Bangladesh eases data rules, drops jail terms for tech

Bangladesh’s Advisory Council has approved amendments to the country’s Personal Data Protection Ordinance, easing data localisation rules and removing jail terms for violations by technology firms.

Chief Adviser’s Press Secretary Shafiqul Alam disclosed the information at a briefing at the Foreign Service Academy in Dhaka on Thursday (January 8).

Under the revised provisions, only data linked to government-designated Critical Information Infrastructure (CII)—as defined under the Cyber Security Ordinance—must be stored within Bangladesh.

The change also softens a broader requirement introduced under the ordinance gazetted in November last year. 

Previously, technology companies were required to keep at least one synchronised, real-time copy of user data inside Bangladesh. 

Under the amendment, that requirement will apply only to “restricted personal data”, meaning cloud-stored data classified under the strictest controls.

The amended framework also revises punishment provisions. Whereas the earlier ordinance allowed for both imprisonment and financial penalties for breaches of personal data or infringements of users’ rights, the revised version removes imprisonment, leaving monetary fines as the sole form of sanction.

Press Secretary Shafiqul Alam said that the changes were made in response to concerns raised by major service providers widely used in Bangladesh, including Meta and Alphabet, regarding specific provisions of the ordinance. 

The government expects the updated rules to help attract investment in data and cloud-based services, he added.