On April 16th, 2021, the National Register of Mobile Telephone Users (PNUTM) was created in Mexico. This register is a database with information on the natural or legal persons who own each mobile telephone line who has a registered number in Mexico, according to the definition established in article 180 Bis of the reformed Federal Telecommunications Law.
The creation of this registry comes into force with the publication of the reforms to the Telecommunications Law in the Official Gazette of the Federation (DOF) of Mexico on April 16, 2021. However, opposition legislators, as well as governmental and non-governmental organizations in the country, have risen concerns related to some key points in the Act.
Why does the Mexican government want to register SIMs Cards?
The main purpose of the registry of SIMs cards is to help Mexican authorities in the prosecution of crimes. However, its critics assert that in the more than 150 countries where these registries are carried out, no reduction in the incidence of crime has been observed.
Following what is published in article 180 Ter of the aforementioned law, the National Register of Mobile Telephone Users will contain the following information on each mobile line:
I. Mobile phone line number;
II. Date and time of activation of the mobile phone line purchased on the SIM card;
III. Full name or, where appropriate, name or company name of the user;
V. Official identification number with a photograph or Unique Population Registry Code of the line holder;
VI. Biometric data of the user and, where appropriate, of the legal representative of the legal entity, under the general administrative provisions issued by the Institute for this purpose;
VII. User’s address;
VIII. Data of the telecommunications concessionaire or, where appropriate, of the authorized ones;
IX. Mobile phone line contracting scheme, either postpaid or prepaid, and
X. The notices that update the information referred to in this article.
National Register of Mobile Phone Users raises concerns in civil organizations
In the world, 155 countries have mandatory registration and identification of SIM cards as the law approved in Mexico. However, only 17 other countries require the registration of biometric data, as does the reform of the Telecommunications Law in the country.
The requirement for biometric data raises concerns in public and private organizations in the country. For the National Institute for Access to Information (INAI), the registry represents a risk in the protection of personal data as it can be manipulated by various mobile operators. The autonomous government body pointed out that biometric data, when directly related to the identity of a person, constitute irreplaceable characteristics. For this reason, the INAI emphasized the need to implement high-security standards for the National Register and limit their collection as much as possible.
The Network in Defense of Digital Rights (R3D) expressed a similar concern in the collection of biometric data, going further than the INAI by pointing out that the demand violates human and civil rights, such as the presumption of innocence, freedom of expression, privacy and even people’s lives.
According to this non-governmental organization, the other 17 countries that require biometric data are authoritarian governments such as China, Saudi Arabia, Afghanistan, Venezuela, the United Arab Emirates, Tajikistan, among others. R3D highlighted that in this list, there is no fully free and democratic country.
Are previous mistakes repeated?
Data privacy concerns are well-founded if we consider previous experiences in Mexico in the implementation of similar measures. In 2008, during the administration of Felipe Calderón, the National Registry of Telecommunications Users (RENAUT) was created, which was finally dismantled just two years later for being inefficient and becoming a risk for users. On multiple occasions, it was reported that the database had been compromised and sold over the Internet.
In the creation of the National Register of Mobile Telephone Users, onerous fines have been established in the case of data leakage, which does not reduce concerns. One of the main problems mentioned is that the operators will be in charge of managing the registry, which potentially increases the chances of data breaches if the necessary security measures are not followed.
Previous experiences validate concerns about the risks that a pattern of this type implies for users. We will witness in the coming months if tangible progress is made or if it is another failed strategy against crime.