The Maldives is moving towards a more digitised state at the same time that recent political and institutional conduct has raised difficult questions about whether privacy is respected when it becomes inconvenient. The government has submitted a Data Protection Bill to Parliament and continues to promote Maldives 2.0 as a major shift towards paperless public services, digital identity, interoperable government systems and more efficient service delivery. Yet the country’s record shows a sharper contradiction: the state is preparing to hold more citizen data than ever before, while some of its own institutions and senior officials have been accused of treating private information as something that can be exposed, defended away or used for political purposes.
That contradiction sits at the centre of the Maldives’ data protection debate. On paper, the proposed law appears to move the country towards a more modern framework. The bill seeks to regulate the collection, processing and use of personal data, define the responsibilities of data controllers and processors, set conditions for cross-border data transfers, require certain organisations to appoint data protection officers, and provide individuals with clearer rights over their personal information. These are necessary steps for a country that is building digital public infrastructure and seeking to expand trust in online services.
However, the strength of any privacy law depends less on its language than on who enforces it, how independent that enforcement is, and whether powerful state actors can be held accountable. The research points to a major concern in the proposed framework: instead of creating a fully independent and specialised data protection authority, the bill would assign the role of Privacy Commissioner to the existing Information Commissioner’s Office. That may appear administratively convenient, but it risks weakening enforcement from the start. The Information Commissioner already operates in a difficult environment, where some public bodies remain resistant to basic transparency obligations. Asking the same office to police complex data processing by ministries, law enforcement agencies, political actors and private entities could leave the Maldives with a modern law on paper but limited protection in practice.
The concern is not merely technical. It is institutional. A country moving into large-scale digital governance needs a regulator with the power, expertise and independence to investigate state agencies, fine public bodies, order corrective action, examine data systems, and protect citizens when those in power misuse personal information. Without that independence, privacy risks becoming another right that exists formally but is difficult to defend when the alleged violator is politically powerful.
Maldives 2.0 makes this issue more urgent. The agenda promises more efficient digital services, stronger digital identity systems and greater interoperability across government. In principle, this could make public services easier to access, especially in a dispersed island nation where people often face delays, duplication and administrative friction. A well-designed digital state could reduce paperwork, improve delivery and make government more responsive.
But the same systems also create serious risks if safeguards are weak. Digital identity, centralised service portals, data-sharing platforms and interoperable government databases can give the state a clearer view of a person’s life than ever before. Civil registration data, immigration records, welfare information, health data, financial details, employment status and biometric identifiers may be connected across agencies. If properly governed, this can improve service delivery. If poorly governed, it can enable surveillance, profiling, political misuse and unauthorised access.
The Maldives already relies heavily on eFaas as a digital identity system, with access to a wide range of public services. The system connects to official government registers and uses verification processes that may involve sensitive personal and biometric data. Maldives 2.0 is expected to deepen this architecture through broader data exchange between institutions. That makes privacy protection not a side issue, but a core requirement of the country’s digital future. The more data the state connects, the greater the damage if that data is misused.
Recent incidents show why public trust is fragile. The DNR political party registration scandal raised some of the most serious concerns. In early 2025, the ruling People’s National Congress was accused of registering people as members without their knowledge or consent, allegedly using personal data linked to the Department of National Registration. It was alleged that official identity photographs and civil registry information were misused in the party registration process. Senior political appointees connected to the Ministry of Homeland Security were photographed inside a DNR meeting room with membership forms.
These remain allegations that would require proper investigation and legal determination. However, the political significance is clear. If citizens believe that national identity data can be accessed or used for partisan purposes, the foundation of digital trust is weakened. A digital state depends on the public believing that data held by the government is used only for lawful, necessary and limited purposes. The DNR case suggested something far more troubling: that sensitive state-held data could become entangled with party politics.
The response also mattered. The government denied misuse of personal information, and the case did not lead to visible accountability at the level required to restore public confidence. The Elections Commission later moved to tighten party registration processes, including through digital identity verification. That may reduce some forms of abuse, but it does not answer the deeper question. If the alleged misuse involved state-held identity data, the central issue is not only how people join political parties in the future. It is whether the state can protect civil registry data from political actors in the first place.
The case involving the Homeland Security Minister’s reference to or discussion of private messages linked to a suicide victim raised a different but equally serious concern. Minister Ihusaan publicly referred to private communications sent to a state victim support mechanism following the death of a Maldivian citizen by alleged suicide. The disclosure or discussion of such material was reportedly made in a context of public pressure and institutional criticism.
This incident goes to the heart of privacy as a human dignity issue. Crisis communications with a state support service are not ordinary administrative records. They involve vulnerability, distress and trust. When such information is exposed or discussed by a senior official, the harm extends beyond one family. It may discourage others from seeking help, weaken confidence in victim support systems, and signal that intimate personal information can be used when an institution needs to defend itself. Even if an official believes they are clarifying the state’s position, privacy law in a functioning system should draw a firm line between institutional defence and the dignity of the individual.
The disclosure of private information by the Islamic Minister in relation to Zakat Fund assistance added another layer to the pattern. Islamic Minister Shaheem publicly revealed financial details of a woman who had raised concerns about being denied assistance. The details reportedly included her salary, previous assistance and bank balance. Minister Shaheem later apologised, saying his intention was to show that officials had acted according to eligibility rules.
The apology acknowledged the problem, but the incident revealed a wider administrative instinct. In the Maldives, public bodies sometimes appear to treat disclosure of personal circumstances as a way to defend institutional decisions. This is especially dangerous in a small society, where financial hardship, health issues, family circumstances and welfare applications can become socially identifiable even when only partial details are shared. A state can explain eligibility rules without exposing a person’s bank balance. It can defend a decision without turning a citizen’s private life into evidence for public consumption.
Taken together, these cases show that the Maldives’ privacy problem is not limited to the absence of a data protection law. It is also a culture problem. The country can pass legislation, create digital portals and speak the language of rights, but those protections will mean little if public officials continue to view citizen data as information that belongs to the state rather than information entrusted to the state.
This gap between formal lawmaking and actual privacy culture is the real challenge. A data protection bill may regulate private companies, banks, telecom operators and service providers, but the most serious test in the Maldives may come from the state itself. Will political parties be treated as data controllers when they collect and process personal information? Will ministers face consequences for exposing private information? Will law enforcement and national security exemptions be narrow, necessary and independently reviewed? Will citizens be notified when their data is accessed? Will agencies be required to report breaches? Will public bodies be punished for unlawful disclosure?
International comparisons show that meaningful privacy protection requires more than passing a statute. The European Union’s GDPR model is built around enforceable rights, lawful basis for processing, data minimisation, breach reporting, independent regulators and significant penalties. The United Kingdom’s system, while not perfect, gives its Information Commissioner enforcement powers and applies data protection rules to public bodies as well as private entities. Political parties, too, are not outside the scope of data protection principles when they process personal information.
Estonia offers a particularly relevant lesson for digital government. It is often celebrated for its advanced digital state, but its success rests on transparency, decentralised architecture and strict access logs. Citizens can see when their data has been accessed, and unauthorised access by public officials can have serious consequences. The lesson for the Maldives is not simply to copy Estonia’s technology, but to understand the principle behind it: digitisation must make state access to data more visible, not more hidden.
Singapore offers another useful comparison, especially because it combines strong digital government with formal rules on public sector data governance. Its model recognises that government agencies need to share data to deliver services, but that such sharing must be subject to rules, security standards and incident reporting. Seychelles, a small island state closer to the Maldives in scale, has also moved towards a modern data protection framework with independent oversight, processing principles, breach reporting and penalties. These examples show that size is not an excuse for weak privacy governance.
For the Maldives, the way forward must go beyond the bill currently before Parliament. The country needs an independent data protection authority with the power to investigate both private and public bodies. That authority must be financially and operationally protected from political pressure. It should be able to examine government systems, issue binding orders, impose penalties and require corrective action. If the same state institutions that hold citizen data are effectively left to police themselves, public trust will remain fragile.
The law should also clearly apply to political parties. The DNR scandal shows why this matters. Political parties collect names, addresses, identity card numbers, phone numbers, signatures and other personal details. They may also process political opinions, which are among the most sensitive forms of personal data. If political actors are not explicitly covered, the law will leave one of the country’s highest-risk areas weakly regulated.
Maldives 2.0 also requires privacy safeguards before further integration takes place. Data protection impact assessments should be mandatory for major public digital systems, especially those involving digital identity, welfare, health, biometrics, policing, immigration and financial information. These assessments should examine what data is collected, why it is needed, who can access it, how long it is retained, how citizens can challenge misuse, and what happens when something goes wrong.
There should also be clear access logs for state-held data. Citizens should be able to see which agency accessed their information, when it was accessed, and for what stated purpose, except in narrowly defined cases where temporary secrecy is legally justified and independently reviewed. This would change the balance of power between citizen and state. It would make access to personal data auditable, challengeable and harder to abuse.
Breach reporting is equally important. If a ministry, agency, contractor or political body loses, leaks or misuses personal data, affected individuals should be informed promptly. The regulator should also be notified within a fixed period. Without mandatory reporting, privacy violations can remain hidden until they become politically impossible to ignore.
The Maldives must also establish consequences for public officials who disclose personal information without lawful justification. Institutional embarrassment should never be treated as a lawful basis for revealing private messages, bank balances, medical details, welfare records or family circumstances. Where public officials misuse personal data, there should be administrative penalties, possible criminal liability and clear routes for affected citizens to seek redress.
The deeper reform, however, is cultural. Privacy must be understood not as a technical inconvenience, but as a constitutional and human dignity issue. Citizens do not surrender their dignity when they apply for Zakat assistance. They do not lose privacy because they criticise a ministry. They do not give political parties the right to use their identity because their data exists in a government registry. They do not forfeit confidentiality when they contact a victim support service in a moment of crisis.
The Maldives is right to modernise its public services. A more efficient digital state could make life easier for citizens, reduce administrative burdens and improve access across the islands. But digital government without privacy discipline can produce a more powerful state without producing a more accountable one. The danger is not only hacking or technical failure. It is the ordinary misuse of access by people who believe they are entitled to use private data for political, reputational or institutional ends.
The real test for the Maldives is therefore not whether it can pass a modern data protection law. It is whether it can build a state that respects privacy when doing so is politically inconvenient. Maldives 2.0 will require public trust, and public trust cannot be built through legislation alone. It will depend on restraint, enforcement, independent oversight and a clear message from the state that personal data belongs first to the person, not to the institution that holds it.
