GENEVA (22 July 2021) — The UN Human Rights Committee has found that Mauritius’ 2013 National Identity Card Act violates its citizens’ privacy rights, as there are no
sufficient guarantees that the fingerprints and other biometric data stored on the identity card will be securely
protected.
The Committee’s decision responds to a complaint filed by M.M., a 67-year old Mauritius national, who claimed that the country’s smart identity
card system has contravened his privacy right under Mauritius’s Constitution and the International Covenant on Civil and Political Rights.
Mauritius launched the country’s first identity card scheme back in 1995. In order to prevent multiple applications for
an identity card with faked names and information, the authority amended its legislation in 2009 with additional
biometric data requirements and increased penalties for non-compliance. A new smart identity card was subsequently
launched in 2013 to replace the old identity card.
In addition to the printed information such as name, date of birth and gender, the new electronic ID card also contains
a microchip storing data including fingerprints that can be read by an e-reader. The government explained that the
fingerprint requirement was essential to tackle identity fraud.
M.M. refused to apply for the new smart ID card and took the Mauritius government to court, challenging the
constitutionality of the new ID card scheme. The Supreme Court in 2015 ruled that even though there was expert evidence
showing that biometric data retention was insecure and notoriously difficult to protect, the new ID card requirements
had been made “in the interests of public order”.
M.M then turned to the UN Human Rights Committee. In the course of the proceedings, Mauritius did not address the
security lacunae concerning the possibility that fingerprint data could be copied onto falsified cards if the smart
identity card was lost or stolen.
The Committee took note of M.M.’s argument, which was based on the expert evidence submitted to the Mauritius Supreme
Court, concerning the radio frequency identification (RFID) technology used to store the biometric data. The expert
explained that the biometric data can be copied, without physical contact of the card and without the card holder’s
knowledge, with RFID readers that can easily be bought online.
Given the lack of information provided by the authorities of Mauritius concerning the implementation of measures to
protect the biometric data stored on identity cards, the Committee found that M.M.’s right to privacy was violated.
“It is of paramount importance that any biometric identity scheme by any country is accompanied by robust safeguards to
protect the right to privacy of individuals,” said Photini Pazartzis, Chair of the Committee.
“We regret that Mauritius did not provide enough information about such measures and look forward to receiving
clarification in the framework of the implementation phase,” she added.
The Committee called on Mauritius to review the grounds for storing and retaining fingerprint data on identity cards
based on the existing data security concern and to provide M.M. with an effective remedy.