Support Centre



Law: There is no general personal data protection law.

Regulator: There is no data protection authority.

Summary: Whilst there is no general data protection law in Bangladesh, the Constitution of the People's Republic of Bangladesh provides a right to privacy of correspondence and other means of communication. In addition, the Information Communication Technology Act 2006 (only available in Bengali here) ('the ICT Act'), and Digital Security Act 2018 contain provision related to cybersecurity and data protection including personal information protection in relation critical information infrastructure, digital devices, and computer systems. Sectoral legislation in the field of finance also provides data retention requirements, restrictions on data transfers, and data localisation requirements.

On July 24, 2023, the Department of Information and Communication Technology released, a draft Data Protection Act 2023 (only available in Bengali here) ('Draft Law') which applies to the processing of personal data of the residents of Bangladesh and to data processing that is not carried out in Bangladesh, but offers goods and services to the residents of Bangladesh. In addition, the Draft Law establishes obligations for data controllers and processors such as requirements associated with data security, conducting Data Protection Impact Assessments ('DPIA'), and Data Protection by Design. Furthermore, the Draft Law outlines data processing principles, provisions on data collection, data retention requirements, rights of data subjects, data transfers, data storage, penalties, among other things.


In this Insight article, Asif Hasan and Alfaed Salahuddin, from Tanjib Alam and Associates, explore the key provisions of the proposed draft Data Protection Act, 2023 (the Bill), emphasizing its aim to address the longstanding need for robust supervision of individual data protection and processing within and outside Bangladesh.

The Department of Information and Communication Technology released, on 16 July 2022, the draft Data Protection Act, 20221 ('the Act'). The Act introduces consent requirements, data subject rights, data localisation requirements, and rules on cross-border data transfers, as well as a new independent agency to act as a data protection supervisory authority, called the Data Protection Office. In this Insight article, OneTrust DataGuidance spotlights what businesses should be aware of, and outlines the key provisions of the Act, with expert commentary and insights provided by Tanim Hussain Shawon, Partner at Dr Kamal Hossain & Associates, as assisted by Saraf Farhin Choudhury, Research Associate at Dr Kamal Hossain & Associates.

Bangladesh has yet to enact a comprehensive data protection or privacy legislation with a general scope. While the Bangladesh Telecommunication Regulatory Act 2001, the Information and Communication Technology Act 2006 ('the ICT Act'), and the Digital Security Act 2018 ('DSA') contain sporadic provisions on protection of personal data preserved in an electronic form, a law to govern data protection issues generally is still in the process of being formulated. Tanim Hussain Shawon, Partner at Dr. Kamal Hossain & Associates, discusses these initiatives and their progress.