A Landmark Law, on Paper
Bangladesh's Personal Data Protection Ordinance, 2025 (Ordinance No. 61 of 2025) opens with real ambition. Promulgated by presidential order on 6 November 2025, while parliament stood dissolved, it declares that personal data is an individual's "property," conditions processing on freely given consent, and — in Section 17 — requires "appropriate technical and organizational measures," including encryption and pseudonymization, to secure it. This ordinance is the legal architecture underlying what industry trackers now refer to as the Personal Data Protection Act, 2026. For a country that had no general data protection statute before this, that is a genuine advance, and critics of the law should acknowledge it as one.
The strongest case for the law's cautious structure is straightforward: Bangladesh needed some statutory floor, and getting sovereign, sector-spanning data rules onto the books in under a year — with clauses on retention limits, mandatory audits, and a named regulator — is faster than most developing-economy legislatures manage. Phasing in enforcement muscle gradually, rather than importing GDPR-scale penalties overnight, is also a defensible sequencing choice in an economy where compliance costs land hardest on small digital businesses.
But an investigative report from The Daily Star, published 8 July 2026, argues the law's substance doesn't match its ambition — and two live cases make that argument concrete.
The Notification Gap
Section 20(1) of the ordinance does contain a breach clause: if a breach is "likely to cause significant damage" to a data subject, the controller "shall notify the Authority... in the form, manner and within the time limit prescribed by the regulations." Read closely, that clause has two holes. First, notification runs only to the regulator — the National Data Management Authority (NDMA) — with no parallel duty to tell the affected customers. Compare the EU's GDPR, which requires notice to the supervisory authority within 72 hours and, for high-risk breaches, direct notice to individuals "without undue delay." Second, the Bangladeshi timeline doesn't actually exist yet: it's deferred entirely to regulations the government has yet to issue.
That gap isn't theoretical. In 2025, hackers breached the customer database of Shwapno, one of Bangladesh's largest supermarket chains, exposing the names, phone numbers and purchase histories of roughly 40 lakh (4 million) registered customers. Shwapno was under no legal obligation to tell any of them — and didn't, until the stolen data surfaced publicly and the breach became a news story rather than a regulatory filing. Breach, silence, public leak, retroactive scandal: that is precisely the sequence mandatory notification regimes exist to prevent.
Enforcement That Can't Reach the State
The second failure is structural. The NDMA is not an independent regulator on the model of the EU's national data protection authorities; it is, per its enabling National Data Management Ordinance, an authority housed within the machinery of executive government, tasked with everything from drafting national data policy to running a "National Source Code Repository." An agency that answers up through the same executive branch it is meant to police has an obvious conflict of interest whenever the violator is a government body rather than a private company.
That conflict sits at the center of the second case the Daily Star cites. A Bangladesh Election Commission probe found that five organisations with authorised API access to the National Identity (NID) database — the Directorate General of Health Services, a private bank's mobile-money arm (UCB's Upay), the Chittagong Port Authority, the Department of Women Affairs, and the finance ministry's budget-accounting system — had passed citizens' NID data to third parties without the Commission's knowledge. The Commission issued show-cause notices and opened an inquiry into whether the leaks were negligent or deliberate. None of that response came from the NDMA, and none of it happened under the Personal Data Protection Act's breach provisions — because there is little reason to expect a Prime Minister's Office-housed authority to aggressively investigate a government health directorate or a ministry's own accounting system. Separate research from the Tech Global Institute mapped how the underlying problem runs deeper still: informal "shadow" copies of NID-linked data proliferate across agencies "outside robust logging, deletion schedules, and audit baselines" — a governance gap the Act does nothing to close.
The Fix Is an Arm's-Length Regulator, Not More Paperwork
None of this argues for scrapping the ordinance's cautious approach or grafting GDPR-scale fines onto Bangladeshi firms overnight — that would burden the same small digital businesses the law's drafters were right to shield from over-compliance. The fix is narrower: give the NDMA statutory independence comparable to the auditor role already written into Section 21 of the ordinance — insulated appointment terms, budget authority outside the PM's Office line, and explicit jurisdiction to investigate government data-fiduciaries — and add a direct-to-consumer notification trigger with a concrete deadline, rather than one deferred indefinitely to unwritten regulations. Bangladesh doesn't need to copy the EU's 72-hour rule verbatim, but it needs a number, and a regulator whose findings about a government leak carry the same weight as its findings about a supermarket chain. Right now, the law asks citizens to trust that the state will investigate itself; the Shwapno and NID cases show why that trust is currently unearned.