Communication
3163/2018
Submission: 2017.12.15
View Adopted: 2021.03.24
The author, a national of Mauritius claims that the State party violated his rights under article 17 of the Covenant. An identity card scheme was introduced in Mauritius by the National Identity Card Act, under which a registrar was required to keep a record of all Mauritian citizens under the authority of the minister responsible for the civil status. The Finance (Miscellaneous Provisions) Act of 2009 expanded upon the information required on an application of an identity card to include fingerprints and other biometric information, and the information on the card itself to include full names et al and “other such information as may be prescribed.”
A number of amendments followed, pursuant to the relevant minister’s mandate to make regulations, stipulating that a person empowered by law to ascertain the identity of a person could request the sight of one’s identity card and require the production thereof. Further, a section was added to make collection and processing of biometric information subject to the Data Protection Act of 2004. Moreover, it required the information gathered to be recorded on the register. The author challenged the constitutionality of the implementation of the new biometric identity card as stipulated under the amended Act, claiming, inter alia, a breach of article 9 of the Constitution of Mauritius, on the basis that it violates his right to privacy.
On 29 May 2015, the Supreme Court held that the indefinite storage and retention of biometric data under the Data Protection Act was disproportionate to the aim (ending identity theft) pursued and was not reasonably justified in a democratic society and therefore, the level of protection provided by the Act was insufficient and it was unlawful for the State party to store biometric data beyond the purposes of the issuance of the identity card. In response, the authorities omitted the criterion of logging full biometric information on the register and the scheme was changed to shift the retention from the authorities' system to the individual, by requiring the data to be included on the identity card itself instead of abandoning the collection or rectifying the shortcomings as identified by the court. According to the author, the modification renders ineffective the aim of the Act and it exacerbates the shortcomings, given that now citizens compulsorily retain sensitive data in a vulnerable form for the State party’s authorities, hence, violating his right to privacy.
The 2015 Regulations amended its predecessor to add the following statement to add a no objection clause stating that fingerprint minutiae can be recorded for producing an identity card and will be erased once the card is printed. The author claims that this addition is inappropriate, given that non-application is a criminal offence, therefore one does not have a choice to object without incurring criminal sanctions. The Judicial Committee of the Privy Council dismissed the author’s appeal on 31 October 2016. The author claims that the amendment of the domestic act violates his right under article 17 of the Covenant, given its involvement in the compulsory use and retention of sensitive data, whose production to the State officials can be required. He submits that the Act fails to meet the requirements of legality, proportionality and necessity. Further changes have been made under which, the prescription of data to be included on the identity card remains a power of the executive. The author claims that this delegation is arbitrary and far too open- ended and uncertain to comply with article 17 of the Covenant.
The Committee notes that the State party does not contest admissibility of the communication yet claims that the author is not in a position to claim violation of his rights under the Covenant as he has not had his fingerprints taken. The Committee considers that the author has substantiated his victim status, as he is a Mauritian national and is subject to the statutory obligation to have an identity card requiring the taking and recording of fingerprints, non- compliance with which amounts to a criminal offence. Hence, the Committee is not precluded from examining the communication under article 1 of the Optional Protocol. As the matter is not being examined under any other procedure and there is no information on file regarding failure of exhaustion of domestic remedies, article 5 (2) (a-b) of the Optional Protocol does not preclude the Committee from examining the communication. Finally, the author has sufficiently substantiated his claims under article 17 of the Covenant and so, the communication is admissible.
According to the Committee’s general comment no. 16, interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant. Hence, gathering and holding personal information must be regulated by law and that ‘an interference is not “unlawful” under article 17 of the Covenant if it complies with the relevant domestic law’ was previously held by the Committee in Van Hulst v. Netherlands (para 7.5). The Committee takes note of the author’s claim that the amended National Identity Card Act violates his right under article 17 of the Covenant because it is unlawful and arbitrary. However, it states that the interference in the present complaint in the form of processing and recording of fingerprints is provided by the domestic law of Mauritius and even the Supreme Court reiterated this legal basis. Hence, the committee cannot conclude that the interference with the author’s privacy is unlawful.
Paragraph 4 of GC No. 16 states that the concept of arbitrariness is intended to guarantee that even interference governed by law “must comply with the provisions, aims and objectives of the Covenant and should be reasonable in the particular circumstances.
Recalling its prior jurisprudence in Toonen v. Australia (para 8.3) and Vandom v. Republic of Korea (para 8.8), the Committee considers that any interference with family life must be proportionate to the legitimate end sought and necessary in the circumstances of any given case. In this regard, the Committee takes note of the State party’s observation of the need to balance the protection of personal data with the pressing social need of preventing data theft. It also notes the proactiveness with which the State party authorities have shifted the retention of fingerprint data from the authorities’ system to individual card holders by requiring such data to be included on the card itself after the Supreme Court’s finding that indefinite storage and retention of fingerprint data in a central database was unconstitutional. The author and Judicial Committee of the Privy Council have remarked that this change renders the previously submitted biometric data ineffective and thus affects the State’s ability to prevent fraud. The Committee states that the State party has failed to respond to the author’s counter that such retention of fingerprint data on individual cards exacerbates the security lacunae identified by the Supreme Court.
In S. and Marper v. The United Kingdom (para 7.5), the Court’s view that it is essential to have clear, detailed rules governing scope and application of measures as well as providing minimum guarantees against the risk of abuse and arbitrariness was reiterated in the present case. However, the case was in the context of telephone tapping, secret surveillance and covert intelligence gathering which is in contrast to the present circumstance where the Committee for the first time has addressed issues concerning inclusion of biometric data in personal identity cards and the right to privacy under article 17 of the Covenant. In the case at hand, the Committee stated that (a) given the lack of information by the State party concerning the implementation of measures to protect biometric data stored on identity cards and (b) the nature and scale of interference arising out of mandatory processing and recording fingerprints, it cannot conclude that there are sufficient guarantees against the risk of abuse and arbitrariness of the interference with the right to privacy following from the potential access to such data on identity cards. Hence, the storage and retention of the author’s fingerprint data, as prescribed by domestic law would constitute an arbitrary interference with the right to privacy, contrary to article 17 of the Covenant.
The State party is obligated to,
provide sufficient guarantees against the risk of arbitrariness and abuse of the author’s fingerprint data as may arise from the issuance of an identity card to him and to review the grounds for storing and retaining fingerprint data on identity cards, in the light of the present Views.
In addition, the State party is under the obligation to take steps to avoid similar violations in the future.
Deadline is 20th September 2021.
By Aakrishti Kumar
