
Global Data Privacy Guide

Bangladesh

(Asia Pacific) Firm The Legal Circle

Contributors Nauriin Ahmed

Updated 09 Aug 2025
1. What is the key legislation?

Currently Applicable:

  • The Constitution of the People's Republic of Bangladesh (the "Constitution"): Article 43 guarantees the privacy of correspondence and other means of communication, from which a broader right to privacy is implied.
  • The Cyber Security Ordinance, 2025 (the "CSO, 2025"): This is the primary legislation addressing cybercrimes and has provisions that indirectly impact data privacy, particularly concerning unauthorized access to data, identity theft, and online activities. It replaced the Cyber Security Act, 2023.
  • The Information and Communication Technology Act, 2006 (the "ICT Act, 2006"): This act deals with various aspects of information technology, including cybercrimes. While some of its provisions relating to offensive content were absorbed into the CSO, 2025, it still contains relevant sections on unauthorized access and data manipulation.

Yet to be Enacted/in draft stage:

  • The Data Protection Act, 2022 (the "Draft DPA, 2022") / Personal Data Protection Ordinance, 2025: This is a comprehensive draft law (and more recently, an ordinance draft has been finalized) specifically aimed at data protection and privacy. If enacted, it would be the primary legislation in this area, distinct from cybercrime laws.
2. What are the key decisions applying that legislation?
  • Constitution: Judicial interpretations of Article 43 have affirmed the right to privacy, but specific landmark cases directly applying it to modern data protection are limited.
  • ICT Act, 2006 & CSO, 2025: Cases under these acts primarily relate to cybercrime, defamation, and misuse of digital platforms. Although there are numerous prosecutions, no "key decisions" setting out broad data protection principles have emerged under either act. The CSO, 2025 focuses specifically on criminal offences and their corresponding punishments rather than on the enforcement of comprehensive data privacy rights.
1. How are “personal data” and “sensitive data” defined?
  • ICT Act, 2006 & CSO, 2025: These acts do not explicitly define "personal data" or "sensitive data" in a comprehensive manner. However, Sections 2(b) and 2(p) of the CSO, 2025 define "Database" and "Person" separately, as follows:
    • (b) “Database” means information presented in the form of text, images, audio or video, digital documents or electronic files, knowledge, facts, basic ideas or instructions, whether or not digitally signed, which-
      1. is or has been prepared in a formal manner by any computer, tablet, smartphone, digital wearables, or Internet of Things (IoT) device or computer system or computer network or artificial intelligence software agent, large language model or tool, etc.; and
      2. is prepared for use in any computer, tablet, smartphone, digital wearables, or computer system or computer network or artificial intelligence software agent, large language model or tool, etc.;
      and
    • (p) “Person” means any individual or any organization, company, partnership, firm or other body corporate, including, in the case of a digital device, its controller and any entity created by law or any artificial legal entity;

This implicitly covers what might be considered personal data. Neither act specifically defines "sensitive data."

  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: "Personal data" and "sensitive personal data" are broadly defined as follows:
    • "personal data" means any data relating to a person by which that person can be identified, such as name, parents' name, identification number, financial data, location data or any other similar online identifier or material comprising the physical, physiological, genetic, economic characteristics of an individual, any other characteristic as may be prescribed by regulation.
    • "sensitive personal data" means any of the following personal data of a data subject, namely: (i) genetic or biometric data; (ii) data relating to ethnic minority or ethnic race and community; (iii) data relating to philosophical or political opinions, religious beliefs or similar other affiliations or beliefs; (iv) data relating to membership of a trade union; (v) health data; (vi) data relating to sexual life; (vii) data relating to any offence alleged to have been committed by the data subject; and any other personal data as may be prescribed by rules.
2. How is the defined data protected?
  • ICT Act, 2006 & CSO, 2025: Protection is primarily through the criminalization of unauthorized access, damage, or disclosure of data, and identity theft. These acts focus on punitive measures for cybercrimes rather than a holistic framework for data protection.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Aims to protect data through a set of data protection principles, requirements for lawful processing, data subject rights, and obligations on data controllers and processors, along with enforcement mechanisms and penalties.
3. Who is subject to privacy obligations?
  • ICT Act, 2006 & CSO, 2025: Primarily individuals and entities involved in cybercrimes are subject to obligations and penalties. Any person who engages in unauthorized access, modification, or sharing of information can be held liable.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Would impose obligations on "data controllers" (those who determine the purposes and means of processing personal data) and "data processors" (those who process personal data on behalf of the controller), regardless of whether they are public or private entities.
4. How is “data processing” defined?
  • ICT Act, 2006 & CSO, 2025: These acts do not provide a specific definition of "data processing." Their focus is on unauthorized actions related to "computer systems" and "digital data."
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: "Processing" is broadly defined as any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, transfer, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, destruction or erasure of the personal data.
5. What are the principles applicable to personal data processing?
  • ICT Act, 2006 & CSO, 2025: These acts do not outline specific data protection principles.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: The draft is expected to establish principles similar to international standards, such as:
    • Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and in a transparent manner.
    • Purpose limitation: Data collected for specified, explicit, and legitimate purposes should not be further processed in a manner incompatible with those purposes.
    • Data minimization: Data collected should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
    • Accuracy: Data should be accurate and, where necessary, kept up to date.
    • Storage limitation: Data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
    • Integrity and confidentiality (security): Data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
    • Accountability: The data controller should be responsible for and be able to demonstrate compliance with these principles.
6. How is the processing of personal data regulated?
  • ICT Act, 2006 & CSO, 2025: Regulation is primarily through criminalizing misuse of digital systems and data, rather than establishing a comprehensive regulatory framework for data processing in general business operations.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Aims to regulate processing through:
    • Requiring a lawful basis for processing (e.g., consent, contractual necessity, legal obligation, vital interests, public interest, legitimate interests).
    • Setting out conditions for processing sensitive data.
    • Establishing rights for data subjects regarding their data.
    • Imposing obligations on data controllers and processors.
7. How are storage, security and retention of personal data regulated?
  • ICT Act, 2006 & CSO, 2025: These acts contain general provisions against unauthorized access, damage, or destruction of data, which implicitly require security measures. However, they do not prescribe specific technical or organizational measures, nor do they detail retention periods.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Expected to include provisions on:
    • Security: Requiring data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
    • Retention: Mandating data retention only for as long as necessary for the purpose for which it was collected, with provisions for secure disposal.
    • Storage Location: Earlier drafts of the DPA, 2022 and ongoing discussions surrounding the Personal Data Protection Ordinance suggest the possibility of data localization requirements, especially for certain types of data, meaning data might have to be stored on servers within Bangladesh.
8. What are the data subjects' rights under the data legislation?
  • ICT Act, 2006 & CSO, 2025: These acts do not explicitly define data subject rights in the modern sense. Protection is more about preventing harm from cybercrimes rather than empowering individuals with control over their data.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Envisages comprehensive data subject rights, likely including:
    • Right to be informed: About the collection and use of their data.
    • Right of access: To their personal data.
    • Right to rectification: To correct inaccurate or incomplete data.
    • Right to erasure (right to be forgotten): Under certain circumstances.
    • Right to restriction of processing: To limit how their data is used.
    • Right to data portability: To receive their data in a structured, commonly used, and machine-readable format.
    • Right to object: To certain types of processing.
    • Rights in relation to automated decision-making and profiling.
9. What are the consent requirements for data subjects?
  • ICT Act, 2006 & CSO, 2025: These acts implicitly require lawful authority for certain actions, such as sharing or accessing personal information (Section 63 of the ICT Act, 2006), but they do not have a formal definition or framework for data subject consent in the broader privacy context.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Is expected to require explicit, informed, specific, unambiguous, and freely given consent for the processing of personal data, particularly for sensitive data. It will likely detail conditions for valid consent and the right to withdraw consent.
10. How is authorization for use of data handled?
  • ICT Act, 2006 & CSO, 2025: Authorization is largely implied by the absence of "unauthorized" activity or the presence of "lawful authority" for actions involving digital data.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Authorization for data use will be governed by the lawful bases for processing, with consent being a primary mechanism. Other bases, like contractual necessity or legal obligation, would also constitute authorization.
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
  • ICT Act, 2006 & CSO, 2025: Section 48 of the CSO, 2025 is the provision that addresses cross-border matters, but it concerns criminal cooperation rather than data transfers as such and imposes no explicit restriction on transfers. It provides that where regional or international cooperation is required in the investigation or prosecution of an offence committed under the Ordinance, the provisions of the Mutual Assistance in Criminal Matters Act, 2012 ("Act No. 4 of 2012") shall apply.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: The draft DPA, 2022 and recent discussions on the Personal Data Protection Ordinance indicate a strong intent to regulate cross-border data transfers. Potential restrictions include:
    • Government approval: Requirement for government authorization for certain transfers.
    • Adequacy decisions: Transfers might only be permitted to countries offering an adequate level of data protection, as determined by the Data Protection Agency.
    • Specific safeguards: Implementation of appropriate safeguards (e.g., standard contractual clauses, binding corporate rules) in the absence of an adequacy decision.
    • Consent of the data subject: In some cases, explicit consent of the data subject for the transfer.
    • Data localization: There are significant indications and concerns that the upcoming data protection law might include data localization requirements, especially for certain types of data, mandating storage on servers within Bangladesh.
12. How are data "incidents" and "breaches" defined?
  • ICT Act, 2006 & CSO, 2025: These acts do not explicitly use the terms "data incident" or "data breach" but address actions that would constitute such events, such as unauthorized access, damage, alteration, or destruction of data, and the introduction of malware or viruses. The focus is on the criminal act itself.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: "Personal data breach" is defined as "a breach of personal data security leading or likely to lead to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, personal data processed under this Ordinance."
13. Are there any notification requirements for incidents and/or data breaches?
  • ICT Act, 2006 & CSO, 2025: No explicit data breach notification requirements for affected individuals or a regulatory authority. Reporting is generally for cybercrimes to law enforcement.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Likely to introduce mandatory data breach notification requirements, obliging data controllers to notify the Data Protection Agency and, in certain cases, the affected data subjects, without undue delay after becoming aware of a personal data breach.
14. Who is/are the privacy regulator(s)?
  • Currently, there is no single, dedicated data privacy regulator in Bangladesh. Law enforcement agencies (e.g., the police and its Cyber Crime Unit) handle cases under the ICT Act, 2006 and the CSO, 2025. The National Cyber Security Agency ("NCSA"), established under section 5 of the CSO, 2025, has a role in monitoring online communication and countering cybercrimes. The Bangladesh Telecommunication Regulatory Commission ("BTRC") has some regulatory oversight over telecommunications data.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Proposes the establishment of a dedicated Data Protection Agency ("DPA"), which would be the primary regulatory and enforcement body for data protection.
15. What are the consequences of a data breach?
  • ICT Act, 2006 & CSO, 2025: The consequences include penalties such as imprisonment and/or fines for offences like unauthorized access, damage to computer systems, or identity theft.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: In addition to potential criminal liabilities under other laws, the DPA is expected to introduce administrative fines and other enforcement actions by the Data Protection Agency for non-compliance with its provisions, including data breaches.
16. How is electronic marketing regulated?
  • Currently, electronic marketing is not specifically regulated by dedicated data privacy laws. General consumer protection laws or telecommunication regulations might apply to unsolicited communications.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: May introduce specific provisions regarding consent for electronic marketing and the right of data subjects to object to direct marketing.
17. Are there sector-specific or industry-specific privacy requirements?
  • Currently: There are some implicit or explicit privacy considerations within sector-specific regulations, particularly in the telecommunications and financial sectors (e.g., for banks and mobile financial service providers regarding customer data confidentiality). However, these are not comprehensive privacy frameworks.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: While aiming for a general data protection law, it may also allow for sectoral regulators to frame their own rules on data transfers and other aspects within their remit, potentially leading to specific requirements for certain industries.
18. What are the requirements for appointing Data Protection Officers or similar roles?
  • Currently, there are no explicit statutory requirements for appointing Data Protection Officers ("DPOs") under the ICT Act, 2006 or CSO, 2025. Some organizations may appoint them based on internal best practices or compliance with international standards (e.g., GDPR, if they operate internationally).
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Expected to introduce requirements for certain data controllers and processors to appoint a Data Protection Officer ("DPO") based on criteria such as the nature, scope, context, and purposes of processing, particularly for large-scale processing of sensitive data or regular and systematic monitoring of data subjects.
19. What are the record-keeping and documentation obligations?
  • Currently, limited to general corporate or industry-specific record-keeping requirements. No specific data protection-centric documentation obligations exist under the ICT Act, 2006 or CSO, 2025.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Likely to impose obligations on data controllers and processors to maintain records of processing activities, including details about the purposes of processing, categories of data processed, recipients, and security measures.
20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?
  • Currently, no statutory requirement for DPIAs under the ICT Act, 2006 or CSO, 2025.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Expected to introduce requirements for conducting DPIAs when processing operations are likely to result in a high risk to the rights and freedoms of natural persons.
21. What are the requirements for third-party vendor management and data sharing?
  • Currently, no specific legal framework governing third-party vendor management or data sharing from a privacy perspective under the ICT Act, 2006 or CSO, 2025. General contractual principles and confidentiality agreements would apply.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Will likely introduce provisions requiring data controllers to ensure that data processors (third-party vendors) provide sufficient guarantees to implement appropriate technical and organizational measures for data protection, and that data processing is governed by a contract.
22. What are the penalties and enforcement mechanisms for non-compliance?
  • ICT Act, 2006 & CSO, 2025: Penalties range from fines to imprisonment for various cybercrimes. Enforcement is through the regular judicial system, including Cyber Tribunals. The CSO, 2025, has adjusted some penalties, making them generally stricter compared to the CSA, 2023.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: Aims to establish a range of administrative penalties (fines) for non-compliance with its provisions, enforced by the Data Protection Agency. These could be substantial, potentially based on a percentage of turnover or fixed amounts. It would also likely provide for other enforcement mechanisms such as orders to cease processing, rectify data, or notify breaches.
23. What are the ongoing compliance and audit requirements?
  • Currently, no specific ongoing data privacy compliance or audit requirements under existing laws like the ICT Act, 2006 or CSO, 2025.
  • Draft DPA, 2022 / Personal Data Protection Ordinance, 2025: The establishment of a Data Protection Agency suggests that there will be ongoing compliance requirements, including potential audits by the Agency to ensure adherence to the law.
24. Are there any recent developments or expected reforms?
  • Recent Developments: The most significant recent development is the repeal of the Cyber Security Act, 2023 and its replacement with the Cyber Security Ordinance, 2025 ("CSO, 2025"), introduced by the interim government on May 21, 2025. The CSO, 2025 essentially restructures its predecessor, making the offences more specific and increasing the penalties for them, and has yet to face significant criticism regarding its potential impact and its broad scope. This rapid change highlights the ongoing evolution and uncertainty in Bangladesh's digital legal landscape.
  • Expected Changes: The enactment of a dedicated data protection law, either the Data Protection Act, 2022 ("Draft DPA, 2022") or the recently finalized Personal Data Protection Ordinance, 2025, remains the most anticipated change. If passed, it would fundamentally transform the data privacy landscape in Bangladesh by introducing a comprehensive framework. The precise final form, specific provisions (especially concerning data localization), and effective date are still subject to finalization. These changes are expected to align Bangladesh more closely with international data protection standards.