Mauritius ‘Identity Cards Act’ violates privacy – UN Human Rights Committee

The Geneva-based UN Human Rights Committee has found that Mauritius’ 2013 National Identity Card Act violates its citizens’ privacy rights, as there are no sufficient guarantees that the fingerprints and other biometric data stored on the identity card will be securely protected.

A statement just released by the Office of the High Commissioner said the UN Human Rights Committee’s decision responds to a complaint filed by Dr Maharajah Madhewoo, a 67-year old Mauritius national, who claimed that the country’s smart identity card system has contravened his privacy right under Mauritius’s Constitution and the International Covenant on Civil and Political Rights.

Mauritius launched the country’s first identity card scheme back in 1995. In order to prevent multiple applications for an identity card with faked names and information, the authority amended its legislation in 2009 with additional biometric data requirements and increased penalties for non-compliance.  A new smart identity card was subsequently launched in 2013 to replace the old identity card. 

In addition to the printed information such as name, date of birth and gender, the new electronic ID card also contains a microchip storing data including fingerprints that can be read by an e-reader. The government explained that the fingerprint requirement was essential to tackle identity fraud.

Dr Madhewoo refused to apply for the new smart ID card and took the Mauritius government to court, challenging the constitutionality of the new ID card scheme. The Supreme Court in 2015 ruled that even though there was expert evidence showing that biometric data retention was insecure and notoriously difficult to protect, the new ID card requirements had been made “in the interests of public order”.

Dr Madhewoo then turned to the UN Human Rights Committee. In the course of the proceedings, Mauritius did not address the security lacunae concerning the possibility that fingerprint data could be copied onto falsified cards if the smart identity card was lost or stolen.

The Committee took note of Dr Madhewoo’s argument, which was based on the expert evidence submitted to the Mauritius Supreme Court, concerning the radio frequency identification (RFID) technology used to store the biometric data.

The expert reportedly explained that the biometric data can be copied, without physical contact of the card and without the card holder’s knowledge, with RFID readers that can easily be bought online.

Given the lack of information provided by the authorities of Mauritius concerning the implementation of measures to protect the biometric data stored on identity cards, the Committee found that Dr Madhewoo’s right to privacy was violated.

“It is of paramount importance that any biometric identity scheme by any country is accompanied by robust safeguards to protect the right to privacy of individuals,” said Photini Pazartzis, Chair of the Committee.

“We regret that Mauritius did not provide enough information about such measures and look forward to receiving clarification in the framework of the implementation phase,” she added.

The Committee called on Mauritius to review the grounds for storing and retaining fingerprint data on identity cards based on the existing data security concern and to provide Dr Madhewoo with an effective remedy.

Earlier in February, the Mauritian Government announced its intention to revamp the Mauritius National Identity Card System (MNIC) – on the claim that the “existing hardware and software of the whole system have reached their end-of-support and end-of-life”.

On April 23, despite heated objections to the proposed changes and inclusion of biometric data, the Cabinet gave its green light to the setting of a Steering committee chaired by the Minister of Information Technology, Communication and Innovation.

The terms of reference were described by the Opposition parties as ‘shockingly wide’ .

UPDATED ON JULY 24

The Mauritian government has  now six months to submit a report to the United Nations Human Rights Committee on corrective measures it intends to implement.

According to Erickson Mooneeapillay (right), lawyer of Dr Maharajah Madhewoo, who disputed the lack of security around the storage of fingerprints and other biometric data, said the ruling was a “World first”.

Dr Madhewoo (middle) said the State must reimburse him the sum of Rs 1.4 million that he spent to take the case before the UN Human Rights Committee.  “It is not allowed to take someone’s fingerprints without the person’s consent,” he added.

Meanwhile, there has reportedly been no comment from the Government on the issue, except two lines in Cabinet papers of July 23 which stated:

“Cabinet has taken note of the pronouncement of the UN Human Rights Committee on the storage of biometric data on national identity cards of Mauritius.”

Some reports claimed the introduction of a new National ID card system in 2023 has been announced “as the Government was aware it would lose the case.”

To read the original press release of the UN Human Rights Commission, click here