Joint Call |
The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) is part of a call urging G20 countries to place citizens and consumers at the centre of decisions around the digital society.
The call states, “For the digital society to be open, safe, and empowering for everyone, policies for the digital age must be trusted and trustworthy – putting the interests of people and their rights first. Governments should intensify efforts to assure that the Internet is not fragmented and that people and their rights are at its centre.”
See the complete document here.
When was the last time you read the “Terms and Conditions” before you signed up for a new service online?
We don’t blame you. It’s easy to get lost in the legal jargon.
But do you know what happens to your personal data every time you click on “I have agreed to terms and conditions”? Did you know at the mere click to accept, you could have given a way a portion of your vital information and put your data privacy in absolute jeopardy?
Today, it’s hard to raise the issue of data privacy without putting a thought on the recent Facebook-Cambridge Analytica scandal that made many people realize the power of data. Even with as much information spewed out explaining what the scandal was about, very few took a note to learn from.
A recent allegation from the Cambridge Analytica scandal pins the Uhuru Kenyatta presidential campaign to have employed social media surveillance results to target campaign messages to different profiles of voters. This was possible because Facebook monitors your social media activity and can predict your behavior from that, hence such information is used to target messages that speak to your interests and emotions to sway major decisions such as election outcomes. This isn’t just happening on our doorsteps, allegations claim similar outcomes in the United States and the UK.
The EU revised as much on data privacy and protection in Europe and promised to give users more power over their data. While Europe seems to take quick action, down in Uganda and Africa at large, we continue to grapple with weak data privacy and protection laws, a citizenry that is not well-informed on data privacy, a delay in passing necessary bills and weak implementation processes. Unfortunately, a majority of African countries lack the necessary mechanisms for the inclusive participation of citizens and other stakeholders in the processes of formulating the very laws on internet and digital rights that directly affect them.
Do we care about Data Privacy and Protection?
In December 2017, Unwanted Witness, an activists group petitioned the Uganda Human Rights Commission (UHRC) to compel Parliament to speed up the enactment of privacy and data protection law.
They argued that without a governing law, citizens’ personal data is exposed to abuse without collection and protection safeguards. They further asked UHRC to prioritize privacy and recognize it as a fundamental right under attack in the country. However, to date, we are yet to see significant action taken to build an informed citizenry on their digital rights and to provide appropriate protections.
When talk about data arises, many are not really willing to delve further into the ethics surrounding the topic. This can and will still be attributed to the high illiteracy levels in the country and because many don’t know what data is or how valuable it might be on the long run, they will give it away easily. Funny as it may sound, a majority internet users think ‘data’ is the a term tied to the internet bundles that the ISPs provide and it’s that school of thought that has stuck with them. Whether their data gets in the hands of the wrong or the right people, it’s the least of their concerns.
Data Protection basically means to ensure the right to privacy, respect to confidentiality principles in various relations such as doctor patient, employer-employee and service providers with their clients generally.
Did you know that privacy is your human right?
The right to privacy refers to the concept that one’s personal information is protected from public scrutiny. It is essentially, your right to be left alone. Privacy is a core aspect of human dignity and values such as freedom of association and freedom of speech.
One would wonder, even with the data privacy breaches, are there really laws in place to curb and punish those that are misusing people’s data and evading on their privacy or we are simply looking while our data gets tampered with and is easily handed to the wrong hands.
Are there Laws in Place?
Yes! There is a Ugandan Data Protection and Privacy Bill that was tabled before parliament in 2015 and although the Bill needs to be revised and aligned better with human rights provisions, comments have been raised on the need to balance civil liberties, national security and data protection and privacy.
According to a paper published a couple of years ago by Dr Ronald Kakungulu Mayambala a Senior Lecturer of Human Rights and Peace Centre at Makerere University, Article 27 of the Constitution guarantees the right to privacy of person, home and other property. In particular, article 27(2) of the Constitution provides that a person shall not be subjected to interference with the privacy of that person’s home, correspondence, communication or other property.
Unfortunately there is no comprehensive law giving effect to article 27, yet a lot of data concerning individuals are collected, stored or processed regularly by various institutions in the private and public sector, including banks, hospitals, insurance companies, the Uganda Citizenship and Immigration Control Board, the Uganda Revenue Authority, Uganda Registration Services Bureau, the Electoral Commission, utility service providers and telecommunications companies under the SIM card registration exercise
The Bill seeks to protect the privacy of the individual and personal data by regulating the collection and processing of personal information. It provides for the rights of persons whose data is collected and the obligations of data collectors and data processors; and regulates the use or disclosure of personal information.
However even with these laws and bills in place, further questions continue to be raised on whether they even hold any solid ground in implementation, especially, if there has not been enough sensitization of the bills and data literacy.
What do some people think about data privacy in Uganda?
A chat with a few random Ugandans around town shows you just how long of a way we have to go with the data privacy and protection talk.
“I honestly have nothing to hide with my data and anyone who wants to access it can go ahead and access it. Your data can only be private if you choose to keep it private but if you choose to put it out there and later claim for privacy, then you are playing yourself” — Lisa
“Whatever you put out there is public. I don’t really care who gets my data because once Ipost anything on social media, it’s no longer in any way private. I get a need for data privacy if it comes to my business data like emails. That is when i need some real privacy” — Hans
“Data privacy is not even a topic of debating here in Uganda because people don’t really care what happens with their data. Because we have a huge Internet penetration gap, very many people don’t even know what data is in most parts of africa.” — Emmanuel
‘Do Ugandans really Care About their #Data Privacy?’
By Edrine Wanyama |
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. As of 2017, Sub-Saharan Africa (SSA) had a mobile subscription rate of 44% which is projected to reach 52% by 2025. Further, SSA’s mobile internet penetration by 2017 stood at 21% and is anticipated to increase to 40% by 2025. However, the region has registered the largest number of cases of mandatory SIM card registration yet it suffers some of biggest challenges in personal data protection and privacy.
The benefits of SIM card registration include facilitation of citizens’ access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks. In addition, it aids combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services. Accordingly, many governments argue that mandatory SIM card registration is for purposes of safeguarding digital and physical security. However, critics argue that when SIM card registration is effected without due safeguards, it poses a threat to privacy and freedom of expression.
Indeed, in 2013 Mexico repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” Finland has not enforced compulsory SIM card registration and nonetheless, through voluntary mobile signatures, service providers has succeeded in facilitating user’s access to relevant retail, banking and e-Government services.
Globally, over 90 countries conduct compulsory SIM card registration yet some remain without clear policy on its implementation. Amidst criticisms that mandatory registration does not necessary combat cybercrime, as criminals take the necessary precautions to avoid being detected and circumvent mandatory SIM card registration, African countries continue to proactively enforce SIM card registration. Among the prevailing challenges on the continent is the difficulty in validating identity documents in an environment with a wide range of service providers who create room for potential circumvention.
Mandatory registration has negatively affected access and usage of mobile telecommunication services due to the tedious process which entails the production of documentation such as passports and national identity cards prior to registration, which sometimes results in failure to attain a SIM card, disconnection, or deactivation of SIM cards.
Additionally, there have been repetitive calls for registration of SIM cards in countries such as Uganda and Nigeria with personal data being collected more than once. In Uganda, despite government explanation that SIM card verification is aimed at ensuring secure and safer communications, citizens have unanswered questions on the exercise. Suspicion arises due to a fresh validation of SIM card registration using national identity cards subsequent to registration which was initially done using valid documents such as students’ identity cards, driving permits and passports.
Double collection of personal data may partly imply collection of data beyond what is necessary for the purpose contrary to the internationally established data protection principles such as those set out in the Organisation for Economic Co-Operation and Development (OECD) Data Protection Principles. Further, there is no guarantee of individual privacy as most of the African countries do not have data protection laws. Moreover, most of the existing data protection laws do not meet internationally recognised standards considered sufficient to guarantee personal data protection and are therefore regarded as offering moderate or limited protection.
Meanwhile, efforts to buttress data protection in Africa have not yielded much. Out of 54 countries on the continent, only 14 have data protection laws (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe). A few others such as Uganda, Kenya, Nigeria, Tanzania and Niger have Bills. Regional efforts have also not yielded much. The Convention on Cyber Security and Personal Data Protection which was adopted by the African Union in 2014 has registered only 10 signatories (Benin, Chad, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, Zambia and Comoros) and one ratification by Senegal.
Ultimately, there is need to reconcile state interests with citizens’ personal data and privacy rights. Mandatory registration, especially in the absence of clear registration guidelines and the lack of data protection laws, puts personal data at risk. African governments need to learn from other jurisdictions such as Europe with regards to processing of personal data as part of SIM card registration. In enforcing SIM card registration, there should be a clear set registration timelines, clear and unambiguous registration requirements.
By Juliet Nanfuka |
Uganda’s president Yoweri Museveni has directed the finance ministry to introduce taxes on the use of social media platforms. According to him, the tax would curb gossip on networks such as WhatsApp, Skype, Viber and Twitter and potentially raise up to Uganda Shillings (UGX) 400 billion (USD 108 million) annually for the national treasury. The ministry has already proposed amendments to the Uganda Excise Duty Act, 2014 to introduce taxation of “over-the-top” (OTT) services, and raise taxes on other telecommunications services.
Section 4 of the Excise Duty (Amendment) Bill 2018, a copy of which was obtained by CIPESA, states: “A telecommunication service operator providing data used for accessing over the top services is liable to account and pay excise duty on the access to over the top services.” The amendment defines such services as the “transmission or receipt of voice or message over the internet protocol network and includes access to virtual network; but does not include educational or research sites which shall be gazetted by the Minister.”
According to the proposals, which could take effect on July 1, 2018, OTT services that commonly include messaging and voice calls via Whatsapp, Facebook, Skype and Viber will attract a tax duty of UGX 200 (USD 0.05) per user per day of access. In his letter, Museveni said the government needed resources “to cope with the consequences” of social media users’ “opinions, prejudices [and] insults”. He proposed a levy of UGX 100 (USD 0.025) per day per OTT user. Prime Minister Ruhakana Rugunda supported the suggestion as did the ICT minister, who stated that the taxes were meant to increase local content production and app innovation in Uganda.
If implemented, the proposed tax will be the latest in a series of government actions that threaten citizens’ access to the internet. Last month, the communications regulator issued a directive calling for registration of online content providers and also released tough restrictions on registration of SIM cards. At the USD 0.05 per day suggested by the finance ministry, a Ugandan user would need to fork out USD 1.5 per in monthly fees to access the OTT services. That would be hugely prohibitive since the average revenue per user (ARPU) of telecom services in Uganda stands at a lowly USD 2.5 per month.
According to the Uganda Communications Commission (UCC), in the 2016-2017 financial year, Uganda’s telecommunications sector contributed UGX 523 billion (USD 141.2 million) to national tax revenue, an increase of 14.3% from the previous year’s UGX 458 billion (USD 123.6 million).
As of September 2017, Uganda had an internet penetration rate of 48% while the mobile subscription stood at 65 lines per 100 persons. Research shows that at least one in nine internet users in the country is signed up for a social networking site, with Facebook and WhatsApp the most popular.
Indeed, social media and by extension OTT services, are key avenues for public discourse, service delivery and political engagement. As per the recently released results of the national IT survey 2017/18, 92% of MDAs have a social media presence with most using Facebook, Twitter and WhatsApp as their primary platforms for information dissemination and engagement with citizens. Meanwhile, telecommunications companies have tapped into the popularity of OTTs by offering competitive social media data packages, resulting in what was popularly referred to as “data price wars.”
The amendment bill also proposes a 12% tax for airtime on cellular, landline and public payphones. The latter two previously attracted a 5% tax. The tax on mobile money transfers has been increased from 10% to 15%, while a 1% tax has been introduced to the value of mobile money transactions of receiving and withdrawals.
The proposed taxes do little to support internet affordability in Uganda, which already scores poorly on the Affordability Drivers Index (ADI) that annually assesses communications infrastructure, access and affordability indicators. Currently, 1GB of mobile prepaid data in Uganda costs more than 15% of the average Ugandan’s monthly income. This is much higher than the recommended no more than 2% in order to enable all income groups to afford a basic broadband connection.
The proposed taxes have also raised considerable debate among members of civil society and the business sector, who are concerned that consumers will inevitably be economically affected, while the legal fraternity has called the move unconstitutional. In a country where two social media shutdowns were ordered in a space of three months during 2016, and where some social media users have been prosecuted or arrested over opinions expressed on Facebook and Twitter critical of public officials, these developments are particularly worrying. Already, the perceived high level of surveillance has forced many Ugandans including the media, into self-censorship, turning them away from discussing “sensitive” matters of community or national importance.
The increasing popularity of social media enabled OTT services, brings new regulatory challenges for governments, as many of these services have not required a licence or been required to pay any licensing fee according to the Electronic Frontier Foundation (EFF). However, the regulation of OTT platforms and services may in some cases adversely affect user rights.
On the financial inclusion front, the proposed taxes are also likely to affect mobile money subscriptions and the cost of doing business. In Uganda and across Africa, mobile money has become the primary means of financial transactions, offering new opportunities for productivity and efficiency gains to governments, businesses and individuals. Feature photo by GotCredit
By Ashnah Kalemera |
Tanzania has issued online content regulations that oblige bloggers, owners of discussion forums, as well as radio and television streaming services to register with the communications regulator and to pay hefty licensing and annual fees.
There are three types of licences. A license for provision of online content services comes at an initial cost of TZShs 1.1 million (USD 484) comprised of an application fee of USD44 and an initial licencing fee of USD 440. In addition, there is an annual licence fee of USD440, and a similar amount has to paid for licence renewal after three years.
A licence to stream radio or television content on the internet costs TZShs 250,000 (USD110), with annual licence fees set at USD 88. This licence also has to be renewed after three years at a cost of USD 88.
The Electronic and Postal Communications (EPOCA) (Online Content) Regulations, 2018, which were issued on March 13, 2018, join a catalogue of legislation related to online content in Tanzania that threatens citizens’ constitutionally guaranteed rights to privacy and freedom of expression. The regulations are also likely to negatively impact on an already fragile intermediary liability landscape in a country fraught with increasing media repression and persecution of government critics.
When the Tanzania Communications Regulatory Authority (TCRA) initially published the draft regulations last September, they did not have the requirement to apply for online content service licences as set out in Regulation 14 of the enacted regulations. It states: “Any person who wishes to provide online content services shall fill in an application form as prescribed in the First Schedule and pay fees as set out in the Second Schedule to these Regulations.”
Applicants are required to provide their company details including physical address, shareholding, citizenship of shareholders/directors and tax registration. The communications regulator, TCRA, has the right to cancel licences over non-compliance.
The regulations that have been issued are more regressive than the draft which the regulator issued in September 2017 for public comment.
See CIPESA’s full analysis of the draft EPOCA Content Regulations, 2017 – available in English and Swahili.
Under obligations of internet cafes, the final regulations introduced two clauses that threaten user privacy. Under regulation 9, café owners are required “to ensure that all computers used for public internet access are assigned public static IP addresses”. This could inhibit the use of circumvention tools such as Virtual Private Networks (VPN) that rely on dynamic IP address protocols, and which citizens resorted to using in neighbouring Uganda during state-initiated interruptions to communications.
Further, the regulations extend café owners’ obligations to install camera equipment to include registration of users “upon showing a recognised identity card”. Pursuant to regulation 9(2), recorded surveillance and the user register “shall be kept for a period of twelve months.”
Several regressive provisions from the draft version were also passed. Regulation 6(1) requires licenced service providers who provide online content or facilitate online content production to terminate or suspend subscriber accounts and remove content if found in contravention of the regulations, within 12 hours from the time of notification by TCRA or by an affected person. This requirement places a heavy technical and human resource burden on content hosts and providers to have in place competencies to handle complaints within 12 hours.
Swift content restriction or removal is also required of online content hosts under regulation 8(b) and content providers and users under regulation 5(1)(g). As we argued in an earlier brief, while content such as revenge pornography and that which promotes violent extremism may be justifiably removed promptly, there is a danger that the regulations may be applied unjustifiably to content such as that relating to exposure of corruption or human rights violations.
Whereas regulation 16 provides for a complaints handling procedure, the regulations do not provide for the process nor mechanisms for legal recourse over contested content.
Regulation 5(1)(e) requires content providers to “have in place mechanisms to identify source of content”. This obligation poses a threat to the right to anonymity and whistleblowing and may lead to self-censorship.
Moreover, Regulation 12 on content prohibited from publication lists restrictions with broad definitions and which have potential to limit freedom of expression. In terms of scope, it includes unspecified content that “causes annoyance”; “uses disparaging or abusive words which is calculated to offend an individual or a group of persons”; and is “crude”, “obscene” or “profane” including in local languages.
Regulation 12 also prohibits publication of “false content which is likely to mislead or deceive the public except where it is clearly pre-stated that the content is i) satire and parody ii) fiction; and iii) where it is preceded by a statement that the content is not factual.”
Nonetheless, the regulations have some positive elements, among them regulation 10(b) which requires users to use device passwords to ensure that unscrupulous and unauthorized persons do not access their social media accounts.
The requirement for provision of easily accessible user terms and conditions by licensed service providers, adoption of a code of conduct for content hosting, and publication of a safe internet use policy for internet cafes, are also commendable in promoting user awareness of platform policies. The regulations also provide important safeguards for child protection online, such as regulation 13 which prohibits children’s to access to prohibited content online.
In a boost to privacy and data protection, regulation 11 prohibits unauthorised disclosure of “any information received or obtained” under the provisions of the regulations, except where the information is required for law enforcement purposes. Furthermore, regulation 11 restricts use of information only to the “extent” that is “necessary for the proper performance of official duties.” Nonetheless, in the absence of data protection and privacy legislation in Tanzania, these safeguards could be rendered of little value and hence prone to abuse.
It remains to be seen how the new regulations will be enforced and how they will impact on citizens’ rights online. However, given Tanzania’s history of predatory action against internet users following the enactment of the Cybercrime Act, 2015, the new regulations are likely to be utilised to further undermine the internet freedom situation in the country.
