10 February 2017
The main objective of this analysis is to comment on the new National Biometric Identity Card Bill, which was proposed by the Tunisian government. This bill was criticized by legal experts as well as civil society activists through a position paper that was signed by Access Now, Friedrich Ebert Stiftung Tunis, IWatch, Nawaat, the Tunisian Human Rights League (LTDH), the Tunisian Forum for Economic and Social Rights (FTDES), the Tunisian Independent National Coordination for Transitional Justice, Psychologues du Monde Tunisia, and Doustourna Network.
The most important points to focus on in this bill are:
- The motivations and objectives;
- The lack of transparency on the legislative procedure;
- The nature and scope of the personal information collected and stored along with the biometric data;
- Uncertainties and risks related to the technical and administrative procedures;
- The legal definition of the collected data, the national database where the data will be stored and managed, and the measures of the data’s security;
- The need to establish an independent authority with the mission to collect and process personal data in addition to guaranteeing personal data protection;
- The measures to take in case of the loss, theft, or destruction of the biometrical card;
- The security measures that will ensure the protection of the stored data;
- The way the owner of a biometrical national identity card accesses and checks the information stored in the biometrical card (the encrypted part).
The iGmena community in Tunisia proposes an analysis of the weaknesses of the proposed bill and recommendations to assist the government in drafting a more inclusive law that corresponds to end users’ expectations while preserving the protection of personal data and the respect of the fundamental rights and freedoms of Tunisian citizens.
This proposed bill attempted to clarify numerous questions but did not touch upon various legal, technical, and security aspects. Citizens should be more aware of the importance of this new biometrical identity card, but we want to guarantee a democratic process, the respect for human rights and especially the protection of personal data and privacy. This analysis can be reinforced by a survey and more robust investigation into the impact of the possible violations of personal data on citizens. This analysis also leads to the proposition that the bill needs to be further analyzed while a version of the bill that takes into account this article’s proposed recommendation should be developed by the government, which is recommended to focus on the measures and procedures to resolve the loopholes that exist in the current bill.
1. The biometrical card
The card is meant to collect data that identifies a person. The data needed for that purpose are name and surname, date and place of birth, and the biometric data (picture and fingerprints). Unique data can be added such as the name of the mother and a signature; however, the residential address, regardless of its importance for the fiscal and penal systems, does not count as a criterion that identifies a person. The encrypted part includes personal data that is stored on an electronic chip, which will help access other information such as social insurance, a citizen’s e-signature for online authentication, and the unique identifier (UID). While we call for the endorsement of such digital projects that enhance the electronic system of the Tunisian government, at the same time, we caution about the risks associated with data breaches that could affect the rights of citizens and the protection of private data because the personal information of individuals is protected by the constitution.
2. Collected files and database
The file, which will gather all possible personal data about a citizen, has no legal framework. This will lead to creating multiple files of the same person in different ministries (sometimes within the same institution). Not only can the files be duplicated, but they also run the risk of getting lost (the case of higher education and scientific research institutions). This can create problems with organization, data storage, and management. In addition to that, this does not ensure the effectiveness and the protection of personal data.
iGmena’s recommendation is to create a legal framework for file collection and the nature of collected data. This will facilitate coordination and sharing of the information stored in a national database. For the same database, a clause dedicated to this issue has to be integrated into the law to guarantee the non-duplication of the stored data and the security of the exchanged data between collection centers. Moreover, the independence of the structure that accesses the management of this database must be guaranteed.
Expert recommendations regarding the management of big data and ensuring the cybersecurity of the technical management required for this database will guarantee the protection of personal data in different stages (collection, management, verification, exchange, storage, and destruction). We should take into consideration that this database will also collect sensitive personal data.
3. Citizens’ access to their personal data
The bill does not ensure that citizens are entitled to access their personal data. This is an unconstitutional procedure if we take into consideration that the new Constitution established human rights as a supreme guiding principle. Article 24 enshrines the right to privacy, making the State responsible for protecting the privacy and inviolability of the home and confidentiality of correspondence, communications and personal data. Thus, in order to ensure transparency, we recommend that citizens have the right to access their personal data stored in the national database at least within the framework of an administrative procedure (directly or through a written request) to check the accuracy of the data.
4. Administrative and technical procedures
The bill does not clearly mention the administrative procedures related to personal data collection and storage. While the bill describes the collection procedure in the transition from the old card to the new one and the procedure in case the card is lost or stolen, the bill does not clarify the procedures for storage, destruction, and accessing the data. We recommend including a detailed explanation of this procedure in order for the bill to fulfill the legal aspects of ensuring the clear and transparent processing of personal data.
Regarding the technical aspects, the bill only mentions the security infrastructure that will be implemented (PKI) without any details on the motivation of either the bill or its legal aspects. This raises questions about the nature of the technology that will be used (a card with or without contact) as well as the role of the Ministry of Communications Technologies and Digital Economy in the process. We recommend the clarification of these technical aspects in cooperation with the ministry as well as digital security and information and communications technology (ICT) experts to solve this issue.
5. Other aspects to consider
We recommend the following aspects to be taken into consideration as well:
- Convert the motivations mentioned in the bill into objectives during the lawmaking process, which do not only focus on the penal aspects;
- Define the authority that will oversee the collection and management of the biometric card data. There is a fundamental need to take into consideration transparency, independence, and non-abuse of power.
We propose that this commission or authority will be composed of representatives from the Ministry of the Interior, the Ministry of Communications Technologies and the Digital Economy, local technology experts, the National Authority for Protection of Personal Data (INPDP), the Tunisian Human Rights League (LTDH), and representatives of civil society to ensure the respect of online human rights and freedoms.
Hafeth Yahmadi, an ICT expert and civil society activist, offered his perspective on the biometric national identity card bill (draft organic law number 2016/62), specifically on the new biometric national identity electronic chip.
We condemn the lack of involvement of civil society in this project, which is considered a violation of the principles of multistakeholder governance in the policy development process. After studying the proposed legal text, we hope that the Commission on Human Rights, Liberties, and Foreign Relations will pay attention to the following observations:
- The weaknesses of the current legislative framework and legal aspects concerning the personal data protection and the process of electronic exchange of digital identity elements.
- The lack of specification on the protection guarantees for the database holding information about citizens and the legal responsibilities of the entity that will be responsible for the management, operations, protection, and monitoring of this data. Therefore, we advise applying high-level, international security standards.
- The legal texts are punitive and directly sanction citizens with no mention of any sanctions or legal responsibility held by government entities in case of the violation of the citizen’s privacy by misusing confidential data.
- Adjust the application of the special access to personal data provisions, which cannot be without a court order (as it is stated in article 2, according to basic law involved in the drafting of judicial and legislative powers and civil society).
- Due to the sensitive nature of the digital information stored in the biometrical card, we must have a guidance booklet of specific conditions and usage to prevent the use of real data, both during the stages of development of the project or during any kind of related services, directly or indirectly, during or after completion of the draft law.
Written by Mr. Houssem Kaabi, IPA author, network engineer, & civil society activist
Revised by Mr. Hamza Ben Mehrez, Senior Policy Analyst (iGmena)