Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

When Data Protection Fails to Protect: Law, Power, and Postcolonial Governance in Bangladesh

Pratyasha Saha, Anita Say Chan, Sharifa Sultana

Abstract

Rapid digitization across government services, financial platforms, and telecommunications has intensified the collection and processing of large scale personal data in Bangladesh. In response, the state has introduced multiple regulatory instruments, including the Personal Data Protection Ordinance, the Cyber Security Ordinance, and the National Data Governance Ordinance in 2025. While these initiatives signal an emerging legal regime for data protection, little scholarly work examines how these frameworks operate collectively in practice. This paper presents a legal and institutional analysis of Bangladeshs emerging data protection regime through a systematic review of these three ordinances. Through this review, the paper provides an integrated mapping of Bangladeshs evolving data protection framework and identifies key legal and institutional barriers that undermine the effective protection of citizens personal data. Our findings reveal that this emerging regime is constrained by limited institutional independence, uneven regulatory capacity, and the misaligned legal assumption of individualized, autonomous data subjects. Furthermore, these frameworks invisibilize prevalent sociotechnical layers, such as informal data flows and mediated access via human bridges, rendering formal protections difficult to operationalize. This paper contributes to HCI scholarship by expanding the concept of data protection as a complex sociotechnical design problem shaped by the informal infrastructures of the Global South.

When Data Protection Fails to Protect: Law, Power, and Postcolonial Governance in Bangladesh

Abstract

Rapid digitization across government services, financial platforms, and telecommunications has intensified the collection and processing of large scale personal data in Bangladesh. In response, the state has introduced multiple regulatory instruments, including the Personal Data Protection Ordinance, the Cyber Security Ordinance, and the National Data Governance Ordinance in 2025. While these initiatives signal an emerging legal regime for data protection, little scholarly work examines how these frameworks operate collectively in practice. This paper presents a legal and institutional analysis of Bangladeshs emerging data protection regime through a systematic review of these three ordinances. Through this review, the paper provides an integrated mapping of Bangladeshs evolving data protection framework and identifies key legal and institutional barriers that undermine the effective protection of citizens personal data. Our findings reveal that this emerging regime is constrained by limited institutional independence, uneven regulatory capacity, and the misaligned legal assumption of individualized, autonomous data subjects. Furthermore, these frameworks invisibilize prevalent sociotechnical layers, such as informal data flows and mediated access via human bridges, rendering formal protections difficult to operationalize. This paper contributes to HCI scholarship by expanding the concept of data protection as a complex sociotechnical design problem shaped by the informal infrastructures of the Global South.
Paper Structure (26 sections, 2 figures)

This paper contains 26 sections, 2 figures.

Table of Contents

  1. Introduction
  2. Background
  3. Privacy, Data Protection and AI Systems
  4. Data Protection and Governance
  5. Methodology
  6. Data Collection
  7. Data Analysis
  8. Development of Structural Failure Logics
  9. Findings
  10. Authority, Discretion, and the Fragility of Rights
  11. Regulator Independence as a Structural Constraint
  12. State Exemptions and Executive Overrides
  13. Surveillance Stack Interaction Risk
  14. Infrastructural and Institutional Limitations
  15. “Digital-by-design” rights, analog-by-reality institutions
  16. ...and 11 more sections

Figures (2)

  • Figure 1: Figure 1 models the structural failure logics of Bangladesh’s data protection regime. Rather than a single point of breakdown, failure emerges from the interaction of three systemic conditions: (1) unconstrained state authority that enables parallel access pathways, (2) weak institutional and infrastructural capacity that renders enforcement non-operational, and (3) a fundamental mismatch between individualized rights in law and socially mediated data practices in reality. Together, these conditions produce a regime in which data protection remains largely symbolic rather than a meaningful operational safeguard.
  • Figure 2: It illustrates the mismatch between formal data protection logics and their operational reality. Figure 2a shows the legal fiction of direct, rights-based interaction between an autonomous data subject and the data protection framework. Figure 2b demonstrates how this pathway breaks in practice: human intermediaries ("human bridges") and mediated access infrastructures intervene, collapsing consent, weakening accountability, and exposing data to unregulated flows. Consequently, data becomes vulnerable prior to, and often outside the reach of, formal legal protections.