Bangladesh

Domestic law and policy

Bangladesh does not currently have a comprehensive legal framework for its digital ID system.[39]The National Identity Registration Act (NIR Act), enacted in September 2023 includes plans to switch management and implementation of the NID system from the Election Commission to the Home Ministry. However, this transition has raised concerns that doing so would not be effective.[40] Election Commission officials, who believe the 2023 NIR Act should be canceled, have argued that it has had jurisdiction over the system for over a decade, meaning that it has the manpower and experience to operate it where the Home Ministry does not and that switching the system would be financially burdensome.[41] With increasing opposition from civil society and the Election Commission, the interim government repealed the NIR Act on 16th of January, 2025.[42]

In absence of the NIR Act, the National Identity Registration Act (2010) remains the primary legislation governing the NID system.[43]

The 2010 NIR Act provides that only citizens who are registered voters can obtain an NID card, and that not having a national ID card shall not infringe on the rights of citizens.[44] While this is a positive safeguard against exclusion for citizens, it does not prevent exclusion or protect the rights of stateless persons who do not have access to the digital ID system in Bangladesh and therefore, are unable to access the services attached to it.[45] To improve Bangladesh’s legal framework on digital ID, existing legislation should “be amended to include all significant facets of the ID system”.[46] To achieve this, the legislation should reflect mechanisms for addressing grievances, guidelines for government bodies and potential private actors, and details of “the rights and obligations of data subjects and administrators”.[47]

Data Protection

Under the 2010 NIR Act, biometric information collected for the voter ID database included fingerprints, hand geometry, palm prints, iris scans, facial recognition, DNA, signature, and voice.[48] The collection of DNA specifically has been widely criticized as “unjustifiable risks to privacy and discrimination,” going outside of the necessary means to achieve the purposes of the system. [49]

Currently there is no data protection law enacted in Bangladesh. The draft of the Personal Data Protection Act (PDPA) (2024), which was approved by the cabinet in November 2023 but did not get enacted, was criticized by civil society for failing to ensure the protection of personal data.[50] Rather than prioritizing the privacy and rights of users, the draft “continued to be a potential tool to legalize control of personal data by the Government”, creating space for increased government surveillance.[51]For instance, the draft Act included a list of exemptions for the protection of personal data including “for the prevention or detection of crime or for the purpose of investigations”.[52]This would have allowed for access to personal data with no “judicial controls or oversight, or without the requirement to provide justification for” access to the data, which raises serious data privacy concerns for data subjects.[53]In 2025, the Interim Government currently proposed another draft Data Protection Ordinance, 2025 which still contains vague and an expanded definition of “data fiduciary”,[54]continuing to provide discretionary powers to the National Data Governance and Interoperability Authority,[55]and suggesting a lack of judicial oversight over different government entities accessing personal data which could lead into potential misuse of personal data.[56]The wide scope delineated for the potential use of personal data by the government, as stipulated under section 28 [57]has raised concerns that the government will have unchecked and arbitrary access to personal data which could be used to control dissent.[58]In order to improve the protective elements of the legislation, the purpose of the law should clearly be to ensure rights are upheld rather than to create room for greater government control over personal data.[59]Further, in order to access data, judicial approval should be mandatory for access requests.[60].

In July 2023, 50 million Bangladeshi citizens’ personal data, including names, phone numbers, emails and national ID numbers, collected in the NID database were breached and publicly accessible on one of the websites of the 171 government partner organizations that use the data.[61]After two weeks of the data being accessible, the Bangladeshi government secured the website and database.[62]The data was reportedly leaked from Bangladesh’s Birth and Death Registration Information System.[63]In October 2023, another data breach occurred, with users’ names, parents names, gender, phone number, addresses, NID numbers, and other data made publicly available through a Telegram bot, which threatened some users’ personal safety.[64]To prevent this, information, communication and technology experts recommended that the Election Commission consistently surveil the 174 organization websites which use the NID server as well as regularly “conduct vulnerability and penetration assessments”.[65]Concerns have been raised by the former Election Commission Secretary, Shafiul Azim, that users’ data may be breached during the transition of the NID system from the Election Commission to the Home Ministry.[66]

International Commitments

As a party to the ICCPR, Bangladesh is obligated to protect the right to freedom of movement [67], which has not been upheld in the case of requiring NID cards in order to purchase rail tickets.[68]Similarly, the disproportionately low rates of birth registration among the Rohingya community [69]goes against the protection of the right of every child to be registered at birth under Article 24 of the ICCPR, which Bangladesh is a party to.[70]Consequently, since the laws related to digital ID are still under the parliamentary process, it is imperative that Bangladesh adheres to its human rights obligations under ICCPR, ICESCR, ICERD, CRC, and CEDAW .

References
54.^

Personal Data Protection Ordinance, 2025 (Draft), Section 2 (d) <https://ictd.portal.gov.bd/sites/default/files/files/ictd.portal.gov.bd/page/6c9773a2_7556_4395_bbec_f132b9d819f0/%E0%A6%AC%E0%A7%8D%E0%A6%AF%E0%A6%95%E0%A7%8D%E0%A6%A4%E0%A6%BF%E0%A6%97%E0%A6%A4%20%E0%A6%89%E0%A6%AA%E0%A6%BE%E0%A6%A4%E0%A7%8D%E0%A6%A4%20%E0%A6%B8%E0%A7%81%E0%A6%B0%E0%A6%95%E0%A7%8D%E0%A6%B7%E0%A6%BE%20%E0%A6%85%E0%A6%A7%E0%A7%8D%E0%A6%AF%E0%A6%BE%E0%A6%A6%E0%A7%87%E0%A6%B6%2C%E0%A7%A8%E0%A7%A6%E0%A7%A8%E0%A7%AB%20%E0%A6%8F%E0%A6%B0%20%E0%A6%87%E0%A6%82%E0%A6%B0%E0%A7%87%E0%A6%9C%E0%A6%BF%20%E0%A6%AD%E0%A6%BE%E0%A6%B0%E0%A7%8D%E0%A6%B8%E0%A6%A8%20%E0%A6%8F%E0%A6%B0%20%E0%A6%95%E0%A6%AA%E0%A6%BF%E0%A5%A4.pdf>

55.^

 Personal Data Protection Ordinance, 2025 (Draft), Section 2 (e)
<https://ictd.portal.gov.bd/sites/default/files/files/ictd.portal.gov.bd/page/6c9773a2_7556_4395_bbec_f132b9d819f0/%E0%A6%AC%E0%A7%8D%E0%A6%AF%E0%A6%95%E0%A7%8D%E0%A6%A4%E0%A6%BF%E0%A6%97%E0%A6%A4%20%E0%A6%89%E0%A6%AA%E0%A6%BE%E0%A6%A4%E0%A7%8D%E0%A6%A4%20%E0%A6%B8%E0%A7%81%E0%A6%B0%E0%A6%95%E0%A7%8D%E0%A6%B7%E0%A6%BE%20%E0%A6%85%E0%A6%A7%E0%A7%8D%E0%A6%AF%E0%A6%BE%E0%A6%A6%E0%A7%87%E0%A6%B6%2C%E0%A7%A8%E0%A7%A6%E0%A7%A8%E0%A7%AB%20%E0%A6%8F%E0%A6%B0%20%E0%A6%87%E0%A6%82%E0%A6%B0%E0%A7%87%E0%A6%9C%E0%A6%BF%20%E0%A6%AD%E0%A6%BE%E0%A6%B0%E0%A7%8D%E0%A6%B8%E0%A6%A8%20%E0%A6%8F%E0%A6%B0%20%E0%A6%95%E0%A6%AA%E0%A6%BF%E0%A5%A4.pdf>

57.^

 Personal Data Protection Ordinance, 2025 (Draft), Section 28.
<https://ictd.portal.gov.bd/sites/default/files/files/ictd.portal.gov.bd/page/6c9773a2_7556_4395_bbec_f132b9d819f0/%E0%A6%AC%E0%A7%8D%E0%A6%AF%E0%A6%95%E0%A7%8D%E0%A6%A4%E0%A6%BF%E0%A6%97%E0%A6%A4%20%E0%A6%89%E0%A6%AA%E0%A6%BE%E0%A6%A4%E0%A7%8D%E0%A6%A4%20%E0%A6%B8%E0%A7%81%E0%A6%B0%E0%A6%95%E0%A7%8D%E0%A6%B7%E0%A6%BE%20%E0%A6%85%E0%A6%A7%E0%A7%8D%E0%A6%AF%E0%A6%BE%E0%A6%A6%E0%A7%87%E0%A6%B6%2C%E0%A7%A8%E0%A7%A6%E0%A7%A8%E0%A7%AB%20%E0%A6%8F%E0%A6%B0%20%E0%A6%87%E0%A6%82%E0%A6%B0%E0%A7%87%E0%A6%9C%E0%A6%BF%20%E0%A6%AD%E0%A6%BE%E0%A6%B0%E0%A7%8D%E0%A6%B8%E0%A6%A8%20%E0%A6%8F%E0%A6%B0%20%E0%A6%95%E0%A6%AA%E0%A6%BF%E0%A5%A4.pdf>

67.^

International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR) art 12.

69.^

Committee on the Elimination of Discrimination against Women, Concluding observations on the eighth periodic report of Bangladesh, 25 November 2016, CEDAW/C/BGD/CO/8, available at: https://tbinternet.ohchr.org/_layouts/15/treatybodyexternal/Download.aspx?symbolno=CEDAW%2FC%2FBGD%2FCO%2F8&Lang=en

70.^

 International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR) art 24.

Footer design