MitKat Special Report –

Bangladesh’s Data
Protection Act and
its Implications

28 April 2023
MitKat Advisory Services Pvt. Ltd.
Contents
Introduction ....................................................................................................................................................... 3
Background ........................................................................................................................................................ 4
Why is the Data Protection Act Necessary in Bangladesh? ............................................................................ 5
Core Principles of Data Processing Under DPA ............................................................................................... 6
What is at Stake? Analyzing the Concerns of DPA .......................................................................................... 7
Scope and Applicability ................................................................................................................................ 7
Data Localization and Surveillance .............................................................................................................. 8
Independence of Data Authority ................................................................................................................. 8
Effects on the Free Flow of Data and Development .................................................................................. 8
Global Concerns ........................................................................................................................................... 8
Human Rights and Freedom of Expression ................................................................................................. 9
Increasing Authority of the Executive .......................................................................................................10
Comparative Analysis of Bangladesh’s DPA and India's Digital Data Protection Bill 2022 (DDPB) .............11
Impact of Data Protection Act on 2023 Presidential Elections .....................................................................12
Impact on businesses ......................................................................................................................................13
Conclusion .......................................................................................................................................................15
Author Profile .............................................................................................................................................16
Contact Us........................................................................................................................................................17

Bangladesh Data Protection Act and its Implications Page 2 of 17

Introduction
Over the past decade, Bangladesh has made significant strides in its goal of becoming a ‘digital’ economy.
The Digital Bangladesh Vision, declared on 12 December 2008 by Prime Minister Sheikh Hasina brought
about significant improvements for the economic, educational, and social inequality factors that
determine the digital divide, including income, access to digitized services, and socioeconomic factors.
Since then, Bangladesh has implemented a set of policy initiatives for a thriving digital economy. The
2022 Draft Data Protection Act (DPA), which establishes new restrictions related to the processing,
storage, and transfer of data, appears to move digital governance in a different direction.

The concept of data privacy and the underlying rights and requirements for data protection are new in
Bangladesh. However, they have never been more crucial than in the current era of fast technological
advancement, social networking, cybercrime, artificial intelligence, electronic communication, and rising
consumer/user awareness. Data protection is the body of privacy laws, rules, and practices designed to
reduce the invasion of one's privacy by collecting, storing, and disseminating personal information.
Privacy rights set out the fundamental parameters for data protection and privacy. The Information
Communication Technology Act of 2006 (the Technology Act), the Digital Security Act of 2018 (the Digital
Security Act), and the Constitution of Bangladesh provide the fundamental framework for such data
protection and privacy.

The Government of Bangladesh has drafted a data protection and localization law (draft data protection
act, DPA), which, once enacted, will be the first data privacy law in Bangladesh. Broadly, the draft DPA
sets out the rights and obligations of data subjects, data controllers and data processors, with provisions
on notice-and-consent requirements, collection methods, recordkeeping, data correction and erasure,
data breach notifications, and data audits.

Bangladesh's digital governance is approaching a different path due to the 2022 Draft Data Protection
Act (DPA), which places additional constraints on processing, storing, and transferring data. The DPA is
the first proposed data privacy law in Bangladesh and comes following several years of new digital
privacy regulations being implemented globally. The bill's provisions have drawn criticism because of
their limitations on e-commerce and the lack of safeguards built for the government's enforcement
authority. The proposed Data Protection Act (DPA) has also caused significant domestic and international
business and human rights concerns. Data classification is poorly defined in the current law, and privacy
is not defined following international norms.

Bangladesh Data Protection Act and its Implications Page 3 of 17

Background
The official purpose of the DPA is to provide enhanced data security in Bangladesh through new provisions
on the processing of their data. The key features of the 2022 draft bill include the introduction of consent
requirements and other data-subject rights, mandates for local data storage, restrictions on personal-data
transfers outside of Bangladesh, and the establishment of a data-protection office. However, despite the
stated objective of data privacy provision, the draft DPA lacks an explicit definition of the data to which it
applies. The ambiguous outline for data is likely to lead to business uncertainty regarding compliance,
which might affect foreign investment opportunities.

Further, some of the costliest provisions in the DPA concern data-localization requirements and data-flow
restrictions. Section 42 of the Act mandates that all consumer (“user created”) data be stored on servers
within Bangladesh. This requirement is likely to create cost burdens for foreign firms that are providing
services to Bangladesh’s fast-growing consumer market. Additionally, Section 43 of the Act prohibits the
transfer of consumer data outside of Bangladesh without the authorization of the government, a
requirement that significantly impedes many forms of digital trade.

DPA grants the government extraordinary enforcement powers through interconnected regulatory bodies
previously established by the controversial Digital Security Act of 2018. Under Section 35 of DPA, the Data
Protection Office which is the enforcement body of the DPA can be established. However, the Digital
Security Agency, established under the Digital Security Act of 2018, will exert direct control over the Data
Protection Office, with the director general of the Digital Security Agency acting as the head of the Data
Protection Office. Besides these provisions, concerns regarding the government’s enforcement authority
are also due to the ambiguous terms in the draft law. This is because under Section 63 of the draft, it has
been stated that the government has the power to issue directions to the director general of the Data
Protection Office “in the interest of the sovereignty and integrity of Bangladesh, the security of the State,
friendly relations with foreign States or public order”. The terms “sovereignty and integrity,” “security,”
and “friendly relations” are again ambiguous and not defined in the act, which means that the government
has the authority to effectively enforce the DPA as per their convenience.

A report published by United Nations Conference on Trade and Development (UNCTAD) stated that
Bangladesh's information and communication technology (ICT) industry has experienced a remarkable
yearly growth rate of 40 percent since the start of the Digital Bangladesh program in 2010. The local ICT
market is now estimated to be worth USD 1.54 billion. Currently, the industry employs more than 400,000
individuals and around 4,500 businesses. ICT exports doubled to USD 1.4 billion in 2019–2020, according
to the Bangladesh Association of Software & Information Services (BASIS), over the previous five years.

Bangladesh's government is attempting to regulate the ICT industry to safeguard the interests of many
stakeholders, including individuals, the government, and law enforcement agencies (LEA), mainly through

Bangladesh Data Protection Act and its Implications Page 4 of 17

privacy and data protection laws as the country's digital economy and trade continue to grow. Such
regulatory measures demand, among other things, that the data be gathered, transferred, processed, and
stored in a way that protects the privacy of the individuals to whom that data belongs. To achieve this,
many governments worldwide view data localisation as one such provision. This need implies limiting data
transfers to foreign nations while requiring data storage and processing inside of national borders.

The Bangladeshi government has been steadily adopting data control over the past few years through laws
like the Digital Security Act of 2018 and the ICT Act of 2018. The Bangladesh government has proposed a
Draft Data Protection Act. The Act aims to protect people's rights to their lives, property, freedom of
expression, and conscience, focusing on their right to secrecy, privacy, and identification. This law will serve
as a statutory framework for data protection and privacy in the nation.

Why is the Data Protection Act Necessary in

Bangladesh?
As social and economic activities in Bangladesh are being carried out online with the success in
digitalization, concerns over the collection, use and sharing of personal information to third parties without
the notice or consent of consumers have equally grown. The United Nations Conference on Trade and
Development's (UNCTAD) tracker data revealed that 137 out of 194 countries have put in place legislation
to secure the protection of data and privacy.

Cyberlaw adoption in developed, developing and least developed countries, 2020

Source: UNCTAD Calculations

Bangladesh Data Protection Act and its Implications Page 5 of 17

Bangladesh is one of the countries with no personal data protection law. However, the 2022 Data
Protection Act (DPA) which establishes new restrictions to the processing, storage, and transfer of data
appears to move digital governance of Bangladesh in a new direction.

Broadly, the draft DPA outlines the rights and obligations of data subjects, data controllers and data
processors, with provisions on notice-and-consent requirements, collection methods, recordkeeping, data
correction, data breach notifications, and data audits. As the preamble of the draft DPA recapitulates, the
law is intended to safeguard personal data as to life, property, freedom of thought, expression, conscience,
with special regard to their right to privacy, secrecy, personal identity. Besides, the law is stimulated by the
global developments in privacy rules, which in turn is being shaped by the constantly evolving technologies
and the exponential growth in data generation and online activity all over the world.

Core Principles of Data Processing Under DPA

While a definition for personal data is lacking from the Act, ‘sensitive data’ has been mentioned including
financial, commercial, health, genetic, biometric data, and any other data as may be prescribed. The
sensitive data, user created or generated data and classified data will be stored in Bangladesh and will
remain beyond the jurisdiction of any court and law enforcers other than Bangladesh. Furthermore, there
are certain core principles of the Act laid down for data controllers:

• Data will be processed with consent and accountability.

• Data collection should be fair and reasonable.
• Data collection, processing, and storage will have to be done with ‘integrity’ and data
processors and controllers ‘must take reasonable steps to ensure that the data is accurate,
complete, not misleading and kept up to date [through record-keeping]’.
• Data can be retained for the period authorized by the Act and destroyed afterwards.
• Data subjects will have access to their data and be able to correct any errors within it.
• No data should be processed for purposes other than what it was collected for without the
consent of the data subject.
• Data will be protected securely. In the event of breaches, the data controller can immediately
notify the Director General of the Data Protection Office established under the Act.
• Most importantly, processing policies will have to incorporate privacy by design.

Bangladesh Data Protection Act and its Implications Page 6 of 17

 Moreover, there are certain types of data which have been exempted from the Act’s provisions
including:

• Data processed to prevent or detect crime.

• Data related to health if applying the provisions would harm the subject or another person.
• Data for research or statistical studies.
• Data related to a court order or judgment.
• Data for the ‘purpose of discharging regulatory functions’ if applying the provisions would
hinder these functions.
• Data only for ‘journalistic, literary, artistic, or academic purposes.
• The government can notify further exemptions if it sees fit.

What is at Stake? Analyzing the Concerns of DPA

Bangladesh is at a critical policy juncture. It can gain from merging into the global digital economy,
connecting its growing consumer population and its businesses to online platforms, and businesses
abroad. Or it can prioritize control over the flow of information and data by implementing restrictions on
cross-border transactions and mandating data localization. The proposed DPA has raised some human
rights and business-related concerns in Bangladesh and by the global actors.

Scope and Applicability

The Act does not clarify data that directly or indirectly identifies an individual. Protecting virtually all types
of data may not lead to the significant improvement of the protection of individual privacy. The definition
of sensitive data has also not been defined extensively, as opposed to inclusively, to protect user privacy.
Moreover, the draft DPA will apply domestically and extraterritorially to all companies or individuals who
collect or process data from within Bangladesh or relating to its citizens or any services or outside the
country. The law will have a worldwide application, irrespective of the location of the data controller or its
link with the data subject. Such global application of the law can be considered disproportionate, especially
considering that the law stipulates burdensome requirements. For instance, the law obligates all data
controllers to appoint a data protection officer and conduct annual audits, irrespective of its location, size
of operations or volume of data being processed; this can be expensive and therefore compel non-resident
service providers to pre-emptively restrict access to its services in Bangladesh.

Bangladesh Data Protection Act and its Implications Page 7 of 17

Data Localization and Surveillance

There is a concern that data of citizens can be accessed by the government. This expands the scope for
state-sponsored surveillance of citizens, especially given that the Act applies to the processing of
Bangladeshi citizens anywhere in the world and gives the government authority to request data for
national security. In case of government restrictions, this may lead non-Bangladesh based companies to
geo-block some or all their services and resources so that they will not be accessible to Bangladeshi users,
as a precautionary step to avoid inadvertently infringing the law.

Independence of Data Authority

The Data Protection Office (DPO) under the Act will be headed by a Director General. The General also
leads the country’s Digital Security Agency, which is authorized to further implement Bangladesh’s
proposed laws governing over-the-top (OTT) and social media platforms. This may question the notion of
an ‘independent’ regulator overseeing data protection complaints in Bangladesh. Additionally, the
government’s power to issue directions to the Director General may require foreign providers to provide
user data to the government,’ which may cause disagreement with the privacy laws of the countries they
are incorporated in.

Effects on the Free Flow of Data and Development

Additionally, the law is open to data being transferred out of Bangladesh—as long as a serving copy is kept
in the country. However, it does not clarify how or where this data should be stored in Bangladesh before
being transferred abroad, potentially hampering with the operations of much sought-after foreign
businesses. Such provisions may increase the cost and time of doing business in Bangladesh and impact
digital trade in case of decline in digital services export depending upon the severity of cross-border data
flow restrictions and retaliatory measures.

Global Concerns
The United Nations (UN) pointed out that the definition of sensitive data in the draft DPA was limited
without the disclosure of information related to race or color, political opinion, trade association
membership, religious or other beliefs, sexual orientation, etc. Amnesty International further stated that
the legislation would put individuals’ privacy at risk. The law, if passed, will permit extensive government
surveillance in the guise of data governance and interference with individuals’ privacy rights. The US
Ambassador to Bangladesh also expressed concern that if the draft DPA was passed with the condition of
strict coherence to data localization requirements, few American companies currently operating in
Bangladesh might face disruptions including 2,000 start-ups.

Bangladesh Data Protection Act and its Implications Page 8 of 17

Human Rights and Freedom of Expression
The draft of the proposed Data Protection Act as a law seeks to infringe on Bangladeshi citizens' right to
privacy. The proposed draft has caused significant human rights concerns domestically and internationally.
The classification of data is ill-defined, and privacy is not defined following international norms. The Bill
takes advantage of ambiguous and overboard provisions to allow and justify intrusive government
measures, such as physically or virtually allowing access to encrypted communications on personal devices.
It infringes on a person's freedom of expression only because it prevents a decline in law and order without
sufficient justification. The Bill shields the government from being held accountable for harm done to
people due to its acts in civil, criminal, and other legal procedures. The major human rights concern under
the DPA are:

• The DPA has expressed concerns and observations about possible human rights abuses. The
measure, according to Amnesty International, risks people's privacy. If the law is passed, it will
permit extensive government surveillance under the pretense of data governance, interfere
with people's right to privacy, and widen the scope for abuse of power. It will defend the
interests of the government rather than those of the people, according to Transparency
International Bangladesh (TIB) and local experts.

• Another major concern is DPA's definition of "sensitive data" has somewhat limited and
excluded disclosure of information like race or color, political opinion, membership in a trade
association, religious or other convictions, sexual orientation, etc. Personal data is not defined
explicitly in the draft, and the description of data protection principles needs to be revised.

• According to the UN, the localization of data, as proposed by the draft bill, would significantly
increase the risks of monitoring and human rights breaches. Any private data would be available
to law enforcement agencies without restriction. The government is given the authority to
exempt law enforcement and intelligence agencies from the act's requirements under Section
33 of the DPA, which may include monitoring servers and data centres in Bangladesh. Pressure
to reveal proprietary information may be applied to public and private organizations,
undermining democratic government.

• Under the framework, non-compliant corporate executives may also be subject to liability.
While administrative fines for data privacy violations are appropriate, imposing criminal liability
is inconsistent with international standards and the fundamentals of criminal law. Data
protection, not regulation, should be the goal of this legislation. The UN urges the removal of
data localization obligations because it is worried about gathering, using, and keeping data on
Bangladeshis living overseas.

Bangladesh Data Protection Act and its Implications Page 9 of 17

 • Concerns about the DPA also arise from its connection to the Digital Security Act (DSA), which
some view as a method of suppressing opposition to the government. Some organizations
worry that the DPA may be used in a similar manner to monitor and prosecute future
government opponents.

• The proposed law is the most recent example of an ominous trend in which the government
seeks to regulate people's digital lives, especially since previous legislation like the Digital
Security Act has resulted in severe human rights violations.

Increasing Authority of the Executive

Although the government's new draft data protection law has somewhat relaxed the requirement that
data be kept within its borders, other concerns remain, such as the executive's unrestricted power, their
right to collect data, and several other matters that run counter to human rights and the freedom of
speech. The draft Data Protection Act is very restrictive. Additionally, a more precise description of the
data is required. Further, the draft does not refer to the notion of privacy standards. The major concerns
regarding increased authority of the executive are –

• The localization of data, or storing the data domestically, is mentioned in the new law. However,
there is also room for data transfer in cases involving global commerce, global relations, or any
other matters listed by the government. Additionally, it has been said that the government will
have the power to join an international coalition or multilateral organization if necessary.

• With the revised draft of the data protection law, the director general will have the power to
direct those involved in data processing and other concerned parties to provide him with any
data he requires. The controller or data analyst must follow the directive. Therefore, the federal
government can access any data whenever it wants. Per the draft's section 10/A, the parties
concerned may obtain information from the analysts in the event of a threat to the nation's
security, to reduce crime, identify offenders, and for investigative purposes.

• The data saved on the server or in the data centre will always be under government scrutiny,
and the United Nations expressed worry over this provision. Private businesses will be under
pressure to reveal sensitive information. This portion of the proposed data protection law may
therefore compromise the democratic governance of the nation.

• Additionally, the new draft stipulates that the director general will be required to provide any
reports requested by the government on any data handled following this law. Per the draft's

Bangladesh Data Protection Act and its Implications Page 10 of 17

 section 10/A, the parties concerned may obtain information from the analysts in the event of a
threat to the nation's security, to prevent crimes, identify offenders, and for investigative
purposes.

• In addition, the rules contained in the new draft state that no one can immediately object to
the court if their right to privacy is violated.

Comparative Analysis of Bangladesh’s DPA and

India's Digital Data Protection Bill 2022 (DDPB)
India’s Digital Data Protection Bill 2022 consists of provisions for processing digital personal data in a
manner that recognizes both the right of individuals to protect their personal data and the need to
process personal data for lawful purposes, and for matters connected therewith. In this Bill, ‘data’ is
referred to as “a representation of information, facts, concepts, opinions or instructions in a manner
suitable for communication, interpretation or processing by humans or by automated means”.
Additionally, “personal data” is referred to as “any data about an individual who is identifiable by or in
relation to such data”.

The territorial scope of India’s DDPB is not limited to India and is also applicable to digital personal data
processed outside India, provided such processing is undertaken for the purpose of:
 ‘profiling’ or processing personal data specifically to ‘analyze or predicts aspects concerning the
behavior, attributes or interests’ of an individual in India;
 offering of goods or services to individuals in India.
Similarly, the draft DPA of Bangladesh will apply domestically and extraterritorially to all companies or
individuals who collect or process data from within Bangladesh or relating to its citizens or any services
or outside the country. The law will have a worldwide application, irrespective of the location of the data
controller or its link with the data subject.

Further, the revised draft, ‘India's Digital Data Protection Bill 2022’, aims to relax data localization
requirements. It is likely to help companies maintain parity in the cost of running their businesses in India.
Whereas Bangladesh’s DPA comes with the condition of strict coherence to data localization
requirements. According to Bangladesh’s DPA, data shall be stored in Bangladesh, and shall remain
beyond the jurisdiction of any court and law enforcers other than Bangladesh. This requirement is largely
not cost-effective for foreign entities, big tech and companies that use cloud computing for data storage.
India’s Digital Data Protection Bill eases the free movement of data to trusted geographies and has
proposed simplified and business-friendly procedures. These geographies will be periodically defined by
the Indian government and are likely to be dependent on the "reciprocity" of these geographies with

Bangladesh Data Protection Act and its Implications Page 11 of 17

India.

Additionally, the new draft of India’s Digital Data Protection Bill does not provide for any criminal liabilities
or penalties directly linked to the turnover or revenue of the erring entity that decides the “purpose and
means of the processing of an individual’s personal data.” Whereas, under the framework of Bangladesh’s
DPA, non-compliant corporate executives may also be subject to liability and criminal penalties.

Impact of Data Protection Act on 2023

Presidential Elections
The government of Bangladesh is rushing to enact two crucial aspects of legislation on social media
regulation and data privacy that would significantly impact how the country's 170 million internet users
access the internet. Activists and attorneys claim that the forthcoming 2023 elections are the critical factor
driving the administration to expedite the planned legislation. The Bangladesh Telecommunication
Regulatory Commission Regulation for Digital, social media, and OTT Platforms, 2021 and the proposed
Data Protection Act, 2022, are ostensibly promoted as initiatives to safeguard citizen information against
American tech companies. Still, both the draft regulations give Bangladeshi authorities broad authority to
control everything on the Bangladeshi internet.

According to the proposed data protection law, citizens' personal information must be kept in Bangladesh.
Amnesty International commented on the proposed bill that, given Bangladesh's history of serious human
rights violations, "the localization of the data within Bangladesh gives authorities broad powers to access
people's data without judicial oversight and accountability for any violation of people's right to privacy."

The introduction of this measure should be seen considering the forthcoming 2023 election and the
potential harm it could create. Though the precise date of implementation of DPA is unknown, these laws
would probably take effect before the December 2023 national elections in Bangladesh. The Bangladesh
government has a history of introducing digital legislation just before elections, giving the government easy
access to harass and control the media, civil society, and political opposition. The ruling Awami League
used the Digital Security Act (DSA), introduced in 2018, months before the general elections, to control
Facebook Messenger and restrict internet access in Rohingya refugee camps. Over 200 journalists who
were critical of the administration have been detained by the ruling party since January 2020 due to the
DSA.

The news of the proposed law coincides with claims that the Awami League, the current government, has
begun training "tens of thousands of cadres to wage a propaganda war on social media in preparation for

Bangladesh Data Protection Act and its Implications Page 12 of 17

the next general election." The idea of an online army dedicated to monitoring social media is quite
frightening, considering how the Digital Security Act 2018 has been used to suppress and crack down on
government critics. The Awami League appears to be turning its attention to the digital realm before the
2023 elections to strengthen its surveillance capabilities and control over data and technology in
Bangladesh, as shown by the DSA, reports of the "online propaganda army," and this draft data protection
act.

Impact on businesses
By restricting development factors, the DPA risks reversing some of Bangladesh's hard-earned economic
accomplishments over the years.

• Cross-border data flows are necessary for digital services transactions, yet the DPA restricts the
transfer of data categories. By mandating companies to purchase servers in Bangladesh, the
DPA also raises the price of digital services in that nation. Additionally, Bangladesh is still a small
market; therefore, expensive barriers to reaching Bangladesh's consumers may prompt some
businesses to leave the market and others to avoid entering at all.

• The DPA's regulations requiring data localization and limiting data flow are the most onerous
and expensive. All consumer data must be kept on servers located in Bangladesh, according to
Section 42. This restriction may increase the cost of supplying services to Bangladesh's rapidly
expanding consumer market for foreign businesses. Additionally, data localization often
increases compliance costs for firms, disrupts global supply chains, functions as a non-tariff
barrier, and puts obstacles in the way of digitally enabled growth.

• With a few exceptions, Section 43 forbids the transmission of customer information outside of
Bangladesh without the government's consent, a restriction that severely restricts a variety of
digital transactions. The measure gives Bangladesh's government extraterritorial enforcement
authority through related regulatory organizations previously set up by the contentious Digital
Security Act of 2018.

• The new DPA applies to all organizations, regardless of size or turnover. There currently needs
to be more varied conglomerates in Bangladesh. In Bangladesh, there are 79,00,000
establishments (or roughly 98 per cent of all businesses), of which 93.6 per cent are small
businesses and 6.4 per cent are medium-sized enterprises (SMEs). Therefore, most enterprises
the rule will impact will be small businesses, which face common challenges such as limited
capital access and technological capabilities.

Bangladesh Data Protection Act and its Implications Page 13 of 17

 • According to the drafted DPA, non-compliance is punishable by a fine or confinement. The
offences are both cognizable (meaning that arrests can be made without a warrant) and non-
bailable. Additionally, it aims to hold liable corporations and their executives, workers,
directors, and agents. Such harsh penalties are unreasonable, discourage foreign investment,
and lead non-residents to restrict access to its services in the nation as a preventative measure.

• The free flow of data encourages innovation by encouraging idea sharing, concept propagation,
and collaboration between people and businesses. Since data localization obstructs the very
fuel for their development, restricting the data flow could make it more difficult to fully utilize
the quickly expanding data analytics and methodologies, machine learning systems, and fraud
prevention measures. Restricted flow could lead to the limited or sluggish application of
cutting-edge worldwide approaches for information analysis.

• Data localization may promote regional economic interests if it is well-planned. However,

backup storage and disaster recovery are equally crucial for data giants like Google, Facebook,
Microsoft, OpenAI, and others. Additionally, in order to serve consumers more quickly, they
geolocate data centers and then deploy their servers in several nations, maintaining copies of
the same data in each place. In the event of technical difficulties, it serves as a disaster recovery
backup in addition to a sourcing backup. As a result, a nation can make the necessary provisions
for the construction of a sufficient number of data centres within its borders in order to
facilitate the creation of jobs and the flow of investment, but it is not technically possible to
mandate that all data be localized within its borders.

Bangladesh Data Protection Act and its Implications Page 14 of 17

Conclusion
The Bangladesh market is attractive to foreign investors and businesses. Almost all data centres in
Bangladesh are developed and maintained by foreign contractors and engineers including Bangladesh
Bank’s SWIFT software, commercial banking software, driving license system, and income tax digitization
projects are mainly maintained and troubleshooted by foreign engineers. However, if passed with strict
data localization requirements, the Data protection act may force many companies operating in
Bangladesh to leave the market.

The DPA regulations and law will similarly dissuade companies from investing in business if they face
criminal liability for user content. The consequences could have very adverse effects on Bangladesh. New
technologies including cloud computing, artificial intelligence and machine learning have the potential to
create new markets and drive prosperity in Bangladesh. However, with the enactment of DPA, Bangladesh
may face risk if a foreign business cannot access international tools, which are essential for doing business.

To strengthen Bangladesh's position as an appealing location for the ICT/ITES sector and, most
importantly, realize the full potential of Digital Bangladesh and Vision 2041, the legislature can include a
separate right to personal data protection, or general privacy right under the constitution. Moreover, the
judiciary can enhance the current constitutional protection related to privacy to cover data protection
rights by its ruling. It is, therefore, vital for the public to understand and be aware of data privacy rights,
limitations, and risks. The relevant stakeholders will have to take initiatives to build awareness among
people and establish data protection behavior. The concept of data privacy and the underlying rights and
requirements for data protection are new in Bangladesh. However, they have never been more crucial
than in the current era of fast technological advancement, social networking, cybercrime, artificial
intelligence, electronic communication, and rising consumer/user awareness.

*****End of the Report*****

Bangladesh Data Protection Act and its Implications Page 15 of 17

Author Profile
Ishka Yadav
Geopolitical Intelligence Analyst

Ishka Yadav is a Geopolitical Risk Analyst with MitKat’s Predictive Risk

Intelligence (PRI) team. She holds a Master’s in International Studies from
Symbiosis School of International Studies Pune, with a keen interest in organized
crime, illegal trade, and terror financing.

Sakshi Mishra
Geopolitical Intelligence Analyst

Sakshi Mishra is a Geopolitical Intelligence Analyst with the Predictive Risk

Intelligence of MitKat Advisory. She has a Master's in Geopolitics and
international Relations from Manipal Academy of Higher Education with keen
interest in border studies, foreign policy, geopolitical analysis, and security
studies.

Deeplaxmi Patil
Corporate Intelligence Intern

Deeplaxmi Patil is a Corporate Intelligence Intern at Mitkat Advisory. She holds a

master's degree from Symbiosis School of International Studies with a keen
interest in geopolitics, cultural relations and soft power diplomacy.

Bangladesh Data Protection Act and its Implications Page 16 of 17

Contact Us
Mumbai Delhi Bengaluru Singapore

511, Ascot Centre, Suite #008, 4th Floor, C/O WeWork, 36, 101 Cecil Street,
Near International Times Square, Infantry Rd, Tasker #23-12, Tong Eng
Airport, Andheri (E), Sushant Lok – 1, Town, Shivajinagar, Building,
Mumbai - 400 099 Gurgaon - 122 002 Bengaluru - 560001 Singapore - 069 533
+91 22 2839 1243 +91 124 455 9200 + 91 95265 63359 +65 9452 1622

Follow Us On

©2023 All rights reserved. The information contained herein is the Intellectual Property of MitKat Advisory Services Pvt. Ltd. Any unauthorized use of this
content, in any form, violates our rights.

DISCLAIMER: The contents of this E-mail (including the contents of the enclosure/(s) or attachment/(s) if any) are privileged and confidential material of
MitKat Advisory Services Pvt. Ltd. and should not be disclosed to, used by or copied in any manner by anyone other than the intended addressee/(s). If thisE-
mail (including the enclosure/(s) or attachment/(s) if any) has been received in error, please advise the sender immediately and delete it from your system.

Bangladesh Data Protection Act and its Implications Page 17 of 17