Data are what a piece of information is made of. So, it is important that data on any subject are well-preserved and protected, and that the information they generate is also well-preserved and protected. In this Digital Age, which started in the mid-20th century and is ongoing, protection of data is an issue of central concern for persons, organisations and States alike. Since data and information are now easily accessible through computers, networks and the internet and its various platforms, including social media, they also run the risk of being changed and manipulated as easily as they can be accessed. In that case, unless the data are effectively protected, the information and the knowledge that go with them can become corrupted to the detriment of the interest of their users, whether persons, organisations or States.
Against this backdrop, the government issued the Personal Data Protection Ordinance (PDPO) 2025 and the National Data Protection Ordinance (NDPO) 2025 in November last year (2025). The Personal Data Protection Ordinance (PDPO) 2025 was considered to be a landmark step to acknowledge the citizens' right to the ownership of their personal data as well as protection of their privacy. Since, according to the ordinance, individuals are recognised as the rightful owners of their data, any entity willing to collect and use the data would be required to have the explicit consent of their owner. The law also establishes the frameworks for data protection and governance.
That the government could come up with these laws is undoubtedly a step forward towards digital governance. However, they have come under criticism from different concerned quarters. The common criticism is that the process of framing the laws lacked transparency as it was not preceded by consultations with different stakeholders and a public debate. The PDPO has been critiqued for its broad powers and its vague definitions of, for instance, the term 'cyber terrorism'. Critics argue that it paves the way for mass surveillance and fear that, despite its good intention of protecting individuals' rights, misuse of the law might curb public dissent. The provisions also allow for extensive data collection and the power to intercept communications by the authorities including the police. Certain sections of the law have drawn the attention of legal experts who think it smacks of too much state control. For instance, section (3) of the NDMO states that its provisions take precedence over any other law, contract or instrument in matters relating to the storage, processing security and identification of persons, personal data and the overall management and interoperability of national data. The ordinance contrasts with similar digital laws of advanced systems of the West. The General Data Protection Regulation (GDPR) of the European Union (EU)/European Economic Area (EEA), for example, does not give supreme powers to the data protection law, but works under the Charter of Fundamental Rights. In other words, respect for private life and protection of personal data are considered fundamental rights. Some critics, on the other hand, consider our data protection laws outdated, restrictive and counterproductive as they risk constraining the country's digital economy. The data protection ordinances of Bangladesh, in their view, isolate the country from the global digital ecosystem.
As a result, the laws not only obstruct investment but also go against the welfare of the citizens. To those critics especially, the ordinances' data localisation mandates are too aggressive as they compel companies to store multiple categories of personal data within the national borders, and any act of noncompliance with the provision risks being penalised. As such, those ordinances impose an impractical burden on global service providers like the social media and content platforms, including Meta, Google and others. Meta owns the popular social media platforms Facebook and Instagram. Google, on the other hand, owns YouTube, which is a huge video-sharing platform. The data localisation mandate, therefore, might force the global social media companies to duplicate infrastructure, raise operational costs and provide low-quality service to the users. Bangladesh cannot afford this as digital commerce using these social media platforms generates around US$1.5 billion in annual transactions. Moreover, this digital commerce creates jobs for around two hundred thousand young entrepreneurs. Obviously, the localisation provision of the data regulatory laws poses a potential risk of job loss for many youths engaged in e-commerce.

However, the good news is that the Advisory Council of the interim government has responded positively to the critics and on Thursday (January 8, 2026) approved the Personal Data Protection (Amendment) Ordinance 2026. The revised ordinance particularly addressed concerns regarding mandatory data storage. Now, the requirement for technology companies to keep local copies of user data has been relaxed. Henceforth, the requirement (of keeping local copies) will be applicable only to such data as are deemed 'critical infrastructure (CII)'. The other positive aspect of the revised data protection ordinance is that it has removed the provision of imprisonment for non-compliance, keeping financial penalties as the only form of punishment. With this amendment, the government hopes, the country will now be able to attract more investment in data and cloud-related services. Notably, cloud refers to remote data centres that provide on-demand computing services on the internet.
The personal data that will still remain under restriction are those that might impact national security, public order, defence, critical infrastructure or an individual's fundamental rights and freedoms. The scope of the restriction may also include classified datasets, critical health or security-related information, or any other personal data designated as 'restricted' by the authority or the government. Expectedly, the amendment to the data protection ordinance (PDPO 2025) would at the same time help promote investment in digital commerce, facilitate cross-border data flow and enhance citizen rights, which cover consent, access and deletion as well as protection of minors. Overall, the Personal Data Protection (Amendment) Ordinance 2026 promises to create a unified rights-based data governance framework. However, the challenges to the implementation of the data protection ordinance and the potential for the law's misuse remain. Since no law has ever been perfect at its inception, but has improved through trial and error over the course of time, the present data law would also, it is hoped, attain perfection over time. But in the final analysis, whether a law is good or bad will depend on the goodwill of the political power that implements the law.
sfalim.ds@gmail.com
© 2026 - All Rights with The Financial Express