Bangladesh’s recently enacted data protection law does not include a mandatory breach notification provision, as highlighted by a recent report following the Shwapno supermarket ransom case that exposed data of forty lakh registered customers. The report from The Daily Star in Bangladesh pointed out that the public sale of the final voter list for the country’s 13th parliamentary election on Facebook revealed deficiencies in the law’s enforcement mechanisms.
An investigation by Dismislab uncovered numerous Facebook posts and paid ads offering the voter register for sale, containing sensitive information such as names, voter numbers, parents’ names, dates of birth, occupations, and addresses, priced between 30 taka and 250 taka. According to the report, a payment of 250 taka to a bKash number could grant access to a Google Drive folder categorized by division, constituency, and area, with no clear accountability for the breach.
Experts noted that Bangladesh’s data protection framework lacks a mandatory breach-notification requirement and entrusts enforcement to an entity without the necessary statutory independence and investigative authority to hold influential public or private entities responsible. The report emphasized that the law was crafted inadequately for a changing landscape and enforcement was delegated to an entity incapable of fully scrutinizing the government that established it.
In an earlier development in 2026, the Election Commission confirmed that five organizations with authorized API access to the NID system, including the Directorate General of Health Services, a major bank, and the Chittagong Port Authority, had exposed data to third parties. The report argued that the data breach at Shwapno supermarket was a result of the company amassing detailed customer behavioral data over years and storing it without sufficient safeguards. Despite facing a ransom demand, the company was not legally obligated to inform the affected individuals, as per the media report.
