The case of Maharaja Madhevoo v. Mauritius. Views of the Human Rights Committee of March 24, 2021. Communication No. 3163/2018.
In 2018, the author of the communication was assisted in preparing a complaint. Subsequently, the complaint was communicated to Mauritius.
As follows from the text of the Considerations, the author argued: The Law on National Identity Card, as amended, affects his rights under article 17 of the Covenant, since it provides for the mandatory use and preservation of confidential personal data, the provision of which may be required by public officials. He also noted that this law did not meet the requirements of legality, proportionality and necessity (paragraph 3.1 of the Considerations).
The Committee's legal position is that interference authorized by States can only be carried out on the basis of law, which must, in turn, comply with the provisions, goals and objectives of the Covenant. Similarly, the law should regulate the collection and storage of personal information by public authorities or private individuals or bodies in computers, data banks or otherwise. The Committee recalls that interference is not "unlawful" within the meaning of article 17, paragraph 1, of the Covenant if it is consistent with applicable domestic law as interpreted by the national courts (paragraph 7.3 of the Views) (See: Van Hulst v. the Netherlands, communication No. 903/2000, paragraph 7.5.).
The Committee notes that the introduction of the concept of arbitrariness is intended to ensure that even interference permitted by law "must comply with the provisions, aims and objectives of the Covenant and in any case must comply with the principles of reasonableness in specific circumstances." Consequently, any interference with personal and family life must be proportionate to the legitimate aim pursued and necessary, taking into account the circumstances of each specific situation (See: the case of Tunen v. Australia, communication No. 488/1992, paragraph 8.3; and the case of Vandom v. Republic of Korea (CCPR/C/123/D/2273/2013), paragraph 8.8.). The Committee recalls that States should take effective measures to ensure that information relating to a person's private life does not fall into the hands of persons who do not have permission to receive, process or use it, and to ensure that such information is never used for purposes incompatible with the purposes of the Covenant (paragraph 7.4 of the Considerations).
Given the nature and extent of the interference arising from the mandatory processing and registration of fingerprints, the Committee considers it necessary to have clear, detailed rules governing the scope and application of measures, as well as minimum guarantees regarding, inter alia, storage, including its duration, use, access by third parties and integrity procedures and confidentiality of data, as well as procedures for their destruction, thereby providing sufficient guarantees against the risk of abuse and arbitrariness (paragraph 7.6 of the Considerations).
The Committee's assessment of the factual circumstances of the case: the interference that became the subject of the communication in the case of this complaint, i.e. the processing and registration of fingerprints, was provided for in section 4 (2 c) of the National Identity Card Act. This section reads as follows: "Every person applying for an identity card must ... (c) allow fingerprints and other biometric information about themselves to be taken and registered." The Committee also noted that the Supreme Court of Mauritius had established: "There is a law providing for the recording and preservation of fingerprints and other biometric data relating to a person's identity." The Committee considered that the author's argument regarding the scope of certain provisions of the Law did not allow him to draw the following conclusion - the processing of his fingerprints was not provided for by law. Therefore, the Committee was unable to conclude that the interference with the author's private life was unlawful (paragraph 7.3 of the Views).
In the present case, the Committee took note of the State party's observation on the need to ensure a balance between the protection of personal data and the urgent public need to prevent fraudulent use of personal data. He noted that the Supreme Court of the State party had rightly ruled: fingerprinting is justified in order to prevent fraud. The Committee also pointed out that the State party's authorities had transferred the function of storing fingerprint data from government systems to individual identity card holders, requiring that such data be included in the identity card itself. The author, as well as the Judicial Committee of the Privy Council, noted that this change makes the purpose of comparison with previously submitted biometric data ineffective and thus affects the ability of the authorities of the participating State to prevent fraudulent use of personal data. The Committee stressed that the State party had not answered this specific question and had not explained how recording and storing fingerprint data on individual identity cards could effectively prevent fraudulent use of personal data (paragraph 7.5 of the Views).
In this regard, the author referred to the conclusion of the Supreme Court that the indefinite recording and preservation of fingerprint data in a central database is unconstitutional. As a result, the authorities of the State party stopped recording and storing fingerprint data in this way. However, the State party has not responded to the author's claim that the retention of fingerprint data on individual identity cards exacerbates the security gaps identified by the Supreme Court. In particular, the author pointed out that assigning responsibility for such storage to identity card holders is fraught with risks of loss and theft of fingerprint data, given the ease of copying them to fake cards. Given the lack of information provided by the State party regarding the implementation of measures to protect biometric data stored on identity cards, the Committee was unable to conclude that there were sufficient safeguards against the risk of abuse and arbitrary interference with the right to privacy as a result of potential access to such data on identity cards. In light of the above-mentioned concerns about the system's ability to help prevent fraudulent use of personal data, the Committee considered that [security measures] could not be considered [appropriate]. Therefore, despite the possibility that there may be grounds and circumstances in which the processing of biometric data would not lead to arbitrary interference within the meaning of article 17 of the Covenant, the Committee found that in the specific circumstances of the case, recording and storing the author's fingerprints on an identity card, as prescribed by the National Identity Card Act, would constitute arbitrary interference with his right to privacy, which is contrary to article 17 of the Covenant (paragraph 7.6 of the Views).
The author refers to the expert opinion presented during the internal proceedings regarding the technology of radio frequency identification (RFID), with which biometric data is stored. The expert explained that biometric data can be easily copied without physical contact without the knowledge of the identity card holder using RFID readers, which can be easily purchased on the Internet information and telecommunications network.
The Committee's conclusions: The facts presented indicated a violation by the State party of the author's rights under article 17 of the Covenant.