New data laws in Bangladesh: A critique
Bangladesh has entered a new phase in its digital governance story with two Ordinances, namely, The Personal Data Protection Ordinance 2025 (PDPO) and the National Data Management Ordinance 2025 (NDMO). Their appearance, almost devoid of public discussion, invites reflection: are we witnessing the long-delayed codification of digital rights, or the rise of a data-centric State?
Firstly, section 3 of the NDMO declares that its provisions shall take precedence over any other law, contract or instrument in matters relating to the collection, storage, processing, security and identification of persons of personal data, and the overall management and interoperability of national data. In one sweep, the NDMO asserts primacy across virtually the entire domain of data governance. Contrast this with Europe, where the General Data Protection Regulation (GDPR) operates under the Charter of Fundamental Rights, which enshrines respect for private life and protection of personal data as fundamental rights. The Court of Justice of the European Union (CJEU) has struck down legislation that intruded too far into those rights, notably in Digital Rights Ireland and Tele2 Sverige AB. In the European model, secondary legislation bends to rights; in ours, the NDMO begins with a supremacy clause.
Institutional design reinforces that contrast. Under section 8(2) of the NDMO, the National Data Management Authority is established as a statutory body attached to the Prime Minister's Office. Under section 23, it designs and operates the nation's data architecture, including digital interoperability systems and an identity layer linking core registers, and also enforces compliance and imposes administrative penalties under sections 42–45. Under the GDPR, by comparison, Member States must create independent supervisory authorities that act "with complete independence" in monitoring the law's application. In Commission v Germany (ECJ C-518/07) and Commission v Hungary (C-288/12), the CJEU held that such authorities must act with complete independence from any external influence, including direct or indirect influence of the State. Bangladesh's new Authority, however, sits within the executive branch. It is simultaneously an architect, operator and enforcer, effectively acting as the referee and a player at once.
Perhaps the most ambitious feature lies in the identity layer mandated by section 23 of the NDMO and its Schedule. This unified system is designed to connect a citizen's National ID, passport, tax identification number and other key registers. The intended benefits are administrative efficiency and easier access to public services. Yet technical unification also brings constitutional risk. When every register speaks to every other, the State gains the capacity to reconstruct a person's entire life-trajectory – where one lives, travels, works, banks and interacts online.
Under GDPR Articles 5 and 25, personal data must be collected for specific, explicit and legitimate purposes and be limited to what is necessary. By contrast, the Ordinances contain no explicit, general-purpose duties of purpose-limitation and data-minimisation binding on State processing. What promises frictionless governance could, without constraint, evolve into frictionless surveillance.
Then there is also the question of how these far-reaching measures arrived. Both Ordinances were promulgated under Article 93(1) of the Constitution, authorising the President to issue ordinances when "circumstances exist which render immediate action necessary". Parliament stands dissolved; yet through this route, Bangladesh has now enacted the most comprehensive data-governance regime in its history. A potent query thereby arises: was there truly an extraordinary necessity justifying the use of that power for something this foundational?
A framework that will shape the country's digital constitution deserves the full sunlight of parliamentary debate. The GDPR took years of public consultation and legislative negotiation before it was argued into existence through committees, parliaments and courts – proposed in 2012, adopted in 2016, effective in 2018. Our twin Ordinances arrived in one November gazette by executive fiat. While Ordinances are constitutionally valid, they are simply not constitutionally deliberative. The difference matters when the legislation in question defines the relationship between citizen and State in the digital era.
Furthermore, the Authority's remit effectively makes the Bangladeshi State the most consequential data controller in practice. Under the NDMO, it manages citizen-data life cycles, coordinates integration across ministries and enforces compliance. Section 24(1) of the PDPO creates consent exemptions covering, inter alia, national security, crime control, taxation, public interest, and public-health emergencies. Though sections 24(2) and (4)–(6) limit pure blanket use, their sheer scope risks leaving much state data-processing subject to internal rather than independent oversight.
Hence, for instance, when a private bank mishandles data, the Authority may sanction it. But when a ministry misuses citizen data, will an Authority seated in the Prime Minister's Office do the same? The combination of broad statutory exemptions and executive-controlled enforcement produces a paradox: Big Tech may now face tighter rules, but Big State remains largely self-regulated. This is not to deny the potential gains of improved service delivery and data localisation. But these are infrastructural advantages, not rights guarantees. The Ordinances give citizens the right to access their data, but not always the right to refuse its use.
However, several correctives are still possible. The Authority's independence should be entrenched in statute, modelled on GDPR-style safeguards. Purpose-limitation and data-minimisation rules should bind state agencies as firmly as they bind private controllers, and the Ordinances should advance to Parliament as full Acts preceded by consultation with technologists, civil society and the legal community. A modern data-protection framework should operationalise privacy as a core civil right, not subordinate it to infrastructural convenience.
Bangladesh now stands at a crossroads. We can treat these Ordinances as the culmination of our digital-governance journey, or as its beginning – a chance to craft, through public debate, a data regime that protects citizens not only from corporations but from the overreach of the State itself. The difference between a GDPR moment and a data-state moment lies not in the technology we adopt, but in the constitutional temperament with which we wield it.
The writer is an Advocate specialising in corporate, commercial and technology law.