Digital rights groups are sounding the alarm about a new law in Mexico that would require all cell phone users to register their personal information and biometric data in a massive government database.

The legislation, signed into law by Mexican president Andrés Manuel López Obrador on April 16, adds Mexico to a list of 18 countries globally — including China, Saudi Arabia, Venezuela, and the United Arab Emirates — that mandate biometric data collection for people with mobile phones. Critics say the law puts users’ sensitive personal information at risk of being leaked to criminal groups in a country with a troubling history of deploying spyware to surveil human rights defenders, journalists, and activists.

“Almost no democratic country requires its citizens to provide biometric data to buy a SIM card,” said Luis Fernando García, the executive director of the Mexican digital rights group R3D. “It's not unreasonable to fear that the information provided to the database would end up being used by, if not by this administration, by future administrations that are not committed to human rights at all.”

Under the law, anyone with a cell phone or seeking to buy a SIM card would have to register their personal information — such as their name, nationality, and address — as well as their biometric data to include in a sprawling government database that would be managed by the country’s telecommunications regulator. While the law does not specify what kind of biometric data would be collected, Fernando García said it could include fingerprints, iris scans, or images of a person’s face. The law also gives companies two years to collect the data and make it accessible to the government. Anyone who refuses to comply will lose access to their phone lines.