United Nations

CCPR/C/131/D/3163/2018

International Covenant on Civil and Political Rights

Distr.: General

16 September 2021

Original: English

Human Rights Committee

Views adopted by the Committee under article 5 (4) of the Optional Protocol, concerning communication No. 3163/2018 * , ** , ***

Communication submitted by:Maharajah Madhewoo (represented by counsel, Pete Weatherby, Erickson Mooneapillay and Sanjeev Teeluckdharry)

Alleged victim:The author

State party:Mauritius

Date of communication:15 December 2017 (initial submission)

Document references:Decision taken pursuant to rule 92 of the Committee’s rules of procedure, transmitted to the State party on 26 March 2018 (not issued in document form)

Date of adoption of Views:24 March 2021

Subject matter:Collection and retention of biometric data on identity cards

Procedural issue:Victim status

Substantive issue:Privacy

Article of the Covenant:17

Article of the Optional Protocol:1

1.The author of the communication is Maharajah Madhewoo, a national of Mauritius born in 1954. He claims that the State party has violated his rights under article 17 of the Covenant. The Optional Protocol entered into force for the State party on 23 March 1976. The author is represented by counsel.

Facts as submitted by the author

2.1An identity card scheme was introduced in Mauritius by the National Identity Card Act of 1985. Under that law, a registrar was required to keep a register of all Mauritian citizens under the authority of the minister responsible for civil status. The information logged on the register included the individual’s sex, name and other such details as were considered “reasonable or necessary”. Every citizen was required to apply for the identity card within six months of reaching 18 years of age, upon which they were obliged to allow themselves to be photographed. Each card had a number, a photograph, the holder’s signature and the date of issue. In “reasonable circumstances”, any person could request the production of an identity card, but there was no requirement to produce it. The Act also provided for fines of 10,000 Mauritian rupees and up to six months’ imprisonment as penalties for wilful misuse of identity cards.

2.2The Finance (Miscellaneous Provisions) Act of 2009 expanded upon the information required to be provided on an application for an identity card, to include fingerprints and other biometric information, and the information on the card itself, to include full names, maiden names where applicable, date of birth and “such other information as may be prescribed”. The Act increased the penalties for non-compliance to 100,000 Mauritian rupees and up to five years’ imprisonment.

2.3A number of additional amendments followed, pursuant to the relevant minister’s mandate to make regulations on smart identity card readers and their use by public and private entities. The National Identity Card (Miscellaneous Provisions) Act of 2013 amended the National Identity Card Act of 1985, stipulating that a person empowered by law to ascertain the identity of a person could request the sight of one’s identity card and require the production thereof. A new section was added to make the collection and processing of biometric information subject to the Data Protection Act of 2004. Moreover, the National Identity Card (Particulars in Register) Regulations of 2013 provided for information gathered from the applicant to be recorded on the register.

2.4The author challenged the constitutionality of the implementation of the new biometric identity card as stipulated under the National Identity Card (Miscellaneous Provisions) Act, claiming, inter alia, a breach of article 9 of the Constitution of Mauritius, on the protection of privacy. In its judgment of 29 May 2015, the Supreme Court held that the new scheme interfered with the rights protected under article 9 (1) of the Constitution. However, the Supreme Court considered the law providing for the scheme concerning fingerprints and other biometric data to be sufficiently precise and accessible to be “under the authority of any law” as required by article 9 (2) of the Constitution. It also considered that the provision had been made “in the interests of … public order” and was therefore a “permissible derogation” from article 9 (1) of the Constitution, based on evidence from State officials that the provision of fingerprints prevented an applicant from making multiple applications for an identity card. The Court considered that the author had not shown that the introduction of the requirement for all persons applying for an identity card to allow their fingerprints and other biometric data to be taken and recorded was not reasonably justifiable in a democratic society, given the pressing social need of protection against identity fraud, which was considered “vital for proper law enforcement” in Mauritius. The author had argued before the Court that, despite the legitimate aim, there were insufficient reasons to establish that the negative impacts of the indefinite storage of such data were proportionate to the benefits thereof. He had argued that other exemptions in the Data Protection Act allowed for an alarming degree of access, including for the mere purpose of obtaining legal advice, and the lack of provision of any judicial oversight of such access. The Court considered that there was also a public order justification for storing and retaining such data. However, examining whether such storage and retention was reasonably justifiable in a democratic society, the Court considered expert evidence showing that biometric data retention was insecure and notoriously difficult to protect, even if the present technical challenges were rectified. The Court therefore held that indefinite storage and retention of biometric data under the Data Protection Act was disproportionate to the aim pursued and was not reasonably justified in a democratic society.

2.5In response, the authorities issued the National Identity Card (Civil Identity Register) Regulations of 2015, revoking the National Identity Card (Particulars in Register) Regulations of 2013 and omitting the addition of logging full biometric information on the register. According to the Ministry of Technology, Communication and Innovation, all biometric data were destroyed and deleted from the register in September 2015, and fingerprint data are now retained only as long as it takes to issue the identity card, after which they are deleted.

2.6The National Identity Card (Amendment) Regulations of 2015 amended the National Identity Card Regulations of 2013 to add the following statement to the declaration to apply for an identity card: “I have no objection that my fingerprint minutiae be processed and recorded for the purpose of producing my identity card. I understand that this information will be erased permanently from the register once the identity card has been printed.” According to the author, the addition of the statement was inappropriate, given that non-application is a criminal offence, and therefore one does not have a choice to object without incurring criminal sanctions.

2.7The Judicial Committee of the Privy Council dismissed the author’s appeal of the Supreme Court’s judgment on 31 October 2016. However, it noted that the destruction of biometric data after the issuance of identity cards might affect the ability to prevent identity fraud through multiple applications using other identities and documents. It also noted that future requirements by the executive of other biometric data to be added to the identity card might raise new issues of proportionality.

2.8Further changes have been made pursuant to the Finance (Miscellaneous Provisions) Act of 2017, which were not yet in force at the time of submission of the present communication. Under the Act, the prescription of data to be included on the identity card remains a power of the executive.

Complaint

3.1The author claims that the National Identity Card Act, as amended, engages his rights under article 17 of the Covenant, given its involvement of the compulsory use and retention of sensitive personal data, whose production to State officials can be required. He submits that the Act fails to meet the requirements of legality, proportionality and necessity.

3.2The author acknowledges that the identity card scheme is provided for by domestic law, but submits that the domestic provisions are not concordant with the aims and objectives of the right protected under the Covenant. Certain provisions enable the minister to expand the requirements of the National Identity Card Act without further oversight. The author argues that the delegation to the executive of the prescription of what sensitive data is collected and recorded on the register and the identity card is arbitrary and far too open-ended and uncertain to comply with the aims and objectives of article 17 of the Covenant. The State party has been planning to enlarge the ambit of the identity card scheme without further legislative scrutiny, despite the importance of considering the risks to privacy. According to the author, the proposed expansion of the smart card system to cover health records is cause for particular concern.

3.3There is no judicial or other independent supervision of the workings of the identity card scheme, the additional prescription of private information or the collection, destruction and recording of, or access to, information recorded on the register or the identity card.

3.4The collection and recording of private information is subject only to the safeguards of the Data Protection Act. In the present case, the Supreme Court concluded that the level of protection provided by the Act was insufficient and that it was unlawful for the State party to store biometric data beyond for the purposes of the issuance of the identity card. The scheme was changed to shift the retention of fingerprint data from the authorities’ systems to the individual, by requiring the data to be included on the identity card itself, instead of abandoning the collection and retention of fingerprints and biometric data or rectifying the legislative and technical shortcomings identified by the Court. That modification, according to the author, renders ineffective the aim of the Act to prevent multiple applications, by comparing biometric data with previous applications. Moreover, the modification exacerbates the shortcomings identified by the Court, given that citizens now compulsorily retain sensitive data in a vulnerable form for the State party’s authorities.

3.5The author contends that the public benefits of the scheme are not proportionate to the detrimental effects on the right to privacy. He argues that the sole justification by the State party for making the provision of fingerprint data compulsory, and for requiring citizens to produce the identity card to a State official, is public order. He accepts that the scheme has the legitimate aim of preventing identity fraud and, possibly, of assisting with the verification of identity. However, in justifying the effectiveness of the scheme, the State party’s authorities referred primarily to the ability to check applications against the database of biometric data, which is the very aspect that the Supreme Court found to be unlawful. The inclusion of biometric data on the identity card therefore does not prevent applications for multiple identity cards with the same fingerprints in any way. Inclusion of fingerprints on a fraudulently obtained identity card indeed lends it greater legitimacy. Even with the advantage of rendering it more difficult for stolen or lost identity cards to be used, a simple database of identity cards lost or stolen would achieve a similar objective without the intrusion of collecting and storing biometric data. Moreover, the carrying of an identity card and the assignation of the responsibility for storage of the biometric data to citizens has the security weaknesses identified by the State party’s authorities in their justification of the scheme itself, namely, the loss or theft of a significant number of identity cards. Expert evidence was submitted to the Court showing that fingerprint data could likely be copied onto falsified identity cards.

State party’s observations on admissibility and the merits

4.1By note verbale of 1 June 2018, the State party informed the Committee that it did not wish to contest the admissibility of the communication.

4.2By note verbale of 21 September 2018, the State party submitted its observations on the merits of the communication. It observes that the author cannot claim an infringement of his rights, because he has not had his fingerprints taken.

4.3The State party observes that the right to the protection of personal data, including in the context of processing fingerprints, is not absolute and must be considered in relation to its function in society. It also observes that the Supreme Court held that the provisions on the processing of fingerprints disclosed an interference with the author’s rights under article 9 (1) of the Constitution. However, the Court considered that such provisions were permissible under article 9 (2) of the Constitution as being in the interest of public order. It also considered that the author had failed to show that the interference was not reasonably justifiable in a democratic society. The Court found that the taking of fingerprints was necessary and proportionate to the aims of establishing a secure identity protection system and of protecting against identity fraud. The Judicial Committee of the Privy Council, noting that it would be slow to interfere with an evaluation of the justification of an interference with a fundamental right by a local court which was more familiar with the circumstances in its society than it could be, upheld the Court’s reasoning.

4.4The State party submits that the taking and storing of fingerprints is warranted to achieve the pressing social need of protecting against identity fraud, by assisting authorities in verifying citizens’ identities, eliminating fraudulent practices and maintaining law and order. The State party argues that the Supreme Court, in the light of the need to balance all interests involved when restricting rights, struck a fair balance between the public interest and the prejudicial effects on the author’s private life. It argues that the Court rightly held that the interference in the present case was motivated by a legitimate aim, was not disproportionate or intolerable interference on the author’s right to privacy and was therefore justified in the circumstances. The State party concludes that the interference is not manifestly without reasonable foundation.

4.5The State party disputes that the restriction is not provided for by law. It notes that the author had challenged the implementation of the biometric identity card under the National Identity Card Act before the Supreme Court, but that the latter dismissed his challenge. The State party argues that the author’s apprehensions are based on hypothetical considerations and that he would be free to bring a case to the Court again, should the scheme be expanded in the future.

Author’s comments on the State party’s observations on admissibility and the merits

5.1On 20 December 2018, the author submitted his comments on the State party’s observations on admissibility and the merits. He notes that his claim of a violation relates to a statutory obligation under the National Identity Card Act, to which he is subject as a national of Mauritius. The Act criminalizes the failure to apply for an identity card, and the author is thereby subject to arrest and conviction in the event of non-compliance. The author argues that he is therefore a victim under article 1 of the Optional Protocol.

5.2The author argues that the State party confuses judicial oversight with access to courts to challenge the constitutionality of the National Identity Card Act. He notes that it was the Supreme Court that found that the lack of provision for judicial oversight to control access to data within the scheme was “objectionable”. He also notes that, in several of its concluding observations on the reports of States parties under the Covenant, the Committee has referred to the importance of safeguards in schemes in which interference with privacy may be permitted as proportionate to the legitimate aim pursued.

5.3On proportionality, the author does not contest that the Committee should show respect to the approach of the national authorities and courts, but argues that domestic law and policy is not determinative and that the level of scrutiny depends on the context. He argues that the State party’s invocation of the judgment of the European Court of Human Rights in Şahin v. Turkey is misplaced, given that that case concerned respect for religious freedom. The balance of rights between those practising various religions or none was found to be highly dependent on location, leading the Court to accord a wide margin of appreciation to the national authorities. The author submits that the present case is different, because it concerns a measure to combat identity fraud, which occurs the world over. He submits that the other cases cited by the State party concern schemes that are either non-compulsory or relate to very specific and pressing legitimate aims, or both. However, the present case concerns a blanket, general and compulsory provision, whose proportionality must, by definition, be far more difficult to establish than a specific or narrowly targeted interference. Moreover, the State party’s authorities have publicly stated that they aim to extend the scheme and thereby the interference with privacy.

Issues and proceedings before the Committee

Consideration of admissibility

6.1Before considering any claim contained in a communication, the Committee must decide, in accordance with rule 97 of its rules of procedure, whether it is admissible under the Optional Protocol.

6.2The Committee notes that the State party does not contest the admissibility of the communication. It takes note, however, of the State party’s argument that the author cannot claim a violation of his rights under the Covenant, on the grounds that he has not had his fingerprints taken. The Committee also takes note of the author’s argument that, as a Mauritian national, he is subject to a statutory obligation to have an identity card requiring the taking and recording of fingerprints, non-compliance with which amounts to a criminal offence. The Committee considers that the author has substantiated his victim status, for the purposes of admissibility, and that article 1 of the Optional Protocol does not preclude it from examining the communication.

6.3The Committee has ascertained, as required under article 5 (2) (a) of the Optional Protocol, that the same matter is not being examined under any other procedure of international investigation or settlement.

6.4The Committee notes that the author brought a claim to the Supreme Court of Mauritius and appealed to the Judicial Committee of the Privy Council and that there is no information on file concerning remedies that the author failed to exhaust. Accordingly, the Committee considers that article 5 (2) (b) of the Optional Protocol does not preclude it from examining the communication.

6.5The Committee considers that the author has sufficiently substantiated his claims as raising issues under article 17 of the Covenant and takes note of the State party’s observation that it does not contest the admissibility of the communication. Accordingly, the Committee declares the communication admissible and proceeds with its consideration of the merits.

Consideration of the merits

7.1The Committee has considered the present communication in the light of all the information made available to it by the parties, as provided under article 5 (1) of the Optional Protocol.

7.2The Committee notes that it appears undisputed between the parties that the mandatory taking and recording of the author’s fingerprints would constitute an interference with his privacy. The Committee takes note of the author’s claim that the amended National Identity Card Act violates his rights under article 17 of the Covenant, because it is unlawful and arbitrary. It also takes note of the fact that the State party disputes the author’s allegations.

7.3The Committee recalls that interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant. Likewise, the gathering and holding of personal information on computers, in data banks and on other devices, whether by public authorities or private individuals or bodies, must be regulated by law. The Committee recalls that an interference is not “unlawful”, within the meaning of article 17 (1) of the Covenant, if it complies with the relevant domestic law, as interpreted by the national courts. The Committee notes that the interference in the present complaint, i.e. the processing and recording of fingerprints, is provided for by section 4 (2) (c) of the National Identity Card Act. The Committee also notes that the Supreme Court found that “there is a law providing for the storage and retention of fingerprints and other biometric data regarding the identity of a person”. The Committee considers that the author’s argument concerning the scope of certain provisions of the Act does not allow it to conclude that the processing of his fingerprints is not provided for by law. The Committee therefore cannot conclude that the interference with the author’s privacy is unlawful.

7.4The Committee recalls that the introduction of the concept of arbitrariness is intended to guarantee that even interference provided for by law “must comply with the provisions, aims and objectives of the Covenant, and should be, in any event, reasonable in the particular circumstances”. Accordingly, any interference with privacy and family life must be proportionate to the legitimate end sought and necessary in the circumstances of any given case.The Committee recalls that effective measures must be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process or use it and is never used for purposes incompatible with the Covenant.

7.5In the present case, the Committee takes note of the State party’s observation of the need to balance the protection of personal data with the pressing social need of preventing identity fraud. It notes that the State party argues that the Supreme Court had rightly held that the taking of fingerprints was warranted to prevent fraud. The Committee also notes that the State party’s authorities have shifted the retention of the fingerprint data from the authorities’ systems to individual identity card holders by requiring that such data be included on the card itself. The author, as well as the Judicial Committee of the Privy Council, have noted that the change renders the objective of making comparisons with previously submitted biometric data ineffective and thereby affects the ability of the State party’s authorities to prevent identity fraud. The Committee notes that the State party has not responded to that specific point, nor explained how the storage and retention of fingerprint data on individual identity cards can effectively prevent identity fraud.

7.6Moreover, given the nature and scale of the interference arising out of the mandatory processing and recording of fingerprints, the Committee finds that it is essential to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards concerning, inter alia, the storage, including the duration thereof, usage, access for third parties and procedures for preserving the integrity and confidentiality of data and procedures for its destruction, thereby providing sufficient guarantees against the risk of abuse and arbitrariness. The Committee notes that the author refers, in that regard, to the Supreme Court’s finding that the indefinite storage and retention of fingerprint data in a central database was unconstitutional. As a result, the State party’s authorities have ceased storing and retaining fingerprint data in that particular way. Nevertheless, the State party has not responded to the author’s claim that the retention of fingerprint data on individual identity cards exacerbates the security lacunae identified by the Court. Specifically, the author has pointed out that the assignation of responsibility for such storage to card holders carries with it risks of loss and theft of fingerprint data, given the ease with which they could be copied onto falsified cards. Given the lack of information provided by the State party concerning the implementation of measures to protect the biometric data stored on identity cards, the Committee cannot conclude that there are sufficient guarantees against the risk of abuse and arbitrariness of the interference with the right to privacy following from potential access to such data on identity cards. In the light of the above-mentioned concerns about the ability of the scheme to help to prevent identity fraud, the Committee considers that the security concerns cannot be regarded as reasonable. Therefore, and notwithstanding the possibility of grounds and circumstances in which the processing of biometric data would not give rise to an arbitrary interference in the sense of article 17 of the Covenant, the Committee considers, in the particular circumstances of the present case, that the storage and retention of the author’s fingerprint data on an identity card, as prescribed by the National Identity Card Act, would constitute an arbitrary interference with his right to privacy, contrary to article 17 of the Covenant.

8.Accordingly, the Committee, acting under article 5 (4) of the Optional Protocol, is of the view that the facts before it disclose a violation by the State party of the author’s rights under article 17 of the Covenant.

9.In accordance with article 2 (3) (a) of the Covenant, the State party is under an obligation to provide the author with an effective remedy. Accordingly, the State party is obligated to provide sufficient guarantees against the risk of arbitrariness and abuse of the author’s fingerprint data as may arise from the issuance of an identity card to him and to review the grounds for storing and retaining fingerprint data on identity cards, in the light of the present Views. In addition, the State party is under the obligation to take steps to avoid similar violations in the future.

10.Bearing in mind that, by becoming a party to the Optional Protocol, the State party has recognized the competence of the Committee to determine whether there has been a violation of the Covenant and that, pursuant to article 2 of the Covenant, the State party has undertaken to ensure to all individuals within its territory or subject to its jurisdiction the rights recognized in the Covenant and to provide an effective and enforceable remedy when it has been determined that a violation has occurred, the Committee wishes to receive from the State party, within 180 days, information about the measures taken to give effect to the Committee’s Views. The State party is also requested to publish the present Views and disseminate them broadly in the languages of the State party.

Annex I

Individual opinion of Furuya Shuichi (dissenting)

1.I am unable to concur with the Committee’s conclusions that the author has substantiated his victim status for the purposes of admissibility and that article 1 of the Optional Protocol does not preclude the Committee from examining the communication.

2.According to article 1 of the Optional Protocol, the Committee can receive and consider communications from individuals who claim to be victims of a violation of any of the rights set forth in the Covenant. In that respect, the Committee has settled its jurisprudence that a person can only claim to be a victim in the sense of article 1 of the Optional Protocol if he or she is actually affected. It is a matter of degree how concretely that requirement should be taken. However, no individual can in the abstract, by way of an actio popularis, challenge a law or practice claimed to be contrary to the Covenant. If the law or practice has not already been concretely applied to the detriment of that individual, it must in any event be applicable in such a way that the alleged victim’s risk of being affected is more than a theoretical possibility. Accordingly, any person claiming to be a victim of a violation of a right protected under the Covenant must demonstrate either that a State party has, by act or omission, already impaired the exercise of his or her right or that such impairment is imminent, basing his or her arguments for example on legislation in force or on a judicial or administrative decision or practice.

3.In applying that principle, the Committee has accepted the communication at the stage that the author’s rights have not yet actually been impaired, but are only at risk of being impaired by certain legislation. However, even in such cases, it has recognized that where an individual is in a category of persons whose activities are, by virtue of the relevant legislation, regarded as contrary to law, they may have a claim as victims. In fact, the Committee has acknowledged the victim status only for the defined category of persons, such as Muslims and non-Western migrants, sexual minorities, language minorities and women having foreign husbands, even if a piece of legislation in question may be in theory applied to all the nationals of the State party.

4.In addition, the Committee has requested authors to demonstrate the specific consequence of the legislation which would personally affect them. For instance, in Toonen v. Australia, the Committee found the communication admissible because the author had made reasonable efforts to demonstrate that the threat of enforcement and the pervasive impact of the continued existence of the provisions on administrative practices and public opinion had affected him and continued to affect him personally. On the other hand, in Andersen v. Denmark, it found the communication inadmissible in the light of the fact that the author had failed to establish that the statement made had specific consequence for her or that the specific consequences of the statements were imminent and would personally affect her.

5.In the present case, it is clear that the author’s rights under the Covenant have not yet been impaired, given that the author has not had his fingerprints taken or been accused of non-compliance with the relevant legislation. Nevertheless, the Committee has found that the author has substantiated his victim status, due to the fact that as a Mauritian national, he is subject to a statutory obligation to have an identity card requiring the taking and recording of fingerprints, non-compliance with which amounts to a criminal offence (para. 6.2 of the decision). In my view, however, the author has not demonstrated that he belongs to a defined category of persons whose activities are, by virtue of the relevant legislation, regarded as contrary to law, nor has he made every effort to demonstrate the specific consequence of the legislation for him or the personal effect on him. Without such a demonstration, granting victim status merely because of his Mauritian nationality is tantamount to accepting an actio popularis, which undoubtedly deviates from the jurisprudence of the Committee.

6.Accordingly, I must conclude that the author does not have victim status for the purposes of admissibility and therefore the communication should be found inadmissible under article 1 of the Optional Protocol.

Annex II

Individual opinion of Gentian Zyberi (dissenting)

1.I do not agree with the conclusions of the Committee, finding a violation of article 17, in the present case. I find the decision to be a missed opportunity to provide some guidance, given that, to my knowledge it is the first case where the Committee has addressed issues concerning the inclusion of biometric data in personal identity cards and the right to privacy under article 17.

2.The gist of the Committee’s rationale for the decision is contained in paragraph 7.6 thereof. The Committee notes that, given the lack of information provided by the State party concerning the implementation of measures to protect the biometric data stored on identity cards, it cannot conclude that there are sufficient guarantees against the risk of abuse and arbitrariness following from potential access to biometric data on identity cards. Then, and without much explanation, the Committee holds that, in the particular circumstances of the case, the storage and retention of the author’s fingerprint data on an identity card, as prescribed by the National Identity Card Act, would constitute an arbitrary interference with his right to privacy contrary to article 17 of the Covenant.

3.The Committee does not explain why the storage and retention of the author’s fingerprint data on an identity card constitutes an arbitrary interference with his right to privacy, nor has it, in its brief analysis, referred to any good practices concerning the inclusion or exclusion of biometric data, including fingerprints, on national identity cards. Given the complexity of the matter, it would have been prudent for the Committee to ask for third party submissions, to elucidate the key issues put before it. Article 17 was drafted at a time when advanced biometric technology was not available and national identity documents did not include personal biometric digital data. In more recent years, many countries have been including biometric data, including fingerprints, in personal identity card programmes. That inclusion serves various purposes, including the prevention of identity fraud, countering terrorism and other public security purposes. At the same time, several challenges have arisen, which include issues of accountability, privacy, data management, enrolment, coverage, cost and harmonization with regard to such programmes.

4.Although the new biometric identification technologies are increasingly being used by many States, there are no firm guarantees that such identity cards cannot be falsified or potentially misused. While acknowledging some of the problems, the State party’s authorities have emphasized the need to balance the protection of personal data included in identity cards with the pressing social need of preventing identity fraud and ensuring public security. Section 9, Offences, of the National Identity Card Act contains provisions to protect against abuse and arbitrariness following from potential access to biometric data on identity cards by making such offences punishable by a fine not exceeding 100,000 Mauritian rupees and imprisonment for a term not exceeding five years. That part of the law is intended to protect individuals, such as the author, from potential misuse by criminals of personal identity cards or the biometric data contained thereon. Cases that have been decided by the European Court of Human Rights concern the retention of personal data, such as fingerprints, DNA and photographs, in databases for an indefinite period of time, or after the discontinuation of criminal proceedings. To date, there have been no cases decided relating to the storage and retention of fingerprints in relation to identity cards, despite many States parties to the Convention for the Protection of Human Rights and Fundamental Freedoms having national identification systems that include fingerprints on such cards.

5.While I share the general concern of the Committee that such technologies should be well regulated, in order to ensure that they are not misused by a State or third parties, by concluding that the simple storage and retention of the author’s fingerprint data on an identity card, as prescribed by the National Identity Card Act, would constitute an arbitrary interference with article 17 of the Covenant, the Committee has interpreted article 17 in an overbroad manner.

6.The complaint was seemingly moot, given that the author was not forced to give his fingerprints. Several aspects of the case had been decided at the domestic level by the Supreme Court and the Judicial Committee of the Privy Council and identified shortcomings had been subsequently addressed by the State authorities. Moreover, it is not clear whether certain issues that the author raised before the Committee had been adequately raised and exhausted at the domestic level. The better course for the Committee, given the facts of the case, would have been to find no violation of article 17.