Implement Personal Data Protection Ordinance

The Personal Data Protection Ordinance, 2025 marks a paradigm shift from state-centric cyber control to citizen-centric digital autonomy. The right to privacy is not a novel concept in Bangladesh. Article 43(b) of the Constitution of the People's Republic of Bangladesh explicitly guarantees every citizen the right to the privacy of their correspondence and other means of communication. Yet, for decades, this constitutional promise lacked a dedicated statutory framework to protect citizens against the unchecked data-harvesting practices of both private corporations and state apparatuses. The 2025 Ordinance bridges this critical legal lacuna.

The most revolutionary aspect of the Personal Data Protection Ordinance, 2025 is its foundational premise: citizens are the absolute owners of their personal data. Under this framework, government and private entities are reclassified merely as "data fiduciaries" or "data controllers". This upends the traditional power dynamic in which tech platforms and agencies unilaterally monetised or utilised user information without oversight.

To operationalise this ownership, the Ordinance heavily emphasises the doctrine of informed consent. Businesses and agencies must now obtain voluntary, specific, explicit, and revocable consent before processing any personal data.

Furthermore, the Ordinance grants robust, enforceable rights to "data subjects". Citizens now possess the statutory right to access their processed data, request corrections to inaccuracies, restrict automated profiling, and invoke the right to demand data deletion. This represents a monumental leap for digital human rights in Bangladesh, aligning the nation with global standards such as the European Union's GDPR.

Despite its progressive text, the key legal challenge lies in its implementation. While the Ordinance took effect immediately upon publication, the enforcement of certain procedural sections has been delayed. In particular, Sections 31 through 46, which pertain to the filing of complaints and the establishment of regulatory mechanisms, require the formation of a fully functional regulatory authority. Without a robust grievance redressal mechanism and an appointed Chief Data Officer, the substantive rights granted by the Ordinance risk remaining merely aspirational.

Md Bayazid Sheikh

Law student

Gopalganj Science and Technology University