Bangladesh finally has a data protection law but enforcement will be the real test

Laws are not born perfect, and the introduction of major legislation is rarely met with universal acclaim. 

Even a theoretically flawless law is destined to fail if its implementation is crippled by political obstruction, bureaucratic inefficiency, or a lack of necessary resources. The success of any legislation depends not just on the text on paper but on the commitment to its execution and its ability to evolve with society. 

It is commendable that the interim government has finally stepped in to establish a framework for data privacy in Bangladesh. 

As a lawyer with a vision to bridge the gap between law and technology, I have dreamt of this day ever since the State of California signed the pioneering California Consumer Privacy Act (CCPA). Enacted in June 2018 and enforced from January 2020, the CCPA marked a historic milestone in data protection.

In Bangladesh, the unofficial draft of the Data Protection Act was first published in July 2022, followed by another version in September 2023. Then, in November 2023, a cabinet-approved draft was released. When the law was finally ready for enactment—and the timing aligned perfectly for me—I dared to plan the first-ever "Data Privacy Awareness Week" in Bangladesh. Widely acknowledged and appreciated across the industry, this week is celebrated globally every January. 

The nation witnessed its first seven-day campaign featuring seminars, workshops, and webinars with regulatory bodies, members of the judiciary, the legal fraternity, the IT industry, and youth groups. 

The initiative even included awareness programmes for children in slum areas and visits to students at Jagoo School. While the early momentum was filled with optimism and high energy, it gradually faded, and no one seemed to know how to carry it forward.

Now, after almost two years, the interim government has passed the Personal Data Protection Ordinance (PDPO) 2025. Some describe it as "slow," while others call it "a bold and necessary step."

The PDPO signals Bangladesh's digital and ethical maturity, establishing the nation's first true digital social contract. To ensure its success, we must examine global precedents—particularly the journey of California, the world's first major jurisdiction to implement a comprehensive state privacy law. 

The events in California, from legislative necessity to high-profile enforcement, offer critical lessons on why laws like the PDPO are absolutely essential.

California's emergence as the global leader in digital privacy regulation was, arguably, an act of self-defense driven by economic geography. The data reveals a simple truth: approximately 67% of the 18 largest US technology companies are headquartered in the state. Giants like Apple, Alphabet (Google), Meta, and Nvidia all call California home.

This massive concentration of data collection and processing power—referred to under the PDPO as "data handlers"—created an environment where legislation became inevitable. The state had to proactively define and defend its citizens' rights against the corporations shaping the digital world. This led to the California Consumer Privacy Act (CCPA) in 2020 and its stronger successor, the California Privacy Rights Act (CPRA) in 2023.  

For Bangladesh, the lesson is clear: legal frameworks cannot wait until tech industries fully mature. A law's true impact is measured by its enforcement. The PDPO 2025 must act now to define the terms of Bangladesh's commitment to a digital social contract.

The landmark $1.2 million settlement with the cosmetics company Sephora serves as a powerful demonstration of digital accountability and a warning to the industry. The violations included selling consumer data without proper notification, failing to process user opt-out requests, and failing to "cure" (fix) the violations within the grace period after receiving an official warning.

This case powerfully reinforces core compliance requirements, particularly the need for a lawful processing basis (explicit consent) and user empowerment and rights (including the right to opt out and the right to erase data). High-profile enforcement, once the Authority is established, will be crucial for building public trust in this new digital contract.

From advanced chatbots to medical diagnostics, Artificial Intelligence is now integrated into daily life, making compliance strategies no longer optional. The PDPO 2025 provides a long-overdue structure for managing personal data. It ensures that an individual's most private information—whether sensitive medical history, financial transactions, or private communications—cannot be collected, used, or shared without explicit consent and adequate safeguards. The Ordinance clearly sets out the non-negotiable obligations for data handlers and the rights of data subjects (the citizens).

The PDPO imposes stringent compliance requirements on all organisations operating within Bangladesh or handling the data of Bangladeshi citizens. These requirements prioritise transparency, user rights, and security by regulating how personal information is gathered, stored, and shared. They apply equally to both public and private entities, with heightened protections for vulnerable groups, including minors and marginalised communities.

This is not simply administrative overhead; it is a dedicated compliance mechanism designed to protect the privacy and rights of real people. The law mandates the appointment of a Data Protection Officer (DPO) for any institution managing sensitive personal information. To truly uphold digital dignity—particularly in the sectors prioritised by the PDPO, such as Finance, ICT, and Healthcare—organisations must adhere to the principles outlined in Sections 12–33 of the Ordinance.

Journalists and media professionals, who handle vast amounts of sensitive data, now face additional legal and ethical responsibilities. The PDPO 2025 provides specific guidelines for this sector, balancing the public interest with individuals' right to privacy. Voice data, when used for identification purposes, is classified as sensitive biometric data.

This means it is subject to the highest level of scrutiny: it must be collected with explicit, informed consent, stored with exceptional security, and never broadcast without permission. Improper sharing—such as uploading private phone recordings to social media—is not merely unethical; it is now legally punishable under Bangladeshi law. 

Public interest justification can only be invoked when genuinely warranted by overwhelming public interest (e.g., exposing corruption), and internal access to sensitive data must be strictly limited.

Not everyone will agree with every clause of the PDPO 2025. That is inherent to democracy and the legislative process. However, we cannot let the pursuit of perfection prevent us from achieving the necessary good. As a nation, we required a legal framework to protect personal data—and now we have one. The immediate task for all stakeholders is to move beyond debate toward focused awareness, compliance, and responsible implementation.

At its core, the PDPO 2025 empowers individuals, granting them control over how their personal data is collected, used, stored, and shared. Every legal professional must immerse themselves in this law to advise clients on data transfer policies, proper consent mechanisms, and the complexities of AI-driven compliance. Organisations, in turn, must prepare for regulatory audits and risk assessments. As the digital economy accelerates, so do the risks—from widespread data breaches to algorithmic bias.

Compliance is not a constraint; it is the indispensable foundation for innovation, safety, and human dignity in the digital era. Bangladesh is not merely reacting to digital change; it is proactively defining its digital rights. The journey starts now.

Barrister Tasnuva Shelley is an advocate at the Supreme Court of Bangladesh and the Founder of Legalized Education.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.