Bangladesh has joined the growing number of nations implementing comprehensive data protection legislation. On November 6, 2025, the country's president formally enacted the Personal Data Protection Ordinance (PDPO), establishing a regulatory framework that borrows from European models while incorporating distinctive requirements tailored to local priorities.

The ordinance took immediate effect on its publication date, with limited exceptions. Provisions concerning the Chief Data Officer appointment and certain enforcement mechanisms will activate 18 months later, giving authorities time to establish the necessary institutional infrastructure.

Jurisdictional Reach and Scope

The PDPO applies extraterritorially, extending beyond Bangladesh's physical borders in ways that mirror the European Union's General Data Protection Regulation (GDPR). Domestic data processing activities fall under the law's purview, naturally. More significantly, foreign entities also face compliance obligations when their processing activities involve offering goods or services to individuals located in Bangladesh, or when they monitor or profile such individuals.

One unusual feature distinguishes the PDPO from most comparable legislation: its definition of data subject encompasses deceased individuals. Personal information belonging to someone who has died remains protected under the ordinance, with heirs or legal representatives potentially exercising rights on behalf of the deceased. This approach reflects cultural values around posthumous dignity but creates practical complications for long-term data retention and deletion obligations.

Age Thresholds for Minors

The ordinance sets the threshold for childhood at 18 years, requiring parental consent for processing minors' data below that age. This represents a more protective stance than the GDPR, which establishes 16 as the default digital consent age while permitting member states to lower it to 13.

Organizations operating across multiple jurisdictions must now navigate varying age requirements—16 in most EU countries, 13 in some, 18 in Bangladesh. This fragmentation complicates global platform operations and necessitates jurisdiction-specific consent mechanisms.

Lawful Basis for Processing

Article 5 of the PDPO establishes consent as the primary lawful basis for processing personal data. However, the law enumerates specific scenarios where processing may proceed without consent: contractual necessity, establishing legal claims or defenses, vital interests protecting life or health, employment and social security obligations, and information the data subject has voluntarily made public.

This contrasts with the GDPR's approach. European law lists six distinct legal bases with relatively equal standing: consent, contract, legal obligation, vital interests, public interest, and legitimate interests. That final category—legitimate interests—functions as a flexible catch-all allowing organizations to process data when they can demonstrate a valid business reason that doesn't override individual rights.

The absence of a comparable legitimate interests provision in Bangladesh's framework means organizations will rely more heavily on explicit consent or must fit their activities within the narrower statutory exemptions. This shift could prove operationally challenging for businesses accustomed to GDPR's more flexible approach.

Automated Data Correction Mechanism

Perhaps the most technically ambitious provision appears in Article 14, which establishes an automated synchronization system for data corrections. When a data subject updates core information—an address change, for instance—the correction must propagate automatically across all secondary data trustees (analogous to GDPR data processors) who maintain copies of that information.

Moreover, all such changes must be recorded in an immutable ledger, with blockchain technology explicitly mentioned as a suitable implementation. This requirement envisions a national-scale technical infrastructure that doesn't currently exist. If a person updates their address with one government agency, that change should cascade to banks, utilities, and other organizations maintaining their records.

The GDPR guarantees a right to rectification and requires controllers to notify recipients of corrected data, but it imposes no obligation to build interconnected technical systems for automatic propagation. Bangladesh's approach is far more prescriptive and technologically deterministic.

Whether this vision proves achievable remains uncertain. Building and maintaining such infrastructure demands substantial investment and technical coordination across public and private sectors. The timeline for implementation and the consequences of non-compliance remain unclear.

Sensitive Data Categories and Processing

The PDPO's definition of sensitive data extends beyond traditional categories. While it includes biometric information, genetic data, health records, and political beliefs—standard fare in most data protection regimes—it also encompasses real-time geolocation and criminal allegations.

Article 7 requires explicit consent for sensitive data processing but carves out exceptions for contractual necessity, employment law obligations, medical emergencies, legal requirements, and information the data subject has disclosed publicly.

The GDPR adopts a more restrictive default position, prohibiting processing of special category data unless specific conditions apply, such as explicit consent, vital interests, or public health purposes. The two frameworks reach similar outcomes through different architectures—one permissive with exceptions, the other prohibitive with exemptions.

Data Localization Requirements

Article 29 introduces mandatory data localization provisions that diverge sharply from the GDPR's approach. Any organization storing Bangladeshi personal data on foreign cloud infrastructure must maintain at least one synchronized real-time copy within Bangladesh's borders.

Furthermore, the government reserves authority to order cessation of foreign cloud services within 60 days if authorities determine such services threaten national interests. This provision grants considerable discretionary power with limited procedural safeguards or appeal mechanisms.

Cross-border transfers face additional scrutiny. While the ordinance permits international data flows when the data subject consents, when transfers are contractually necessary, or when they serve the subject's interests in education, commerce, or immigration, bulk transfers of sensitive identifiers require advance regulatory approval.

Sensitive identifiers subject to this heightened scrutiny include fingerprints, DNA profiles, national identity card numbers, and passport numbers. Organizations planning large-scale international transfers of such data must notify and obtain permission from regulatory authorities before proceeding.

The GDPR contains no localization mandate. It permits cross-border transfers to jurisdictions deemed adequate, or when appropriate safeguards like standard contractual clauses are implemented, or under specific derogations for particular situations.

Bangladesh's approach reflects concerns about data sovereignty and national security common among emerging digital economies. However, localization requirements impose infrastructure costs, potentially disadvantage smaller players lacking resources for duplicate systems, and may conflict with cloud computing's fundamental architecture.

Data Tax Provision

Article 29 also introduces a novel concept: government authority to levy fees on commercial profits derived from Bangladeshi citizens' personal data. The specifics remain undefined—how profits will be calculated, what rates will apply, and how enforcement will function.

This represents uncharted territory in data protection law. While the concept of data having economic value is widely recognized, few jurisdictions have attempted to directly tax that value. The provision could be interpreted as recognizing citizens' collective ownership stake in their aggregated data or as simply a revenue-generation mechanism.

Implementation challenges are considerable. Determining what portion of corporate profits derives specifically from Bangladeshi user data, as opposed to technology, infrastructure, human capital, or users in other jurisdictions, presents thorny accounting questions. Multinational platforms may face incentives to attribute profits elsewhere.

Mandatory External Audits

The PDPO requires certain categories of data trustees to engage independent, government-authorized auditors to conduct reviews within timeframes specified by authorities. This mandates third-party verification rather than leaving compliance monitoring solely to regulatory inspection.

The GDPR encourages but doesn't mandate external audits, instead requiring internal data protection impact assessments for high-risk processing and maintaining records of processing activities. Codes of conduct and certification mechanisms exist but remain voluntary.

Mandatory auditing could enhance compliance transparency and identify issues before they escalate into breaches. However, it also raises questions about auditor qualifications, potential conflicts of interest, and costs that may disproportionately burden smaller organizations.

Delayed Enforcement Provisions

While most PDPO provisions took effect immediately upon publication, enforcement mechanisms face an 18-month delay. Sections covering the Chief Data Officer appointment and the complaint, investigation, and penalty procedures won't activate until May 2027.

This grace period acknowledges that institutional capacity must be built before enforcement begins. Authorities need time to appoint leadership, establish processes, hire staff, and develop operational procedures. Organizations gain a window to achieve compliance before facing potential penalties.

However, the split implementation timeline creates an awkward interim period where obligations exist but enforcement mechanisms don't. The practical implications remain to be seen—whether this fosters voluntary compliance or creates a temporary enforcement vacuum.

Implications for Global Operations

Organizations with Bangladeshi users or operations face new compliance obligations that may conflict with approaches optimized for GDPR or other frameworks. Key challenges include:

Technical infrastructure: The automated correction synchronization and localization requirements demand architectural decisions and potentially significant investment.

Legal basis mapping: The absence of legitimate interests as a catch-all legal basis requires more careful analysis of specific statutory exemptions or greater reliance on consent mechanisms.

Cross-border data flows: Localization mandates and approval requirements for bulk sensitive data transfers complicate cloud architecture and international business processes.

Audit preparation: Organizations must identify whether they fall into categories requiring mandatory external audits and budget accordingly.

The emerging pattern is clear: data protection law continues fragmenting along national lines despite common ancestry in European models. What began as convergence around GDPR principles is evolving into divergence as countries adapt frameworks to local priorities, capacities, and concerns.

For multinational organizations, this means increasing compliance complexity, higher operational costs, and difficult tradeoffs between global efficiency and local requirements. The days of one-size-fits-all approaches to data governance are definitively over.

Source: ICTD

Author

Editorial Team
The Editorial Team at Security Land comprises experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.