Maldives

Legal Identity

The National ID card serves as Maldives’ primary legal identity documentation, established through the Civil Registration and Issuance of Birth Certificates and National Identity Cards Act (2022).^[1]Maldives has a CRVS system in place where the Department of National Registration (DNR) is the government agency responsible for registering births and deaths as well as issuing national identity cards.^[2]One must be a Maldivian citizen in order to obtain a national ID card.^[3]

Birth registration is required in order to acquire a legal identity and Maldivian citizenship because a child’s national identity card number is issued upon registration of the birth.^[4]Stemming from discriminatory legislation, children born to non-Muslim parents or inter-faith parents often do not have equal access to birth registration, excluding them from access to nationality and a legal identity.^[5]

A National ID card is required to access a number of government services, including education, free health care, marriage and divorce registration, passport issuance, loans, and social benefits such as financial support for low-income families, the elderly and persons with disabilities.^[6]Non-citizens, including foreigners, refugees, migrant workers and stateless persons, are therefore excluded from accessing these services.

The eFaas is the Maldives’ digital ID platform, which was launched in 2012.^[7]Developed and maintained by the Maldives’ National Centre for Information Technology (NCIT), the project was undertaken in collaboration with the Global Health Advocacy Incubator and received $10 million of funding from the World Bank.^[8]In May 2023, trial implementation of the eFaas platform began.^[9]In the first three months of this trial period, over 50,000 people began using the eFaas digital ID.^[10]

eFaas is a foundational ID as it allows users to verify their identity digitally as well as access government services such as health services, marriage and divorce form submission, the government job portal, and other services like business registration, licenses and transactions.^[11]eFaas is also required in order to use OneGov, the Maldives’ DPI portal for accessing over 300 government and public services from 11 different government agencies.^[12]Notably, an eFaas account is required in order to register a birth.^[13]

Maldivian citizenship is not a prerequisite to use eFaas as foreigners and work permit holders can also create an account.^[14]To register with eFaas, citizens need to provide a National ID Number and an ID Card Serial.^[15]For foreigners to register, they must provide their passport number and or work permit number.^[16]There is no option for people without passports or Maldivian citizenship to register for an eFaas account, excluding stateless persons from being able to use the Digital ID and access the OneGov platform and all of the services attached to it.^[17]

Domestic law and policy

Maldives does not currently have any legislation on digital ID specifically and lacks other necessary frameworks to govern digital ID.^[18]While not available in English, the Birth, Death and National ID Registration Act (2022) covers the national ID, but does not account for digital ID or the use of the national ID in digital applications.^[19]

Without legislative frameworks, the eFaas privacy policy and terms of service policy can be analyzed as a policy framework for data use and the ability of users to address grievances.^[20]As such, neither of these policies provide for grievances with the eFaas system to be resolved.^[21]

Data Protection

Data collected by the eFaas system includes the user’s facial biometrics, birth date, address and personal contact information, the user’s other identity documents, and data stored by select government agencies.^[22]There is currently no data protection legislation in the Maldives to inform the use and collection of such data.^[23]As of May 2023, there is a draft bill, the Personal Data Protection Act, which is set to establish a framework for the collection, processing and protection of personal data.^[24]

The collection of facial biometric data is problematic mainly due to the high risk it poses for potential abuse of the data.^[25]As an agreement between the user, the eFaas system, the assigned government agency and the ID holder, some data protection measures are dictated by eFaas’s Terms of Service and privacy policy.^[26]These policies cover user’s data collection, use and disclosure.^[27]

Of particular concern for data privacy is the wide range of situations where a user’s data may be disclosed without their consent.^[28]The Maldives partnered with SumSub Ltd, a UK-based private infrastructure company, “to store citizens’ biometric face recognition data” collected through eFaas without transparency on the details of the private contract signed between the two or how legal or policy frameworks cover such a contract.^[29]While SumSub Ltd does comply with the UK’s and European Union’s General Data Protection Regulation (GDPR), there are still concerns over the potential misuse of this sensitive data without legislative protection within the Maldives.^[30]

Human rights groups in the Maldives “have increasingly become targets of surveillance, harassment, threats of violence, and blasphemy allegations”, pointing to concerns of indirect data collection through the eFaas system leading to greater surveillance.^[31]From indirect data collected, such as IP addresses and other records of identity authentication, when and why a user uses their ID can be tracked, which could be used to track an individual’s location and activities.^[32]Collection of this kind of data has previously been ruled as a violation of user privacy in the Maldives, pointing to concerns of indirect data collection through the eFaas system leading to greater surveillance.^[33]The indirect data collected, such as IP addresses and other records of identity authentication, can lead to concerns regarding violation of users’ privacy rights due to an increased risk of monitoring and surveillance.^[34]

International Commitments

As a party to the ICCPR, the Maldives is obligated to uphold the right to privacy, the right to be recognized before the law, the right to be registered at birth and to acquire a nationality, as well as the right against discrimination on the basis of religion.^[35]The requirement of using an eFaas account to register a birth excludes stateless persons from registering their children’s births ^[36]and the denial of access to birth registration children born to non-Muslim parents or inter-faith parents ^[37]in the Maldives can be shown to contradict the country’s obligation to uphold the right to birth registration, as well as its obligations under ICCPR and ICESCR.^[38]Birth registration is also required in order to register for a legal identity,^[39]which further curtails the right to be recognized before the law.^[40]This also contradicts the Maldives’ obligations as a party to the CRC, which also ensures the child’s right to birth registration and to an identity.^[41]The exclusion of children from access to education as a result of not having a National ID card ^[42]also curtails the child’s right to an education under Article 28 of the CRC.^[43]

Legal Identity

Digital ID Overview

Law

Domestic law and policy

Data Protection

International Commitments

Designed to Include?