The enactment of Personal Data Protection Act, 2026 marks a significant development in data governance in Bangladesh. As digital technologies become increasingly integrated into everyday life, the collection, processing, and storage of personal data by both public and private actors have expanded considerably. The Act seeks to address these concerns by providing a legal framework for the protection of personal information and the recognition of individual privacy rights. In this regard, the Act constitutes an important step towards strengthening data governance in Bangladesh.
A major strength of the Act lies in its consent-centric approach to data processing. The legislation generally requires the consent of the data subject before personal data may be collected or processed. Furthermore, the introduction of financial penalties for non-compliance also reflects an effort to enhance accountability among entities handling personal information. Collectively, these provisions demonstrate a rights based approach to data protection and align Bangladesh more closely with contemporary international developments in privacy law. Nevertheless, in a context where digital literacy remains relatively limited, concerns may be raised regarding the extent to which consent can consistently be regarded as informed and meaningful.
Despite these advancements, important concerns remain regarding certain aspects of the Act. One of the principal concerns is the lack of institutional independence of the National Data Management Authority, which is responsible for the implementation and enforcement of the Act. The effectiveness of any data protection framework depends substantially upon the existence of an independent regulatory authority capable of exercising oversight free from political or administrative influence. However, the National Data Management Authority operates under the Prime Minister's Office. This institutional arrangement raises legitimate questions regarding its ability to function as an autonomous regulator, particularly in matters involving governmental agencies. The importance of regulatory independence is widely recognized in contemporary data protection frameworks. Under the European Union's General Data Protection Regulation (GDPR), supervisory authorities are required to act with complete independence in the performance of their duties.
Another significant concern relates to the exemptions provided under Section 24 of the Act. The provision allows personal data to be processed without the consent of the data subject on grounds such as national security, public order, public interest, and crime prevention. Although such exemptions are common in data protection legislation, the breadth of the language employed in Section 24 raises important concerns. In the absence of clearly defined limits and safeguards, there remains a risk that these exceptions may undermine the privacy protections that the Act seeks to establish.
The Personal Data Protection Act, 2026 lays an important foundation for
privacy protection in Bangladesh, but effective data protection requires
more than the legal recognition of rights. It requires strong
safeguards, clear limits on exceptions, and independent oversight to
ensure that privacy is protected in practice.
The concern becomes greater because the Act does not clearly explain when these exemptions can be used. Terms such as national security, public order, and public interest are broad and open to interpretation. Without clear definitions, it becomes difficult to determine the limits of these powers. The Act also does not provide strong safeguards, such as independent oversight or clear standards to ensure that exemptions are used only when genuinely necessary. This creates uncertainty and raises concerns that exceptions intended for limited situations could be applied more widely than intended. The absence of such protections creates a risk that the exceptions contained in Section 24 may, in practice, undermine the rights and guarantees established elsewhere in the legislation. While the provision includes certain restrictions intended to prevent misuse, these safeguards may be insufficient to ensure that exemptions remain exceptional in nature. Consequently, concerns persist that the broad discretionary powers afforded under Section 24 could weaken the overall effectiveness of the data protection framework.
However, The Personal Data Protection Act, 2026 lays an important foundation for privacy protection in Bangladesh, but effective data protection requires more than the legal recognition of rights. It requires strong safeguards, clear limits on exceptions, and independent oversight to ensure that privacy is protected in practice.
The writer is a student, Department of Law, Bangladesh University of Professionals
