Domestic Law and Policy
The National Digital Identification Act (the ‘Act’) outlines the protection and management of the personal data collected from Samoan citizens and residents over the age of 18 within the NDIDS. [22]Those under 18, people with disabilities, senior citizens, and protected others must be registered by a parent, a legal guardian, or a lawful administrator acting on their behalf. [23]Domestic data of individuals under 18 will not be collected. [24]The Act states in its objectives that it aims to provide each registered individual with a unique, legally recognized digital identity while enabling secure authentication through the purposeful protection of personal data associated with the system. [25]The Act details that registration and the issuance to a person of an SDIN, associated token, or an ID credential is not proof of nor will it confer to Samoa citizenship. [26]
The Registrar General and all rolying parties are required under the Act to ensure they abide by the collection and protection requirements connected to personal data. [27]A “rolying party” is any government ministry, department or agency of the Government of Samoa, or any legal entity or person registered with the Registrar General that is entitled to rely on the NDIDS for the authentication of a registered person. [28]Nevertheless, the Act releases the Government of Samoa from any liability from loss or damages “resulting from any malfunction of the NDIDS or any human error, including loss or damage resulting from an incorrect identification or authentication of an individual, unless such is committed in bad faith or the result of willful misconduct or gross negligence. [29]In data breach instances, the data processor relying party, and Registrar General are required to report to all relevant individuals. [30]A registered person may also lodge grievances. [31]However, the mechanisms for filing and resolving complaints are left ambiguous and at the discretion of the Registrar General. [32]
Data Protection
The Act requires integration and coordination of the Passports Act (2008), the Identity Database, and the Register of Births, Deaths, and Marriages. [33]Per the Act, all members in leadership of each are subject to the security, integrity, and confidentiality of registrants’ data. [34]Collection and processing of personal data must be adequate, relevant, and limited to the minimum necessary purposes, retained no longer than needed, and kept accurate, complete, and up to date for its intended present and future purpose. [35]Accordingly, the Registrar General, relying parties, and data processors are expected to implement appropriate technical and administrative measures to ensure accidental, unauthorized, or unlawful destruction, loss, misuse, or access. [36]When personal data breaches occur, the Act details how repairs must be made and the subsequent penalties. [37]There is no evidence to establish that the usage of this data by the government in relation to stateless persons, refugees, or migrant populations could be a violation of fundamental rights to privacy. The biometric data that would be collected are photographic facial images, fingerprints, and signatures. [38]In addition to biographical data (such as name, date of birth, address, and other personal details), everything is expected to be collected and processed solely for the authentication purposes outlined in the Act. [39]If not outlined, this information may not be used beyond digital identification. [40]
International Commitments
On November 15, 2023, the EU Member States and the Organisation of the African, Caribbean, and Pacific States (OACPS) adopted a legal framework addressing the emerging international challenges and changes with data protection and AI. [41]The Samoa Agreement under this framework mandates the “establishment of legal and regulatory regimes, policies, and independent supervisory authorities for data protection.” [42]
Samoa is not a party to treaties specific to digital ID or data privacy and protection. As Samoa continues to develop its digital ID system, it is important to do so in line with its international obligations under the human rights treaties it is party to, including the 1951 Refugee Convention and its 1967 Protocol, the ICCPR, CRC, and CEDAW.
