Bangladesh data protection law fails on breach notification, report finds

Share:
Audio Loading voice…
Bangladesh data protection law fails on breach notification, report finds

Synopsis

Bangladesh's data protection law has no mandatory breach notification clause — and the enforcement body it created cannot fully investigate the government that made it. With 40 lakh Shwapno customers exposed and voter data from the 13th parliamentary election selling on Facebook for 30 taka, the law's gaps are no longer theoretical.

Key Takeaways

Bangladesh's data protection law contains no mandatory breach notification requirement , according to a report by The Daily Star .
Data from the 13th parliamentary election voter list was found on Facebook , priced between 30 taka and 250 taka , in a Dismislab investigation.
The Shwapno supermarket ransomware case compromised data of 40 lakh registered customers ; the company had no legal obligation to notify them.
The Bangladesh Election Commission confirmed in 2026 that five organisations with NID system API access — including the Directorate General of Health Services and Chittagong Port Authority — leaked data to third parties.
Analysts warn the enforcement body lacks the statutory independence to investigate the very government that created it.

Bangladesh's newly enacted data protection legislation contains no mandatory breach notification requirement — a critical gap that has come into sharp focus following the Shwapno supermarket ransomware case, which reportedly compromised personal data of 40 lakh registered customers, according to a new report by The Daily Star. The findings raise serious questions about the country's ability to safeguard citizen data at a time when sensitive electoral and identity records are being traded openly online.

Voter Data Sold Openly on Facebook

A Dismislab investigation uncovered hundreds of Facebook posts and paid advertisements offering Bangladesh's final voter list for the 13th parliamentary election — available for as little as 30 taka and as much as 250 taka. The data on offer included names, voter numbers, parents' names, dates of birth, occupations, and permanent addresses.

'A 250 taka payment to a bKash number could get you access to a Google Drive folder organised by division, constituency, and area,' the report noted, adding that no one appeared to know who was legally accountable for the breach.

Enforcement Body Lacks Statutory Independence

Analysts cited in the report argue that Bangladesh's data protection framework assigns enforcement to a body that lacks the statutory independence and investigatory reach needed to hold powerful public or private actors accountable. The report put it bluntly: 'Bangladesh drafted an imperfect law for a shifting scenario. Then, it handed enforcement to a body that, by its own statute, cannot fully investigate the government that created it.'

This structural conflict of interest means that even when breaches are confirmed, the enforcement mechanism is ill-equipped to pursue accountability up the chain.

Election Commission Confirms API Leaks

Earlier in 2026, the Bangladesh Election Commission confirmed that five organisations with legitimate API access to the National Identity (NID) system — including the Directorate General of Health Services, a major bank, and the Chittagong Port Authority — had leaked data to third parties. The disclosure underscores that the vulnerability is not confined to private sector actors; it runs through state-adjacent institutions as well.

The Shwapno Case: A Test the Law Failed

The Shwapno supermarket data leak is particularly illustrative. According to the report, the company had accumulated years of detailed behavioural data on millions of customers and stored it without adequate protection. When a ransom demand arrived, Shwapno had no legal obligation under the current framework to notify the affected customers — and reportedly did not do so. The absence of a mandatory breach notification clause means victims may never know their data has been compromised.

What the Gap Means Going Forward

The combination of weak enforcement architecture, no breach notification mandate, and state-linked data leaks paints a troubling picture for Bangladeshi citizens ahead of a critical electoral cycle. Analysts argue that without legislative amendments to introduce notification requirements and grant the enforcement body genuine independence, the law risks being little more than a paper shield. How Bangladesh responds — and how quickly — will determine whether its data protection regime can keep pace with the scale of its digital exposure.

Point of View

Stored carelessly, and when breached, neither the law nor the regulator compels disclosure. The voter data market on Facebook is not a loophole — it is the logical outcome of a framework designed without teeth. Bangladesh's digital governance credibility, particularly ahead of a major election, now depends on whether legislators are willing to amend what they have already passed.
NationPress
8 Jul 2026

Frequently Asked Questions

What is the key flaw in Bangladesh's data protection law?
The law contains no mandatory breach notification requirement, meaning companies and institutions that suffer data breaches are not legally obligated to inform affected citizens. Analysts also note that the enforcement body lacks the statutory independence to investigate powerful public or private actors.
What is the Shwapno supermarket data leak?
The Shwapno supermarket data breach involved a ransom demand targeting the company, which had stored years of detailed behavioural data on millions of customers without adequate protection. Because Bangladesh's law has no breach notification mandate, the company had no legal obligation to alert the 40 lakh registered customers whose data was reportedly compromised.
How is Bangladesh's voter data being sold online?
A Dismislab investigation found hundreds of Facebook posts and paid advertisements offering the final voter list for Bangladesh's 13th parliamentary election. The data — including names, voter numbers, dates of birth, and addresses — was being sold for between 30 taka and 250 taka, with buyers receiving access via a Google Drive folder.
Which organisations leaked NID system data in Bangladesh?
The Bangladesh Election Commission confirmed in 2026 that five organisations with legitimate API access to the National Identity system had leaked data to third parties. These included the Directorate General of Health Services, a major bank, and the Chittagong Port Authority.
Why can't Bangladesh's data enforcement body hold the government accountable?
According to the report, the enforcement body created under Bangladesh's data protection law lacks the statutory independence and investigatory reach to pursue the government that established it. This structural conflict means state-linked data breaches may effectively go unpunished under the current framework.
Nation Press
The Trail

Connected Dots

Tracing the thread behind this story — newest first.

8 Dots
  1. Latest 2 weeks ago
  2. 1 month ago
  3. 2 months ago
  4. 4 months ago
  5. 4 months ago
  6. 4 months ago
  7. 4 months ago
  8. 7 months ago
Google Prefer NP
On Google