Bangladesh data protection law fails on breach notification, report finds
Synopsis
Key Takeaways
Bangladesh's newly enacted data protection legislation contains no mandatory breach notification requirement — a critical gap that has come into sharp focus following the Shwapno supermarket ransomware case, which reportedly compromised personal data of 40 lakh registered customers, according to a new report by The Daily Star. The findings raise serious questions about the country's ability to safeguard citizen data at a time when sensitive electoral and identity records are being traded openly online.
Voter Data Sold Openly on Facebook
A Dismislab investigation uncovered hundreds of Facebook posts and paid advertisements offering Bangladesh's final voter list for the 13th parliamentary election — available for as little as 30 taka and as much as 250 taka. The data on offer included names, voter numbers, parents' names, dates of birth, occupations, and permanent addresses.
'A 250 taka payment to a bKash number could get you access to a Google Drive folder organised by division, constituency, and area,' the report noted, adding that no one appeared to know who was legally accountable for the breach.
Enforcement Body Lacks Statutory Independence
Analysts cited in the report argue that Bangladesh's data protection framework assigns enforcement to a body that lacks the statutory independence and investigatory reach needed to hold powerful public or private actors accountable. The report put it bluntly: 'Bangladesh drafted an imperfect law for a shifting scenario. Then, it handed enforcement to a body that, by its own statute, cannot fully investigate the government that created it.'
This structural conflict of interest means that even when breaches are confirmed, the enforcement mechanism is ill-equipped to pursue accountability up the chain.
Election Commission Confirms API Leaks
Earlier in 2026, the Bangladesh Election Commission confirmed that five organisations with legitimate API access to the National Identity (NID) system — including the Directorate General of Health Services, a major bank, and the Chittagong Port Authority — had leaked data to third parties. The disclosure underscores that the vulnerability is not confined to private sector actors; it runs through state-adjacent institutions as well.
The Shwapno Case: A Test the Law Failed
The Shwapno supermarket data leak is particularly illustrative. According to the report, the company had accumulated years of detailed behavioural data on millions of customers and stored it without adequate protection. When a ransom demand arrived, Shwapno had no legal obligation under the current framework to notify the affected customers — and reportedly did not do so. The absence of a mandatory breach notification clause means victims may never know their data has been compromised.
What the Gap Means Going Forward
The combination of weak enforcement architecture, no breach notification mandate, and state-linked data leaks paints a troubling picture for Bangladeshi citizens ahead of a critical electoral cycle. Analysts argue that without legislative amendments to introduce notification requirements and grant the enforcement body genuine independence, the law risks being little more than a paper shield. How Bangladesh responds — and how quickly — will determine whether its data protection regime can keep pace with the scale of its digital exposure.