Bangladesh finalizes comprehensive data protection ordinance draft
Interim government presents Personal Data Protection Ordinance 2025 to cabinet after multi-year development process.

Bangladesh's interim government presented the draft Personal Data Protection Ordinance 2025 to the cabinet on July 15, marking a significant milestone in the country's digital governance framework. The comprehensive 58-page ordinance represents Bangladesh's first cross-sectoral data protection legislation, establishing fundamental rights for data subjects and comprehensive obligations for organizations processing personal data.
According to the draft ordinance, "The draft of the Bangladesh Personal Information Protection Ordinance was presented to the cabinet by July 15." The document establishes extensive definitions covering various categories of personal data, including sensitive personal data such as genetic information, biometric data, health records, and data relating to ethnic minorities, religious beliefs, and sexual orientation.
Summary
Who: Bangladesh's interim government, led by the Ministry of Posts, Telecommunications and Information Technology, developed the Personal Data Protection Ordinance 2025. The National Data Governance and Interoperability Authority will serve as the primary enforcement body.
What: A comprehensive 58-page data protection ordinance establishing fundamental privacy rights, consent requirements, data localization mandates, and enforcement mechanisms. The legislation covers personal data processing by organizations operating in Bangladesh or targeting Bangladeshi consumers.
When: The draft ordinance was presented to the cabinet on July 15, 2025, following a multi-year development process that began with initial drafts in 2021. Implementation will occur after final approval and enactment.
Where: The ordinance applies within Bangladesh and extraterritorially to organizations processing personal data of Bangladeshi residents or offering services to individuals located in Bangladesh, regardless of the organization's physical location.
Why: According to the government announcement, citizens' personal data represents their asset, requiring state protection. The ordinance addresses the absence of specific data protection legislation that previously allowed government and private institutions to use personal data at their discretion, aiming to align Bangladesh with international data protection standards while ensuring data sovereignty.
The ordinance introduces mandatory consent requirements for personal data processing. The legislation states that "consent means any specific indication of the data-subject, which is given willingly by a statement or a clear affirmative action, for processing his personal data." This requirement forms the foundation of the new regulatory framework, though the ordinance provides eleven specific exceptions where data processing may occur without explicit consent.
Data localization requirements reshape business operations
The ordinance implements a four-tier data classification system that will significantly impact how organizations handle personal data. According to the draft, personal data will be categorized as Public, Private/Internal, Confidential, and Restricted. The legislation specifies that "Public and Private/Internal should be cloud first and open. Restricted data from (1) must be localized."
This classification system reflects Bangladesh's approach to balancing economic development with data sovereignty concerns. The ordinance states its purpose is to facilitate "legitimate and useful transfer leading to economic development and societal growth compatible with cosmopolitan pace." However, organizations must navigate strict localization requirements for certain data categories.
The draft includes provisions for international data transfers under specific conditions. According to the text, "any personal data may be transferred to Bangladesh from other country, or to other country from Bangladesh under the principle of reciprocity where Bangladesh is a member state of a bilateral, regional or multilateral agreement, convention or forum."
Enforcement framework establishes substantial penalties
The ordinance creates the National Data Governance and Interoperability Authority as the primary enforcement body. This authority will oversee implementation, investigate complaints, and impose administrative fines ranging from 300,000 to 500,000 taka for various violations. The legislation specifically addresses foreign companies, stating that violations by foreign entities registered under the Companies Act 1994 may result in administrative fines "not more than 5% (five percent) of the total turnover of the company in Bangladesh for the preceding financial year."
The enforcement framework includes detailed provisions for data audits, breach notifications, and appointment of data protection officers. Organizations classified as having "major importance" must maintain comprehensive records of data processing activities and submit to regular audits by approved data auditors.
Rights framework mirrors international standards
The ordinance grants data subjects comprehensive rights including access to personal data, correction of inaccurate information, withdrawal of consent, data portability, and erasure under specific circumstances. According to the draft, "The data-subject shall have the right to receive his personal data processed by the data-fiduciary in a structured, commonly used and machine-readable format."
The legislation establishes strict timelines for responding to data subject requests. Organizations must acknowledge receipt of requests within prescribed timeframes and provide substantive responses within 30 days. The ordinance includes detailed procedures for handling disputes when organizations reject correction requests.
Children receive special protection under the ordinance, which defines a child as "a person below 18 (eighteen) years." The legislation requires that "personal data of a child or a person with incapacity to consent shall be processed in a manner that protects the rights and interests of the child or a person with incapacity to consent."
Technical requirements emphasize security measures
The ordinance mandates implementation of appropriate technical and organizational measures to ensure data security. According to the draft, these measures may include "pseudonymisation of personal data, encryption of personal data, processes to ensure security, integrity, confidentiality, availability and resilience of processing systems and services."
Organizations must implement data protection by design principles, ensuring that "organizational and business practices and standard technical systems are designed in a manner to anticipate, identify and avoid harm to the data-subject." The legislation requires regular testing and evaluation of security measures against current and evolving risks.
The ordinance includes specific provisions for personal data breach notifications. Organizations must notify the Authority regarding breaches "likely to result in significant harm to affected data-subjects" within prescribed timeframes and formats. The notification must include details about the nature of the breach, affected data categories, and mitigation measures.
Exemptions balance security with privacy
The ordinance provides several exemptions from its requirements, including processing for crime prevention, statistical research, court orders, regulatory functions, journalistic purposes, and personal household activities. However, these exemptions require that processing uses "reasonable, proportionate and effective measures to safeguard the fundamental rights and the interests of the data-subject."
Government agencies receive broad powers under the ordinance, with provisions allowing the government to "issue to the Authority such directions as it may think necessary in the interest of the sovereignty and integrity of Bangladesh, the security of the state, friendly relations with foreign states or public order or public health." This has raised concerns among civil society organizations about potential misuse of the legislation for surveillance purposes.
According to Article 19, an international freedom of expression organization, "without strong safeguards and alignment with international human rights standards, it risks enabling surveillance, censorship, and repression."
Marketing industry implications
The ordinance will significantly impact digital marketing operations in Bangladesh and internationally. Organizations targeting Bangladeshi consumers must implement comprehensive consent management systems, data subject request handling procedures, and potentially restructure data processing operations to comply with localization requirements.
The legislation's broad jurisdictional scope applies to any organization that "processes personal data within Bangladesh other than the mere transiting of personal data through Bangladesh" or "processes personal data outside Bangladesh in connection with any activity involving the offering of goods or services to, or monitoring or profiling of, data-subjects located within Bangladesh."
PPC Land has extensively covered the global trend toward privacy-first advertising solutions. Recent developments include the IAB Tech Lab's PAIR protocol for secure audience matching and Google's advancement in privacy-enhancing technologies for digital advertising. These technological solutions may help organizations comply with Bangladesh's new requirements while maintaining effective marketing capabilities.
The Proximic Report on privacy laws' impact revealed that 88% of advertisers expect significant changes due to privacy regulations, with contextual and first-party data strategies becoming primary alternatives to traditional tracking methods.
Implementation timeline and next steps
The ordinance establishes comprehensive processes for developing rules and regulations. The Authority may make regulations on matters designed in the ordinance provisions, while the government retains power to make rules for carrying out the ordinance's purposes. The legislation includes provisions for standard operating procedures covering consent terms, data processing measures, breach notification procedures, and international transfer protocols.
Organizations currently processing personal data in Bangladesh must bring their operations into compliance with the ordinance provisions once enacted. According to the draft, "where a data-fiduciary has processed personal data from the data-subject or any third party before the date of coming into operation of this Ordinance, such personal data shall be processed in accordance with the provisions of this Ordinance."
The ordinance represents a significant shift in Bangladesh's approach to digital governance, moving from minimal regulation to comprehensive data protection requirements aligned with international standards while incorporating specific provisions for data sovereignty and national security concerns.
Timeline
- 2021: Initial draft data protection act circulated for public consultation
- July 15, 2025: Draft Personal Data Protection Ordinance 2025 presented to cabinet
- May 27, 2025: Paraguay's Chamber of Deputies approves Personal Data Protection Bill
- April 14, 2025: EDPB publishes landmark report on LLM privacy risks
- April 13, 2025: Google advances privacy-enhancing technologies for advertising
- January 26, 2025: IAB Tech Lab releases PAIR protocol for secure data matching
- January 26, 2025: Google introduces privacy-focused advertising tools in DV360
- December 25, 2024: Ryanair faces GDPR complaint over facial recognition requirements
- December 7, 2024: EDPB unveils strategy for cross-regulatory cooperation