The 2025 Bangladesh Data Protection Ordinance is a significant step toward regulating personal data in the digital age, with the potential to advance privacy, freedom of expression, and access to information. However, without strong safeguards and alignment with international human rights standards, it risks enabling surveillance, censorship, and repression. ARTICLE 19 urges the Bangladesh Government to adopt a rights-respecting approach grounded in legality, necessity, and transparency.
As digital technologies become ever more embedded in daily life across Bangladesh, from biometric ID systems and mobile financial services to social media platforms and e-governance, regulating how personal data is collected, used, and protected is essential. This is crucial not only to safeguard individual privacy, but also to uphold the rights to freedom of expression, access to information, and the broader framework of democratic participation. When grounded in international human rights law, data protection laws can uphold human dignity, promote equality and non-discrimination, and protect marginalized and at-risk communities including women, journalists, human rights defenders, and ethnic and religious minorities from data-driven harms such as profiling, unlawful surveillance, and targeted repression. These laws can also foster transparency and accountability in public institutions and ensure that individuals have meaningful control over their personal information. However, if poorly designed or abused, such laws risk legitimizing censorship, enabling unchecked state surveillance, and silencing dissent.
To ensure the 2025 Bangladesh Data Protection Ordinance fulfills its potential as a protective, not punitive, legal instrument, a closer examination of its provisions is essential. The following chapter-by-chapter analysis identifies critical strengths and shortcomings of the draft law, highlighting where reforms are necessary to uphold privacy rights, protect freedom of expression, and guarantee meaningful access to information in Bangladesh’s evolving digital landscape.
In Chapter II, the Ordinance, introduces basic principles such as fairness, purpose limitation, and consent. These are crucial to ensuring data is processed responsibly and with respect to individual autonomy. Yet the absence of internationally recognized principles, such as lawfulness, data minimization, and the right to object to certain processing, limits the scope of protection. Critically, the failure to define key terms and the lack of a rights-based understanding of consent weaken the safeguards needed to prevent data misuse. Without recognizing categories of sensitive data such as political beliefs, health, or biometric information, the Ordinance risks enabling discriminatory profiling or targeted surveillance, particularly of vulnerable communities, activists, and journalists. Viewed through a freedom of expression lens, the lack of meaningful safeguards may create a chilling effect: individuals may refrain from engaging in public discourse if they fear their data will be misused or surveilled.
Consent is central to personal autonomy. However, Chapter III of the Ordinance penalizes individuals for withdrawing consent, violating international standards that require consent to be freely given and revocable without detriment. This provision could be used to coerce compliance, undermining personal dignity and control over one’s information. The vague legal bases for non-consensual processing such as “public interest” or “operational necessity” grant overly broad powers to both private actors and state bodies. Without safeguards or definitions, such terms could be manipulated to justify surveillance, censorship, or retaliation against dissenting voices. Additionally, the Ordinance provides insufficient protections for sensitive data, including data about children or individuals unable to consent, groups often at heightened risk of exploitation. Classifying certain data fiduciaries without objective criteria could lead to political misuse, particularly against independent media and civil society actors. The Ordinance must reaffirm that consent is a right, not a liability, and must include explicit protections for freedom of expression and association in the processing of personal data.
Rights such as access, correction, erasure, and objection are essential to enabling individuals to challenge data misuse and protect their freedom to seek, receive, and impart information. However, in Chapter IV, the lack of procedural clarity, defined timelines, and appeals processes undermines these rights in practice. Of particular concern is the requirement for individuals to prove harm to object to harmful processing. This reverses the burden of proof, disproportionately affecting those without legal resources such as journalists, minority groups, and whistleblowers, who are often the targets of intrusive surveillance. Individuals must be empowered to prevent unjustified processing without first having to demonstrate harm, especially where data misuse could threaten safety, reputation, or the ability to speak freely.
Chapters V and VI of the Ordinance includes exemptions for law enforcement, taxation, research, and media activities. While certain exemptions are necessary, the broad, undefined carve-outs in the current draft are deeply problematic. In the absence of judicial oversight or transparency requirements, law enforcement could invoke these provisions to conduct mass surveillance or target political opponents under vague “public interest” justifications. The lack of safeguards risks turning the law into a tool for repression rather than protection. While the exemption for journalistic and academic expression appears to support freedom of expression, it is not accompanied by standards to balance privacy with the public’s right to know. This opens the door to misuse of personal data in public discourse without proper ethical scrutiny. Exemptions must be narrowly defined, proportionate, and subject to independent oversight. The rights to privacy and free expression must be carefully balanced, not traded off.
An effective data protection authority is a cornerstone of a democratic data governance regime. While Chapter VII establishes such an authority, its lack of institutional independence due to executive control over its rulemaking and operations undermines its legitimacy. The authority is empowered to investigate violations and issue fines, but without due process safeguards or transparency obligations, enforcement could become selective or politicized. The absence of a complaint-handling mechanism further denies data subjects meaningful redress. From a freedom of expression viewpoint, this undermines the trust necessary for individuals to challenge data misuse, particularly in cases involving government surveillance or politically sensitive data processing.
Creating a public register of data fiduciaries promotes transparency and accountability. However, as evident in Chapter IX, without clear criteria or public consultation, the process risks arbitrary or discriminatory designations. Small organizations, particularly in civil society or independent media, may face disproportionate regulatory burdens. Public access to the register must also be balanced with privacy and security considerations to avoid inadvertently exposing sensitive information. The Ordinance should ensure participatory rulemaking and proportional obligations to avoid stifling dissenting voices or grassroots organizations.
In Chapter X, the Ordinance establishes a complaints process, administrative fines, and compensation rights. However, the lack of detail on procedural timelines, appeal mechanisms, and criteria for sanctions limits access to justice. Without clear rules, enforcement risks being slow, inconsistent, or vulnerable to political interference. Additionally, individuals harmed by misuse of their data, particularly in speech-related contexts, may lack the tools or support to seek redress. The Ordinance, should embed human rights-based enforcement mechanisms, including protections for whistleblowers and victims of data-related retaliation.
In Chapter XI, the appeals framework provides a mechanism for challenging decisions made by the data authority, which is crucial for ensuring fairness and accountability. However, key procedural elements such as how appeals are filed, the qualifications of appellate members, and public awareness measures are absent. This lack of transparency and access could deter individuals from pursuing redress, especially in cases involving sensitive speech or dissent. The Ordinance should detail that appeals must be timely, transparent, and accessible to all, with special attention to protecting journalists, activists, and marginalized groups.
Chapter XII grants the government broad powers to intervene in data regulation, including to overrule the authority and manage international data cooperation. Without judicial or legislative oversight, these powers could be used to suppress free expression or limit access to information under national security pretexts. International cooperation on data flows is essential but must be governed by human rights-based agreements that protect individuals’ data when transferred abroad. The Ordinance should establish limits and oversight mechanisms on government powers. Rulemaking should be participatory and aligned with human rights norms to prevent abuse.
The 2025 Bangladesh Data Protection Ordinance presents a timely and critical opportunity to strengthen the protection of digital rights in an increasingly data-driven society. If implemented with a robust rights-based framework, it has the potential to enhance individual privacy, promote accountability in both public and private data handling, and support the democratic values of transparency and participatory governance. However, in its current form, the draft Ordinance raises significant concerns. The lack of clear definitions, inadequate procedural safeguards, and the concentration of unchecked powers, particularly within government and law enforcement agencies, create the risk that the Ordinance could be used to legitimize arbitrary surveillance, enable discriminatory profiling, and suppress dissent. The absence of strong protections for consent, insufficient oversight of data processing activities, and vague exemptions for state actors threatens to erode data subject autonomy and the right to informational self-determination. Moreover, without clear constraints and independent regulatory oversight, the Ordinance could become a mechanism for controlling expression online, rather than protecting it. In such an environment, individuals including journalists, activists, and members of marginalized communities, may self-censor or disengage from public discourse due to fear of reprisal, thereby chilling freedom of expression and weakening democratic participation.
As such ARTICLE 19 calls for the 2025 Bangladesh Data Protection Ordinance to be fundamentally grounded in international human rights law, with particular emphasis on the rights to privacy, freedom of expression, and access to information. This includes:
- Embedding strong legal safeguards to prevent arbitrary or disproportionate surveillance, and ensuring that any restrictions on rights are lawful, necessary, and proportionate;
- Clarifying vague or overly broad terms such as “public interest” and “operational necessity” to prevent their misuse as justifications for intrusive or discriminatory data processing;
- Ensuring the independence and transparency of the Data Protection Authority, including through secure tenure, financial autonomy, and freedom from political interference;
- Protecting the right to freely given and revocable consent without penalty, particularly in contexts involving vulnerable or marginalized groups;
- Guaranteeing procedural safeguards and redress mechanisms that are accessible, timely, and effective for individuals whose rights have been violated;
- Narrowing and precisely defining exemptions, especially those related to law enforcement and national security, and subjecting them to independent judicial or parliamentary oversight;
- Affirming the right to freedom of expression in all data governance processes, ensuring that data protection is not weaponized to suppress journalism, public criticism, or civil society advocacy;
- Establishing participatory and transparent rulemaking processes that involve civil society, technical experts, and affected communities in shaping how data protection is implemented.
ARTICLE 19 Bangladesh calls for the 2025 Bangladesh Data Protection Ordinance to be restructured to place human rights including the rights to privacy, freedom of expression, and access to information at its core. Only then can Bangladesh build a trustworthy, democratic, and rights-affirming data governance framework that serves its people.