Bangladesh Bangladesh digital security act platform

Bangladesh Swapped the Digital Security Act for Four Ordinances and Kept the Surveillance Hooks

At DRAPAC Bangladesh 2026, regulators, civil society, UNESCO, and Meta all said the post-2024 reform left executive takedowns and state carve-outs intact.

People of Internet Research Team · 2026-05-29
Bangladesh's 2025-26 digital reform: what stayed, wh… People of Internet Research · Bangladesh 3 days Initial CSO consultation window December 2024 draft window was ext… 100+ DRAPAC Dhaka attendees Cross-sector participants at the B… Section 24 PDPO state consent carve-out Exempts the state from consent rul… 24 Dec 2025 Telecom Amendment approval Council of Advisers approved the o… peopleofinternet.com

Key Takeaways

A reform that was supposed to close the chapter

When more than 100 stakeholders gathered at the Bangladesh-China Friendship Conference Center in Dhaka on April 28, 2026 for the DRAPAC Bangladesh National Convening, the framing in the room was unusually candid. The convening — co-hosted by Digitally Right Limited and EngageMedia under the theme "Meaningfully Inclusive Policy Making" — opened with a plenary featuring Transparency International Bangladesh executive director Dr. Iftekharuzzaman, UNESCO country representative Susan Vize, BTRC Commissioner Mahmud Hossain, and Meta public policy manager Ruzan Sarwar. Their joint message was uncomfortable for a government that came to power promising to dismantle the most-criticized surveillance apparatus in South Asia: large parts of that apparatus are still in the statute book, just under new names.

The reforms the interim government actually delivered

It is worth being fair to the record before assessing the criticisms. Sheikh Hasina's Digital Security Act 2018, and its 2023 rebrand as the Cyber Security Act, were used to jail journalists and dissidents under undefined "image of the state" offences for years. The Yunus administration retired both. The Cyber Security Ordinance 2025, promulgated in May 2025, scrapped nine of the most-criticized speech offences, narrowed Section 66A so that only direct incitement to violence is criminal, and — for the first time in Bangladeshi law — codified citizens' right to internet access. The Telecommunication (Amendment) Ordinance 2025, approved by the Council of Advisers on December 24, 2025 with Chief Adviser Muhammad Yunus presiding, went further: it abolished the National Telecommunications Monitoring Centre, banned blanket internet shutdowns under a new Section 97, and folded interception capability into a quasi-judicially supervised Centre for Information Support. These are real, measurable concessions to the open-internet camp.

What the Dhaka convening said had survived

The reform stopped short, however, of what regulators, platforms, and civil society had asked for. Three carve-outs were flagged repeatedly across the DRAPAC plenaries.

Executive-led content takedown. The Cyber Security Ordinance 2025 leaves the Director General of the National Cybersecurity Agency, the BTRC, and the new National Security Operations Center with overlapping authority to demand removal or blocking of content posing "cybersecurity risks" — without a prior judicial warrant. A February 2025 joint statement from the Global Network Initiative, whose members include Meta and Google, warned that this structure grants authorities "broad power to impose restrictions on content from a wide range of service providers." Tech Global Institute and the Bangladesh Legal Aid and Services Trust reached the same conclusion, noting that the National Cyber Security Council itself sits without independent experts or civil society representation.

State carve-outs in the data law. Section 24 of the Personal Data Protection Ordinance, gazetted on November 6, 2025, exempts the government from the consent requirements that apply to every other data controller whenever access is justified by "national security, defense, public order, or crime prevention" — terms the statute does not define. Transparency International Bangladesh has highlighted the same problem in subsection 15(4). The result, as one Dhaka commentator framed it, is a law that protects you from everyone except the state.

A regulator that reports to the Prime Minister's Office. Both data ordinances place the National Data Management Authority inside the PMO. That is structurally different from the GDPR's independent supervisory authorities or India's Data Protection Board, and it means that ministries — the largest single category of data controller in the country — are policed by a body sitting inside the executive that runs them.

The process question

All four instruments were issued under Article 93(1) of the Constitution while Parliament stood dissolved. The interim government's defenders argue that waiting for an elected parliament was not an option given the post-2024 transition, and the point has weight. The criticism is narrower: a three-day initial public consultation window in December 2024, later extended to two weeks under stakeholder pressure, is not "meaningful" engagement for a four-statute package that touches every digital business in the country. Joint statements signed in February 2025 by Human Rights Watch, Access Now, ARTICLE 19, PEN International, RFK Human Rights, and Tech Global Institute documented that draft revisions arrived without explanations of which earlier comments had been adopted or rejected.

Why this matters for the open-internet case

A proportionate-regulation lens does not require treating these laws as malicious. Several provisions — incitement-only speech offences, the shutdown ban, parliamentary review of interception — are objectively better than what they replaced. The problem is that the same package retains the structural features that made the Digital Security Act dangerous in the first place: undefined trigger terms, executive-controlled removal authority, and a national-security carve-out from data protection that has no clear edge.

For an economy that has staked considerable political capital on "Smart Bangladesh," the cost of leaving those hooks in place is not abstract. Business analysis of the Cyber Security Ordinance has flagged its extraterritorial reach and criminal penalties of up to 10 years for responsible officers — provisions that foreign cloud and SaaS providers will price into market-entry decisions throughout 2026 and 2027. Localization-style language in the National Data Management ordinance, even where the Chief Adviser's ICT office insists the policy is "cloud-first," compounds the uncertainty.

A narrower fix is available

None of the critiques voiced at DRAPAC 2026 require Bangladesh to rip up its new statutes. The fixes are surgical: a prior-judicial-warrant requirement for any content removal under the Cyber Security Ordinance, a statutory definition of "national security" and "public order" inside Section 24 of the Personal Data Protection Ordinance, an independent supervisory authority moved out of the PMO, and a sunset clause that forces an elected parliament to ratify or replace the four ordinances within a defined window. Those four amendments would preserve the genuine gains of the 2025–26 reform — and remove the surveillance hooks the reform was supposed to dismantle. The DRAPAC convening was, in effect, a reminder that the interim government's moral capital to make those changes does not last forever.

Sources & Citations

  1. Digitally Right — DRAPAC Bangladesh National Convening 2026
  2. BSS — Council of Advisers approves Telecommunication Amendment Ordinance 2025
  3. Human Rights Watch — Joint Statement on Emerging Digital Laws in Bangladesh (Feb 25, 2025)
  4. Global Network Initiative — Statement on Recent Digital Regulations in Bangladesh (Feb 3, 2025)
  5. Tech Global Institute & BLAST — Joint Statement on Cyber Security Ordinance 2025
  6. Prothom Alo — Personal Data Protection Ordinance: Section 24 misuse risk
  7. Mondaq — Cyber Security Ordinance 2025: Implications for Businesses in Bangladesh