By Ashnah Kalemera |
A court in Tanzania has dealt a blow to the rules governing the country’s internet intermediaries, after ruling that requests for disclosure of user information for law enforcement purposes pursuant to the Cybercrimes Act (2015) are not arbitrary. In a March 8, 2017 ruling, three judges of the court in Dar es Salaam also ruled that the absence of regulations to govern the enforcement of the Act did not render the controversial law unconstitutional.
The ruling dismissed a petition filed by Jamii Media, proprietors of the popular Jamii Forums discussion platform, who argued that Section 32 of the Cybercrimes Act was arbitrary and contrary to citizens’ right to privacy guaranteed by article 16 (1) of the country’s constitution. Jamii filed the petition last April, after receiving three notices from police demanding that it discloses the personal details of up to four users who had posted on the forum information on political tensions among members of the ruling party Chama Cha Mapinduzi, and scandals in one of the country’s leading banking institutions.
The notices, issued during January and February 2016 pursuant to Section 32 of the Act, demanded disclosure of the names of the users, their emails and Internet Protocol (IP) addresses. Last December, Jamii Forums founder Maxence Melo was charged with obstruction of investigations under Section 22 of the Cybercrimes Act for failure to comply with the disclosure notices.
Section 32 of the Cybercrimes Act provides:
(1) Where the disclosure of data is required for the purposes of a criminal investigation or the prosecution of an offence, a police officer in charge of a police station or a law enforcement officer of a similar rank may issue an order to any person in possession of such data compelling him to disclose such data.
(2) The order issued under subsection (1) shall be granted to a law enforcement officer who shall serve the order to the person in possession of the data.
(3) Where the disclosure of data cannot be done under subsection (1), the law enforcement officer may apply to the court for an order compelling:
(a) a person to submit specified data that is in that person’s possession or control; or
(b) a service provider offering its services to submit subscriber information in relation to such services in that service provider’s possession or control.
(4) Where any material to which an investigation relates consists of data stored in a computer system or device, the request shall be deemed to require the person to produce or give access to it in a form in which it is legible and can be taken away.
In its petition, Jamii Media argued that no procedures were in place to enforce Section 32 as required under Section 39 (2) of the Act to govern the circumstances and procedure of disclosure by intermediaries. Section 39 (2) states that the Minister for Information and Communication Technology shall “prescribe the procedures for service providers to avail competent authorities, at their request, with information enabling the identification of recipients of their services”.
However, the judges noted that, often, for laws that provide for putting in place regulations by the Ministers responsible, “it takes a while before the said regulations are formulated.” This implied that intermediaries were obliged to honour disclosure notices in the absence of the regulations.
In their defense, the Tanzania Police argued that they had the duty to carry out investigations and prosecution of offences and maintained that the disclosure notices issued to Jamii Media were “justified”. According to the state attorney, the disclosure notices did not infringe upon citizens’ right to privacy because they were “intended to obtain the names of people who have published information that may turn out to be relevant to some offences under investigation”. The state attorney added that the Cybercrimes Act did not require the police to disclose to the recipient of the disclosure notices the offences under investigation.
Meanwhile, Jamii Media also argued that under sub-section 32 (4), the 2015 Act confers powers upon authorities to require the surrender of devices on which information is contained, without any safeguards. “If an investigator takes away one such device in order to access one piece of information relevant to a particular investigation, there is no guarantee that by taking the same, the investigation will not access other pieces of information contained in the same device and [which are] irrelevant to the matter being investigated,” it argued.
Judges ruled that Section 32 (4) did not empower the police to take away the devices as contended. “Our understanding of that section is that the person to whom the request has been made, like the petitioner in this case, may print the information such that it can be read and/or taken away by the investigators in printed form,” the judges stated.
Citing jurisprudence including provisions under Article 19 (2) and (3) of the International Covenant on Civil and Political Rights, the judges considered that Section 32 of the Cybercrimes Act was “proportional” for balancing individual human rights on the one hand and public interest on the other.
Lawyers representing Melo in the ongoing case plan to file submissions for police to seek court’s intervention for mandatory disclosure pursuant to provisions of the Act and dismiss the obstruction charges.
For more on the government’s tactics to stifle citizens’ digital rights in Tanzania see the State of Internet Freedom in Tanzania 2016 report.