The UN Human Rights Committee on Thursday found that Mauritius’ amendments to the National Identity Card Act 1985, which introduced a new ID card containing biometric information of the cardholder, violated the privacy rights of Mauritian citizens. The Committee held that there were no sufficient guarantees against the risk of abuse and arbitrariness following from potential access to such data on identity cards.
The Committee’s decision comes as a result of a complaint filed by Maharajah Madhewoo, a Mauritian national, who claimed that the country’s smart national identity card system, adopted in 2013, had contravened his privacy right under Article 9 of the Mauritian Constitution and Article 17 of the International Covenant on Civil and Political Rights (ICCPR).
The Mauritian government had initially amended its ID card legislation in 2009, expanding the amount of information required to be provided on an application for an identity card, including fingerprints and other biometric information, and providing for increased penalties for non-compliance with the law. In 2013, the government, hoping to tackle identity fraud, launched a new Smart ID card initiative, which consisted of an ID card containing a microchip that stored the data of the cardholder, including fingerprints, and which could be read by an e-reader.
In response to the new scheme, Madhewoo challenged the constitutionality of the smart ID card in the Mauritian Courts, claiming that the government’s initiative breached his right to privacy protected under the Mauritian Constitution. In a 2016 judgment, the Judicial Committee of the Privy Council, the highest court of appeals in Mauritius, dismissed Madhewoo’s appeal. It further affirmed the 2015 judgment of the Mauritian Supreme Court which held that the smart ID card scheme had been made “in the interests of … public order” and was, therefore, a “permissible derogation” from the right to privacy under the Mauritian Constitution.
Having failed in the Mauritian Courts, Madhewoo filed a complaint at the UN Human Rights Committee, claiming that the National Identification Card Act, as amended, violated his privacy rights under Article 17 of the ICCPR, due to the law mandating compulsory use and retention of sensitive personal data and further requiring production to State officials when asked. He further argued that the Act “failed to conform to the requirements of legality, proportionality, and necessity.” He supported his arguments with expert evidence, which demonstrated that the smart ID card was not secure and could easily allow for the copying of biometric data “without physical contact of the card and without the card holder’s knowledge.”
Faced with such concerning evidence, the Committee found that the National ID card law did breach the complainant’s privacy rights. The Committee could not conclude that potential access to identity card data would be protected from the risk of abuse and arbitrariness. Hence, the Committee held:
In light of the above mentioned concerns about the ability of the scheme to help prevent identity fraud, the Committee considers that the security concerns cannot be regarded as reasonable. Therefore, (…) storage and retention of the author’s fingerprint data on an identity card, as prescribed by the National Identity Card Act, would constitute an arbitrary interference with his right to privacy, contrary to article 17 of the Covenant.