SIM and Device Registration Could Fundamentally Interfere with Data Protection and Privacy in Lesotho

By Edrine Wanyama |

The Lesotho government has drafted the Communications (Subscriber Identity Module and Mobile Device Registration) Regulations, 2021 pursuant to section 55 of the Communications Act, 2012. The proposed regulations provide a regulatory framework for registering subscribers of mobile telecommunications services utilising SIM and mobile devices in, and establish a Central Database of subscribers. 

The regulations also apply to corporate, private and commercial subscribers of mobile telecommunications services utilising SIM cards, as well as subscribers of foreign licensees who roam on the network of a licensee in Lesotho.

As the regulations would have a direct impact on various rights of telecom services users, including to privacy and data protection, CIPESA teamed up with the Internet Society  Lesotho Chapter to make a submission to the sector regulator, the Lesotho Communications Authority (LCA). The submission identifies various gaps in the proposed regulations, and urges the Lesotho government to drop the repressive and regressive provisions.

Although the proposed regulations may reflect a legitimate aim in light of technological advancement and emerging issues such as cybercrimes and online harms, they raise major concerns with potentially adverse effects on data protection and privacy, such as unfettered discretion in access to subscribers’ data by the LCA and security agencies.

The LCA will establish and maintain a central database of all registered subscribers’ information, which will be segregated across network services. The database would be run in a manner that facilitates easy access to subscribers’ information by “authorised persons” who include members of security agencies that may access this information under unclear procedures. 

Furthermore, the regulations introduce mandatory registration and transmission of subscriber information including personal information and biometric data to the central database. The registration requirements potentially interfere with the constitutionally guaranteed rights of privacy and freedom of expression. 

The proposed regulations also provide for transmission of subscriber information of a person or entity whose mobile device or SIM has been deactivated and deregistered. However, there is no clear justification for the transmission and the duration of storage of the transmitted data. . This  could interfere with data retention limitations and purpose specification which are laid down in the country’s Data Protection Act of 2012.

Further still, the liability placed on subscribers for any activity carried out using a mobile device or SIM registered with their personal information, with no provision for exceptions, could potentially result in innocent civilians being convicted for offences committed without their knowledge.

The Regulations also present worrisome loopholes for government and its security agencies to wantonly use subscribers’ personal data without their consent. They  limit the enjoyment of the right to access information and  freedom of expression  contrary to regional and international human rights instruments.

Meanwhile, CIPESA and ISOC Lesotho also made submissions to the LCA on the draft Compliance Monitoring and Revenue Assurance Regulations, 2021 which were made in accordance with section 55(1) and 55(2) of the Communications Act, 2012. The objective of the regulations is to provide conditions, requirements and procedures for “monitoring of telecommunications traffic in Lesotho through the installation of tools or systems for transparency in monitoring the regulatory compliance of mobile network operators and mobile financial service providers.” 

According to the submission, if passed in the current form these regulations would interfere with individuals’ privacy especially through facilitating real time surveillance and monitoring of communications and transactions. While they present opportunities for countering some cybercrimes, they should be revised and the regressive provisions removed or amended to protect individuals’ data and privacy rights which are guaranteed in the Constitution, the Data Protection Act, and regional and international human rights instruments.

Read the Submission on the Communications (Subscriber Identity Module and Mobile Device Registration) Regulations, 2021

Read the Submission on the Compliance Monitoring and Revenue Assurance Regulations, 2021.