Which governments impose SIM-card registration laws to collect data on their citizens_

Nearly 5.8 billion people worldwide have mobile phones, accounting for 70.5 percent of the entire global population, according to DataReportal.

The majority of national governments (over 160) require mandatory SIM-card registration. Users must register their real name and personal details to sign up for a phone service. Just over 35 countries also require biometrics, e.g., your fingerprints or a facial scan. More countries are in the process of adding biometric requirements, or they have some requirements but not for everyone (e.g., tourists only).

Just how private is mobile phone usage in each country? And how are governments using the data collected?

Comparitech researchers examined a number of factors to determine where in the world SIM-card registrations are the most invasive. These include if biometrics are required in the registration process, whether the data is stored by providers or shared with government agencies, what is (or is not) required for law enforcement to gain access to this data, how long the data is stored, and whether any data privacy legislation protects this information.

This map includes all of the countries we know of that have or do not have SIM-card registration laws. Some of these have been omitted from the overall study (with scoring and rankings) due to insufficient information on the laws and processes in place. Therefore, it wouldn’t be fair for us to include them as we cannot accurately score them for things like law enforcement access, penalties, and so on.

Key findings for 2024/25

  • 6 countries have enforced mandatory SIM-card registration or increased restrictions in the last few years– Brunei Darussalam, Burkina Faso, Cyprus, Lithuania, Maldives, and Serbia. Among these, Brunei Darussalam requests users re-register their SIMs, while Burkina Faso and the Maldives have placed limits on the number of SIM cards available to customers (two and ten per person, respectively).
  • Cambodia and Thailand introduced a mandatory IMEI database, bringing the total number of countries with one of these to 24.
  • Mauritius was the only country that retracted its SIM-card registration requirement. The Council of Ministers approved the decision on December 27, 2024, replacing the 2023 SIM registration rules with fresh 2024 regulations. Mobile operators must now delete all previously stored photos as well.
  • In contrast, several countries introduced or strengthened their biometric identification measures, including Argentina, Eswatini (Swaziland), India, Laos, and Mauritania. Mozambique’s new requirements come into effect at the end of the year.
  • What to watch: Russia is tightening its biometric registration measures. From the start of this year, any foreigners buying SIM cards in Russia will have to provide their biometrics.

Top 14 countries with the worst SIM-card registration policies

1. Tanzania (3 points)

Tanzania is the worst-ranked country for SIM-card registration policies with a score of 3 out of 18 – a drop from its previous score of 4. Although the country introduced a data privacy framework in November 2022, it also tightened registration limits: individuals are now allowed just one SIM per network. Tanzania’s three points come from the absence of mandatory IMEI registration, lack of highly invasive surveillance tools (though authorities can still access data without a warrant), and the aforementioned adoption of the data privacy framework.

In Tanzania, subscribers’ information is submitted to the relevant authority once a month and registration includes fingerprints. This data isn’t protected with storage limitations, which leaves subscribers’ data open to various vulnerabilities. Furthermore, those who don’t comply with the law may find themselves fined 5 million Tanzanian shillings (more than US$1,860) and/or sentenced to a year in prison (plus TZS 75,000 for every day during which an unauthorized SIM card is used or possessed).

3. North Korea (4 points)

In North Korea, telecommunication networks are run by the government, so SIM card use is heavily restricted. For example, if a user accesses something that they shouldn’t, then they are sent an alert, warning them that the government has noted this action. Users are required to submit a facial photo along with personal information to access services like subscription management, missed calls, and payments. Those who don’t follow the registration process are at risk of up to three years in prison and/or hefty fines. North Korea fails to protect registration data with no data protection laws or defined data retention periods. Furthermore, the government has ensured tourists aren’t able to leave SIM cards with residents by deactivating the SIM card after their visit and charging tourists $250 per SIM card.

2. Myanmar, Uganda (5 points)

Myanmar scores poorly for the lack of a data protection framework, as well as limiting the number of SIM cards allowed (two per person). Myanmar requires biometric data for SIM registration, including both fingerprint and facial scans. The country introduced an IMEI database in May 2022 and includes a tax of 6,000 kyat ($3) for mandatory device registration. The few points it does pick up are for the need for a warrant for law enforcement to access personal information and for not having any severe penalties for not registering your SIM (just deactivation).

Uganda has a limit of 10 SIM cards per national ID. The country has long required biometric (fingerprint) registration and imposes strict penalties for non-compliance, including fines of UGX 100,000 (about $30) per day and up to 12 months in prison. In late 2023, Uganda suspended over 1.4 million SIM cards that weren’t linked to users’ biometric data.

3. Tajikistan, the United Arab Emirates (6 points)

Tajikistan and the United Arab Emirates (UAE) share third place with 6 points each, gathered in similar categories. Tajikistan collects fingerprints from SIM-card users and has a limit on the number of SIM cards allowed per provider, set at two (so 8 in total). If a SIM card registered in your name is found in the hands of a criminal, you could face between 2-3 years in prison. It has a mandatory IMEI database.

The UAE collects users’ fingerprints during the SIM-card registration process and limits each ID holder to a maximum of 10 SIM cards. Penalties for false registration are severe, including a minimum of one year in prison and fines ranging from 250,000 to 1 million dirhams (approximately $68,000 to $272,000). Additionally, user data is retained for two years–even after SIM card deactivation.

4. Burundi, Nigeria, Pakistan (7 points)

Burundi, Nigeria, and Pakistan share several similarities as well. Both Nigeria and Pakistan require biometric registration, maintain mandatory IMEI databases, and mandate a warrant for law enforcement to access user data. Neither Burundi nor Pakistan have a concrete data privacy framework, and they limit users to five or fewer SIM cards, deactivating those that are not registered.

There are, however, some key differences between the three countries. Nigeria is the only one with a data privacy framework in place, while Burundi does not maintain an IMEI database. Burundi and Nigeria both impose fines on those who don’t register their SIM cards, while Pakistan just deactivates unregistered SIMs. The countries also differ in how long they store user data: Nigeria retains it for three years, Pakistan for one year, and Burundi has not specified a retention period, which, without a data protection law, leaves this open to abuse.

5. Afghanistan, Argentina, Bangladesh, China, Jordan, Namibia, Saudi Arabia, Singapore (8 points)

These eight countries from different parts of the world all scored eight points for their SIM-card registration procedures.

All of the countries require biometric checks, with Argentina being the latest to introduce this requirement (facial) and increased checks in Afghanistan under Taliban rule (verification via ID cards). Bangladesh, Jordan, and Saudi Arabia require fingerprints. China, Namibia, and Singapore require facial recognition instead of or alongside fingerprints.

Jordan and Namibia, despite lacking clear privacy frameworks, are the only countries in this group that require a warrant for third-party access to user data.

Singapore has the strictest SIM ownership rules, allowing only three SIM cards per person. Bangladesh is the only country among them with a mandatory IMEI database.

Many of the countries also implement harsh penalties for those abusing the laws.

 

Type of ID required by country

The countries that currently have biometric registration laws are Afghanistan, Argentina, Andorra, Bahrain, Bangladesh, Belarus, Benin, China, Côte D’Ivoire, Eswatini (Swaziland), Ghana, India, Jordan, Laos, Lesotho, Mauritania, Mozambique, Myanmar, Namibia, Nigeria, North Korea, Oman, Pakistan, Peru, the Philippines, Saudi Arabia, Singapore, Tajikistan, Tanzania, Thailand, Togo, Uganda, United Arab Emirates, Venezuela, and Zambia. Those in the planning stages of implementing biometrics are Ethiopia, Indonesia, Japan, Lebanon, Liberia, and Russia. In Russia, only foreigners are required to provide biometric data.

In China, anyone registering a new phone number needs to submit a facial scan. This is also a requirement in Myanmar, Nigeria, the Philippines, and Singapore (which uses technology from Singtel, making ID verification possible through an app). Thailand accepts a facial scan as an alternative to fingerprint scanning.

In all of the remaining countries (where we conducted our in-depth study), where biometrics aren’t yet implemented, photo ID is a requirement in order to register. If someone doesn’t have an ID, authorities often implement rules stipulating that they register through another person or seek a sponsor who will vouch for them.

In many countries, other requirements are stipulated alongside the ID, including a permanent address, date of birth, nationality, and gender (many personally identifying factors that may also be included on the ID). However, certain countries also have other unique stipulations. For example, in Chile and Sudan, your mother’s name is required on the registration form. Kosovo, Liberia, and Mali want to know your profession, and Cameroon requires you to submit a localization map to confirm your country of residence.

Countries without mandatory SIM-card registration laws

Those without any SIM-card registration requirements are Bosnia and Herzegovina, Cabo Verde, Canada, Comoros, Croatia, Czech Republic, Denmark, El Salvador, Estonia, Finland, Greenland, Iceland, Ireland, Israel, Latvia, Liechtenstein, Marshall Islands, Mauritius, Micronesia, Moldova, the Netherlands, New Zealand, Nicaragua, Portugal, Romania, Slovenia, the United Kingdom, and the United States.

Several countries that were previously debating SIM card registration have now implemented it in this update, including Argentina and Mozambique. And, in some countries, laws have been introduced but retracted. These include Romania, Cabo Verde, and Estonia. Japan is the only country on our list that got half a point for mandatory SIM-card registration, as it is required only for voice-enabled SIM cards. Data-only SIM cards do not require registration, which is more convenient for tourists.

SIM-card registration for tourists

Speaking of tourists, some countries apply different SIM card registration rules for visitors than they do for residents.

Eight countries have specific limits on the number of SIM cards tourists can register: Bangladesh, Iran, Maldives, Namibia, Russia, Rwanda, Saudi Arabia, and the UAE. Among them, Rwanda and the UAE are the strictest, each allowing only one SIM card per visitor.

Russia and Namibia are more generous when it comes to SIM card registration allowances for foreigners, permitting up to 10 and 5 SIM cards per visitor, respectively.

Some countries limit tourists in other aspects. Russia, for example, requires tourists to provide biometric data in order to purchase a SIM card. Others take a more flexible approach. As noted earlier, Japan allows tourists to use data-only SIM cards without any registration requirements, offering a more traveler-friendly option.

How does SIM-card registration threaten privacy?

Creating a database of citizens and their mobile numbers restricts private communications, increases the potential of them being tracked and monitored, enables governments to build in-depth profiles of their citizens, and risks private data falling into the wrong hands.

A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device. Authorities could selectively throttle, censor, or block internet connections of specific people or groups of people, giving way for harassment and persecution.

Without laws to protect registration data, personal details could be shared with third parties. These could include advertisers, other governments, or tax collection agencies, for example. This puts personal data at a higher risk of theft and abuse.

In China, SIM-card registration is combined with real-name registration for online accounts and services. When you sign up for a social media account or chat app, for example, you’re required to provide your real name and phone number. In combination with SIM-card registration, the policy prevents anyone from making anonymous accounts online or communicating in secret.

Qatar faced controversy during the 2022 World Cup for mobile phone tracking through apps, as well as the possibility that authorities could track SIM cards. The country introduced new rules for football fans, making it much easier for them to obtain SIM cards. However, news outlets questioned whether authorities tracked app users through IMEI numbers, SIM cards, and apps used on the phone.

Some experts suggest that mandatory registration for SIM cards only seeks to fuel their illicit use. It creates the need for a black market as people want to communicate anonymously, and it also encourages identity fraud as people try to evade the system.

Identity theft is also a threat to this system. Criminals have little trouble finding someone else’s photo and other information required to sign up for a new SIM. Fraudulent SIM card registration could cause a lot of trouble for the victim with little consequence for the impersonator.

Methodology

To conduct this study, we utilized various sources (government legislation/guidelines, telecommunication providers’ regulations, high-authority news sites, and industry reports) to find out whether or not SIM-card registration is mandatory in each country. We then followed this up by taking an in-depth look at each country’s laws to find out how this data was used, stored, accessed, and so on.

Where we were unable to find this information, we have omitted the country from the study.

Scoring

Registration Requirements:

  • Registration required = No (1 points), Yes (0 points), Optional (0.5 points)
  • Capture and Store = 1 point
  • Capture and Share = 0 points or 0.5 if often shared with entities but not compulsory
  • Capture and Validate = 0 points

Data Privacy Framework:

  • Yes (1 point)
  • No (0 points)

Biometric Check:

  • Fingerprints and/or Facial Scans (0 points)
  • Fingerprints used for limited groups (i.e. those without ID (1 points)
  • In progress/only some required to do so (2)
  • No biometrics (3)

SIM Card Limit:

  • 5 or less (0 points)
  • 6 to 10 (1 points)
  • Over 10 or other restrictions (2 point)
  • No limit (3 points)

Law Enforcement Access:

  • Severe interception capabilities (0 points)
  • Without warrant (1 point)
  • With warrant (2 points)

Penalties:

  • Subscriber prison sentences and/or penalties (0 points)
  • Subscriber penalties/fines (1 point)
  • Subscriber deactivation (2 points)

Data Storage:

  • 6 or more years (0 points)
  • 4 to 5 years (1 point)
  • 2 to 3 years (2 points)
  • Up to 1 year (3 points)
  • Length of contract and up to six months after (4 points)

If no data storage timescales are given, countries are allocated 0 points if there is no data protection law and a 2 if there is a data protection law in place (as this will put some safeguards in place despite no timescales being given).

IMEI Registration:

  • Mandatory (0 points)
  • Not Mandatory (1 point)

Countries where no SIM card or IMEI registration is required automatically received a score of 18.

Sources

For a full list of sources, please request access here.

Data researcher: Danka Delić