Mauritius: Human Rights Committee finds Mauritian biometric identity scheme violates right to privacy
Background
The complainant, Mr Madhewoo, lodged a complaint with the United Nations Human Rights Committee (the Committee) regarding the introduction of a biometric identity scheme in Mauritius. Following various amendments to the law, a new section was added to provide for the collection and processing of biometric information.
The complainant challenged the implementation of the new biometric identity card, claiming a violation of his right to privacy. Before the Committee, the complainant argued that the National Identification Card Act, as amended, engaged his rights under article 17 of the International Covenant on Civil and Political Rights (ICCPR), given its involvement of the compulsory use and retention of sensitive personal data, which can be required to be produced to state officials.
Majority findings on the merits
The Committee noted that any interference with privacy and family must be proportionate to the legitimate ends sought and necessary in the circumstances of any given case. In this regard, the Committee also recalled that effective measures have to be taken by states to ensure that information concerning a person’s private life did not reach the hands of persons who were not authorised by law to receive, process and use it, and was never used for purposes incompatible with the ICCPR.
The state had argued that it needed to balance the protection of personal data with the pressing social need of preventing identity fraud. However, the Committee noted that the state had not explained how the storage and retention of fingerprint data on individual identity cards could effectively prevent identity fraud.
Furthermore, given the nature and scale of the interference arising out of the mandatory processing and recording of fingerprints, the Committee found that it would be essential “to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards concerning, inter alia, duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for its destruction, thus providing sufficient guarantees against the risk of abuse and arbitrariness”.
In the light of a lack of information provided by the state concerning the measures to protect the biometric data stored on the identity cards, the Committee could not conclude that there were sufficient guarantees against the risk of abuse and arbitrariness following from potential access to such identity cards.
Accordingly, the Committee held that the storage and retention of the complainant’s fingerprint data on an identity card would constitute an arbitrary interference with his right to privacy, contrary to article 17 of the ICCPR. The state was therefore ordered to provide sufficient guarantees against the risk of arbitrariness and abuse of the complainant’s fingerprint data as may arise from the issuance of an identity card to him, and to review the grounds for storing and retaining fingerprint data on identity cards. Additionally, it was ordered that the state is under the obligation to take steps to avoid similar violations in the future, and to report to the Committee within 180 days on the measures that it has taken.
Dissenting opinion of Mr Furuya
The dissenting opinion noted that it was clear that the complainant’s rights under the ICCPR had not been impaired, as he had not had his fingerprints taken or been accused of non-compliance with the relevant legislation. Accordingly, Mr Furaya would have taken the view that the complainant did not have victim status for the purpose of admissibility, and the communication would therefore be inadmissible in terms of article 1 of the Optional Protocol to the ICCPR.
Dissenting opinion of Mr Zyberi
The dissenting opinion noted that the Committee missed an opportunity to provide some guidance on issues concerning the inclusion of biometric data in personal identity cards and the right to privacy under article 17 of the ICCPR. According to this opinion, the Committee did not really explain why the storage and retention of the author’s fingerprint data on an identity card constituted an arbitrary interference with his right to privacy, and further failed to refer to any good practices concerning the inclusion or not of biometric data.
The dissenting opinion noted that it shared the general concern of the Committee that such technologies should be well-regulated to ensure that they are not misused by states or third parties, but was of the view that the overall finding by the Committee was an overbroad interpretation of article 17 of the ICCPR. Accordingly, Mr Zyberi would have taken the view that there was no violation of article 17 of the ICCPR.
The ruling is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].
