With the publication of the draft Personal Data Protection Ordinance (PDPO) and National Data Governance Ordinance (NDGO) in 2025, Bangladesh signalled its intent to regulate the digital frontier — joining a growing list of nations seeking to assert control over the flow of data and information. 

The ambition was clear: to protect citizens' privacy, assert data sovereignty, and build a legal framework for the age of AI. But ambition without architecture can lead to collapse. 

As critics — from civic technologists to global rights groups — have warned, the current drafts risk isolating Bangladesh from the very digital ecosystem it seeks to govern.

The PDPO mandates strict data localisation, requiring personal data to be stored within national borders unless explicit permission is granted. The NDGO asserts extraterritorial jurisdiction, claiming authority over foreign companies that process Bangladeshi data. 

Together, these laws introduce harsh penalties, vague definitions and sweeping surveillance powers. The result is a legal regime that may protect privacy in theory but undermine innovation, interoperability, and civic trust in practice.

This is not a rejection of regulation. It is a call for ethical architecture. Bangladesh must not choose between privacy and progress; it must choose civic interoperability — a framework that protects dignity, fosters innovation, and reflects the plural soul of the Global South.

To build that framework, we must look east, not west. Japan, South Korea, and Singapore offer ethical models of data governance that balance sovereignty with openness, consent with innovation, and law with civic trust.

Japan's Act on the Protection of Personal Information (APPI) is rooted in minimisation and transparency. It does not mandate data localisation. Instead, it allows cross-border transfers with contractual safeguards and sector-specific flexibility. 

Individuals have the right to access, correct, and delete their data, and companies are held accountable through clear breach-reporting rules. Japan's model shows that privacy need not be a fortress; it can be a bridge.

South Korea's Personal Information Protection Act (PIPA) emphasises consent and proportionality. It requires explicit consent for data collection but allows the use of behavioural data for safety and personalisation. 

The law mandates Chief Information Security Officers in major firms and enforces breach notifications. Korea's approach embeds ethics into operations — not just enforcement. It recognises that civic trust is built not only through punishment but through proactive stewardship.

Singapore's Personal Data Protection Act (PDPA) is anchored in trust and innovation. It permits cross-border data flows with contractual safeguards, promotes data portability, and encourages sectoral codes of practice. 

The law includes a Do Not Call Registry and empowers users to control how their data is used. Singapore's model shows that privacy can empower users, not restrict ecosystems.

These are not perfect laws, but they offer lessons in ethical pragmatism. They show that data protection need not come at the cost of participation. They offer a blueprint for the Global South — one that aligns with local cultures, plural ethics, and civic dignity.

Bangladesh must adapt these lessons to its own soil. That means recognising the communal, familial, and religious contexts in which consent operates. It means empowering local cooperatives, unions, and civic bodies to manage data — not just state or corporate actors. 

It means allowing contextual behavioural tracking for youth safety, with transparent opt-outs and cultural filters. And it means joining South–South dialogues to co-author ethical standards that reflect our realities, not merely replicate Silicon Valley.

The current draft laws do not reflect these principles. They risk turning privacy into isolation, sovereignty into surveillance, and protection into punishment. 

As Fahim Ahmed, CEO of Pathao, warned in a recent column, these laws could drive up costs, degrade service quality, and push global platforms to suspend operations in Bangladesh. That is not sovereignty; it is self-sabotage.

To avoid that fate, Bangladesh must reform its digital laws with civic clarity. That means:

These reforms are not technical tweaks; they are ethical pivots. They reflect a deeper truth: that privacy is not just a legal right — it is a civic relationship. It is the trust between citizen and state, between user and platform, between data and dignity.

The Global South must lead this ethical AI movement — not by replicating Silicon Valley, but by offering a different blueprint. One rooted in plural values, inclusive design, and civic safeguards. One that sees data not merely as a commodity, but as a mirror of our collective soul.

Bangladesh has the talent, the urgency, and the civic imagination to lead this movement. But it must act now. The servers of the future are humming. The laws that govern them must not silence the voices of the South.

Privacy without isolation. Sovereignty without surveillance. Innovation without exclusion. That is the civic blueprint we must write — together.

Sahadat Hossain is an ICT entrepreneur, business strategist and creative writer

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.

ICT