Atlantic Council SOUTH ASIA CENTER
ISSUE BRIEF
Bangladesh Draft Data Protection Act 2023: Potential and Pitfalls BY CHRISTABEL RANDOLPH
T
he Bangladesh government’s updated draft data protection bill is a welcome revision of its 2022 attempt to address the country’s lack of a comprehensive data protection law, but there is still room for constructive change to heighten regulatory certainty. The Information and Communications Technology Division of the Ministry of Posts, Telecommunication, and Information Technology released the proposed Data Protection Act 2023 (DPA 2023 or the bill)1 on March 14—just days after the publication of the South Asia Center’s March issue brief2—and the revised version responds to some of the criticism of the digital protectionism and restrictive provisions on digital business activity in the 2022 draft.3
The South Asia Center serves as the Atlantic Council’s focal point for work on greater South Asia as well as relations between these countries, the neighboring regions, Europe, and the United States. It seeks to foster partnerships with key institutions in the region to establish itself as a forum for dialogue between decision-makers in South Asia, the United States, and NATO. These deliberations cover internal and external security, governance, trade, economic development, education, and other issues. The Center remains committed to working with stakeholders from the region itself, in addition to partners and experts in the United States and Europe, to offer comprehensive analyses and recommendations for policymakers.
Specifically, the proposed legislation reflects an operational sensibility based on stakeholder feedback on significant issues. It has incorporated more flexibility to frame rules to address changing situations, provided for a transition period, relaxed data localization requirements, and expressly recognized the importance of international cooperation and safeguard measures for facilitating data flows.
WHAT HAS CHANGED? The DPA 2023 retains the provisions of the prior draft with substantive changes in four areas. Transition Period The law provides for a transition period of three years. It goes one step further to guarantee that this period is a minimum or floor by prohibiting the fixation of an earlier date. This means that the Data Protection Agency cannot set an earlier effective date without an amendment in the law. This is a strong protection for entities impacted by this law, many of whom will need to build capacity to comply. It also gives stakeholders sufficient time to engage with the authorities on matters to be covered in the rules and the standards which will be framed by the agency to cocreate operating procedures that are implementable and aligned to the principles of data privacy.
1.
The Draft Data Protection Act 2023, Information and Communications Technology (ICT) Division, Ministry of Posts, Telecommunication and Information Technology, Government of the People’s Republic of Bangladesh, March 14, 2023, https://ictd.gov.bd/site/page/d05a8088-8272-49b4-883c-1698796dce3e/খসড়া-আইন,-বিধি-এবং-নীতিমালা. 2. Stephen Weymouth, “Bangladesh’s Draft Data Protection Act,” Issue Brief, South Asia Center, Atlantic Council, March 8, 2023, https://www.atlanticcouncil.org/in-depth-researchreports/issue-brief/inside-bangladeshs-new-data-protection-laws/. 3. Global Data Alliance, “Comments to the People’s Republic of Bangladesh on the Cross-Border Policy Implications of the Draft Data Protection Act of 2022,” September 2022, https://globaldataalliance.org/wp-content/uploads/2022/09/09072022gdabgdpa.pdf.
1
ATLANTIC COUNCIL