Storing biometric data on identity cards violates privacy – UN Human Rights Committee: Mauritius

OHCHR

The UN Human Rights Committee has found that Mauritius’ 2013 National Identity Card Act violates its citizens’ privacy rights, as there are no sufficient guarantees that the fingerprints and other biometric data stored on the identity card will be securely protected.

The Committee’s decision responds to a complaint filed by M.M., a 67-year old Mauritius national, who claimed that the country’s smart identity card system has contravened his privacy right under Mauritius’s Constitution and the International Covenant on Civil and Political Rights.

Mauritius launched the country’s first identity card scheme back in 1995. In order to prevent multiple applications for an identity card with faked names and information, the authority amended its legislation in 2009 with additional biometric data requirements and increased penalties for non-compliance.  A new smart identity card was subsequently launched in 2013 to replace the old identity card. 

In addition to the printed information such as name, date of birth and gender, the new electronic ID card also contains a microchip storing data including fingerprints that can be read by an e-reader. The government explained that the fingerprint requirement was essential to tackle identity fraud.

M.M. refused to apply for the new smart ID card and took the Mauritius government to court, challenging the constitutionality of the new ID card scheme. The Supreme Court in 2015 ruled that even though there was expert evidence showing that biometric data retention was insecure and notoriously difficult to protect, the new ID card requirements had been made “in the interests of public order”.

M.M then turned to the UN Human Rights Committee. In the course of the proceedings, Mauritius did not address the security lacunae concerning the possibility that fingerprint data could be copied onto falsified cards if the smart identity card was lost or stolen.

The Committee took note of M.M.’s argument, which was based on the expert evidence submitted to the Mauritius Supreme Court, concerning the radio frequency identification (RFID) technology used to store the biometric data. The expert explained that the biometric data can be copied, without physical contact of the card and without the card holder’s knowledge, with RFID readers that can easily be bought online.

Given the lack of information provided by the authorities of Mauritius concerning the implementation of measures to protect the biometric data stored on identity cards, the Committee found that M.M.’s right to privacy was violated.

“It is of paramount importance that any biometric identity scheme by any country is accompanied by robust safeguards to protect the right to privacy of individuals,” said Photini Pazartzis, Chair of the Committee.

“We regret that Mauritius did not provide enough information about such measures and look forward to receiving clarification in the framework of the implementation phase,” she added.

The Committee called on Mauritius to review the grounds for storing and retaining fingerprint data on identity cards based on the existing data security concern and to provide M.M. with an effective remedy.

Public Release. More on this here.