Digital Identity in Paraguay: risks and recommendations from a Human Rights Perspective

TEDIC
Blog Personal Data
flyer with text: digital identity in Paraguay: risks and recommendations

With the enactment of Law No. 7177/2023, Paraguay joins the growing number of countries adopting digital formats for mandatory documents, such as the national identity card and driver’s license. This trend poses significant challenges to the exercise of privacy and other fundamental rights.

From TEDIC, we have been warning about the risks of implementing public policies with a digital component without integrating human rights impact assessments into their development and implementation1. In this article, we offer a synthesis of our main concerns, as well as some recommendations for steps to be taken within the framework of implementing this policy.

GLOBAL CONTEXT

Although digital identity promises efficiency and convenience, its implementation worldwide has revealed significant risks to the privacy and security of personal data.

In Mexico, more than 20 national and international organizations opposed the mandatory implementation of the Unique Digital Identity Card (CUID) because it lacked mechanisms to guarantee the right to legal identity and to avoid significant risks to the privacy and security of over 130 million people. Furthermore, there were no mechanisms to prevent mass surveillance, and it was proposed to condition access to public services on the possession and use of the Digital ID Card, which would disproportionately impact vulnerable populations.

In India, the implementation of the Aadhaar biometric system violated the privacy of the population and led to massive restrictions on state services and benefits, deepening social exclusion.

Jamaica, a country that also implemented a system similar to Aadhaar, had to adjust its data protection framework beforehand. However, its implementation revealed that more than 16 personal data points were retained without clear consent management.

Other documented cases in Tunisia, Estonia, Morocco, Peru, among others, illustrate the complexities and challenges that countries face when adopting digital identity technologies. These examples highlight the need for a balanced approach that protects the human rights of individuals. For Paraguay, it is essential to study these international experiences to develop a legal and operational framework that guarantees both technological efficiency and comprehensive protection of citizens’ fundamental rights in the context of the use and promotion of digital ID.

BIOMETRICS: RISKS AND CONCERNS

Privacy International (PI) defines biometric data as “automated methods that can accurately recognize a person based on their physical or behavioral characteristics”. In turn, PI also indicates that “biometric technologies encompass a wide range, including fingerprint, palm, facial, vein pattern, iris, voice recognition, and other bodily manifestations such as DNA and typing dynamics”, among others.

In this regard, the United Nations High Commissioner for Human Rights has indicated that it is “concerning that some States have undertaken enormous projects based on biometric data without having the necessary legal and procedural guarantees”, and has recommended that States “ensure that systems that use a large volume of data, including those involving the collection and retention of biometric data, are only used when States can demonstrate that they are necessary and proportionate to achieve a legitimate purpose”1.

The former UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue2, along with Navi Pillay3, former UN High Commissioner for Human Rights, have expressed concern about privacy infringements caused by inadequate protection in the use of biometric technologies4.

Martin Scheinin, who served as UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms in the fight against terrorism, warns about the risks associated with storing biometric data in centralized databases rather than on identity documents. According to Scheinin, this practice increases individuals’ vulnerability and information security and could lead to a significant increase in error rates as more biometric information accumulates.

Privacy International points out how these systems can lead to exclusion from essential services, increased risk of identity theft, and invasive surveillance systems. This situation becomes even more delicate in contexts with a weak rule of law.

Furthermore, Access Now expands its concern to cases where the implementation of centralized digital identity systems can lead to extensive surveillance and profiling of users, violating privacy, and generating exclusion in cases where they are established as mandatory or with practices that undermine autonomy and consent.

The risks associated with the use of biometric identifiers, such as fingerprints and iris scans, in digital identity systems amplify the damage in the event of potential breaches since, unlike passwords, they cannot be easily changed once compromised and are also irretrievable.

On the other hand, historically marginalized populations, such as refugees and transgender people, could be severely affected by the mandatory enrollment in digital identity programs that force them to identify differently from their identity, posing discriminatory records or violently digitizing their biometric features. This could also lead to coercion and the autonomy of individuals in exchange for access to essential services and basic rights, undermining human dignity.

NATIONAL CONTEXT

In Paraguay, the implementation of Law No. 7177/2023 is taking place in an environment where there is an excessive enthusiasm for technological solutions, often referred to as ‘techno-solutionist hype56‘. This approach may neglect critical considerations in terms of rights and privacy.

The issuance of the civil identity card in Paraguay is the responsibility of the National Police, which generates a concentration of personal data in the same entity responsible for the prosecution of crimes in the country. Paraguayan legislation requires every person within the national territory to carry the identity card and authorizes the Police to detain individuals without any flagrant indication of unlawful activity.

Paraguay has historical debts in the consolidation of an effective democracy. The Paraguayan population, according to data from the 2021 Americas Barometer, has high levels of dissatisfaction with democracy, while the levels of positive assessment of the military forces in public opinion are growing. Furthermore, there is data indicating that at least half of the population would accept a coup against the democratic order.

Paraguay is the only country in Mercosur that has not separated the issuance of civil documents from the police agencies7. The lack of separation between civil management and security mechanisms raises concerns about the design of the State.

Since 2018, with the law creating the Ministry of Information and Communication Technologies (MITIC by its acronym in Spanish) and subsequent resolutions, the existence of a “Single Government and Online Procedures Portal” was established, which was instituted as an indexer of e-government solutions, supported by an information exchange system with other entities.

This implementation grew in usage, incorporating the generation of documents such as birth certificates, police and judicial records, vaccination book certificates, academic degrees, among others. In October 2023, there were more than 46,000 registered users. Additionally, according to projections, it seeks to digitize and simplify 120 procedures within the framework of a digital agenda of the State.

In September 2023, the National Congress sanctioned Law No. 7177/2023, which validates the digital format of mandatory documents, entering into force in October of that year. The project did not have much socialization or hearings to discuss its implications. However, it presents several technical and legal aspects that require detailed analysis.

The law aims to give official validity to the digital format of mandatory documents, establishing the coexistence of digital and physical formats. The implementing authority will be the MITIC, through the Vice Ministry of Information and Communication Technologies.

The obligated subjects under this law also include the issuing authorities of documents. Specifically:

  • National identity card issued by the Identification Department, dependent on the National Police.
  • Vehicle green card issued by the Directorate of Motor Vehicles Registry, dependent on the Supreme Court of Justice.
  • Vehicle driving license and vehicle authorization issued by each corresponding municipality.

ANALYSIS OF LAW No. 7177/2023

The law in question is in force, but its practical application depends on adequate regulations that are still pending. This law establishes a period of up to two years for implementation and regulation, which implies a transition and adjustment period for all parties involved, a situation that has not yet occurred.

Considering that the National Government sought to incorporate the implementation of this policy into its 100-day government achievements report, it enabled the use of the digital identity card and driver’s license registration without there being a regulation published by the MITIC. This can be seen, for example, by verifying that the current platform still does not have a privacy policy adjusted to the regulatory framework and the specificities of the digital identity card. Therefore, such speed in this implementation raises concerns about the way in which the implementation of this type of policy is agreed upon in a democratic system.

1. LEGISLATIVE COLLISION

Law No. 7177/2023 of Paraguay, which establishes the digital format of mandatory documents, presents significant legal and ethical challenges in terms of protecting rights and privacy. This legislation must be carefully analyzed in light of international human rights and data protection regulations, such as the International Covenant on Civil and Political Rights (ICCPR, Article 17) and the American Convention on Human Rights (ACHR, Article 11). Both instruments, ratified by Paraguay, protect against arbitrary or unlawful interference in private life, which is fundamental in the era of digital identity. The need for informed consent and robust security measures for handling personal data is a central pillar of these regulations.

In the international context, jurisprudence on the protection of personal data and privacy has been widely developed by entities such as the European Court of Human Rights and the Inter-American Court of Human Rights (hereinafter referred to as the IACtHR). Although the IACtHR has not specifically addressed biometric data, its decisions have consistently emphasized the importance of protecting privacy and personal data. In this context, Law No. 7177/2023 must implement explicit safeguards, including limitations on the collection of biometric data, protection against unauthorized access, and procedures to ensure the integrity and confidentiality of this data. Likewise, it is crucial to establish clear and accessible procedures for individuals to correct or delete their personal data.

The Law must also be evaluated from the perspective of necessity and proportionality. According to the IACtHR, any measure that affects privacy must be necessary in a democratic society and proportional to the legitimate aim pursued8. This principle is essential to ensure that technological advances do not undermine fundamental rights.

Transparency and the right to access public information are crucial aspects in the management of personal data. The legislation must ensure that people have clear access to information on how their data are used and stored and how they can exercise their rights to challenge or rectify this information9, something not evidenced in the current implementation in Paraguay.

In addition, the implementation of Law No. 7177/2023 has raised specific concerns related to the presumption of innocence, a right enshrined in Article 16 of the National Constitution of Paraguay. Jurists such as Jorge Vasconcellos and José Casañas Levi have pointed out that random detentions for not presenting documents could constitute a violation of this fundamental principle. Such a practice, considered a vestige of authoritarian times, undermines the presumption of innocence and the constitutional order and could be interpreted as a form of criminalization due to lack of documentation.

Furthermore, this law generates even more legal confusion by colliding with the recently implemented Law No. 7179/2023 on “Simplification of Administrative Procedures in State Agencies and Entities”, still unregulated. Its Article 2 establishes that:

“No state entity may require, as a requirement for administrative procedures or procedures, the presentation of a certificate, certificate, or other document that has been issued by itself or that by its nature should be in its files.”

This situation highlights the need to harmonize laws to avoid contradictions and ensure respect for fundamental rights.

Law No. 7177/2023, although it represents progress towards digital modernization in Paraguay, must be carefully balanced to protect fundamental rights to privacy and personal data protection. Reviewing and adjusting legislation is essential to align it with international standards and relevant jurisprudence and to ensure that authoritarian practices are not perpetuated under the pretext of technological modernization.

2. DATA PROTECTION

A fundamental and highly deficient aspect in the discussion on the implementation of digital identity in Paraguay is the protection of personal data. Paraguay still lacks a comprehensive legal framework for the protection of personal data.

The absence of a macro regulatory framework that establishes careful and due processes in the treatment of personal data, coupled with the absence or even overlap of regulations between interoperable systems linked to digital identity in public agencies10, generates an uncertain scenario regarding the protection that must be guaranteed by the Paraguayan State.

In this sense, both the “Portal Paraguay” application, developed for Android operating systems, and the Electronic Identity web portal direct to the same privacy policy11 and the Terms and Conditions (T&C12), despite being two completely different infrastructures.

In the T&C, the MITIC completely disclaims responsibility for modifications, losses, or damages suffered in the maintenance of the platform. It also does not assume responsibility for system failures. In addition to this, situations that discretionarily undermine the informed consent of the user population are proposed, such as “the right to update and modify at any time and in any way, unilaterally and without prior notice, the present terms of use, privacy policies, and the contents of the page”13.

At the same time, the state platform acknowledges sharing information about the use of the application from the Digital ID web to Google Analytics14. This implies entrusting data management to a foreign company, whose code is closed and cannot be thoroughly audited. Information disclosure includes sensitive details such as:

  • Number of users accessing the web,
  • Number of page views,
  • Frequency and repetition of visits, their duration,
  • The browser used,
  • The operator providing the service,
  • The language used,
  • The city to which its IP address is assigned.

Despite the privacy policy of these T&C stating that it does not share its data with third parties for marketing purposes, there is a lack of guarantees to prevent a private service like Google from using user cookies for advertising profiling purposes.

Finally, the privacy policy invokes a repealed law such as Law No. 1682 “REGULATING PRIVATE CHARACTER INFORMATION” and its complementary norms and other regulations of the Republic of Paraguay.

Not only is the risk of implementing digital identity being discussed here, but since the launch of the platform, a robust framework has not been established to guarantee the security of the personal data of the users. This reflects a deficient approach that requires urgent review.

Conclusion and Recommendations

The implementation of the digital identity card in Paraguay, under Law No. 7177/2023, has been carried out in a global context where digital identification systems are undergoing intense scrutiny due to their implications for privacy and fundamental rights. The experience of countries such as Mexico, India, and Jamaica, where the implementation of similar systems has raised significant concerns, offers valuable lessons that the Paraguayan State cannot ignore. In this regard, within the framework of this policy as well as others regarding digital identity, we recommend the following steps:

  1. Risk assessment and rights protection: It is crucial that the Paraguayan State integrates comprehensive human rights assessments into the development and implementation of public policies involving technology and personal data processing. Such assessments must address the risks of exclusion, surveillance, and data exploitation in order to mitigate possible risks arising from the implementation of any policy.
  1. Transparency and public participation: The process of implementing the digital identity card must be transparent and participatory. This implies socializing the project, promoting transparency policies for auditing and controlling implementation among multiple parties, and ensuring that the population understands the implications of the new law.
  1. Adequate regulation and privacy policies: Before its effective implementation, it is fundamental that there be a Comprehensive Law on the protection of personal data, and subsequently, harmonized regulation. The regulation must include clear policies on the use, storage, and access to personal data.
  1. Training and awareness: There must be investment in training and awareness both for those responsible for implementation and for the general population about the risks and benefits of the digital identity card.
  1. Damage mitigation mechanisms: It is essential to establish effective mechanisms to address and remedy any violations of rights that may arise as a result of the implementation of the digital identity card. Such mechanisms must be publicly accessible and available to all users of the system.
  1. Inclusive and non-discriminatory access: The implementation of the digital identity card must ensure that no part of the population is excluded, paying special attention to historically marginalized groups, such as indigenous people and transgender individuals.
  1. Biometric data security: Given the sensitive nature of biometric data, robust measures must be taken to protect this data against unauthorized access and/or leaks.
  1. Alignment with international standards: The implementation must align with international standards on human rights and data protection, taking into account the experiences and best practices of other countries.

In conclusion, as Paraguay advances towards digitalization, it is imperative that measures be taken to ensure that this transition does not undermine human rights. This implies not only establishing a solid framework for data protection but also ensuring that technology is not used as a tool for restricting civil liberties. It is urgent that the Paraguayan State addresses these concerns comprehensively, avoiding an advance driven solely by techno-solutionism, to protect its citizens in an increasingly digitized world.

1 General Assembly (UN). The right to privacy in the digital age. Report of the United Nations High Commissioner for Human Rights. A/HRC/39/29. 2018. [https://documents.un.org/doc/undoc/gen/g18/239/61/pdf/g1823961.pdf](https://documents.un.org/doc/undoc/gen/g18/239/61/pdf/g1823961.pdf)

2 Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue. A/HRC/23/40. UN. April, 2013.

3 UN News Centre, UN rights chief urges protection for individuals revealing human rights violations. ONU.

Julio, 2013.

4 These concerns had also been previously published regarding the announcement of the possible incorporation of biometric records to exercise voting rights in electoral contexts in Paraguay: https://www.tedic.org/huella-dactilar-iris-y-reconocimiento-facial-identidad-que-no-se-puede-reimprimir/

5 It means noise or exaggerated emotion in response to an event, an expression that literally translates as “drumroll.”

6 Morozov, E. (2015). La locura del solucionismo tecnológico. Katz.

7 https://en.wikipedia.org/wiki/Identity_document

8 Inter-American Court of Human Rights. Case Tristán Donoso vs. Panama.

https://www.corteidh.or.cr/ver_ficha_tecnica.cfm?nId_Ficha=253&lang=es

9 This is part of what is established in the “Updated Principles on Privacy and Personal Data Protection,” adopted by the General Assembly of the OAS in 2021, as well as in the “Thematic Report A/77/196: Principles Informing Privacy and Personal Data Protection,” published by the United Nations Special Rapporteur on the right to privacy in 2022.

10 The data available on the portal relies on the Information Exchange System (or Sistema de Intercambio de Información in Spanish), which links data from various public entities. Each of these may have its own data protection policy or legal framework that differs from what is established on the portal regarding the protection of personal data. There is also no warning in this regard.

11 MITIC. Privacy Policy. https://www.paraguay.gov.py/identidad-electronica/privacidad](https://www.paraguay.gov.py/identidad-electronica/privacidad

12 MITIC. Terms and Conditions of Electronic Identity. https://www.paraguay.gov.py/identidad-electronica/terminos](https://www.paraguay.gov.py/identidad-electronica/terminos

13 Idem.

14 Google Analytics is a private web analytics tool developed by Google that is widely used to track and aggregate data about user behavior on a website. It provides detailed information about visitor interactions, such as the pages they visit, the duration of their stay, and their origin, enabling website owners and marketing professionals to better understand the preferences and patterns of their audience. This tool collects demographic and behavioral data, enabling users to optimize their websites and marketing strategies based on comprehensive analysis of web traffic and user trends.

1 As previously mentioned by TEDIC, impact assessments are tools utilized to analyze the potential consequences of a specific activity that impacts one or more relevant social interests. The aim of these tools is to aid in the decision-making process concerning whether this activity should be undertaken and under what conditions. Consequently, impact assessment serves to safeguard the social interests affected by a particular initiative. For further information, please refer to: https://bootcamp.tedic.org/uso-de-huella-dactilar-para-votar-es-debate-para-proximas-elecciones/ and https://cris.vub.be/ws/portalfiles/portal/49998404/dpialab_pb2017_1_final_PT.pdf