When Data Protection Fails to Protect: Law, Power, and Postcolonial Governance in Bangladesh

TL;DR

This paper analyzes Bangladesh's emerging data protection laws, revealing institutional and legal barriers that hinder effective citizen data protection amid rapid digitization and informal data practices.

Contribution

It provides a systematic review of Bangladesh's data protection ordinances and highlights the sociotechnical complexities affecting their implementation.

Findings

Limited institutional independence undermines enforcement.

Legal frameworks overlook informal data flows.

Formal protections are difficult to operationalize due to sociotechnical layers.

Abstract

Rapid digitization across government services, financial platforms, and telecommunications has intensified the collection and processing of large scale personal data in Bangladesh. In response, the state has introduced multiple regulatory instruments, including the Personal Data Protection Ordinance, the Cyber Security Ordinance, and the National Data Governance Ordinance in 2025. While these initiatives signal an emerging legal regime for data protection, little scholarly work examines how these frameworks operate collectively in practice. This paper presents a legal and institutional analysis of Bangladeshs emerging data protection regime through a systematic review of these three ordinances. Through this review, the paper provides an integrated mapping of Bangladeshs evolving data protection framework and identifies key legal and institutional barriers that undermine the effective protection of citizens personal data. Our findings reveal that this emerging regime is constrained by limited institutional independence, uneven regulatory capacity, and the misaligned legal assumption of individualized, autonomous data subjects. Furthermore, these frameworks invisibilize prevalent sociotechnical layers, such as informal data flows and mediated access via human bridges, rendering formal protections difficult to operationalize. This paper contributes to HCI scholarship by expanding the concept of data protection as a complex sociotechnical design problem shaped by the informal infrastructures of the Global South.