Law to ensure data security, privacy of citizens

In this data-driven digital age, the challenge of safeguarding personal information from unauthorized access and use is daunting. Reports of data breach leading to loss of sensitive data on financial transactions, medical history, biometric information, to name but a few, abound. Against this backdrop of various digital challenges to the citizens' data privacy, the interim government, in a bold move, has approved the drafts of Personal Data Protection Ordinance, 2025 and the National Data Governance Ordinance, 2025.

The interim government's Council of Advisers at a meeting on Thursday last unanimously approved the nation's first comprehensive legislation to safeguard restricted and confidential personal data making local and foreign media platforms and tech companies compliant with the national law. This is undoubtedly a decision long time coming by the interim government. Notably, the National Data Protection Ordinance will operate under the oversight of a data management authority. To that end, the advisory council did pass the Data Governance Ordinance. While the data protection law aims to ensure confidentiality, security and unlawful use of the citizens' personal data, concerns have been expressed by the Transparency International, Bangladesh (TIB), over what it said 'hasty approval' of the two ordinances 'without adequate expert consultation and stakeholders' engagement. Especially, the TIB pointed to the fact that the draft of the data protection law had been going through a prolonged phase of contention between the stakeholders and the former authoritarian government before its fall. The TIB further complained that the interim government through passing the two ordinances on personal data protection has ignored stakeholders' recommendations on critical weaknesses and risks in the drafts and that it 'secretly approved the latest drafts unilaterally without informing stakeholders'. These are no doubt serious allegations by the corruption watchdog against the very intention and spirit of the personal data protection and governance ordinances.

However, the CA's special assistant rejected the TIB's claim, asserting that extensive consultations have been arranged with local as well as international stakeholders including the technology companies, namely, Meta, Google and representatives from the business community. Of course, the issue of exercising legal control over the handling of restricted and confidential personal data by the social media and tech companies, both of local and international origin, is a matter of serious concern for governments across the world. So, there is no question, as demanded by certain quarters, of delaying the passage of the laws to protect the individual citizen's privacy and the data concerned under any pretext.

Even so, regarding the 'loopholes' as alleged by the TIB that certain section and subsections of the data protection ordinance contain and might create scope to exempt data controllers and processors from their duties and responsibilities, the government would be required to look into those alleged lacunae, if any, and try to address those at the earliest. Also, the fear that the exemptions under the ordinance would allow the data protection authority broad access to personal data in the name of 'crime prevention' should be duly allayed. To ensure that those sections of the ordinance, as alleged, might not turn into 'tools of control and surveillance', by any government in the future, the authorities would do well to clarify.