Same Speech Code, New Letterhead
On April 10, 2026, the Jatiya Sangsad passed 24 ordinances into permanent law in a single sitting — among them the Cyber Protection Act 2026. According to the state news agency BSS, most were waved through by voice vote, without amendment proposals or substantive debate. The Act, originally promulgated as the Cyber Protection Ordinance by the interim government, joins 90 other texts that Parliament ratified within the 30-day window Article 93 of the Constitution requires for its first session.
There is a real case for fresh national cyber legislation in Bangladesh. The Digital Security Act 2018 and its rebranded successor, the Cyber Security Act 2023, had become bywords for political prosecution — Amnesty International counted at least ten cases filed under the CSA against people who allegedly defamed former Prime Minister Sheikh Hasina within six months of enactment, and arrests of Facebook critics and cartoonists continued into mid-2024. Repealing those laws was an interim-government priority that civil society itself had asked for. A statute is also genuinely needed to prosecute CSAM, hacking of critical infrastructure, financial fraud, and identity theft.
The trouble is that the law Parliament has now codified retains most of the speech-restricting architecture of its predecessors while delivering little new firepower against the platform harms — coordinated harassment, deepfake-driven defamation, viral falsehoods — that actually plague Bangladeshi users.
What Survived the Rebrand
Amnesty's August 2024 audit of the Cyber Security Act 2023 found that 58 of 62 Digital Security Act provisions had been kept — 28 verbatim and 25 with cosmetic edits. The Cyber Protection Ordinance that became this Act trimmed a few further but, as Front Line Defenders documented on January 15, 2025, the most problematic sections remained:
- Section 25 criminalises transmitting information "with intent to insult, harass or defame" — language wide enough to swallow ordinary political commentary.
- Section 26 punishes content that hurts "religious sentiments," a standard the UN Human Rights Committee has repeatedly said is incompatible with ICCPR Article 19.
- Section 8 lets the Bangladesh Telecommunication Regulatory Commission order content takedowns on grounds of "national unity," "security," or "religious values" without prior judicial review.
- Section 35 permits warrantless searches and arrests, with only loose tribunal-reporting requirements.
- Section 46 designates several offences as non-bailable, mandating automatic pre-trial detention.
A June 2022 OHCHR Technical Note to the Government of Bangladesh had recommended repeal or substantial amendment of nine specific sections of the DSA — 8, 21, 27, 28, 29, 31, 32, 43, and 53 — most dealing with vague speech offences carrying disproportionate penalties, including life imprisonment for repeat offences. As Amnesty notes, only one of those nine recommendations was meaningfully adopted when the DSA was rebadged as the CSA, and the 2026 enactment carries that same scorecard forward.
A February 25, 2025 joint statement by Human Rights Watch, Access Now, ARTICLE 19, PEN International, RFK Human Rights, and Tech Global Institute pointed out that terms such as "obscene video" and "sexual harassment" — each carrying multi-year sentences — remain undefined in the ordinance. "Cyber terrorism" is drafted broadly enough to cover "accessing or obstructing digital systems" affecting national security, with up to ten years' imprisonment attached. Police can intercept communications or obtain traffic data on "reasons to believe" an offence has occurred. None of this was tightened before passage.
What's Missing on the Platform-Harms Side
What is most striking is what the new Act does not do. Local cyber experts told Dhaka's Daily Sun, in coverage of the April vote, that there is no specific offence for sustained, targeted cyberbullying of an individual; no liability framework for AI-generated impersonation or face-swap defamation; and no civil remedy when a coordinated rumour campaign destroys a business reputation. The cyberbullying definition that does exist — "harming reputation or mental health" by threats, intimidation, or "spreading rumours" — is so wide it works mainly as another speech offence than as a tool to shield users from genuine pile-ons.
The Act also offers little on platform accountability. There are no transparency-reporting duties, no systemic-risk assessment obligations for large platforms, no mandated user-redress channels, and no due-process scaffolding around takedown orders — the building blocks that the EU Digital Services Act, the UK Online Safety Act, and India's IT Rules have all (with their own flaws) attempted. Instead, BTRC and a new National Cyber Security Agency get content-blocking powers that operate against speech, not against platform design.
The Proportionality Test the Act Doesn't Pass
The right regulatory move in Bangladesh's position is the inverse of what got enacted: narrow the speech offences, expand the platform duties. A proportionate statute would decriminalise defamation as the UN Human Rights Committee has repeatedly urged, require judicial warrants for interception and takedown, define "cyber terrorism" tightly enough that it cannot reach a sarcastic Facebook post, and shift the regulatory load toward measurable, auditable obligations on dominant platforms — notice-and-action timelines, appeal mechanisms, periodic transparency reports.
Tech Policy Press has documented at least 34 internet shutdowns in Bangladesh since 2012, including the regime-ending blackouts of July–August 2024. A cyber law that leaves the legal basis for such shutdowns intact, and adds new content-blocking power to a new agency reporting to the Prime Minister, is moving the country the wrong way even when the current Prime Minister is a reformer. Laws outlast governments. The Cyber Protection Act 2026 was an opportunity to write one the next government cannot easily weaponise. Parliament chose, instead, to ratify the version the previous regime would have written for itself.