The Bangladesh government’s draft Cybersecurity Ordinance 2024 has reignited debates around digital rights and governance. Intended to strengthen cybersecurity and fight crime in cyberspace, the order has been heavily criticized for its vague provisions, unchecked powers and lack of guarantees against misuse. Many experts say that in some ways the proposed law is more regressive than its predecessors, including the Digital Security Act, the Cybersecurity Act and the ICT Act.

Scope and Intent of the Order

The draft ordinance is structured into nine chapters and 52 sections, covering a wide range of issues such as preventive measures, crimes and sanctions, as well as the establishment of the National Cybersecurity Agency and the National Cybersecurity Council. Cyberspace is defined broadly, encompassing digital networks, telecommunications systems and physical infrastructure. The stated goal is to ensure cybersecurity, protect digital assets and prosecute cybercrimes. While the bill attempts to rationalize non-bailable offenses and claims to protect individual liberties and freedom of expression, critics point to significant gaps and ambiguities.

Vague provisions and broad discretionary powers

One of the most controversial aspects of the order is the broad authority it grants to the director general of the National Cybersecurity Agency. Under clause (8), the Director General can request the Bangladesh Telecommunications Regulatory Commission (BTRC) to remove or block information deemed harmful, with the BTRC empowered to act in “appropriate cases”. Critics argue that the term “appropriate cases” is not defined, leaving room for subjective interpretations and potential misuse to suppress dissent.

The order also entrusts the National Cybersecurity Council, chaired by the head of state and supported by the government and intelligence agencies, with decision-making powers regarding the “development of cybersecurity”. However, the lack of clarity on what constitutes “cybersecurity development” raises concerns about overreach and liability. Provisions for data collection for “global threat intelligence” further exacerbate fears, as they lack procedural safeguards and could facilitate surveillance and repression under the guise of regional and international cooperation.

Structural gaps and enforcement issues

Several structural weaknesses of the project have been identified, particularly with regard to censorship, surveillance and the consolidation of state power. Section (36) authorizes warrantless searches, seizures and arrests, requiring reports to be submitted to a court, but without a defined time limit. This lack of reporting deadline increases the risk of harassment and abuse by the authorities. Similarly, paragraph (3) of Article (48) allows for the confiscation of legitimate digital materials if found alongside prohibited content, a provision that critics say could unfairly shut down businesses or organizations.

The order fails to address the growing threats posed by artificial intelligence, particularly in crimes involving deepfake technology, where victims’ voices, images and videos are manipulated to cause harm. It also lacks provisions to protect whistleblowers, leaving those who report cybercrimes vulnerable to retaliation. Additionally, the draft does not require organizations to notify customers or the public after cyberattacks, even when citizens’ data, finances, or digital assets are compromised.

Symbolic clauses and unrealistic guarantees

One provision grants citizens the right to 24/7 Internet access, a seemingly progressive step. However, experts say the clause is largely symbolic, as existing laws allow for state-sanctioned grid disruptions. Without addressing the legal framework that allows such interference, the guarantee is deemed unrealistic and unrealistic.

Criticism of the legislative process

The government’s decision to give the public only three days to respond to the draft order has drawn widespread criticism. Stakeholders deplore the lack of meaningful dialogue and transparency, calling the process disrespectful of citizens’ rights to participate in the development of legislation that affects their digital rights. This rushed approach reflects badly on the government’s commitment to reform and undermines confidence in its intentions.

Neglected critical sectors

The order neglects key sectors vulnerable to cyberattacks, including transportation and healthcare, which are essential to public safety. Experts recommend including the ministries responsible for these sectors in the Cybersecurity Council to ensure comprehensive protection against potential threats.

A step forward or a step back?

While the order addresses some of the weaknesses of its predecessors, such as the attempt to streamline non-bailable offenses, it retains and introduces provisions that raise serious concerns about civil liberties and digital rights. The lack of transparency, the absence of procedural guarantees and the broad discretionary powers granted to the authorities make the ordinance a potential tool of abuse rather than protection.

Critics point to the need for substantial amendments to ensure the order complies with global standards on digital rights and cybersecurity. Without these changes, the Cybersecurity Ordinance 2024 risks perpetuating the same problems that have plagued Bangladesh’s digital governance for years, leaving citizens vulnerable to state surveillance, censorship, and overreach.