Digital rights groups are sounding the alarm about a new law in Mexico that would require all cell phone users to register their personal information and biometric data in a massive government database.

The legislation, signed into law by Mexican president Andrés Manuel López Obrador on April 16, adds Mexico to a list of 18 countries globally — including China, Saudi Arabia, Venezuela, and the United Arab Emirates — that mandate biometric data collection for people with mobile phones. Critics say the law puts users’ sensitive personal information at risk of being leaked to criminal groups in a country with a troubling history of deploying spyware to surveil human rights defenders, journalists, and activists.

“Almost no democratic country requires its citizens to provide biometric data to buy a SIM card,” said Luis Fernando García, the executive director of the Mexican digital rights group R3D. “It’s not unreasonable to fear that the information provided to the database would end up being used by, if not by this administration, by future administrations that are not committed to human rights at all.”

Under the law, anyone with a cell phone or seeking to buy a SIM card would have to register their personal information — such as their name, nationality, and address — as well as their biometric data to include in a sprawling government database that would be managed by the country’s telecommunications regulator. While the law does not specify what kind of biometric data would be collected, Fernando García said it could include fingerprints, iris scans, or images of a person’s face. The law also gives companies two years to collect the data and make it accessible to the government. Anyone who refuses to comply will lose access to their phone lines. 

Human rights groups, including R3D, have vowed to challenge the law in court.

Supporters say the law is intended to root out organized crimes, such as kidnappings and extortion rackets, which often take place over the phone. They argue that authorities could use the government database to access information about cell phones in order to track down the perpetrators.

Critics point out that sophisticated criminal groups would be highly unlikely to commit crimes over phones they know are registered to their personal information and biometric data. They also warn that the new law does not require authorities to have a warrant to access user information and could be exploited by corrupt officials with connections to criminal groups. “In Mexico, unfortunately, the line that divides organized crime and security authorities, it’s many times blurry or nonexistent” Fernando García said. “It’s not an irrational fear that these databases would end up in the hands of organized crime.”

Finally, critics caution that the government’s ability to look up sensitive information poses significant risks to journalists, human rights defenders, activists, and political opponents. Mexico is the world’s most dangerous place to be a journalist and a 2017 investigation revealed that the government was using spyware to monitor journalists, anti-corruption activists, and human rights lawyers.

The database “creates a huge risk for groups that have been surveilled by other governments,” said Verónica Arroyo, a Peru-based policy associate with the digital rights group Access Now. “For journalists and activists that are doing a lot of work in Mexico, for some of them it’s quite important to maintain their privacy and anonymity.”