No comprehensive data-protection law; cross-border flows

Close Bangladesh's Data Sovereignty Gap: Enact a Data-Protection Law and Govern Cross-Border Flows

Diagnosis

Bangladesh has no comprehensive data-protection law, and personal and economic data move across borders without a governing framework. That is the core of the data sovereignty gap. The absence is not a technical footnote; it is a structural vulnerability. Without a statute, there is no enforceable standard for how government agencies, banks, telecoms, hospitals, and platforms collect, store, process, and transfer citizens' data, and no recourse when that data is exposed, sold, or moved offshore. Cross-border flows compound the problem: data generated in Bangladesh is routinely stored and processed in foreign jurisdictions whose laws Bangladesh cannot enforce, which means the country has limited legal claim over its own citizens' records, no leverage in a breach, and weak standing in trade and digital-services negotiations.

This matters now because the policy vacuum is the binding constraint. Every digital public service, every fintech rollout, and every AI or analytics initiative being built on top of citizen data is being built on unprotected ground. The longer the gap persists, the more entrenched ungoverned data practices become, and the harder retrofitting protection later will be. A law passed before the next wave of digitalization shapes that wave; a law passed after it merely cleans up.

Recommended actions

  1. Draft and table a comprehensive Data Protection Act. Owner: ICT Division (ICTD). Mechanism: a single primary statute defining personal data, lawful bases for processing, data-subject rights (access, correction, deletion), breach-notification duties, and penalties, drafted with the Ministry of Science and Technology and tabled in Parliament. Signal it is working: a published draft bill open for public consultation, then enactment.
  2. Establish an independent data-protection regulator. Owner: ICTD, with the regulator made statutorily independent in the Act itself. Mechanism: a dedicated authority with investigation, audit, and enforcement powers, not a unit inside a line ministry. Signal: the authority is constituted, staffed, and publishes its first enforcement guidance.
  3. Set rules for cross-border data transfers. Owner: ICTD. Mechanism: a transfer framework issued by circular under the Act, specifying which categories of data may leave the country, adequacy or contractual safeguards required for foreign processors, and localization for defined sensitive categories (citizen identity, health, financial). Signal: a published transfer schedule and a register of approved foreign processors.
  4. Set baseline security and classification standards for state-held data. Owner: Bangladesh Computer Council, under ICTD. Mechanism: mandatory data-classification and minimum-security standards for all government systems, enforced as a condition of system accreditation. Signal: agencies certify compliance and breach reporting begins flowing to the regulator.
  5. Make data-protection compliance a condition of Hi-Tech Park tenancy and incentives. Owner: Bangladesh Hi-Tech Park Authority, under ICTD. Mechanism: write compliance into tenancy agreements and fiscal-incentive eligibility for firms processing citizen data. Signal: compliance clauses appear in new and renewed agreements.

Sequencing (first 12 months)

Start with the draft Act, because nothing else is enforceable without it. ICTD leads drafting with the Ministry of Science and Technology and opens public consultation. In parallel, design the independent regulator's mandate inside the bill so the institution is born with the law, not bolted on years later. Once the statutory shell exists, the Bangladesh Computer Council can begin baseline security and classification standards for state systems, and the cross-border transfer framework can be drafted as implementing rules. The Hi-Tech Park Authority lever comes last in the year, once compliance obligations are defined enough to reference in contracts. Passing the enabling law first unlocks every downstream rule, regulator, and standard.

Risks and constraints

The binding constraint is political will to create a genuinely independent regulator. A statute that places enforcement inside a line ministry reproduces the gap under a new name. Cross-border localization rules will draw resistance from firms that depend on offshore processing and from trade counterparts, so the transfer framework must distinguish sensitive categories from routine flows to avoid blanket localization that raises costs without raising protection. Fiscally, standing up an independent authority with real audit capacity requires a dedicated budget line; an under-resourced regulator is a paper one.

Bottom line

Bangladesh's data sovereignty gap is fundamentally a legislative vacuum, not a technology problem, and the highest-leverage move is for the ICT Division to enact a comprehensive Data Protection Act with an independent regulator before further digitalization locks in ungoverned practices. Sequence the law first, the regulator inside it, and cross-border transfer rules and security standards as its implementing machinery.

Grounded facts

The figures and responsible bodies cited in this prescription are drawn from the platform's own data and the GovTwin registry listed below.

  • Lead responsible government body: ICT Division (ICTD) [GovTwin entity registry]

Drafted by an Opus writer grounded in the facts above. Where the prescription cites a figure, it is drawn from those facts. The diagnosis derives from the BDPolicyLab crisis taxonomy; the responsible body and budget from the GovTwin registry. Recommended actions are the think tank's policy judgment.