Law: There is no general personal data protection law.

Regulator: There is no data protection authority.

Summary: Whilst there is no general data protection law in Bangladesh, the Constitution of the People's Republic of Bangladesh provides a right to privacy of correspondence and other means of communication. In addition, the Information Communication Technology Act 2006 (only available in Bengali here) (the ICT Act) and the Digital Security Act 2018 contain provisions related to cybersecurity and data protection including personal information protection in relation critical information infrastructure, digital devices, and computer systems. Sectoral legislation in the field of finance also provide data retention requirements, restrictions on data transfers, and data localization requirements.

On July 24, 2023, the Department of Information and Communication Technology released a draft Data Protection Act 2023 (only available in Bengali here) (the Draft Law) which applies to the processing of personal data of the residents of Bangladesh and to data processing that is not carried out in Bangladesh, but offers goods and services to the residents of Bangladesh. In addition, the Draft Law establishes obligations for data controllers and processors such as requirements associated with data security, conducting Data Protection Impact Assessments (DPIA), and Data Protection by Design. Furthermore, the Draft Law outlines data processing principles, provisions on data collection, data retention requirements, rights of data subjects, data transfers, data storage, and penalties, among other things.