UN finds storing biometric data on Mauritius ID cards violates privacy
The United Nations Human Rights Committee has found that the legislation which Mauritius passed in 2013 for its biometric smart ID cards does not provide sufficient guarantees for securely protecting the biometrics of cardholders and therefore violates citizens’ privacy rights, according to the Committee’s release.
The Committee stated that Mauritius did not provide enough information on protection measures and calls on the country to review its grounds for storing fingerprint data on the smart ID card chips.
The UN Committee had gathered to consider a complaint filed by Maharajah Madhewoo, a Mauritian national, who claimed his country’s smart ID card system contravened his right to privacy both under Mauritius’s Constitution and the International Covenant on Civil and Political Rights, to which Mauritius is a signatory.
In 2009 Mauritius amended legislation to require biometric data for ID card holders to tackle identity theft. It also increased penalties for non-compliance to a fine of 100,000 rupees (roughly US$2,325) and up to five years in prison. Mauritians are required to apply for a card within six months of turning 18. When the smart ID card was introduced in 2013 it contained a chip for storing fingerprint data which could be accessed by an e-reader. The 2013 regulations also made data processing subject to the Data Protection Act and established a basis for details to be recorded on a register.
Madhewoo refused to apply for the smart ID card an instead took the government to court to challenge the scheme’s constitutionality, claiming it breached privacy as protected in Article 9. In 2015 the Supreme Court held that the new scheme interfered with rights as protected by Article 9, but that as provision for biometric capture and storage was made “in the interests of public order” the law was a “permissible derogation” from Article 9 based on evidence from the State that holders’ provision of fingerprints prevented a person from making multiple applications for an ID card.
According to the document from the UN Committee on the case, the Supreme Court also considered a public order justification for storing the data, but when it considered expert evidence into the problems of protecting stored biometric data, it found that its indefinite storage and retention of biometric data was not reasonably justified in a democratic society.
In 2015 the authorities updated to 2013 regulations, removing the part where biometric data is added to the Register and announced that all government-held biometric data would be destroyed. Fingerprint data would only be kept for as long as it takes to get a card.
Madhewoo then turned to the UN Human Rights Committee to complain that under the International Covenant on Civil and Political Rights, Mauritius’s National Identification Card Act fails the requirements of legality, proportionality and necessity.
He claims there is no judicial overview of the scheme, that it is too arbitrary in what data is recorded and where it is kept, that data is insufficiently protected and that making fingerprint data collection compulsory for public order is not proportional.
The claimant also provided an expert witness to explain how biometric data can easily be copied from the smart cards without physical contact or holder knowledge with RFID readers bought online.
Mauritian authorities did not provide information on measures to protect the biometric data stored on the smart ID cards and so the Committee found that Madhewoo’s privacy was violated.
“It is of paramount importance that any biometric identity scheme by any country is accompanied by robust safeguards to protect the right to privacy of individuals,” said Photini Pazartzis, chair of the Committee.
“We regret that Mauritius did not provide enough information about such measures and look forward to receiving clarification in the framework of the implementation phase.”
The Committee called on Mauritius to review the grounds for storing and retaining fingerprint data on identity cards based on the existing data security concern and to provide Madhewoo with “an effective remedy.”