A Guide to Litigating Identity Systems: Data Protection and National Identity Systems

This section presents arguments on data protection concerns, highlighting the importance of safeguards to protect rights, and pointing to issues around the role of consent, function creep, and data sharing.

data protection

National identity systems naturally implicate data protection issues, given the high volume of data necessary for the systems’ functioning.

This wide range and high volume of data implicates raises the following issues:

  • consent as individuals should be aware and approve of their data’s collection, storage, and use if the system is to function lawfully. Despite this, identity systems often lack necessary safeguards requiring consent and the mandatory nature of systems ignores consent entirely.
  • function creep with identity systems have a propensity to extend in application beyond their initial conception into numerous areas of public and private life, spreading individuals’ data to numerous actors without their consent and consideration.
  • equality, non-discrimination and exclusion as even where the system is legislatively prescribed to be voluntary, the spread of requirements across public and private life make consent arguably illusory. The most vulnerable populations are at greater risk of losing the practical ability to withhold consent because of the power imbalances that exist between individuals and the state.
  • data sharing given how widespread such practices are amongst public and private actors involved in the identity system’s administration and application. This sharing occurs without safeguards and judicial oversight in many contexts.
  • the role of multinationals given they are frequently involved in the design and implementation of identity systems, further expanding the scope of data sharing involved in the systems.

This section of the guide illustrates arguments surrounding data protection law and its relationship to identity systems, while providing context from several of the national court judgments analyzing the systems. Without these safeguards, there can be no guarantee that an identity system is implicating privacy rights in the least intrusive way to accomplish state objectives.

Advocates and human rights defenders should use these arguments to challenge the implementation of identity systems designed without the requisite internal safeguards and background data protection frameworks to protect individuals’ rights.