Event Summary
On 9 October 2025, the Government of Bangladesh approved two major data laws as part of a broader digital governance reform agenda: the Personal Data Protection Ordinance and the National Data Governance Ordinance. The new laws were officially gazetted on 6 November, with the government describing them as key steps toward ensuring data sovereignty, digital resilience, and cyber accountability.
However, civil society groups as well as business leaders have raised concerns that the new laws could be abused by the state and could threaten privacy and innovation. For instance. Transparency International Bangladesh highlighted broad exemptions in subsection 15(4) and Section 24 of the Personal Data Protection Ordinance, warning that without judicial oversight the law could become a tool of state control. Daily newspaper Prothom Alo reported that allowing government agencies access to lot of personal data without a court’s permission based on “national security” or “crime prevention”, raise fears of potential misuse. Business leaders also flagged economic risks, with the CEO of Pathao also arguing that unclear data localisation rules could deter investment and burden startups.
Responding to these criticisms, the Chief Adviser’s Special Assistant for ICT, insisted in an open letter that claims of mandatory data localisation were completely incorrect and based on an outdated draft. He said the government follows a cloud-first policy aligned with international standards. The Ministry of Posts, Telecommunications, and Information Technology said in a press release that the ordinances aims to protect privacy and data security.
However, experts remain concerned that provisions enabling broad state access to personal information and maintaining government control over data governance could lead to misuse. By expanding state access to personal data without independent oversight, the laws undermine trust, weaken protections for civic actors, and restrict the space for open, secure engagement online.