Civil society advocates and government experts are raising concern about a new bill that would require all Tunisian citizens to carry a national ID card encoded with a rich combination of personal biometric data including one’s photograph, digitized fingerprint, social security number, and home address.
Under the proposed legislation, the ID card will have a public key system according to international standards hence the necessity for change. Although the bill includes no details on the matter, experts suspect that this information will be aggregated under one unique identifier [a multi-functional card that serves as identifier for national ID, health insurance and social security numbers].
The bill would amend a 1993 ID law, passed during the regime of Zine El Abidine Ben Ali, under which identification cards listed the occupation of the card holder, and cards belonging to married and widowed women were required to include the name of their husband.
The current bill would eliminate these two requirements, and update language concerning the technical sophistication of the system. It would also lower the age at which citizens are required to carry these IDs, from 18 to just 15 years old, and introduces a 15-day prison sentence against those refusing to show their ID card upon police control.
The Tunisian government's plan to introduce biometric IDs has been met with resistance from experts and civil society.
Several human rights organizations including the Tunisian League for Human Rights and the Tunisian Forum on Social and Economic Rights signed a statement by Access Now urging the Tunisian parliament to reject a new ID bill [AR] (62/2016), set to amend Law No. 27 of 1993 on the national identity card.
Tunisian netizens have also followed it closely, and warily, for years. Tunisian net freedom advocate Dhouha Ben Youssef tweeted about the topic in October 2014:
— Dhouha Ben Youssef (@_dby_) October 18, 2014
Smile, you are under surveillance! New measures for the development of the information and communication system
— Dhouha Ben Youssef (@_dby_) October 18, 2014
Even the new ID card will be biometric, video surveillance etc…let's forget about privacy for the sake of security.
Government agencies in Tunisia are not required to obtain court approval before accessing citizens’ data.
Post-revolution governments in Tunisia have continuously assured the public that they will only seek private information following judicial orders (p 248). That being said, the now-obsolete Tunisian criminal law does not have modified provisions for Information and Communication Technology crimes committed by the government or otherwise.
This makes the bill more worrisome for activists, and even for the data protection authority. The National Authority For the Protection of Personal Data (known by its French acronym, the INPDP) expressed skepticism about the bill at a November 3 press conference in Tunis. INPDP President Chawki Gaddes emphasized the lack of clarity in the bill regarding who would have access to citizens’ data obtained through the system, and how this access would be granted.
He also called for the deletion of the address component from ID cards since this information does not pertain to someone's identity. In the past, address information has been used by police who appear to have targeted youth from poor neighborhoods commuting in other parts of the city or the country.
In a statement published on 1 November, the data protection authority denounced the fact that the government did not consult with them when drafting the bill. Under Article 76 of the personal data protection law of 2004, the authority is entitled to give its supervisory opinion on matters related to personal data protection, including draft laws.
Established under the ancien regime of Zine El Abidine Ben Ali, the INPDP is a commission within the Ministry of Justice. It regulates the use of private information according to Article 7 of Law n°63 of 2004:
Article 7 – Toutes opérations de traitement de données à caractère personnel est soumis à une déclaration préalable au siège de l'instance nationale de protection des données à caractère personnel contre récépissé ou notifiée par leur recommendée avec accusé de réception ou par tout autre moyen laissant une trace écrite.
Article 7 – Any processing of personal data shall be subject to a prior declaration [PDF] from the seat of the national body for the protection of personal data against receipt or notification by their authorized representative with acknowledgment of receipt or by any other means leaving a Written trace.
The same decree includes a punishment of one year in prison and a fine 5,000 Tunisian Dinars ($2,173) for unauthorized processing of personal data by the private sector in Article 90.
But the authority remains powerless when it comes to supervising public authorities’ collection and processing of personal data. In fact, state companies and government agencies are not subject to prior authorization from the national authority. Under the same law, public institutions are not required to obtain verbal and written consent from data subjects when collecting and processing data. Data subjects are also barred from accessing information held about them by public authorities.
Advocates want greater guarantees of transparency and due process.
The Tunisian Pirate Party released a statement (in Arabic) on 19 October warning of the risks of storing massive amounts of citizen data in a centralized database. The statement argues that the bill does not provide sufficient detail regarding the security of citizens’ data, which once collected could be vulnerable to cyberattacks or breaches. They also raised concern about the bill lacking information about how the cards will be used and what rights, if any, citizens will have to access their own data within the system.
كما يستنكر حزب القراصنة كل ما ورد في نص القانون من عقوبات جزرية بالسجن و يعتبرها نصوص قسرية لا تتماشى مع مناخ الحريات و تكريس لعودة الاستبداد و تناقض مع حق النفاذ الى المعلومة، و يحذر حزب القراصنة من عودة الهرسلة البوليسية من خلال ءاجراء مطابقة البصمة لبيانات الشريحة بواسطة قارءات البصمات الالكترونيّة الجوالة.
The Pirate Party denounces the jail sentences in the bill and consider such verdicts restrictive and unmatching with the new era of liberties as a well a prime precedent for the return of dictatorship and a contradiction to the right to access information. The Pirate Party warns against renewed police harassment through the procedure of verifying fingerprints with data on [biometric ID] chips through electronic mobile ID card readers.
The Pirate Party expressed concern that the bill would make it illegal to decrypt one’s card encryption.The current language of the bill does not explicitly address this issue. However, a proposed provision makes it illegal to “forge” data stored on the card and the ID's electronic chip in accordance with Article 193 of the Penal Code, which criminalizes “fraudulently altering” identification documents with five years’ jail time.
Tunisian human rights activists are not particularly opposed to the biometric ID card in principle; rather, they are concerned about the lack of clarity from the government concerning which data they wish to collect, and the lack of independent supervision of such collection.
Poll conducted on Tunisians’ attitudes toward privacy
77.5% of respondents approve of the government’s plan to introduce biometric IDs
60% do not believe that the use of biometric IDs restricts freedoms
88.7 said they would allow the government to collect more personal information on them to fight terrorism
Source: the Tunisian Data Protection Authority, May 2016
The bill forms part of a 2014 national strategic plan for a “Digital Tunisia“, a partnership program between the government and private sector that aims to digitize numerous pubic services that will cater to citizens’ needs with just a few clicks, and to create 80,000 new jobs in the ICT sector by 2018. While novel for Tunisia, national identification and biometric databases are nothing new — more than 100 countries in the world now issue biometric ID documents to its citizens. Publicly posted invoices indicate that the program will cost a total of 5,200 million dinars. The new law will also cost taxpayers unnecessary expenditures during a third year of economic recession.
The parliamentary Commission on Rights, Liberties and External Relations is currently reviewing the bill — if it receives the Commission’s approval, it will advance to an assembly vote.
Almost three years after the adoption of a constitution that guarantees privacy rights, Tunisia remains without a strong data protection authority that could ensure protection to these rights. The Tunisian constitution protects private life and private data in its 24 article.
Article 24 of the Tunisian Constitution: The state protects the right to privacy and the inviolability of the home, and the confidentiality of correspondence, communications, and personal information.
Draft amendments to Law n°63 of 2004 on personal data protection, expected to consolidate the authority's independence and reinforce its supervisory role over government authorities’ handling of personal data are yet to be submitted to the parliament.
If approved by the parliament, a provisional commission established by the constitution to review the constitutionality of draft laws (until the future constitutional court is put in place) may find the new ID law to be unconstitutional. However, this can only happen if the president, the prime minister or at least 30 MPs, challenge the law within seven days of its adoption.
In the meantime, the question remains whether Tunisian netizens and civil society will step up their advocacy strategies in opposition to the bill, in a country where awareness about risks to privacy are lacking.