Personal data protection ordinance: Risk of misuse due to unchecked executive powers
The draft of the Personal Data Protection Ordinance 2025, approved by the interim government, includes provisions on individuals’ rights over their personal data and its use. However, despite being one of the most talked-about legislative initiatives, the approved draft retains broad executive powers, raising fears of potential misuse.
The draft also lacks clarity on data storage mechanisms, and its implementation on foreign organisations could pose significant challenges.
The interim government approved the draft on Thursday. It defines various forms of personal data and specifies citizens’ rights regarding their use.
Efforts to enact a personal data protection law began in 2019 under the ousted Awami League government, which produced several drafts, including the most recent one in April 2024.
After taking office, the interim government revived the initiative and included definitions and rules for data collection and processing. The ordinance is set to take effect 18 months after its promulgation, though experts say more time will be needed for implementation.
The ordinance will apply to any person, data controller, processor, or individual performing related functions, including those operating outside Bangladesh who process data belonging to Bangladeshi citizens—meaning tech giants like Meta and Google will fall within its scope.
While the draft allows for penalties against foreign companies that violate its provisions, experts note loopholes that could enable them to evade liability.
Unlike the Awami League’s final draft, which excluded criminal penalties, the new version introduces imprisonment and administrative fines, meaning even global companies like Meta and Google could face punishment for violations.
Risk of misuse
The draft gives sweeping powers to the proposed National Data Management Authority, which will function under the Prime Minister’s or Chief Adviser’s Office. All entities will be legally bound to comply with the authority’s orders.
Under Section 21(5), if the authority finds that a data controller’s activities may harm a data subject, it can issue any directive it deems necessary, and the controller must comply.
Section 23 requires all “significant data controllers” to appoint a Chief Data Officer (CDO). However, it remains unclear how “significant controllers” will be defined or whether CDOs in private entities will be accountable to government authorities, potentially granting the state access to private data.
According to Section 26, the authority may enter any premises, system, or facility where personal data is stored or processed. Experts warn this could open the door to abuse, and applying such powers to foreign tech firms could create jurisdictional conflicts.
Discussions about forming an independent data protection body have surfaced repeatedly since previous governments, but no administration has included such a provision. Experts fear this could allow future political governments to weaponise the law against dissenters.
Section 24 exempts the government from seeking consent when accessing personal data for national security, defence, public order, or crime prevention and investigation—without clearly defining these terms, increasing the risk of misuse.
Section 50 authorises the government to issue directives to the authority concerning sovereignty, security, public order, or foreign relations, while Section 55 allows it to issue any order related to data storage or transfer in cases of urgent necessity.
Experts argue these provisions grant the executive unchecked power without judicial oversight, heightening the potential for abuse.
Under the approved draft, if a cyber tribunal, after hearing a complainant, finds a case admissible, it will proceed to investigation. However, the draft remains unclear on whether there will be any scope for judicial appeal if a person disagrees with the decision of the tribunal or the authority.
Corporate liability and exemptions
Section 49 states that in case of a violation, any member of a company’s board, managing director, office holder, or employee may face administrative fines and imprisonment.
However, Section 15 provides an exemption, stating that if compliance by a data controller or processor involves “disproportionate effort or expense,” certain obligations may not apply.
Commenting on this, Associate Professor Mohammad Ershadul Karim of the University of Malaya’s Department of Law and Emerging Technologies said the provision is contradictory. He said, on one hand, it allows anyone in a company to be held liable; on the other, it offers an easy escape through the clause of disproportionate effort or expense. This alone raises questions about the intent and clarity of the law.
Government to set fees on companies profiting from citizens’ data
According to Section 29, the government will determine a fee or charge based on the annual profit of any entity benefiting from the use of data belonging to Bangladeshi citizens. This raises several questions—such as whether local companies that already pay taxes will have to pay this additional fee, or how the government will determine the annual profits of global firms like Facebook and Google. Collecting such fees from foreign corporations may prove highly challenging.
Experts also point out that the relationship between this ordinance and existing financial laws remains undefined, which could create overlapping jurisdictions and legal confusion.
Government approval required to transfer sensitive data abroad
The approved draft requires government approval for transferring sensitive personal data—such as national ID, passport and TIN numbers, biometric and genetic data, or criminal records—outside Bangladesh. The government will classify and, if needed, revise categories of data.
Although data localisation is not explicitly stated, it is implied. The ordinance specifies that domestic or restricted personal data must be stored and maintained within the jurisdiction of Bangladeshi courts. Such data may only be transferred abroad under certain conditions.
Shahzeb Mahmud, Head of Research at the Tech Global Institute, warned that forcing mandatory storage of data deemed nationally important without sufficient legal safeguards could heighten risks of surveillance and human rights violations. He added that extending the law extraterritorially to Bangladeshis abroad and global data controllers may create enforcement problems and make the law ineffective.
He further noted that granting broad exemptions to government authorities for national security or administrative purposes reduces accountability and encourages a culture of surveillance and impunity.
The draft also introduces a maximum seven-year prison sentence depending on the severity of data-related offences. “In Australia, the maximum penalty is only one year,” Shahzeb said. “Punishment should be proportionate to the offence. The justification behind setting such a high penalty in Bangladesh is questionable.”
Government employees also accountable
Section 48 states that regardless of what is mentioned in the Government Service Act or any other law, if a government or statutory body or institution violates any provision of this ordinance, the involved government employee will be subject to administrative fines and will face trial by the tribunal. However, the government will frame rules for implementing these provisions.
Experts have welcomed the initiative to bring government employees under legal accountability but raised concerns about how and by whom offenders will be identified. They pointed out that no one acts without an official order, meaning that, in principle, even a ministry head or the head of government could be held responsible.
Commenting on the approved draft, Ershadul Karim said the government had described a draft as final in May, but the newly approved version shows significant changes. Key principles—considered the lifeblood of such laws—have been omitted. Where did the feedback from stakeholders go? The process of formulating this ordinance does not seem transparent, he observed.
The ordinance gives broad powers to the implementing authority, raising concerns about potential surveillance and misuse. Based on past experience, analysts fear that political governments could exploit this scope.
The ordinance places enforcement provisions in one law, while the structure of the authority is defined in another. The authority will be formed by the government itself, but its accountability remains unclear, and there is no provision for judicial oversight.
Although the approved draft of the National Data Management Ordinance includes a provision for a five-member selection and review committee, all of its members will either be government officials or appointed by the government.
The academic noted that such a law should not be implemented wholesale but introduced gradually, sector by sector. He said Malaysia, for instance, first applied similar laws to selected sectors due to their extensive scope. People and relevant sectors need time to prepare and understand the implications. It seems businesses will face considerable difficulties, he added.
The approved draft is heavily dependent on rules and regulations, meaning its effectiveness and potential risks hinge on how those are framed. No one is against such a law—it is necessary, he said. But it must be developed considering our realities and in line with international standards, he added.