Bangladesh’s Cross-Border Data Transfer Regulation
The Framework
Bangladesh is preparing to adopt its Personal Data Protection Act (PDPA), which would restrict the transfer of personal data outside the country without government approval.[1] The draft law calls for a Data Protection Office (DPO) to oversee data governance and enforce safeguards for cross-border data flows, requiring “adequate protection” in recipient countries.[2] Certain sensitive or nationally important data may be subject to local storage mandates. Although not yet enacted, related regulations from the Bangladesh Telecommunication Regulatory Commission (BTRC) already impose limits on how foreign firms handle telecom and consumer data, signaling a growing trend toward data localization.
Implications for U.S. Technology Leadership
Bangladesh’s draft data protection framework reflects a growing trend toward data localization as a substitute for modern digital governance, posing structural challenges for U.S. technology firms. By restricting cross-border data flows without a clear adequacy mechanism or streamlined approvals, the policy would force U.S. companies to either deploy expensive local infrastructure or limit services, particularly difficult in a market that, while promising, may not justify such operational overhead. These kinds of requirements create legal uncertainty, raise the cost of doing business, and diminish the scalability that underpins most digital service models.
More fundamentally, localization mandates are based on a misguided belief that data security and sovereignty are determined by storage location, rather than legal agreements, technical standards, and institutional capacity.[3] U.S. firms operating across jurisdictions already manage compliance through robust security frameworks and legal processes. Forcing firms to fragment their infrastructure or comply with ambiguous domestic access rules not only discourages investment but also undermines the competitiveness of open, interoperable systems. As more emerging markets adopt rigid localization models, the U.S. risks losing ground in shaping global data governance and enabling its firms to lead in digital innovation.
Endnotes
[1] Government of Bangladesh, Data Protection Bill, 2022 (Unofficial Working Draft), July 16, 2022, https://ictd.portal.gov.bd/sites/default/files/files/ictd.portal.gov.bd/page/6c9773a2_7556_4395_bbec_f132b9d819f0/Data%20Protection%20Bill%20en%20V13%20Unofficial%20Working%20Draft%2016.07.22.pdf.
[2] Ibid.
[3] Nigel Cory, Luke Dascoli, and Ian Clay, The Cost of Data Localization Policies in Bangladesh, Hong Kong, Indonesia, Pakistan, and Vietnam (ITIF, December 12, 2022), https://itif.org/publications/2022/12/12/the-cost-of-data-localization-policies-in-bangladesh-hong-kong-indonesia-pakistan-and-vietnam/.
