Paraguay vetoes biometrics bill, but still needs better laws to protect data

The president of Paraguay, Horacio Cartes, has vetoed legislation that would have forced everyone using a cell phone to provide a fingerprint to activate their cell phone lines. Even though this dangerous and disproportionate requirement is no longer under consideration, more needs to be done in Paraguay to protect personal data and fundamental rights.

Biometrics in exchange for the right to communicate?

Congress in Paraguay recently passed a bill purportedly to avoid the “use of false personal data” in the activation of cell phone lines. The legislation mandates that all mobile providers and re-sellers should require a copy of the national ID and other unspecified personal information in order to activate new lines and re-register existing ones. This was already harmful in itself, but the new rules would also have required vendors to collect fingerprints from every customer. Those failing to provide all the information wouldn’t have been able to access a SIM card. And in the case of existing customers, their numbers would have ceased to function.

Fortunately, after advocacy efforts from several groups including our letter with Paraguayan NGO TEDIC, president Cartes decided to veto the bill, rendering it without effect. We welcome the decision of the presidency, specially in a context where harmful legislation is hurting the right to privacy of internet users in Paraguay.

More risks than benefits

Having a registry of cell phone users associated with their numbers might sound like a reasonable idea, but it’s not. Proponents argue that it would help law enforcement identify the people behind illegal activity, but there is no empirical evidence of the utility of registration systems for solving crimes. Those involved with organized or complex crime will use phones registered to other people, and criminals who are not careful enough are likely to be found anyway.

When a government, mobile operators, or third-party vendors amass large databases of users’ personal information, it also creates a security risk in itself. The collection of data, if it is shown to be necessary, should be reduced to the minimum possible in order to reduce the damage arising from any eventual data breaches. Those databases could also be exploited by their custodians illegitimately, especially in absence of data protection regulation.

The potential harm for users is even more serious when it comes to collecting biometric data. A fingerprint is unique in this world, even more unique than DNA. Identical twins can share the same DNA, but not the same fingerprints. A single fingerprint contains a lot of information. Some studies reveal that fingerprints may contain ethnicity information. Also, people are now using fingerprints to lock accounts or devices, such as cellphones or laptops. If a fingerprint database ends up in the wrong hands, it could cause severe incidental damages. Possible unintended consequences range from making discriminatory practices easier to facilitating unauthorized or unlawful access to personal information and devices. For that reason, laws around the world consider fingerprints sensitive data, and impose restrictions on their collection and treatment.

Finally, storing biometric data is expensive, since it requires critical care and high-end technology for gathering, protecting, and storing the information. Who will pay for the extra costs? As in many other situations, mobile operators might very well transfer the cost to the users, thus raising barriers to access to communication.

Public policy objectives, such as the fight against crime, require measures that respect the rights of the population, including keeping personal data safe. The bill that the president of Paraguay vetoed did not even have a background study to measure the impact of unregistered SIM cards on criminal activity, to justify it. And even if it did, lawmakers would still have a duty to first consider other, less risky solutions to the problem.

The data protection crisis in Paraguay

The proposal for forced collection of biometric data points to a pressing issue for human rights: to date, there is no comprehensive data protection regulation in Paraguay. There is only some insufficient data protection mechanisms in legislation on other issues and some basic constitutional remedies for harm. The lack of clear regulation on data protection creates space for multiple interpretations that harm people’s fundamental rights and leave many important questions unanswered. There are no simple or accessible mechanisms to allow people to inquire about their personal data in the hands of third parties, nor are there standards and requirements that data collectors must follow.

As the Paraguayan digital rights group TEDIC has shown, there are plenty of threats to privacy and data protection in Paraguay that demand an immediate legislative response. These threats include illegitimate government access to mobile user data and the sale of personal information databases.

Data protection legislation is the way forward

The only way to correct the wrongs and provide effective protections for citizens and their personal information is through a comprehensive data protection law. The veto of this bill by President Cartes could be a start to correcting the abuse of digital rights that are unfortunately common in Paraguay today.

Congress has now an opportunity to move forward through dialogue and consensus with diverse stakeholders, including civil society, academics, and the private sector. In the meantime, decision-makers should abstain from passing regressive legislation such as the cell phone registration law that we analyzed in this post.

If you’re interested in following the debate on this issue, we encourage you to follow and support Paraguayan digital rights group TEDIC, and stay tuned for updates.