Photo by Kristin Hardwick at stocksnap, under public domain.

Mexico has approved a plan to register biometric data, names, and addresses of cell phone users in a database, in what activists say is an alarming decision. The Mexican government has already failed several times to protect personal data.

The Senate of the Republic of Mexico approved and then published on April 16 a decree that modifies the Mexican law on telecommunications and broadcasting to create the National Registry of Mobile Telephony Users (Padrón Nacional de Usuarios de Telefonía Móvil, PANAUT, in Spanish).

The registry is a database that includes information about the subscribers of cell phone services, managed by telephone operators. This is what the decree establishes:

Registration of the cell phone number in the National Registry of Mobile Telephony Users will be mandatory for the users, who will have to provide official identification, proof of address and biometric data for the activation of the cell phone services (…)

This means that cell phone users in Mexico are required to register their SIM cards along with their personal and biometric data, such as fingerprints and facial features. The telephone operators will be in charge of collecting and managing these records. It is estimated that the creation of the registry will cost 700 million pesos, or &35.4 million U.S. dollars.

The justification for making these legislative changes, according to the Mexican Senate, is the “collaboration with the competent authorities in matters of security and justice in matters related to the commission of unlawful acts.” By 2019, an estimated 22.3 million people were victims of crime, according to national data. Achieving “peace and security” was one of the most important core promises of Mexican President Andrés Manuel Lopez Obrador when he was elected in 2018.

Criticisms arose during the legislative procedure and after its approval. The civil society organization Network for the Defense of Digital Rights, or R3D, warned in the early stages that there is no evidence this type of mechanism contributes to the reduction of crimes. They also said these mechanisms are easy to evade. Meanwhile, the database would also violate fundamental rights such as privacy and could jeopardize the security of individuals due to the possibility of unauthorized access or leakage of personal data. The organization states that it would affect the presumption of innocence since “the reform establishes that all legal acts performed from a cell phone number [will be attributed] to the person registered into the registry,” meaning that people would have to prove that they cannot be held responsible in the event of theft or impersonation, for example.

One sector of the electronic telecommunications industry, which comprises 1,000 companies, asked the legislators to reject the bill. They argue that it would be difficult to create a database in an environment where each operator uses different technologies and that this initiative would discourage further investment, in addition to the claim that it would not reduce crime levels.

In Mexico, while there is an increase in trust in the federal government according to official figures, Mexicans also reported a 7.5 percent increase in the number of corruption victims, according to the 2019 National Survey on the Quality and Impact of the Government. Organizations fear that the list of personal data will be lost and fall into the hands of malicious individuals, thus increasing the feeling of insecurity.

Several cases were documented in Mexico where government institutions have failed to protect personal data, according to the federal agency in charge of personal data protection. One of the most recent examples is the Ministry of Public Function, which disclosed the data of 830,000 civil servants of the federal administration.

Another similar case occurred in the health sector. In 2018, 2.3 million clinical records were leaked and released from the state of Michoacán. Federal authorities determined that the “potential responsibility” lay with the technology company Hova Health. Within the same sector, in 2020, an investigation revealed that personal data of patients employed by the State were available on internet search engines.

The creation of a similar registry was attempted in 2009, the so-called National Registry of Mobile Telephony Users (Registro Nacional de Usuarios de Telefonía Móvil, or RENAUT, in Spanish). It had been operational for only two months before it was discontinued after it was reported that the database was for sale. In 2013, the electoral registry was also for sale online.

Citizens have taken legal action against the creation of the cell phone registry, but the majority of these actions were dismissed by the judges. For its part, the National Institute for Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales in Spanish) decided to file an action for lack of compliance with the Constitution because it considers that the registry violates the protection of personal data and access to information. The Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones, or IFT, in Spanish) also joined these actions, on the grounds that it could not allocate resources for the creation and operation of the registry, since no budget was approved, and it could also affect freedom of expression and access to telecommunications services.

For its part, the initiative #NoALPadrón (#NoToTheRegistry), made of 10 social organizations, demanded that the National Commission for Human Rights (Comisión Nacional de Derechos Humanos, or CNDH, in Spanish), an autonomous state agency, file an action to challenge the unconstitutionality of the registry. However, the Commission responded that it would not join and will only follow up.