Q1. In your opinion, does the Constitution of Bangladesh (Article 43) recognise privacy in a limited way? Does the Personal Data Protection Ordinance (PDPO) 2025 meaningfully expand that protection in practice, or does the broad exemption clause in section 24 [national security, defence, public order, public interest] neutralise it?

Answer: Firstly, Article 43 of the Constitution of Bangladesh is narrow in scope, focusing on physical intrusion and secrecy of communication rather than broader notions of informational self‑determination or data protection. Bangladeshi constitutional jurisprudence has not yet articulated an autonomous doctrine of privacy comparable to the Indian Supreme Court’s decision in the Puttaswamy case or European jurisprudence under Article 8 of the European Convention on Human Rights (ECHR). Consequently, privacy remains weakly entrenched at the constitutional level and depends heavily on legislative elaboration.

In contrast, the PDPO appears to expand protection by recognising different rights of data subjects, such as access, correction, erasure and portability, while imposing duties on data fiduciaries and extending obligations horizontally to private actors. This horizontal application marks a significant departure from Article 43, which primarily restrains state action. Formally, the PDPO operationalises privacy as a statutory right grounded in dignity, autonomy and informational control, aligning with contemporary data protection frameworks.

However, this expansion is undermined by the broad exemption regime in section 24. Processing without consent is permitted for purposes such as national security, defence, public order and the vague public interest. These categories lack precise statutory definitions, judicial authorisation or transparency obligations. International human rights law requires restrictions on privacy to meet legality, necessity and proportionality tests. Article 17 of the International Convention on Civil & Political Rights (ICCPR) prohibits arbitrary interference, while Article 8 of the ECHR allows interference only when ‘necessary in a democratic society’ and subject to safeguards. Convention 108+ similarly requires restrictions to be proportionate and accompanied by oversight by an independent supervisory authority.

By contrast, section 24 relies heavily on executive discretion. Although subsections reference proportionality and review by the National Data Governance Authority, that body itself remains institutionally dependent on the executive and subject to binding governmental directions. This weakens oversight and compromises independence. Moreover, the PDPO does not require prior judicial authorisation to invoke exemptions, nor does it mandate publication or reporting, thereby falling short of transparency norms. Moreover, the remedies are also deficient. While legal rights are recognised, individuals lack a strong pathway to challenge exemptions before the independent courts.

Unless section 24 is narrowed, subjected to judicial control, and coupled with transparency and remedies, the PDPO risks reproducing the structural weakness of Article 43 in statutory form, falling short of the standards set out by the ICCPR, the ECHR and Convention 108+.

Q2. The Ordinance contains several exemptions from its requirements as per section 24. Although it is required to apply these exemptions in a reasonable, proportionate manner to safeguard the fundamental rights and interests of the data subject, do you think there is a valid point of concern about the government agencies receiving broad powers to issue directions as they may consider necessary under interests such as state security, public order and diplomatic relations?

Answer: A substantial concern arises because sections 24, 49 and 54 of the PDPO collectively grant government agencies broad powers that can threaten data subjects’ rights, with limited safeguards. Section 24 permits processing without consent for vague interests such as national security or public order; section 49 authorises binding governmental directions to the authority on matters of sovereignty and foreign relations; and section 54 allows emergency orders without clear thresholds or limits. Although proportionality and review clauses exist, they are structurally weak because the authority itself is subordinate to government directives under section 49(2), leaving little room for independent oversight. The absence of judicial checks and the vagueness of terms such as ‘public interest’ render these exemptions expansive, raising concerns that the proportionality requirement is illusory and that these exceptions chill fundamental rights.

Q2.1. Do you think the provisions for the oversight mechanism given to the National Data Governance Authority on the occasion of exercising such exemptions under sections 24(4)-(6) are adequate to ensure transparency and accountability?

Answer: In my opinion, no, the oversight mechanism given to the National Data Governance Authority under sections 24(4)-(6) of the PDPO 2025 is not adequate to ensure transparency and accountability. This is because, although it nominally allows review of exemptions and requires proportionality, the authority itself is structurally subordinate to binding governmental directions under section 49(2). This subordination creates a conflict of interest, as the body tasked with reviewing exemptions lacks genuine independence from the very executive power issuing them.

Q3. As per section 29(5), the government will determine a fee or charge based on the annual profit of any entity benefiting from the use of data belonging to Bangladeshi citizens. What is your opinion on this? To what extent do you think it will be feasible to implement this against tech giants like Meta?

Answer: Implementing section 29(5) against major technology firms such as Meta would be highly challenging because, although the PDPO authorises the government to impose fees based on annual profits derived from the data of Bangladeshi citizens, enforcement depends on extraterritorial jurisdiction and the ability to compel disclosure of global revenue streams. In the absence of precise legal mechanisms and international cooperation, Bangladesh’s capacity to calculate and recover such fees remains severely constrained.

We need to remember that large technology companies, including Meta, Google and Amazon, have consistently challenged data-based and digital services taxation regimes across multiple jurisdictions, highlighting the political and legal complexities of revenue derived from user data.

In Italy, tax authorities issued significant VAT assessments, totalling €887.6 million against Meta, €12.5 million against X, and approximately €140 million against LinkedIn, on the basis that free user access in exchange for personal data could constitute a taxable transaction under Italian VAT law. Meta has appealed against these assessments, arguing that user registrations do not constitute a taxable event because services provided without monetary payment fall outside established VAT principles. If upheld, this case could transform the taxation of digital revenues across the EU.

Likewise, individual EU states such as France have retained digital taxes on the gross revenues of large digital platforms, including US-based firms, despite legal challenges. In September 2025, the French Constitutional Council upheld the so-called ‘GAFA tax’, rejecting claims of constitutional incompatibility and affirming national authority to tax digital revenues.

Beyond Europe, India’s experience illustrates tensions between data-based levies and international trade relations. India introduced equalisation levies on foreign digital advertising services to capture revenues generated from Indian users, but these measures drew objections from the United States on grounds of discrimination. This contributed to India’s withdrawal of the 6 per cent levy on digital advertising revenues in 2025, partly to ease trade frictions and align with emerging global tax standards.

These disputes demonstrate sustained resistance by multinational technology firms to unilateral digital taxes that attribute value to user data and digital interaction rather than physical presence. Companies such as Meta contend that such measures impose disproportionate burdens and risk double taxation, favouring multilateral solutions negotiated through the OECD’s global tax reform initiatives.

Q4. The Ordinance gives sweeping powers to the proposed National Data Management Authority, which will function under the Prime Minister’s or Chief Adviser’s Office as per section 8 of the National Data Governance Ordinance 2025. All entities will be legally bound to comply with the authority’s orders. Do you think this runs a risk of being used as a tool to silence dissent by political governments?

Answer: Yes, there is a clear risk that the National Data Management Authority could be used as a political instrument to silence dissent. Section 8 of the National Data Governance Ordinance 2025 establishes the authority as a body directly under the Prime Minister’s or the Chief Adviser’s Office, granting it binding directive powers over all entities. This design centralises immense authority within the executive branch, with no parallel safeguards in the judiciary or parliament. Although the law presents the Authority as a statutory regulator with perpetual succession and legal personality, its attachment to the executive apex means its discretion could be exercised on broad grounds, such as ‘public order’ or ‘national security’, to suppress opposition or critical voices. Comparative experience shows that centralised data regulators with weak oversight often evolve into instruments of political control rather than neutral governance bodies, undermining transparency and rights protections.

The authority’s institutional design reflects extensive regulatory, supervisory, and coercive powers, combined with structural dependence on the executive. While it can acquire property, sue, and be sued, its lack of explicit autonomy, transparent appointment procedures, and judicially reviewable limits on its directive powers heighten the risk of politicisation. In contexts where data governance intersects with surveillance and enforcement, such concentration of power could chill dissent and erode informational self‑determination.

Q5. If we apply international standards, including legality, necessity, proportionality and independent oversight, how well does this ordinance do, in your opinion?

Answer: In my view, Bangladesh’s Personal Data Protection Ordinance 2025 makes a solid effort to align with international standards like the GDPR by explicitly incorporating principles of legality through clear definitions and processing rules, necessity and proportionality in consent exceptions and exemptions (eg sections 5 and 24, which require purpose limitation and bar disproportionate impacts on rights). However, it lacks independent oversight, which is crucial for accountability and trust, as the National Data Governance and Interoperability Authority remains heavily influenced by government approvals and directives (sections 24, 49, and 53), raising risks of arbitrary enforcement and inadequate checks on broad state exemptions for national security or public order, ultimately rendering it a step forward yet insufficiently robust to fully safeguard privacy without potential abuse.

Q6. Do you think the PDPO in its present form would meet the baseline of Convention 108+, or do the broad state exemptions and executive-controlled oversight structure mean that Bangladesh could not accede to 108+ if the PDPO remains in this form?

Answer: Based on an analysis of the Personal Data Protection Ordinance 2025 against the baseline requirements of Convention 108+ (the modernised Council of Europe Convention for the Protection of Individuals concerning Automatic Processing of Personal Data), it is doubtful that Bangladesh could accede to the Convention with the Ordinance in its present form. While the Ordinance aligns with the convention on several substantive points, such as its expanded definitions of sensitive data (including genetic and biometric data), the establishment of data subject rights (access, rectification, erasure and objection to automated decisions), and the imposition of data security and breach notification obligations on controllers and processors, it fundamentally diverges on three critical structural requirements.

The broad and vaguely defined state exemptions in section 24, which permit processing without consent for expansive grounds like ‘public interest’ and ‘national security’ without mandatory independent judicial oversight, directly contravene Article 11 of Convention 108+, which requires that such restrictions be necessary and proportionate measures in a democratic society and be provided for by law.

Moreover, the oversight structure, which places the National Data Management Authority under significant executive control, where the government can issue binding directions and the Authority’s regulations require government approval, fails to guarantee the independence from political interference required of a supervisory authority under Article 15 of the convention. These deficiencies collectively undermine the convention’s core pillars of fundamental rights protection, limited state powers, and independent oversight, rendering Bangladesh unable to accede to Convention 108+ without substantial amendments.

Dr Md Toriqul Islam is an Assistant Professor, School of Law, Independent University Bangladesh (IUB).

Interviewers: Samia Rahman, Zaid Ekram.
