Analyzing Dhaka's AI Content Crackdown Through the Lens of Global Regulation, Press Freedom History, and the Deepfake Governance Challenge

Analysis | June 2026

The Announcement in Parliament

On June 8, 2026, Bangladesh's Home Minister Salahuddin Ahmed rose in the Jatiya Sangsad to announce what he framed as a necessary evolution of the country's digital security architecture. The government, he said, had that very morning begun drafting amendments to the Cyber Security Act — to be renamed the Cyber Security Act, 2026 — to address the rapid proliferation of harmful AI-generated content on social media platforms. The new law would redefine misinformation and defamatory content, introduce stricter penalties, empower the Bangladesh Telecommunication Regulatory Commission (BTRC) and other agencies to block content and demand user data from platforms, and impose mandatory takedown timelines on international technology companies, including Meta.

The trigger was real. Between 2024 and 2026, fact-checking organizations documented a tenfold increase in AI-generated political disinformation in Bangladesh, with over 800 synthetic political videos identified in the six weeks preceding the parliamentary election alone, produced through coordinated networks using commercially available generative AI tools at negligible cost. The minister specifically cited AI-generated fabricated images, videos, and audio targeting the prime minister, her family, and other prominent figures as a primary driver of the reform.

The problem is genuine. The solution proposed raises serious questions.

The Regulatory History That Haunts This Announcement

Bangladesh has the misfortune of approaching a legitimate governance challenge — AI-generated disinformation — with legislation whose predecessors have a documented record of being weaponized against the very people they were supposedly designed to protect.

The lineage is important. The Information and Communications Technology Act of 2006 was used to arrest a 15-year-old schoolboy for a Facebook post about telephone charges. The Digital Security Act of 2018 — which replaced it — was applied predominantly against journalists and opposition politicians rather than organized disinformation actors. A 2025 report by the Clooney Foundation for Justice and the Centre for Governance Studies analyzed 222 cases involving 396 journalists prosecuted under the DSA, documenting its systematic use as a tool of harassment and intimidation. Scholars studying the pattern noted that the country's principal cybercrime instruments had been "applied predominantly against journalists and opposition politicians rather than organised disinformation actors — a misuse pattern that renders further reliance on criminal law both constitutionally precarious and democratically counterproductive."

The Cyber Security Act of 2023 — which replaced the DSA — attracted immediate criticism for retaining the most problematic provisions of its predecessor. Article 19 and Transparency International Bangladesh described the law as an attack on freedom of expression. It was ultimately repealed in May 2025 and replaced by the Cyber Safety Ordinance 2025, which earned cautious praise for introducing AI-specific cybercrime provisions — the first in South Asia — while eliminating clauses that had criminalized criticism of the Liberation War, Bangabandhu Sheikh Mujibur Rahman, and national symbols. The Ordinance also affirmed citizens' right to uninterrupted internet access.

Now, barely a year after that reform, a new layer of legislation is being proposed — and the framing of the Home Minister's announcement should give pause to anyone who has watched this cycle play out before. The minister explicitly cited defamatory content targeting the prime minister and her family as a primary justification. The proposed law would empower not just courts but regulatory agencies — the BTRC and undefined "other authorised agencies" — to block content and demand user data without specifying the judicial safeguards that would constrain that power.

The AI Disinformation Problem Is Real — and Globally Recognized

To be clear: the underlying concern is legitimate and urgent. Bangladesh is not alone in facing it.

Globally, deepfake incidents surged 257% in 2024, with the first quarter of 2025 alone producing more incidents than the entire previous year. The financial and political damage is documented and growing: engineering firm Arup lost $25 million in January 2024 when an employee was deceived by a deepfaked CFO and AI-generated colleagues on a video call authorizing 15 wire transfers. Political deepfakes have targeted leaders across the globe, from EU member states to India to sub-Saharan Africa.

The international regulatory response has been substantial. The most important frameworks include:

The EU AI Act, which becomes fully applicable on August 2, 2026, introduces the most comprehensive framework globally. Its Article 50 requires that AI-generated content be marked in machine-readable, detectable, and interoperable formats, enabling identification of deepfakes and AI-generated text on matters of public interest. Penalties for serious violations can reach up to 6% of a company's global turnover. The EU's approach is technology-focused: mandate labeling and transparency rather than criminalizing content.

The US TAKE IT DOWN Act (Public Law 119-12), signed in May 2025, criminalizes the publication of non-consensual intimate deepfakes with penalties up to three years imprisonment for cases involving minors, and requires platforms to remove flagged content within 48 hours of a valid takedown notice. At the state level, 46 states have enacted deepfake legislation. The US approach combines criminal liability for perpetrators with platform-level takedown duties.

China's approach is the one Bangladesh appears most drawn to institutionally — a "control-first" model requiring that AI-generated content carry visible watermarks and invisible encrypted metadata, creating a closed loop in which all AI content is trackable. China mandates real-name verification for AI content platforms and gives regulators broad blocking authority. This is the "24-hour removal" model the Home Minister referenced when citing "neighbouring countries."

Denmark has taken a rights-based approach, amending its copyright law to treat a person's likeness — face, voice, body — as intellectual property, giving individuals the right to demand takedown of AI-generated imitations created without consent. This places citizens, not the state, as the primary complainants.

The critical distinction across these models is who the law primarily empowers: the citizen (EU, Denmark, US), or the state (China, and, implicitly, Bangladesh's proposed framework).

The Takedown Timeline Question: 24 Hours Is a Policy Choice, Not a Technical Necessity

The minister's comparison to countries requiring Meta to act within 24 hours deserves scrutiny. The EU's Digital Services Act and the US TAKE IT DOWN Act both set 48-hour windows — not 24 — for content removal following valid notices. The 24-hour threshold appears to reference models closer to India's IT Rules 2021 or Indonesia's regulatory framework, both of which have themselves been criticized by digital rights organizations as enabling state-driven content suppression under the guise of platform accountability.

The window matters because shorter mandatory removal timelines incentivize over-removal: platforms facing liability for non-compliance in tight windows will err on the side of taking down content even when it is contested, rather than risk regulatory penalty. In environments where defamation is broadly defined — and in Bangladesh, the proposed amendment would expand that definition — this creates structural pressure toward the suppression of legitimate political speech.

The EU's framework addresses this through careful procedural design: removal obligations apply to clearly illegal content (CSAM, terrorist content, NCII deepfakes), while disputed speech cases go through appeal mechanisms and independent oversight bodies. The proposed Bangladeshi framework — which would empower the BTRC and unspecified agencies to block content and demand user data — contains no visible equivalent safeguard.

The Platform Compliance Architecture: What Bangladesh Is Really Asking

Compelling Meta and other platforms to comply with national content takedown laws raises a fundamental question of global platform governance. Meta, X, YouTube, and TikTok do operate country-specific compliance frameworks — they respond to valid legal demands across jurisdictions. But these systems function best when the underlying laws meet international human rights standards for legality, necessity, and proportionality.

The UN Guiding Principles on Business and Human Rights and the Global Network Initiative — frameworks that major platforms have nominally adopted — specify that companies should only comply with government takedown requests that meet those standards, and should push back on requests that do not. In practice, platforms in markets the size of Bangladesh face commercial and regulatory pressure that makes principled resistance difficult. The result is that broadly drafted national laws tend to produce broad private censorship, without the accountability of either a court order or a public record.

Bangladesh's proposed framework would give the BTRC the authority to demand user data from platforms — raising additional concerns under data protection principles given that Bangladesh's draft Personal Data Protection Act remains unenacted. There is no independent data protection authority, no clearly defined data subject rights, and no limitation on secondary use of data obtained by regulators.

What Good AI Governance Looks Like for Bangladesh

The genuine regulatory challenge Bangladesh faces is not, ultimately, about Meta's response time. It is about building institutions and legal frameworks capable of distinguishing between:

Harmful AI-generated content — fabricated CSAM, non-consensual intimate imagery, coordinated political disinformation designed to deceive — which deserves robust enforcement responses.

Contested political speech — criticism, satire, opposition commentary, investigative journalism — which has historically been the primary target of Bangladesh's cybersecurity laws and which the proposed amendments risk sweeping up again.

Several design principles separate effective from abusive AI content regulation:

Judicial authorization for blocking and user data demands, rather than unilateral agency action. No democratic framework of comparable ambition — not the EU's DSA, not the US TAKE IT DOWN Act, not India's revised IT Rules — allows executive agencies to compel platform data disclosure without judicial oversight.

Narrow, precise definitions of prohibited AI-generated content, focusing on verifiable harm (fabricated CSAM, demonstrably fraudulent identity claims, NCII) rather than vague categories like "defamatory" or "misleading," which courts have historically applied expansively.

Complaint-driven, citizen-empowering models rather than state-initiated blocking authority. The EU and Danish approaches put the harmed individual at the center of enforcement, not the regulatory agency.

Mandatory transparency on removals — platforms should be required to publish government takedown requests, volumes, and compliance rates so that independent civil society can monitor abuse.

Enact the Personal Data Protection Act before expanding state authority to demand user data. Platform compliance with data requests is meaningless as a safeguard if users have no enforceable data rights against the requesting authority.

Deepfake detection investment — the technical capacity to identify synthetic media must precede criminal enforcement, otherwise broad laws will be applied to unverified claims. Bangladesh's National Cyber Security Council and forensic laboratories need resourcing commensurate with the mandate.

The Gambling Law and Narcotics Provisions: Context for a Broader Agenda

The minister's announcement also covered two ancillary legislative proposals: a new gambling law to replace the Gambling Act of 1867 — addressing online betting alongside offline offenses — and amendments to the Narcotics Control Act strengthening the Department of Narcotics Control.

These are legitimate regulatory updates. Online gambling has grown rapidly across South Asia, creating money laundering vulnerabilities (as Turkey's experience makes vivid) and consumer protection gaps that century-old colonial legislation cannot address. Bangladesh, like Uganda and Türkiye, is navigating the intersection of digital economic activity and regulatory frameworks designed for a pre-internet world. Updating both is overdue.

Their presence alongside the cybersecurity amendment in a single parliamentary package does, however, suggest a broader legislative agenda around digital social control — one where the AI content provisions are the politically most sensitive, and where the framing around the prime minister's family makes the free expression risk most visible.

Assessment: The Threat Is Real, The Tool Is Blunt

Bangladesh faces a genuine AI governance crisis. A tenfold increase in synthetic political disinformation ahead of elections is not a problem that can be wished away, and the demand for enforceable platform takedown mechanisms is not inherently unreasonable. The Home Minister is not wrong that Bangladesh's current legal framework lacks adequate enforcement mechanisms against organized AI-driven disinformation operations.

But the country is proposing to address that crisis with a legal instrument whose direct predecessors were systematically used to silence the press, persecute opposition figures, and criminalize teenage Facebook posts. The institutional memory of that abuse is less than two years old. The proposed expansion of BTRC blocking authority and platform data demands, without clearly specified judicial safeguards, is not a narrowly tailored anti-disinformation measure — it is a general-purpose censorship infrastructure with AI as its current justification.

The global regulatory frameworks that have emerged since 2024 — the EU AI Act's transparency mandates, the TAKE IT DOWN Act's targeted criminal provisions, Denmark's rights-based approach — offer Bangladesh a menu of better-designed alternatives. Each separates the genuine harm (synthetic media used to defraud or abuse) from the contested territory (political speech the government finds defamatory) through procedural safeguards Bangladesh's proposed framework conspicuously lacks.

If the Cyber Security Act 2026 is drafted with the care that the EU AI Act's five-year deliberative process embodied, Bangladesh has an opportunity to lead South Asia in genuine AI governance reform. If it is drafted with the speed its Home Minister implied — "this very morning we began" — it risks becoming the fourth iteration of a law that promises digital security and delivers digital control.

The technology is new. The pattern is not.

Sources: Bangladesh Parliament Proceedings, June 8, 2026; Dhaka Tribune; The Daily Star; The Business Standard; Clooney Foundation for Justice/CGS Press Freedom Report, 2025; ResearchGate — 'Between Criminalisation and Governance' (2026); bdnews24; EU AI Act and Official EU Commission Documentation; US TAKE IT DOWN Act (PL 119-12); Jones Walker LLP Deepfake Regulatory Analysis; New Age Bangladesh; The Financial Express Bangladesh.