordinance also sets conditions for cross-border data transfer. Personal information may be transferred outside Bangladesh only if the receiving country or organisation guarantees equivalent protection standards.

However, “equivalent protection” standards are not clearly stated in the new ordinance, which is understandable as the tech world is rapidly changing and cybersecurity practices are changing alongside it.

The cross-border measures are intended to hold tech giants accountable for how they process the data of Bangladeshi citizens, as the number of internet and social media users in the country is increasing at a steady pace. Transfers for law enforcement or international cooperation must take place under formal agreements.

This provision reflects Bangladesh’s effort to protect data sovereignty while enabling its integration into global digital trade networks.

IMPLEMENTATION TIMELINE

International organisations and banks will need time to adjust to the new compliance rules, so certain sections of the Personal Data Protection Ordinance 2025 will take effect 18 months after its official publication in the government gazette. During this transitional period, organisations will be expected to align their internal systems with the new law.

The NDGA will issue detailed regulations, compliance codes, and technical standards to support the transition. Companies and government agencies will need to review their consent mechanisms, appoint data protection officers, strengthen cybersecurity infrastructure, and train employees in responsible data handling.

Failure to comply after the grace period will lead to administrative fines, penalties, or other enforcement measures as prescribed by the authority.

The ordinance makes little mention of artificial intelligence (AI) and algorithmic accountability, which are expected to be presented with the AI policy scheduled to be published later this year.

SIGNIFICANCE AND EXPECTED IMPACT

The introduction of the Personal Data Protection Ordinance 2025 represents a turning point in Bangladesh’s approach to digital governance. It replaces fragmented practices with a unified, rights-based system that treats data privacy as a national and individual priority.

By creating a legal foundation for data accountability, the ordinance is expected to enhance public confidence in digital platforms, foster innovation, and attract international investment. It also positions Bangladesh alongside countries adopting comprehensive data protection laws, such as India, Singapore, and members of the European Union.

On paper, this is the most comprehensive set of privacy protection measures Bangladesh has ever attempted. But in practice, its success will depend on how effectively it is implemented, and whether the state can balance security interests with citizens’ rights to privacy.
