Tanzanian Court Acquits Jamii Forums Founders on One of Three Charges

By Ashnah Kalemera |
A Tanzanian court has acquitted the founders of popular online discussion platform Jamii Forums, who were charged over failure to comply with a police order to disclose the identity of two users of their platform.
The magistrate’s court at Kisitu in the capital Dar es Salaam found that Maxence Melo and Micke William had no case to answer in the case, in which the two were alleged to have obstructed investigations in contravention of Section 22(2) of the Cyber Crimes Act, 2015 by refusing to comply with an order to disclose their platform users’ data. The ruling cuts the number of cases against Melo and William to two.
Reacting to the June 1, 2018 decision, Melo stated that it was a “victory for anyone who would like to see freedom of expression flourish” in Tanzania. He said he was glad to have only two outstanding cases, having recently endured four court appearances over five days.
In December 2016, Melo was charged with three offences: two counts of not complying with a disclosure order under Section 22(2) of the Cyber Crimes Act (2015) and one count of managing a domain that is not registered in Tanzania under Section 79(c) of the Electronic and Postal Communications Act (2010). Melo was initially charged alone but William was subsequently added to the cases as a co-accused, since he is a shareholder in Jamii Media, the legal entity under which Jamii Forums is run.
Section 22(2) of the Cyber Crimes Act relates to unlawful interference with investigations and refusal to comply with an order under the Act. The penalty, upon conviction, is a fine of three million Tanzania Shillings (USD 1,300) or imprisonment for one year, or both. Meanwhile, Section 79 of the Electronic and Postal Communications Act (2010) provides for the regulation of all electronic communication numbering and electronic addresses by the Tanzania Communications Regulatory Authority (TCRA). Part C of the section mandates the authority to perform oversight role of management of .tz – the country’s code Top Level Domain (ccTLD).
The charges stemmed from Jamii Forum’s refusal to comply with police disclosure notices to reveal the Internet Protocol (IP) addresses, email and phone numbers of users, whose identities authorities sought after whistleblowing corruption scandals in the oil and banking sectors.
Initially, Jamii Media, went to court challenging the disclosure orders and specifically provisions of Section 32 and 38 of the Cybercrime Act. However, the petition was dismissed in a ruling that dealt a blow to intermediary liability rules in Tanzania.
During court proceedings in the now dismissed case, prosecutors called four witnesses including two officials from the Tanzania Police cybercrime department. Court also heard testimony from the Human Resource Manager of CUSNA Investment LTD, the company which made a defamatory report to police regarding the information disclosed by the whistleblowers. The fourth witness called by the prosecutor was the Acting Deputy Registrar of Intellectual Property at Tanzania Business Registrations and Licensing. Proceedings then stalled with the prosecution indicating that it had no further witnesses to call.
Since its enactment in 2015, state authorities in Tanzania have used the Cyber Crimes Act to arrest and prosecute individuals for expressing critical opinion. Reportedly passed in the middle of the night, the Act is one of many recent laws in Tanzania that have been criticised for disregarding free speech and access to information, among other citizens’ constitutionally guaranteed rights.
Hearings in the remaining two cases against Melo and William are scheduled to continue during June.

Uncertainty Over How Uganda’s New Social Media Tax Will be Collected

By Juliet Nanfuka |
On May 30, 2018, Uganda’s parliament passed the Excise Duty (Amendment) Bill 2018, which will see users of Over-The-Top (OTT) services that include messaging and voice calls via Whatsapp, Facebook, Skype and Viber pay a mandatory fee of UGX 200 (USD 0.05) per day of use. In another move that could hit affordability, stifle innovation, and undermine the role digital technologies play in socio-economic transformation, the amendment will also introduce a one percent fee on each mobile money transaction. However, it remains unclear how the tax on social media use would be collected.
The amendment bill was first introduced last April and was met with criticism over the new taxes, which many observers believe would make Information and Communication Technologies (ICT) inaccessible to majority of Ugandans. The taxes were proposed in response to a letter president Yoweri Museveni wrote to the finance ministry wherein he stated that the government needed resources “to cope with the consequences” of social media users’ “opinions, prejudices [and] insults”. Without mentioning mobile money, Museveni proposed a levy of UGX 100 (USD 0.025) per day per OTT user, but proposals by the finance ministry, since passed by parliament, doubled this figure.
Further, days after parliament passed the amendments bill, the finance minister reportedly stated that the tax rate on mobile money transactions should be 0.5% and not 1% and suggested that the bill could need revisiting.


As of September 2017, Uganda had an internet penetration rate of 48%. Meanwhile, there were 23 million mobile money subscribers in a country of 37.7 million people, and their more than 340 million transactions during the third quarter of 2017 alone totalled UGX 18.1 trillion (USD 4.7 billion).
Mobile money has been a primary avenue of financial inclusion particularly for the unbanked. According to the Bank of Uganda, in 2015, only 16% of the population had a bank point of service within one kilometre of a home, whereas 54% of the population had a mobile money point of service within one kilometre.
Meanwhile, social media has served as many users’ initial entry point to internet use in many developing countries such as Uganda. This is among the reasons why OTT packages have been popular with telecommunications companies as tools to attract more clients. Introducing taxes on the use of these platforms could therefore negatively impact local content development and civic participation tools that rely on these services.
The proposals passed by Uganda’s parliament also include raising tax on airtime on cellular, landline and public payphones from 5% to 12% and the increase on the tax on mobile money transfers from 10% to 15%. .
The passing of the bill attracted various reactions on Twitter:


In 2016, social media and mobile money services were shut down twice during the electioneering period.


As a result of the shutdown of social media platforms, Virtual Private Networks (VPNs) became popular as users sought alternative avenues to remain online. There were no alternatives for mobile money users but the impact of the shutdown was felt by mobile money service providers such as the Airtel Uganda mobile money platform which at the time was  used by around 650,000 unique users per day and processed around 30 billion Ugandan shillings (USD 8.8 million) according to FSD Uganda.
At a private sector dialogue hosted by the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) a day after the passing of the bill, participants noted that the move to tax mobile money services could potentially force users to explore other alternatives for transactions, including reverting to cash or to new financial transaction models such as blockchain which is emerging as a  potential alternative avenue for financial transactions in Uganda.


According to a 2017/18 Uganda National Information Technology Survey, social media platforms including OTT services are some of the popular avenues through which civic engagement has been pursued by the state. It remains to be seen how access to government services will be incorporated in the new tax model.


With the taxation expected to come into effect as early as July 1, 2018, uncertainty remains over whether, if signed into law by the president, the tax would be executed given the limited public consultation and the absence of guidelines.

Sections of Kenya’s Computer Misuse and Cybercrimes Act, 2018 Temporarily Suspended

By Juliet Nanfuka |
Barely two weeks after the presidential assent to the Computer Misuse and Cybercrimes Act, 2018, a High Court judge has issued a conservatory order suspending the entry into force of 26 sections of Kenya’s contentious Computer Misuse and Cybercrimes Act, 2018. The order by Judge Chacha Mwita, suspending the sections until July 18, follows a petition filed by the Bloggers Association of Kenya (BAKE), which challenged the law for contravening constitutional provisions on freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property and the right to a fair hearing.
In the order issued on May 29, the judge certified BAKE’s petition as urgent, and stated that  respondents (who include the Attorney General, the Speaker of the National Assembly, the head of the National Police Service, and the Director of Public Prosecutions) be served immediately. The respondents would have seven days from receipt to file written submissions. Hearing of the petition is scheduled for July 18, 2018.
Although the conservatory order only stalls the enforcement and could be lifted or maintained thereafter, it nonetheless represents a win for digital rights advocates in Kenya, as they have in the interim satisfied the judge that there is an arguable case to be made against the constitutionality of the recently enacted law. The order also marks another landmark ruling in the litigation towards respect and realisation of digital rights across Africa.

According to the  order, the suspended sections are: 5, 16, 17, 22, 23, 24, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 48, 49, 50, 51, 52 & 53.


Various organisations criticised the bill prior to its assent on May 16, 2018 calling it unconstitutional. Among the organisations were the Kenya ICT Action Network (KICTANET), Article 19 Eastern Africa, BAKE and the Centre to Protect Journalists (CPJ) who deemed numerous sections unconstitutional and detrimental to Kenyan citizens’ digital rights. They said it infringed on the privacy of individuals, freedom of expression, speech, opinion and access to information online.
Kenya already has a history of stifling online critics of the state and state actors, as echoed by James Wamathai, the Director of Partnerships at BAKE. In a statement, he said: “In the past several years, there have been attempts by the government to clamp down on the freedom of expression online. This Act is a testament of these efforts, especially after other sections were declared unconstitutional by the courts.
Among the prevailing concerns on the law is the use of vague language on issues such as “false” or “fictitious” content and false publications in Section 22 and 23, accompanied with heavy obligations on users to verify truthfulness or untruthfulness of information before disseminating. As per section 12, failure to comply would result in a fine of five million Kenyan shilling (USD 50,000), up to two years in prison, or both.
The  court order comes on the heels of the two judgments (Okiya Omtatah Okoiti v The Communication Authority of Kenya and 3 others Constitutional Petition No. 53 of 2017 and Kenya Human Rights Commission v Communications Authority of Kenya and 3 others no. 86 of 2017) by the Kenya High Court in which the petitioners successfully challenged the installation on mobile phone networks of a communication surveillance system dubbed Device Management System (DMS), by the Communications Authority (CA) Kenya (CA). The petitioners argued that, through this system, the authority would have undue access to the communications of citizens.
As more countries in Sub-Saharan Africa develop technology related laws, it is fundamental that the laws uphold human rights standards prescribed at global and regional levels, including in the International Covenant on Civil and Political Rights (ICCPR), the African Charter on Human and Peoples Rights (ACHPR), and African Union Convention on Cybersecurity and Personal Data Protection. However, recent developments such as has been witnessed in East Africa appear to prioritise the criminalisation and penalisation of internet use rather than encourage its adoption as a tool for greater access to information, and for expanding free expression and civic engagement.
Kenya’s neighbours Tanzania and Uganda have this year taken actions detrimental to digital rights. In Uganda, social media taxes that could be introduced in July 2018 threaten internet access and affordability while in in Tanzania, online content producers will have to pay over USD 900 to register with the state for permissions to maintain their platforms, according to new regulations.
 

The Stampede for SIM Card Registration: A Major Question for Africa

By Edrine Wanyama |
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. As of 2017,  Sub-Saharan Africa (SSA) had  a mobile subscription rate of 44% which is projected to reach  52% by 2025. Further, SSA’s mobile internet penetration by 2017 stood at 21% and is anticipated to increase to 40% by 2025.  However, the region has registered the largest number of cases of mandatory SIM card registration yet it suffers some of biggest challenges in personal data protection and privacy.
The benefits of SIM card registration include facilitation of citizens’ access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks. In addition, it aids combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services. Accordingly, many governments argue that mandatory SIM card registration is for purposes of safeguarding digital and physical security. However, critics argue that when SIM card registration is effected without due safeguards, it poses a threat to privacy and freedom of expression.
Indeed, in 2013 Mexico repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” Finland has not enforced compulsory SIM card registration and nonetheless, through voluntary mobile signatures, service providers has succeeded in facilitating user’s access to relevant retail, banking and e-Government services.
Globally, over 90 countries conduct compulsory SIM card registration yet some remain without clear policy on its implementation. Amidst criticisms that mandatory registration does not necessary combat cybercrime, as criminals take the necessary precautions to avoid being detected and circumvent mandatory SIM card registration, African countries continue to proactively enforce SIM card registration. Among the prevailing challenges on the continent is the difficulty in validating identity documents in an environment with a wide range of service providers who create room for potential circumvention.
Mandatory registration has negatively affected access and usage of mobile telecommunication services due to the tedious process which entails the production of documentation such as passports and national identity cards prior to registration, which sometimes results in failure to attain a SIM card, disconnection, or  deactivation of SIM cards.
Additionally, there have been repetitive calls for registration of SIM cards in countries such as Uganda and Nigeria with personal data being collected  more than once. In Uganda, despite government explanation that SIM card verification is aimed at ensuring secure and safer communications, citizens have unanswered questions on the exercise. Suspicion arises due to a fresh validation of SIM card registration using national identity cards subsequent to registration which was initially done using valid documents such as students’ identity cards, driving permits and passports.
Double collection of personal data may partly imply collection of data beyond what is necessary for the purpose contrary to the internationally established data protection principles such as those set out in the Organisation for Economic Co-Operation and Development (OECD) Data Protection Principles. Further, there is no guarantee of individual privacy as most of the African countries do not have data protection laws. Moreover, most of the existing data protection laws do not meet internationally recognised standards considered sufficient to guarantee personal data protection and are therefore regarded as offering moderate or limited protection.
Meanwhile, efforts to buttress data protection in Africa have not yielded much. Out of 54 countries on the continent, only 14 have data protection laws (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe). A few others such as Uganda, Kenya, Nigeria, Tanzania and Niger have Bills. Regional efforts have also not yielded much. The Convention on Cyber Security and Personal Data Protection which was adopted by the African Union in 2014 has registered only 10 signatories (Benin, Chad, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, Zambia and Comoros) and one ratification by Senegal.
Ultimately, there is need to reconcile state interests with citizens’ personal data and privacy rights. Mandatory registration, especially in the absence of clear registration guidelines and the lack of data protection laws, puts personal data at risk. African governments need to learn from other jurisdictions such as Europe with regards to processing of personal data as part of SIM card registration. In enforcing SIM card registration, there should be a clear set registration timelines, clear and unambiguous registration requirements.

Tanzania Issues Regressive Online Content Regulations

By Ashnah Kalemera |
Tanzania has issued online content regulations that oblige bloggers, owners of discussion forums, as well as radio and television streaming services to register with the communications regulator and to pay hefty licensing and annual fees.
There are three types of licences. A license for provision of online content services comes at an initial cost of TZShs 1.1 million  (USD 484) comprised of an application fee of USD44 and an initial licencing fee of USD 440. In addition, there is an annual licence fee of USD440, and a similar amount has to paid for licence renewal after three years.
A licence to stream radio or television content on the internet costs TZShs 250,000 (USD110), with annual licence fees set at USD 88. This licence also has to be renewed after three years at a cost of USD 88.
The Electronic and Postal Communications (EPOCA) (Online Content) Regulations, 2018, which were issued on March 13, 2018, join a catalogue of legislation related to online content in Tanzania that threatens citizens’ constitutionally guaranteed rights to privacy and freedom of expression. The regulations are also likely to negatively impact on an already fragile intermediary liability landscape in a country fraught with increasing media repression and persecution of government critics.
When the Tanzania Communications Regulatory Authority (TCRA) initially published the draft regulations last September, they did not have the requirement to apply for online content service licences as set out in Regulation 14 of the enacted regulations. It states: “Any person who wishes to provide online content services shall fill in an application form as prescribed in the First Schedule and pay fees as set out in the Second Schedule to these Regulations.”
Applicants are required to provide their company details including physical address, shareholding, citizenship of shareholders/directors and tax registration. The communications regulator, TCRA, has the right to cancel licences over non-compliance.
The regulations that have been issued are more regressive than the draft which the regulator issued in September 2017 for public comment.

See CIPESA’s full analysis of the draft EPOCA Content Regulations, 2017 – available in English and Swahili.

Under obligations of internet cafes, the final regulations introduced two clauses that threaten user privacy. Under regulation 9, café owners are required “to ensure that all computers used for public internet access are assigned public static IP addresses”. This could inhibit the use of circumvention tools such as Virtual Private Networks (VPN) that rely on dynamic IP address protocols, and which citizens resorted to using in neighbouring Uganda during state-initiated interruptions to communications.
Further, the regulations extend café owners’ obligations to install camera equipment to include registration of users “upon showing a recognised identity card”.  Pursuant to regulation 9(2), recorded surveillance and the user register “shall be kept for a period of twelve months.”
Several regressive provisions from the draft version were also passed. Regulation 6(1) requires licenced service providers who provide online content or facilitate online content production to terminate or suspend subscriber accounts and remove content if found in contravention of the regulations, within 12 hours from the time of notification by TCRA or by an affected person. This requirement places a heavy technical and human resource burden on content hosts and providers to have in place competencies to handle complaints within 12 hours.
Swift content restriction or removal is also required of online content hosts under regulation 8(b) and content providers and users under regulation 5(1)(g). As we argued in an earlier brief, while content such as revenge pornography and that which promotes violent extremism may be justifiably removed promptly, there is a danger that the regulations may be applied unjustifiably to content such as that relating to exposure of corruption or human rights violations.
Whereas regulation 16 provides for a complaints handling procedure, the regulations do not provide for the process nor mechanisms for legal recourse over contested content.
Regulation 5(1)(e) requires content providers to “have in place mechanisms to identify source of content”. This obligation poses a threat to the right to anonymity and whistleblowing and may lead to self-censorship.
Moreover, Regulation 12 on content prohibited from publication lists restrictions with broad definitions and which have potential to limit freedom of expression. In terms of scope, it includes unspecified content that “causes annoyance”; “uses disparaging or abusive words which is calculated to offend an individual or a group of persons”; and is “crude”, “obscene” or “profane” including in local languages.
Regulation 12 also prohibits publication of “false content which is likely to mislead or deceive the public except where it is clearly pre-stated that the content is i) satire and parody ii) fiction; and iii) where it is preceded by a statement that the content is not factual.”
Nonetheless, the regulations have some positive elements, among them regulation 10(b) which requires users to use device passwords to ensure that unscrupulous and unauthorized persons do not access their social media accounts.
The requirement for provision of easily accessible user terms and conditions by licensed service providers, adoption of a code of conduct for content hosting, and publication of a safe internet use policy for internet cafes, are also commendable in promoting user awareness of platform policies. The regulations also provide important safeguards for child protection online, such as regulation 13 which prohibits children’s to access to prohibited content online.
In a boost to privacy and data protection, regulation 11 prohibits unauthorised disclosure of “any information received or obtained” under the provisions of the regulations, except where the information is required for law enforcement purposes. Furthermore, regulation 11 restricts use of information only to the “extent” that is “necessary for the proper performance of official duties.” Nonetheless, in the absence of data protection and privacy legislation in Tanzania, these safeguards could be rendered of little value and hence prone to abuse.
It remains to be seen how the new regulations will be enforced and how they will impact on citizens’ rights online. However, given Tanzania’s history of predatory action against internet users following the enactment of the Cybercrime Act, 2015, the new regulations are likely to be utilised to further undermine the internet freedom situation in the country.