There are no statutes that expressly allow the collection and processing of identification information.

The CA 2023 came into force in full on 18 September 2023 repealing the Digital Security Act 2018. The provisions of the CA 2023 closely mirror those of the Digital Security Act 2018, with the only modifications being a decrease in penalties for specific offenses. Section 26 of the CA 2023 has been drafted in very wide terms. The contents of this provision would appear to provide, inter alia, that if anyone without lawful authority collects, sells, keeps possession of, supplies or uses identification information of another person, it would constitute an offence¹. The punishment for violation of Section 26 of the CA 2023 is imprisonment of a term not exceeding two years or a fine not exceeding Taka 5,00,000 (approx. US$ 4,545 as of 3 January 2023 ) or both.

Please note that the CA 2023 does not contain any exceptions to the Section 26 requirement. However, identification information may be, among other things, collected and stored by a person if he has lawful authority. The term "lawful authority" has not been defined in the CA 2023. The Government of Bangladesh has not yet issued any clarification as to what would constitute 'lawful use' and has provided no guidance on what would satisfy the 'lawful authority' requirement. It is for these reasons (among others) that the legislation has been widely criticised.

In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store such identification information.