Promoting Effective and Inclusive ICT Policy in Africa

Blog

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Blog
27Mar

Covid-19 in Africa: When is Surveillance Necessary and Proportionate?

Author admin Posted on

By CIPESA staff |

As the world grapples to contain the novel coronavirus disease (Covid-19), the role of Information and Communications Technology (ICT) to enhance disease surveillance, coordinate response mechanisms, and promote public awareness has become more significant. This role of digital technologies is particularly crucial in sub-Saharan Africa where systemic vulnerabilities such as weak health systems and high levels of illiteracy could slow the response to the pandemic.

As of March 25, 2020, the World Health Organization (WHO) reported 2,245 confirmed cases of Covid-19 in 44 countries and 58 deaths in 12 countries in Africa. For a continent of 1.2 billion people across 54 countries, these numbers are still relatively  low, but could potentially escalate. The head of the WHO has advised African governments “to prepare for the worst and prepare today.

In order to stem the spread of the coronavirus, several countries across the world have deployed the use of big data, mobile apps and other digital technologies. Austria, Iran, Israel, Italy, Singapore, South Korea, Taiwan, Province of China, and the USA are among the countries using geo-location technology reliant on data from tech platforms and telecom companies in order to contain the spread of the Covid-19. 

In Austria, A1 Telekom has provided the government with real-time data on its subscribers to enable disease surveillance, while Deutsche Telekom is providing anonymised subscriber data to the Robert Koch Institute which is coordinating the German national response to Covid-19. Singapore’s contact tracing app is purportedly privacy conserving and data protection sensitive. Given the urgency of the pandemic and the dire social and economic costs, countries such as the USA and Israel are triggering emergency powers to institute state-level surveillance previously reserved for counter-terrorism operations. 

China’s approach has seen the country leverage its pervasive and sophisticated digital surveillance infrastructure for disease control. Citizens in provinces such as Hubei – the worst hit by the virus – are required to install mobile apps that track travel and medical history and effect ‘digital quarantines’ to control access to subways, malls, and other public spaces. Drones and robots have also been deployed in the affected areas. In Italy, the second hardest-hit country after China, Vodafone has indicated in a statement that it is “providing Italian officials with anonymised customer data to track and analyse population movements in the hard-hit Lombardy region, where people are in lockdown.”

According to Bloomberg, about a dozen countries are testing a disease surveillance tool developed by Israeli spyware firm NSO Group. The software purportedly collects up to two-weeks of mobile tracking data from an infected person and matches it with geo-location data from mobile operators, which identifies individuals who were in close proximity with the infected person. The NSO Group has over the years been at the centre of spyware schemes in authoritarian and repressive governments in Africa and elsewhere. 

The extent to which African countries are conducting technology-based disease surveillance is not fully known. However, according to an unconfirmed report, Kenya is monitoring the mobile phones of individuals who are under self-isolation, to arrest those who violate the restrictions imposed on their movements. Further, the Kenyan government has announced it will launch a contact tracing app for public transport to provide critical contact data that will help trace back the movements of confirmed or suspected cases. In South Africa, telecom companies have agreed to give the government location data to combat Covid-19. In Uganda, where health authorities struggled to locate several individuals who travelled on the same flights as persons who tested positive for the coronavirus, there has been a suggestion to use information from the immigration department and telecom companies to locate those individuals.

While well intentioned, Covid-19 surveillance and data-based tracking interventions have been effected in haste, and with limited precedent and oversight mechanisms. 

See:   Covid-19 in Africa: A Technology and Digital Rights Response

Indeed, the Covid-19 pandemic has fuelled debate about the ethics and legality of disease surveillance, echoing arguments around the collection and use of refugee data without consent nor agency. Recently, the chair of the European Data Protection Board (EDPB), Andrea Jelinek, stated that data protection rules (such as the General Data Protection Regulation – GDPR) do not hinder measures taken in fighting the pandemic, but added that even in these exceptional times, data controllers must ensure the protection of personal data.

According to Jelinek, the GDPR provides the legal grounds to enable employers and competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. There are separate rules for processing electronic communication data, such as mobile location data. They require public authorities to first aim for processing of location data in an anonymous way, namely, processing data aggregated in a way that it cannot be reversed to personal data. When this is not possible, states may issue enabling legislation provided this is a necessary, appropriate and proportionate measure within a democratic society.

In a recent statement, renowned freedom of expression defenders similarly expressed support for efforts to confront the pandemic. However, they cautioned that it is crucial that the use of surveillance technology to track the spread of the coronavirus be limited in terms of purpose and time, and that individual rights to privacy, non-discrimination, the protection of journalistic sources, and other freedoms, be rigorously protected. They added that the use of such technology ”abide by the strictest protections and only be available according to domestic law that is consistent with international human rights standards.”

In Africa, there is no GDPR equivalent. However, in 2014 the African Union (AU) adopted the Convention on Cybersecurity and Personal Data Protection which has to-date been signed by only 14 countries and ratified by four countries. Regional blocs have also invested efforts in ensuring that data protection and privacy are prioritised by member states. In 2013, the Southern African Development Community (SADC) adopted a model law on data protection. Also in 2010, the Economic Community of West African States (ECOWAS) adopted the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. The East African Community, in 2008, developed a Framework for Cyberlaws

See: Challenges and Prospects of the General Data Protection Regulation (GDPR) in Africa

Notwithstanding these efforts, many countries on the continent are still grappling with enacting specific legislation to regulate the collection, storage and processing of individuals’ data. At least 28 African countries had enacted a privacy and data protection law by the end of 2019. But even those with the laws have challenges of implementing them.

Which Way for Data Privacy and Digital Rights?

Undoubtedly, greater availability and processing of data can be instrumental in addressing societal challenges such as the current coronavirus pandemic. However, a study on the use of big data in containing Ebola found plenty of evidence of misuse and abuse of the data and technological tools. It is therefore crucial that a balance is struck between processing data and conducting surveillance for the public good on the one hand, and protecting individuals’ rights on the other. This is essential both in trying times such as these, and in the post-coronavirus era. 

Should governments – and relevant actors such as telecom companies – appropriately navigate the balance between disease surveillance and human rights, it will provide valuable learning on good data governance practices – those that help to solve societal problems and inform policy, while at the same time respecting individuals’ digital rights. The reverse could be true too: If governments abuse data and botch up the coronavirus surveillance effort, they will undermine citizens’ trust in data-based initiatives. This would particularly be true in the African countries where digital rights are under threat, data protection is misunderstood and citizens’ appetite for public participation is low. 

It is therefore important that African governments commit to transparently deal with the use of technology-enabled disease surveillance, with robust legal safeguards and privacy standards. Accordingly, specific data protection principles must be adhered to. For instance, data should be processed for lawful and specific purposes and there must be strict accountability. Similarly, the justifications of public good should not be misused whatsoever, especially in the post-coronavirus era.

Follow the CIPESA (@cipesaug) hashtag #InternetFreedomAfrica which has a Twitter thread on Covid-19 developments from around the continent. 

19Mar

In Search Of Safe Space Online: Research Summary

Author admin Posted on

By WomenAtWebUg |

Efforts to improve digital rights and digital literacy among more women in Africa should be supported by a thorough understanding of the online and offline social structures that influence the extent to which women can be active participants in the digital arena. This is key to realising Goal five of the Sustainable Development Goals which aims to achieve gender equality and empower all women and girls, who have historically been in a position of disadvantage for various reasons including cultural norms, lack of economic opportunity, and low literacy.

Across Africa, various discussions continue to reiterate how obstacles such as unequal access to finance, education and tech devices inhibit many women from participating in the digital society. However, beyond governments, additional efforts are required by other stakeholders including civil society, the tech community, academia, and the private sector to address these gaps. It is against this background that the Women At Web Alliance was initiated in October 2017 with an aim to improve digital literacy among African women, with a focus on Kenya, Tanzania, Rwanda, and Uganda. With support from Deutsche Welle (DW) Akademie, in Uganda an alliance of five organisations is working to strengthen the skills of women through digital security workshops, raising awareness on digital rights, and building digital literacy skills. As part of this work, Chapter Four, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the Defenders Protection Initiative (DPI), Not your Body and Unwanted Witness conducted research into the nature of challenges faced by Ugandan women who are active online, and manifestations of  cyber Violence Against Women (VAW). The results of the study are intended to be used to address these challenges, including through the improvement of digital literacy among more Ugandan women, policy development, and informing responsive safety mechanisms.

Women in Uganda face various challenges that undermine their use of the web and other Information and Communications Technology (ICT). These challenges mirror the impediments which women face in the offline world, be it in access to education and economic opportunities, participation in civic processes, or in claiming their freedom of expression and assembly. 

Despite a large gender disparity in digital access, more women face various forms of online violence than their male counterparts, which has continuously undermined their participation online. The absence of laws designed to specifically address the various forms of digital violence (such as revenge pornography, trolling, and threats) and the lack of sufficient in-country reporting mechanisms, exacerbate these challenges and often result in many women being forced to go offline or resorting to self-censorship. Additional consequences of cyber VAW mentioned included psychological, emotional and the physical abuse.

See the In Search Of Safe Space Online: Research summary.

10Mar

Building a Robust Data Protection Regime in Senegal

Author admin Posted on

By Simone Toussi |
Across Africa, there is a push for digitalisation with different countries at various stages of technology adoption and varying levels of legislative regimes that uphold human rights in the digital sphere.
Senegal is among the African countries that remain committed to upgrading legal and institutional frameworks governing the technology sector. Senegal passed a data protection law twelve years ago and was among the  first African states and the first African Francophone country to ratify the Africa Union Convention on Cyber Security and Personal Data Protection in 2016. It has therefore established itself among the pioneers in data governance in Africa.
Given rapid developments related to biometrics, big data, artificial intelligence, and cloud computing, among others, the government of Senegal is in the process of repealing law n° 2008-12 of January 25, 2008 which governs personal data protection. A draft bill published at the tail end of 2019 to replace the preceding law is currently under public consultation.
On February 27 – 28, 2020, Jonction Senegal, in partnership with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and Facebook hosted a workshop to review the Personal Data Protection Bill, 2019 and make relevant recommendations from a digital rights perspective. The workshop brought together 25 participants including officials from the Personal Data Commission (CDP), the Ministry of Digital Economy and Telecommunications, the Ministry of Women, Family and Gender, the Ministry of Justice, and representatives from the private sector, and civil society organisations including human rights defenders, lawyers, academia, bloggers and journalists.
Opening the workshop, Professor Mamadou Niane, Director of the Legal Department of the CDP justified the draft bill, citing inadequacies in the 2008 law given the dynamic digital environment and emergence of a diversity of players and threats. Furthermore, he noted the need for convergence with regional and international data protection developments and standards such as those laid out in the General Data Protection Regulation (GDPR), the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data signed and ratified by Senegal in 2016, the Budapest Convention, and the African Union Convention on Cyber Security and Personal Data Protection. According to Prof. Niane, other considerations for a new law related to the composition and oversight powers of the CDP and compliance monitoring mechanisms are also to be addressed. He stated that the draft bill provided for data protection principles in the proposed article 7 including the need for processing within the legal requirements, seeking consent, and necessity with exceptions tied to processing for lawful purpose.
Indeed, Diagne El Hadji Daouda, a cybersecurity specialist from the Computech Institute highlighted the importance of data security and commended the draft bill for outlining the principles of identification and authentication, confidentiality, availability and integrity (non-alteration or modification of the data during processing) under Articles 42 and 43. He also commended the proposed obligations for data controllers to put in place encryption measures and regularly review them to ensure data security; and the notification of breaches  to data subjects and authorities (Article 44). However, Daouda noted that despite these provisions, the draft bill did not incorporate the principle of anonymisation, which is crucial for preserving personal data confidentiality and guaranteeing its security.
The draft bill proposes the establishment of the Personal Data Protection Authority (APDP) to replace the CDP – with a diverse member composition including non-governmental representation. Member nomination is by decree of the president (Article 52). However, a number of provisions in the draft bill refer to a Control Authority and a Protection Authority, which seem separate from the APDP.
Dr. Ndiogou Thierno Amadou, Lecturer and Researcher at the Faculty of Legal and Political Sciences of Cheikh Anta Diop University (UCAD), raised concerns about the distinction between the three different authorities mentioned in the draft bill. Participants therefore urged for clarity on the role of the Control Authority (Article 44), as well as a clear definition and distinction between the APDP and the Protection Authority (Article 62) to avoid ambiguities. The  CDP’s Prof. Niane clarified that all mentions of an authority  in the draft bill refer to the APDP and that the necessary revisions would be made in the next draft.
The need to strike a balance between freedom of expression and personal data protection also emerged.  In his presentation, independent journalist and Director of PressAfrik.com Faye Ibrahima Lissa cited the continent-wide trend in legislative restrictions to freedom of expression on grounds of national security and public order. He emphasised that exemptions under the proposed article 105 of the draft bill relating to personal data for the purposes of journalism, research, artistic or literary expression should be precise to avoid them being used to persecute critical voices.
Similarly, Joe Marone, a media trainer and head of online radio Futurs Media noted the fundamental role of journalists in seeking the truth and being the moral conscience of public opinion and civil society. In this regard, journalism ethics and code of conduct pre-empt personal data protection through protection of sources. However, given the advent of data journalism and citizen journalists, the draft bill serves to better guarantee personal data protection within the profession.
Other issues that emerged included age of consent to data collection. Consent is defined as a declaration or clear affirmative action, either orally or in writing that gives permission to process personal data (article 8). The age of consent is not provided for in the draft bill.  Prof. Niane stated that ongoing efforts at the CDP and Ministry of Justice in partnership with the Ministry of Digital Economy and Telecommunications seek to establish a Children’s Code and related strategy dedicated to minors’ protection in the context of data protection and privacy.
The workshop participants made the following formal recommendations for revision in the next draft of the bill:

  • Set a minimum age of consent
  • The president of the ADPD should be appointed through an internal election by members in order to guarantee the authority’s autonomy.
  • Provide for adequate resource allocation to the APDP to facilitate smooth implementation and enforcement of the law
  • Provide for APDP oversight in procurement and contracting of public or government projects involving personal data collection and processing
  • Provide for authority of the APDP to collect and recover financial penalties imposed on offenders and pass them on to the victims of data breaches.
  • Strengthen the financial autonomy of the APDP by granting it 50% of the amounts recovered from any data protection operations
  • Provide for legal personality of the ADPD to give it perpetual succession with capacity to sue and be sued in its name.

Representatives of the CDP and the Ministry of Digital Economy and Telecommunications welcomed the recommendations and committed to including them in the next draft of the bill, before submission to the General Secretariat of the Presidency of Senegal.

04Mar

Silencing Critical Voices: Our Online Civic Space is Shrinking

Author admin Posted on

By Digital Shelter |

Somalia had recorded steady growth in telephone penetration – with 7.6 mobile subscribers. However, internet penetration remains low – 2% as at 2017, according to the International Telecommunications Union (ITU). The adoption of technology has expanded civic space in the post conflict era, with social media platforms and blogs empowering journalists, activists and human rights defenders to document and report human abuses, mobilize public opinioncampaign for reforms, share relevant content and information, and build networks at national and global level.

However, the past three years have seen a rise in threats against online freedom of expression, such as the arrest and intimidation of several journalists and social media campaigners for comments posted on social media. There are reports of dissenting social media accounts being hacked, while others have deactivated their accounts due to fear of attacks. A culture of censorship prevails, amidst a rise in sponsored trolls spreading misinformation and propaganda to counter factual narrative reported by journalists, human rights defenders and activists online.

It is against this background that Digital Shelter hosted a panel discussion on the shrinking online civic space in Somalia and the growing digital threats faced by media professionals, bloggers and human right defenders in the digital space on February 13, 2020. The event was part of series of activities under the theme “Protect our Online Space”, supported by the Africa Digital Rights Fund (ADRF) – an initiative of the Collaboration on International ICT Policy for East and Southern Africa (CIPESA).

Among the panelists was Mohamed Irbad, a prominent blogger and researcher known for his critical writings on governance, human rights, freedom of expression and censorship on social media platforms. In early 2019, after publishing an article titled “Media Censorship In Somalia: A Nation Risk Into Information Darkness” on his personal blog, Mohamed faced serious online and physical threats which forced him to flee the country for six months due to fear for his safety.
“All critical voices, particularly individuals who are based inside Somalia have been silenced with online and physical threats altogether. For instance, when your raise critical issue on Twitter or Facebook you have two options, you either end up battling with anonymous trolls in their hundreds by answering to their toxic comments or you feel intimidated and sacred of writing about certain issues, hence, your remain silenced . And that is exactly what happened to me after writing that article. And therefore, it is fair to stay that we are witnessing the worst shrinking of our online/offline civic and democratic spaces” Mohamed Irbad.
Also speaking at the event was Hassan Ali Osman, a journalist, with the New Humanitarian newsletter. Hassan actively uses Twitter to disseminate local and international news as it breaks for his 90,000 followers. He shared that he has been constantly attacked by trolls merely because of reporting the truth on social media platforms.
Highlighting the issue of online violence against women was Sucdi Dahir Diriye, a passionate community volunteer and member of CaawiWalaal loosely translated as “HelpYourBrother” –  a digital campaign launched three years ago to support local communities affected by droughts in Somalia. As in most of the world, the internet has provided a platform for Somali women to amplify their voices. However, it has also enabled perpetuation of different forms of online violence against women including harassment, doxing, threats, stalking and blackmail, sometimes leading to physical violence. The targets of these attacks are women that are vocal on issues such as gender equality, sexual violence, free expression, or challenging the patriarchal structure of the society. This has created a hostile online environment for women and girls in Somalia, fraught with shaming, intimidation and degrading, leading to withdraw of from the online space.
As part of her work, Sucdi documents cases of online blackmailing and extortion against young girls in Mogadishu and other regions of Somalia. She stated that limited recognition of the existence of online violence and harassment against women in Somalia is allowing the abuse to continue inexorably. Relevant policies to address online violence against women need to be put in place and more women and girls need to be skilled in digital safety and security.
Based on their personal and professional experiences, the panelists stressed the need for counter measures against the prevailing threats. Among the recommendations made was increased digital security skills and knowledge building among activists, bloggers and media professionals. Specialized training on gendered online harassment was encouraged. Panelists also emphasized a dual approach in voice amplification – online and offline to reach wider audiences.  Furthermore, more stakeholder dialogue to raise awareness on online civic space and digital rights, including data protection and privacy inline with Somalia’s growing technology sector. Other recommendations included research undertakings on current digital threats in Somalia, to inform advocacy and policy interventions; and establishment of a solidarity network to support victims of online attacks.
“Digital Shelter is proud to be in a unique position to amplify voices in the most difficult time where the online civic space is shrinking in Somalia”, said Abdifatah, co-founder of Digital Shelter in the closing remarks of the forum.
Digital Shelter continues its “Protect our Online Space” drive during March 2020 with series of trainings on digital security. Digital Shelter is also planning to host other forums on expanding online civic space in Somalia.

This article was first published by the Digital Shelter on March 04, 2020

21Feb

Malawi's Democracy and Digital Rights Record to be Spotlighted by the Human Rights Council of the United Nations

Author admin Posted on

By Michael Kaiyatsa and Ashnah Kalemera |

On February 3, 2020 Malawi scored a democracy victory when the Constitutional Court nullified the May 2019 presidential elections and ordered for fresh polls within 150 days. In that time, the country will also undergo its Universal Periodic Review (UPR) by the Human Rights Council, scheduled for May 2020.  Whereas previous reviews did not receive elections-related recommendations, Malawi’s  democratic credentials – freedom of expression, media freedom, and access to information – have come under scrutiny.

At the upcoming review, it is crucial that the country’s democratic credentials are scrutinised and recommendations to the Malawian government reflect explicitly the need to uphold rights and freedoms online and offline, in line with the state’s obligations under Articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR).

In recent years, Malawi has made significant policy and structural reforms in the technology sector. The third Malawi Growth and Development Strategy (MGDS III) (2017–2022), recognises Information and Communications Technology (ICT) among the five priority areas in accelerating development. The strategy aims to increase access to ICT services; provide well-developed ICT broadband and infrastructure services; and increase the number of ICT-skilled and industry-ready workforce in public and private sector institutions. Meanwhile, the National ICT Policy, 2013 is dedicated to promoting the use of ICT in the country, and a national fibre optic backbone project was completed in April 2018.

However, the country must  commit towards ensuring a conducive environment for privacy and data protection as well as access to and affordability of the internet and related technology as key enablers of social, economic, and political development.

Freedom of expression

Article 35 of the Malawi Constitution guarantees freedom of expression while  Article 36 makes provisions for a free press. Despite these enabling constitutional provisions, other legislation places restrictions on citizens’ exercise of the right to freedom of expression.

The Electronic Transactions and Cybersecurity Act of 2016 provides for restrictions on online communications to “protect public order and national security”. The law also penalises “offensive communication” via online platforms with fines of Malawian Kwacha (MWK) 1,000,000 (USD 1,352) or a maximum 12 months prison sentence. Section 4 of the Protected Flag, Emblems and Names Act, 2012 makes it an offence to “do any act or utter any words or publish or utter any writing calculated to insult, ridicule or to show disrespect” to the President, the national flag, armorial ensigns, the public seal or any other protected emblem or likeness. The Penal Code penalises sedition (punishable with a fine of up to MWK 354, 845 – USD Dollars 480 – and imprisonment of five years for first time offenders and seven years for subsequent offences), and libel (up to two years imprisonment).

In the previous cycle of the UPR (May 2015), the government of Malawi received three recommendations relating to freedom of expression, opinion and the press from the governments of Austria, Ghana, and Tunisia although none explicitly mentioned the online sphere. Austria and Tunisia’s recommendations to “fully investigate all cases of harassment and intimidation of journalists and human rights defenders with a view of bringing the perpetrators to justice” and “issue a standing invitation to the special procedures of the Human Rights Council and ensure an enabling environment for the activities of journalists, human rights defenders and other civil society actors”, respectively were supported. However, Ghana’s recommendation to “decriminalise defamation and incorporate this into the Civil Code” was only “noted”.

Since then, there have been various instances of restrictions on freedom of expression online with notable arrests and prosecution for allegedly insulting the President and First Lady on Facebook; speech against a marginalised group; circulating forged documents; and treason. In July 2019, the Minister of Information and Government Spokesperson warned that the Electronic Transactions and Cyber Security Act, 2016 would be used to take punitive action against online speech viewed as denigrating to others. Furthermore, in the run up to the now annulled elections, the Malawi Communications Regulatory Authority (MACRA) issued a notice warning the public against disinformation on social media platforms. The notice stated that the regulator would “work with various stakeholders to seek ways of countering the spread of fake news.”

Freedom of information and censorship of content

Citizens’ right of access to information is provided for under Article 37 of the Constitution. The Access to Information Act of 2017 provides for the right of access to information in the custody of public bodies and relevant private bodies, as well as the processes and procedures for obtaining such information.

However the Official Secrets Act under section 4(1) prohibits disclosure of a wide range of information. The Preservation of Public Security Act (1960), under section 3 (Public Security Regulations) makes it an offense to publish anything likely to be “prejudicial to public security; undermine the authority of, or the public confidence in, the government; promote feelings of ill-will or hostility between any sections of classes or races of the inhabitants of Malawi; or promote industrial unrest in the country.” These two outdated laws place restrictions on access to information, in addition to offenses relating to sedition and publication of false information under the Penal Code. Further, Section 46 of the Penal Code empowers the Minister of Justice to prohibit the publication or importation of any publication that he or she considers to be contrary to the public interest.

During the second cycle of the UPR, the government of Malawi received two recommendations from Norway relating to the freedom of information – “Consolidate the policy gains into legal reforms on issues such as treatment of same-sex relations and access to information” (noted) and “Prioritise public education and information as well as capacity building of state institutions as part of efforts to strengthen implementation of national human rights legislation” (supported).

Since the review, instances of restrictions to access to information online include internet outages on election day in May 2019, with reports suggesting that the disruption was ordered by the government to disrupt information flows and keep citizens un-informed during the election. On censorship of content, amidst concerns over “moral standards, values and aspirations as a nation” within the music industry,  in May 2018, the Malawi Censorship Board embarked on a programme to review songs and films with “suspicious moral content” in order to “protect the rights of listeners”. In February 2019, Malawi Police arrested a musician for producing a “blasphemous song”. He was sentenced to two years in jail. According to Freedom House, “several journalists have complained that their articles are sometimes never published online or in print because their editors received directives from officials to refrain from publishing about certain topics”.

Equality and barriers to access

Section 157 of the Communications Act of 2016 mandates MACRA to establish a Universal Service Fund. In October 2019, MACRA announced that it would roll out the Universal Access to Information and Communications Technology (ICT) Services Project starting in 2020 to ensure universal coverage in the country, including to rural and under-served areas.

Despite these efforts, ICT adoption in Malawi remains among the lowest in the world – 25.5 mobile broadband subscriptions for every 100 inhabitants as at 2017, the most recent year International Telecommunications Union (ITU) data is available for. The Inclusive Internet Index 2019 which assesses internet availability, affordability, relevance of content and readiness ranks Malawi 98th out of 100 countries. Malawi is currently ranked 52 out of 61 countries in internet affordability. The average monthly cost of 1GB data is MWK 3,500 (USD 4.8).

The country has maintained a 17.5% value-added tax (VAT) on mobile phones and services, a 16.5% VAT on internet services and an additional 10% excise duty on mobile phone text messages and internet data transfers, introduced in 2015.

In October 2019, the government of Malawi attempted to introduce a 1% withholding tax on mobile money transactions in the 2019/20 National Budget. The proposal was withdrawn following pressure from civil society groups and the private sector.

Data protection and privacy

The right to privacy is enshrined in Section 21 of the Constitution of Malawi, which stipulates that “Every person shall have the right to personal privacy, which shall include the right not to be subject to: (a) searches of his or her person, home or property; (b) the seizure of private possessions; or (c) interference with private communications, including mail and all forms of telecommunications”.

Malawi does not have a standalone data protection law. In March 2018, the then Minister of ICT, Nicholas Dausi, announced plans to draft a bill on data protection in response to the changing media and technological landscape. In the meantime, The Electronic Transactions and Cybersecurity Act of 2016 which aims “to put in place mechanisms that safeguard information and communication technology users from fraud, breach of privacy, misuse of information and immoral behaviour brought by the use of information and communication technology” provides some protections. The Act provides for the processing of personal data (section 71); and the rights of data subjects (section 72) while sections 73 and 74 relate to the obligations of a data controller. Under section 84, the Act criminalises unauthorised access, interception, and modification of data with conviction attracting fines of MWK2,000,000 (USD 2,680) and imprisonment for five years. However, article 29 requires service providers to retain data and disclose it when required by courts.

There is also the Communications Act of 2016 which criminalises unlawful interception or interference, and disclosure of electronic communications (section 176), with penalties upon conviction of a fine of MWK 5,000,000 (USD 6,500) and imprisonment for five years.

Section 20(1) of the Access to Information Act of 2017 requires an information holder to notify third parties if information being requested relates to confidential or commercial interest. Third parties are required to respond in writing within 10 working days from the date of receipt of the notice and indicate whether the requested information is considered confidential and provide reasons for non-disclosure. The Act also prohibits information holders from disclosing information whose disclosure would result in the unreasonable disclosure of personal information about a third party (section 29) or which is likely to result in endangering the life, health or safety of a person (section 31). On the other hand, information holders are prohibited from disclosing legally privileged information unless the data subject (patient, client, source or person entitled to the privilege), consents to the release of the information or has waived the privilege or a court order is made to that effect (section 32).

Section 10 of the National Statistics Act, 2013 empowers the National Statistics Organisation (NSO) to collect all types of information, including personal information, nationwide on behalf of the government.

The major weakness of the current legal and policy framework is the lack of a dedicated data governance framework. This is especially problematic considering ongoing mandatory personal data collection exercises such as SIM card registration and biometric data collection as part of the national identification programme. Meanwhile, the government is reported to have rolled out the Consolidated ICT Regulatory Management System (CIRMS), with perceived surveillance capabilities. In 2017, the Malawi Supreme Court of Appeal dismissed an application by Telekom Networks Malawi (TNM), one of the country’s mobile service providers, to stop the implementation of the CIRMS on privacy grounds.

As part of Internet Freedom and UPR advocacy efforts at the Human Rights Council, the Centre for Human Rights and Rehabilitation (CHRR),  the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), and Small Media made the following recommendations to UN members to consider putting forward to the Malawi delegation during the upcoming review:

  • In compliance with international standards and the right to freedom of expression guaranteed under Article 19 of the ICCPR and section 35 of the Malawi Constitution, guarantee freedom of expression and opinion online as well as offline for media and individuals, including marginalised and discriminated groups by repealing all laws that restrict freedom of expression, including the Protected Flag, Emblems and Names Act, libel and defamation laws.
  • Refrain from implementing internet shutdowns or disruptions under any circumstances.
  • Ensure that the 2017 Access to Information Act is fully implemented and all public bodies are in full compliance in providing their data regularly in accessible formats.
  • Hasten efforts to provide equal access to technology and communications to all citizens, including disadvantaged and marginalised groups of the population, by removing barriers to access and improving affordability, as well as expanding infrastructure and desisting from internet disruptions.
  • Approve the legislation on personal data protection and privacy in order to provide safeguards on the use of personal data and to protect the right to privacy online.

1 61 62 63 64 65 158