Data frontiers : Where does Bangladesh fit in the global privacy debate?

Data has become the raw material of modern power. It fuels artificial intelligence, guides advertising, shapes credit decisions, and underpins everything from ride hailing to national identity systems. Yet the same data can also be weaponised, mishandled, leaked or quietly traded. Around the world, governments are trying to answer a question that sounds technical but is deeply political: who gets to collect data, who gets to use it, and what rights do ordinary people have when their lives are reduced to records, profiles and predictions?

Bangladesh is stepping into this debate at a moment of unusual intensity. In late 2025, the country moved towards its first comprehensive privacy framework with a Personal Data Protection Ordinance and a National Data Governance Ordinance, both gazetted in November. And in early January 2026, the government approved amendments that, largely removed broad data localisation requirements for technology companies and dropped jail terms for violations by tech firms.

That combination tells us almost everything about where Bangladesh sits in the global privacy argument. It is trying to build a modern data regime quickly, under pressure from citizens who want protections and businesses that need workable rules. It is also doing so in a world where privacy law is increasingly tied to trade, geopolitics, national security and the question of whether data should flow freely across borders or be kept at home.

The result is a genuine crossroads: Bangladesh can become a credible, rights-based player in the global data economy, or it can drift into a model where “protection” is promised but “control” becomes the lived experience.

Image: Lianhao Qu/ Unsplash

A world splitting into privacy blocs

The global privacy debate is no longer about whether privacy matters. Most governments now accept, at least rhetorically, that it does. The argument is about the model.

Europe has tried to set the standard with the General Data Protection Regulation, which builds privacy around rights and obligations. The European Commission presents the GDPR as technology-neutral and applicable across sectors, focusing on how data is processed rather than what tools are used. Its principles, including lawfulness, fairness, transparency and purpose limitation, have become a reference point for regulators worldwide.

The United States, by contrast, has tended to rely on a patchwork of sector rules and state laws, with enforcement and consumer remedies often varying depending on where someone lives. California’s consumer privacy regime has become one of the most influential US examples, with the state attorney general’s office setting out rights such as opting out of sale or sharing and requesting corrections to inaccurate data. In early January 2026, California launched a government-run tool designed to help residents request deletion of personal information held by data brokers, underlining how the US debate is increasingly focused on the commercial trade in personal data.

China’s approach sits in a different category, shaped by a strong emphasis on sovereignty and state oversight, especially for cross-border transfers. The direction of travel has been towards more structured compliance pathways for exporting personal information, including certification regimes and, in some cases, assessments and contractual tools. Reuters reported in October 2025 that Chinese regulators announced new rules for certifying cross-border transfers of personal data, scheduled to take effect on January 1, 2026.

Then there are the bridge models, including India’s, which combine individual rights with a strong state role and a growing desire to manage strategic data without cutting off global commerce. In November 2025, India notified its Digital Personal Data Protection Rules, presented by the government as operationalising the Digital Personal Data Protection Act and creating a citizen-centric privacy framework.

Beneath these headline models sits the real battleground: cross-border data. Modern economies run on global cloud infrastructure, international payments, outsourced processing, and multinational platforms. But governments also worry about surveillance, foreign access, and dependence on overseas infrastructure. Data localisation measures have

multiplied globally, with the OECD noting that some localisation is viewed as useful and uncontroversial, while other forms are seen as barriers to the digital economy. The WTO has also pointed to the continued rise in data regulation measures, including increases in data localisation, framing it as part of a broader policy shift affecting trade.

This is the global stage on which Bangladesh is writing its rules.

Bangladesh’s new data regime and the promises it makes

Bangladesh’s Personal Data Protection Ordinance was gazetted in November 2025, according to the Bangladesh Government Press archive, marking a formal milestone after years of debate. DataGuidance, which tracks privacy developments, described the ordinance as effective from 6 November 2025, positioning it as a nationwide framework for personal data processing.

Public-facing explanations of the new laws emphasised rights. Bangladesh Sangbad Sangstha reported that citizens would have rights including access, correction and deletion, and it also highlighted a right to restrict automated decisions made using personal data. Prothom Alo reported that a national data management authority would be established under the National Data Governance Ordinance to formulate data policies, ensure compliance and resolve complaints, while also guaranteeing security across national databases and software systems.

The Daily Star, in its early coverage of the ordinances, highlighted the idea that people are owners of their data, while the state and companies act as custodians or processors. In principle, that is a significant shift in framing. Ownership language, even if contested by lawyers in other jurisdictions, signals that the individual is not meant to be treated as a passive resource.

Yet the practical impact of any privacy law depends not on slogans but on details: who the regulator answers to, how exemptions are written, whether cross-border rules are workable, and what enforcement looks like when powerful actors breach the rules.

Those questions quickly became central to the Bangladeshi debate.

Control, consultation, and the fear of executive overreach

From the start, civil society groups and some legal analysts warned that Bangladesh’s new framework risked being too concentrated in executive hands. Transparency International Bangladesh criticised what it described as a hasty approval process without expert consultation and questioned whether the proposed authority would be independent and aligned with global practices. The Daily Star reported similar concerns, including criticism that key international data protection principles were missing or weak, and that the structure could create a crippled regime if not amended.

A further worry has been the scope of government direction. Prothom Alo reported expert concerns about provisions that would allow the government to issue directives to the authority on grounds such as sovereignty, security and public order, and to issue orders related to data storage or transfer in urgent cases, which critics argued could grant unchecked power without judicial oversight. Article 19 has repeatedly argued Bangladesh should adopt a data protection regime grounded in international human rights law, warning against structural weaknesses that could enable surveillance rather than protection.

Image: Tobias Tullius/ Unsplash

These arguments do not occur in a vacuum. Bangladesh’s recent history of digital regulation has been shaped by controversy around laws used to police speech and online activity. Reuters reported in 2023 that Bangladesh would tone down parts of the Digital Security Act after long-standing criticism that it was draconian and could curb dissent. Separately, debate around cybersecurity law has continued, with proposals to recognise internet access as a civic right receiving attention in regional coverage.

Privacy law, in other words, is being built in a context where trust must be earned, and where people have reasons to scrutinise any broad state discretion.

Data localisation and the economics of being plugged into the world

The most explosive technical issue in Bangladesh’s privacy debate has been data localisation. For governments, localisation can seem like a straightforward response to sovereignty concerns. Keeping data in-country can make it easier to enforce local laws, compel access, and build domestic data centres. It can also be sold politically as a way of preventing foreign surveillance.

For businesses, especially those using global cloud infrastructure, strict localisation can be expensive and destabilising. It can force companies to rebuild systems, complicate cybersecurity strategies, and create fragmentation where data that needs to move across borders for fraud detection, customer support or resilience is boxed in by law.

That tension appears to be driving rapid adjustment in Dhaka. In early January 2026, The Daily Star reported that the government removed broad localisation requirements for technology companies and scrapped jail terms for violations by tech firms, including global platforms, through amendments approved by the advisory council. Other reporting suggested localisation would apply more narrowly, such as to critical information infrastructure, rather than to all categories of data by default.

The speed of this shift matters. It suggests the government is attempting to reconcile two goals at once: signalling sovereignty and citizen protection, while avoiding rules that could scare off investment or break the architecture that modern services rely on.

Globally, that balancing act has become the norm. The EU promotes strict rights protections while still permitting cross-border transfers through adequacy decisions and legal mechanisms. The United States has focused on enabling data flows for commerce while negotiating safeguards in specific contexts. 

from page 34

The EU-US Data Privacy Framework is one example, with the official programme overview explaining that the adequacy decision enables transfers of EU personal data to participating organisations consistent with EU law. China has tightened oversight while still building pathways for compliant exports. India’s DPDP Rules are framed as enabling responsible data use within a new governance structure.

Bangladesh’s challenge is that it is trying to land this balance while its Globally, that balancing act has become the norm. The EU promotes strict rights protections while still permitting cross-border transfers through adequacy decisions and legal mechanisms. The United States has focused on enabling data flows for commerce while negotiating safeguards in specific contexts. The EU-US Data Privacy Framework is one example, with the official programme overview explaining that the adequacy decision enables transfers of EU personal data to participating organisations consistent with EU law. China has tightened oversight while still building pathways for compliant exports. India’s DPDP Rules are framed as enabling responsible data use within a new governance structure.

Bangladesh’s challenge is that it is trying to land this balance while its own regulatory capacity is still developing, and while public trust in digital governance remains fragile.

So where does Bangladesh fit?

Bangladesh is unlikely to become a full replica of the European rights-first model overnight, because the GDPR depends on strong supervisory authorities, mature court oversight, and deep institutional capacity. It is also unlikely to adopt the looser US approach, because Bangladesh’s political and security context pushes strongly towards state discretion, and because citizens are demanding clearer protections as data becomes embedded in everyday services.

Instead, Bangladesh is positioning itself as a hybrid, a country seeking legitimacy through rights language and modern governance architecture, while retaining broad levers for state intervention. The question is whether those levers will be narrowed and supervised enough to win credibility internationally and domestically.

To fit into the global privacy debate in a way that strengthens Bangladesh’s future economy, three tests matter.

The first is independence and enforcement. A privacy regime that cannot constrain powerful institutions will not build trust, and it will not reassure foreign partners. The concern raised by TIB and Article 19 about consultation and executive influence points to a basic requirement: a regulator that can enforce rules fairly, whether the violator is a small business, a multinational platform or a state agency.

The second is cross-border realism. Bangladesh wants to scale digital exports, attract investment, and support startups that serve global markets. That cannot be done with rules that treat every data transfer as inherently suspicious or that force costly duplication without a clear security rationale. The amendments reported in January 2026 suggest policymakers recognise this, but the final shape of the regime will determine whether Bangladesh is seen as open for business or trapped in uncertainty.

The third is the AI connection. Privacy is no longer only about preventing leaks or stopping spam. It is about whether automated systems can profile people, deny them opportunities, or nudge them politically without transparency. Bangladesh’s ordinance, as described by BSS, includes the idea that citizens can restrict automated decisions made using their data, which aligns with a wider global shift towards algorithmic accountability. The challenge will be turning that right into something meaningful: requiring explanations, creating appeal mechanisms, and ensuring that both public and private AI systems are auditable when they have serious impacts.

Bangladesh’s data frontier is therefore not only about catching up. It is about choosing a global identity. Does Bangladesh want to be seen as a country where personal data is protected in practice, where rules are stable enough for innovation, and where state powers are constrained by law? Or does it want to prioritise rapid control over data flows even if that risks trust, investment and the legitimacy of the framework itself?

The most realistic answer is that Bangladesh will continue to negotiate between these poles, because that is what almost every country is now doing. But there is still a difference between negotiation and drift. The coming year, with amendments already on the table, will show whether Bangladesh can turn its new laws into a credible social contract rather than a contested instrument of power.

Zarif Faiaz is a journalist at The Daily Star and a tech policy fellow at Tech Global Institute.