This study examines Bangladesh’s 2025 data protection legislation, arguing that its three newly enacted laws fail to effectively safeguard citizens’ data due to a fundamental misalignment between institutional design and the country’s sociotechnical realities. Through systematic legal text analysis and institutional critique, complemented by a human-computer interaction (HCI) lens, the paper reconceptualizes data protection as a sociotechnical challenge shaped by informal infrastructures prevalent in the global South—thereby challenging dominant, individual-centric legal paradigms. The research identifies critical constraints in Bangladesh’s data governance framework, including insufficient regulatory independence, uneven enforcement capacity, and a systemic neglect of informal data flows. These factors collectively undermine the implementation of formal mechanisms, offering a critical theoretical framework and practical insights for data governance in other global South contexts.

Rapid digitization across government services, financial platforms, and telecommunications has intensified the collection and processing of large scale personal data in Bangladesh. In response, the state has introduced multiple regulatory instruments, including the Personal Data Protection Ordinance, the Cyber Security Ordinance, and the National Data Governance Ordinance in 2025. While these initiatives signal an emerging legal regime for data protection, little scholarly work examines how these frameworks operate collectively in practice. This paper presents a legal and institutional analysis of Bangladeshs emerging data protection regime through a systematic review of these three ordinances. Through this review, the paper provides an integrated mapping of Bangladeshs evolving data protection framework and identifies key legal and institutional barriers that undermine the effective protection of citizens personal data. Our findings reveal that this emerging regime is constrained by limited institutional independence, uneven regulatory capacity, and the misaligned legal assumption of individualized, autonomous data subjects. Furthermore, these frameworks invisibilize prevalent sociotechnical layers, such as informal data flows and mediated access via human bridges, rendering formal protections difficult to operationalize. This paper contributes to HCI scholarship by expanding the concept of data protection as a complex sociotechnical design problem shaped by the informal infrastructures of the Global South.