Over the last several months, the Tunisian government has been advancing three major digitization programs that are aimed at facilitating people’s access to government services, but in fact threaten the privacy, personal data protection, and digital security of millions. All three — the Biometric ID project, the Mobile ID program, and the subsidies compensation platform — have been developed without sufficient transparency or civil society input. Unless the government takes the necessary steps to safeguard human rights, we could see programs meant to benefit people pave the way for mass surveillance, identity theft, data exploitation, and other rights violations and abuse.
The Biometric ID project: a sleeping monster
Even though there have been plans to replace the National Identity Card with chip-enabled biometric cards since 2016, lawmakers have not adopted the Biometric ID bill, and there is no publicly available copy of the actual draft. Currently, the Ministry of Interior argues that advancing the bill is necessary to fulfill Tunisia’s obligation to adhere to the International Civil Aviation Organization requirements for machine readable documents (Doc 9303) by the end of 2024. But this standard only applies to passports and travel documents, not national ID documents. Nevertheless, the Ministry insists on linking the two.
This push to pass legislation no one has seen raises civil society fears that there will be forced implementation of a Biometric ID card, without sufficient public input or oversight. This is especially disturbing given the fact that Tunisians would be legally obliged to provide their biometric data to the authorities, which will store them in a database.
Establishing a database like this fails basic security logic. Tunisia has a very weak data protection framework. The Data Protection Law of 2004 is obsolete and is not properly enforced. There have also been numerous cyberattacks on important Tunisian institutions. All of these factors make it clear the biometric database would be an ideal target for criminal attacks or improper access, increasing the risk that millions of people’s personal data will be stolen, leaked, or misused. In addition, the government’s budget for 2023 does not have a clear allocation for the project, which means a lack of resources that could add another layer of insecurity.
The Mobile ID: a digital black box
Tunisian authorities are so eager to move forward with digital identity programs and online public services that they have already created a legal electronic identity based on the mobile phone number.
The government launched Mobile ID, translated into “e-identity” in Arabic (e-houwiya), in August 2022. It enables people to access some government services, such as obtaining an online birth certificate or undertaking a paperless transfer of vehicle property. Authorities plan to add other capabilities progressively, depending on the digital transformation projects they adopt.
The problem? The government has not yet answered important questions related to the project’s technological and legal challenges. For example, we don’t know whether the ICT Ministry conducted data protection and human rights impact assessments before effectively implementing the program. It’s also not clear who manages the Mobile ID database and how. No one knows if this database has been shared with private or international institutions.
We submitted these questions, and others, to the ICT Ministry in December 2022, but we have yet to receive an answer. Civil society has been excluded from the project, from its design through to its effective implementation, and the lack of transparency raises deep concerns about how people’s data are being collected and processed, especially since the administrative services people are accessing deal with large amounts of sensitive information. Additionally, the combination of the outdated and poorly enforced data protection framework and new state powers under the new Anti-Cybercrime Decree-law 54 that enable mass collection of all electronic communications could turn the Mobile ID from a program that is supposed to benefit people into a vehicle for digital invasion of privacy. The very low subscriber numbers could be a direct result of citizens’ lack of trust.
The subsidies compensation platform: when the state violates its own laws
The Tunisian government’s negligence regarding protection for citizens’ data may have reached its peak with the announcement of plans for the launch of the online subsidies compensation platform. As part of ongoing economic reforms, authorities are planning to lift state subsidies on commodities such as bread and sugar, and money will be directly transferred to the relevant people, who represent approximately 70% of the population. In order to assess a citizen’s eligibility for financial compensation, this platform would gather all the necessary information related to employment, income, and familial and health situations.
As we and our partners point out in our joint statement urging authorities to postpone the launch, the ministries leading this project have failed to abide by the Organic Law 2004-63 on Personal Data Protection, as they did not submit a prior declaration to the data protection authority, the INPDP, as required by Article 7 of the law: “Before processing personal data, a prior declaration must be deposited at the HQ of the National Authority for Protection of Personal Data.” They also did not consult the INPDP, as required in Article 76 of the same text. This clear infringement of the law is deeply concerning, as the massive amount of information to be collected lacks the legal safeguards necessary for personal data protection.
In addition to this critical failure, authorities have not specified a precise launch date. So far, two ministers have provided contradictory information, as the Minister of Finance announced the launch would take place in November 2022, and the Minister of Trade and Exports said it would be January or February 2023. Due to the absence of accurate data, Access Now submitted four access to information requests to the ministries of Finance, Trade and Exports, ICT, and Social Affairs.
As it stands, we have not received a substantive response regarding the progress made, the launch date, or whether or not human rights and data protection impact assessments have been conducted. The only feedback we received came from the Ministry of Finance, informing us that the ministries in charge are ICT and Social Affairs. To address this opaque situation, on March 28, 2023, we made an appeal to the Access to Information Authority, which should issue its judgment on the release of relevant information within 45 days.
Tunisia must prioritize privacy and data protection
The three systems in question are supposed to help bridge the digital transformation gap, and provide the people of Tunisia with modern tools for accessing necessary public services. But as we detailed above, they could easily form the foundation of a large privacy-harming ecosystem, developed without public oversight and without the necessary data protection and human rights safeguards — paving the way for mass surveillance or other rights violations.
This is why Tunisian authorities must act quickly to protect Tunisians’ privacy and personal data. We call on the new Parliament to update the 2004 Data Protection Law to meet Tunisia’s international commitments, and urge Tunisian authorities to actively engage with civil society and independent experts to ensure these digital government solutions are rights-respecting and people-centric by design.