Promoting Effective and Inclusive ICT Policy in Africa

Blog

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Blog
19Jul

CIPESA, Small Media Make Stakeholder Submissions to the United Nations Human Rights Council on Digital Rights in South Sudan, Uganda and Zimbabwe

Author CIPESA Writer Posted on

By Ashnah Kalemera |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) together with Small Media last week made joint stakeholder submissions on digital rights in South Sudan, Uganda and Zimbabwe to the United Nations Human Rights Council.

The submissions were made as part of the Universal Periodic Review (UPR) mechanism which is an assessment of a country’s human rights under the auspices of the Human Rights Council. Every United Nations (UN) member state has its human rights record assessed, and all UN member states are involved in the review process. It happens every four-and-a-half years, for every state.

The submissions urge the three countries to ensure that rights to freedom of expression, freedom of information, equal access and opportunity as well as data protection and privacy are protected both offline and online pursuant to constitutional guarantees, regional and international instruments. Based on developments since the three countries’ previous UPR back in November 2016, the submissions make recommendations to be considered during the upcoming third cycle of the UPR, tentatively scheduled for November 2021.

The South Sudan submission was made in partnership with Defy Hate Now and supported by eight institutions – Rise Initiative for Women’s Rights Advocacy (RiWA), Freedom of Expression Hub, Koneta hub, Okay Africa Foundation, Anataban Initiative, IamPeace, Internet Governance Forum (IGF) South Sudan and Information Communication Technology for Development (ICT4D) Network.

The submission for Uganda was supported by Access Now, Freedom of Expression Hub, Women of Uganda Network (WOUGNET), Internet Society – Uganda Chapter and Pollicy.

Access Now, Paradigm Initiative, Zimbabwe Human Rights Association, Association for Progressive Communication (APC), Zimbabwe Lawyers for Human Rights, Zimbabwe Centre for Media and Information Literacy (ZCMIL), Media Alliance of Zimbabwe supported the Zimbabwe Submission.

Read the full submissions:

The three submissions bring to 14 the total number of UPR submissions made by CIPESA and Small Media on digital rights in Africa since 2018. Previous submissions made include: Ethiopia, the Gambia, Kenya, Malawi, Mozambique, Namibia, Nigeria, Rwanda, Senegal, Sierra Leone, and Tanzania

19Jul

How Surveillance, Collection of Biometric Data and Limitation of Encryption are Undermining Privacy Rights in Africa

Author CIPESA Writer Posted on

By Paul Kimumwe |

The right to privacy online has become a critical human rights issue, given its intricate connection with, and its being a foundation for the realisation of other rights including the rights to freedoms of expression, information, assembly, and association and preservation of human dignity. However, many African countries have steadily taken measures to undermine this right, including enacting retrogressive laws and policies that facilitate surveillance and the collection of biometric data, and others that limit the use of encryption

The advent of the Covid-19 pandemic has exacerbated the privacy concerns yet in several countries, digital rights were already under steady attack, including via internet shutdowns, criminalisation of “false news”, misinformation and disinformation campaigns by state and non-state actors, harassment and prosecution of social media users, and growing state surveillance.

In responding to the pandemic, many countries adopted regulations and practices, including deploying surveillance technologies and untested applications, to enable them collect and process personal data for purposes of tracing, contacting, and isolating those suspected to be carrying the virus and those confirmed to carry it. These measures were quickly adopted, often without adequate regulation or oversight.

In this research report, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has analysed laws and policies that impact on privacy, notably those that regulate surveillance, data localisation, biometric databases, and encryption.

The research covered 19 countries – Cameroon, Chad, Egypt, Ethiopia, Kenya, Ghana, Malawi, Mali, Mozambique, Namibia, Nigeria, Rwanda, Senegal, Tanzania, Tunisia, Uganda, Zambia, Zimbabwe, and South Africa.

Summary findings

Growing Surveillance: The research findings show that overall, there has been notable progress in the enactment of specific laws and policies safeguarding the right to privacy, including requiring judicial authority to authorise surveillance in countries such as Kenya, Nigeria, Tanzania, Tunisia and Uganda.

However, there are a few cases, such as in Zimbabwe, where authorisation for monitoring and intercepting communications is offered by non-independent and partial actors such as ministers. In addition, many of the countries’ laws do not measure up to international human rights standards and fail to establish clear and appropriate oversight, redress, and remedy mechanisms.

Indeed, “national security” considerations have been employed in laws in various countries broadly to justify and authorise the interception of communication, restrict privacy rights, grant wide search and seizure powers to law enforcement agencies, mandate intermediaries such as telecommunication service providers to facilitate interception, and to require data localisation.

In addition, while various countries have criminalised illegal surveillance and placed various safeguards on the conduct of state surveillance, many of them still contain retrogressive provisions that leave scope for intrusion, including enabling state surveillance with limited safeguards.

Limitation of Encryption Anonymity and the use of encryption in digital communications are critical in advancing both the right to freedom of expression and right to privacy. In the absence of these rights,  the capacity of individuals to communicate anonymously and without fear of their communications being intercepted cannot be guaranteed.

There are few positive provisions in some countries that require the protection of personal data through technical security measures which include encryption. On the other hand, many countries in the study have passed legislation that limit anonymity and the use of encryption through criminalisation of possession and use of cryptographic software or hardware, providing for fines and prison sentences.

The findings show that in countries like Chad, Malawi, Senegal, Tanzania, Tunisia and Zambia, there are penalties for offering cryptographic services without licensing, registration or authorisation. Interception of communications provisions often require service providers to decrypt any encrypted information that they may intercept in the course of offering assistance to lawful interception. In countries such as Mali and Tanzania, the laws require the encryption service providers, upon registration with the authorities, to disclose the technologies they plan to use for encryption.

Data Localisation The findings show that a growing number of African countries have been legislating on data localisation, which has mostly taken the form of a requirement to store data locally and forbidding unauthorised cross-border data transfers. Various countries have specified the conditions for authorising transfer, mostly where the data subject has offered consent and where an adequate level of protection is assured in the recipient country or international organisation.

Several African countries have adopted different approaches towards data localisation. Several countries use laws on financial services (Nigeria, Ethiopia and Rwanda), cybersecurity and cybercrimes (Rwanda, Zambia and Zimbabwe), telecommunications (Cameroon, Rwanda and Nigeria) and data protection (Kenya, South Africa, Tunisia and Uganda) to place restrictions on cross-border transfer of data.

Some countries have specified the data that cannot be exported without authorisation. Kenya specifies all public data; Nigeria mentions all government data and all subscriber and consumer data; while Zimbabwe, Malawi and Tunisia cite personal information.

Establishment of Biometric Databases  In several countries, government agencies are collecting and processing personal data without adequate data protection laws, amidst limited oversight mechanisms and inadequate remedies. While many have recently passed data protection laws and policies, implementation is not effective, and the safeguards are not water-tight as required under international human rights law.

Some laws in countries such as Chad, Kenya, Tunisia, Uganda, South Africa, and Zimbabwe, prohibit the collection of certain categories of data, including specific types of biometric data generally, or where certain conditions are not complied with. In the other countries studied, the laws require the mandatory collection of biometric information for the registration of telecommunications subscribers, for digital identity programmes and during voters’ registration. Several laws and policies on biometric data collection contain provisions on sanctions and penalties for breach.

Weak Oversight, Transparency and Accountability Mechanisms The study found that countries have adopted different approaches to oversight, including specifying courts, data protection authorities, sector regulators and administrative bodies as key oversight bodies. Some of these bodies are located within the executive, and therefore may lack the proper legal, financial, and institutional independence to stem violations within government, and especially by state security agencies. The laws in most countries require judicial authorities to issue a warrant for interception or monitoring of communications. However, in some countries interception orders can be issued by non-judicial officials, such as ministers.

The deficiency of accountability and transparency is among the weakest links in the various countries’ surveillance laws. While some countries, such as Nigeria, Rwanda, Tunisia, Zimbabwe, have commendable oversight and accountability provisions, it is not known whether they are applied. No entity in any of the countries studied permits public access to records on interception which the laws require state authorities to compile periodically, or publishes any data related to interception warrants issued and if at all they do record such data, they are categorised as classified information under state secrets laws. Thus, the public and oversight institutions such as judiciaries and parliaments remain in the dark about the extent and legality of the conduct of surveillance in the respective countries.

Recommendations

  • Governments should review existing laws, policies and practices on surveillance, including Covid-19 surveillance, biometric data collection, encryption and data localisation to ensure they comply with the principles in the African Commission on Human and Peoples’ Rights (ACHPR) Declaration on Principles of Freedom of Expression and Access to Information in Africa and international human rights standards.
  • Governments should also adopt multi-stakeholder approaches to ensure meaningful participation of all stakeholders in the development of policies and laws that affect the right to privacy and data protection.
  • Civil society actors should use strategic public interest litigation as an avenue to challenge laws that violate privacy rights and push for policies and practices reforms that uphold privacy.
  • Civil society actors should also monitor and document privacy rights violations through evidence-based research, and report on state compliance with their obligations to human rights monitoring bodies.

See the full research report here.

08Jul

New Cyber Law Impedes Civil Liberties in Increasingly Repressive Zambia

Author CIPESA Posted on

By CIPESA Writer |

Zambia is increasingly repressing the exercise of civic rights, a trend that is growing as the country heads to general elections in August 2021. Human rights defenders are equally worried that state agencies could apply the recently enacted Cyber Security and Cyber Crimes Act 2021 to further undermine the digital civic space.

President Edgar Lungu, who has been in power since 2015, is standing for re-election in the August 12 elections. In the last five years of his reign, freedom of expression and peaceful assembly have come under increasing attack, with opposition leaders and activists jailed, and independent media outlets shut down, according to an Amnesty International Report.

The government denies these accusations, claiming the country has a vibrant civil society, a thriving independent media, and an impartial judiciary that protects civil liberties. However, independent analysts dismiss the government’s claims, pointing out that there has been “a creation of a fear society through the demonising of civil society and political opposition, the punishing of dissent, and weaponising the law and applying it selectively against anyone critical of the state.”

The repression in the southern African country has been witnessed both offline and online. Freedom House ranked the country’s state of internet freedom in 2020 as “partly free”, citing network restrictions, arrest of pro-government commentators and online users. And with the recent enactment of the cyber crimes law, worries are growing that the government could employ it as yet another weapon to silence dissenters and critics. Crucially, the new law falls short on protecting individual rights to privacy, anonymity, and freedom of expression online.

Notably, the law was passed amidst criticism that it was primarily aimed at policing cyber space and gagging freedom of expression and speech of government critics and opponents ahead of the August 12, 2021 general election. The government passed the law after rejecting concerns raised by civil society about its regressive provisions.

According to the Bloggers of Zambia, during 2020 seven people were arrested under the Criminal Procedure Code for purportedly defaming the president through posts on social media. Meanwhile, a 2020 report by Citizen Lab, a global digital rights watchdog, identified Zambia as a possible customer of cyber espionage software. This was the second time that Zambia, alongside other African governments, was featured in the report that unmasks clients of surveillance software. The country has also embarked on a Safe City Project that is mounting 24-hour surveillance cameras in public places and on the main road networks, despite its lack of an operational data protection law and regulations to govern the use of such video surveillance.

According to CIPESA’s analysis of the law, while cyber security is critical in the highly evolving technological era, it is important that a rights-based approach is employed in the development of policies and laws to ensure that the adopted laws and policies do not wantonly limit individual rights and freedoms. The Cyber Security and Cyber Crimes Act, 2021 in its current state offers some solutions to emerging challenges in the digital space but has wide negative impacts on the protection, promotion and enjoyment of digital rights and freedoms.

Under international human rights law, the rights to privacy, freedom of expression and information may only be restricted if prescribed by law, in pursuit of a legitimate aim, and if the restrictions are necessary and proportionate in pursuance of a legitimate aim. Many provisions in the Zambian law are vague and overly broad, and in contravention of the principle of legality. The law extends the powers of state authorities to restrict and punish online expression, and gives law enforcement agents leverage to conduct unsupervised surveillance without judicial oversight.

Indeed, the CIPESA analysis shows that Zambia’ cyber law falls short of the established regional and international human rights standards on the right to privacy as laid down in the African Union Convention on Cyber Security and Personal Data Protection, Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), and the African Commission on Human and Peoples’ Rights (ACHPR) Declaration on Principles of Freedom of Expression and Access to Information. 

Accordingly, the Zambian parliament should consider repealing or amending the regressive provisions to ensure the protection of digital rights and freedoms. Short of this, the new law could only serve the purpose of handing enemies of democracy yet another weapon for silencing the legitimate expression of critics, political opponents, and ordinary citizens.

See here CIPESA’s full review of the ramifications of Zambia’s Cyber Security and Cyber Crimes Act 2021.

01Jul

Uganda Abandons Social Media Tax But Slaps New Levy on Internet Data

Author CIPESA Posted on

By Daniel Mwesigwa |

Uganda has ditched the Over-The-Top (OTT) tax that it introduced three years ago on the use of social media services after the tax failed to raise revenues and constrained internet usage. But appearing to not have learnt any lessons, the country has instead introduced a 12% tax on internet data.

Introduced on July 1, 2018, the infamous OTT tax, widely known as ‘social media tax’, required Ugandans to pay a daily levy of Uganda Shillings (UGX) 200 (USD 0.05) in order to access over 50 platforms including Facebook, Twitter, and WhatsApp. President Yoweri Museveni directed the introduction of the social media tax as a ‘sin tax’ to punish social media users in Uganda for the consequences of their “opinions, prejudices [and] insults” and as a means to raise government revenues. 

From inception, sections of civil society and the public saw the tax as an attempt to stifle free speech and access to information – and they warned that the tax would have disastrous effects on the country’s fledgling digital economy and digital civic space. These fears were not unfounded, as Uganda is a notable digital rights predator that has ordered social media blockages and internet shutdowns, besides harassing some social media users that are critical of the government.

Predictions that the social media tax would harm internet use and fail to generate the envisaged revenues indeed came true. At the time the government filed proposals to introduce the OTT tax, the Ministry of Finance projected that up to UGX 486 billion (USD 131 million) could be collected annually by 2022. However, by the end of July 2018, the projections had been revised downwards to UGX 284 billion (USD 78 million) annually. In July 2019, one year after the introduction of the tax, the revenue body reported that it had experienced an annual shortfall of 83%, having collected only UGX 49.5 billion (USD 13.5 million). In the second year, the social media tax fetched a paltry USD 16.3 million. 

Now, beginning July 1, 2021, the government has replaced the OTT tax with a direct 12% levy on the net price of internet data, after which a value added tax (VAT) of 18% will apply. 

According to a social media notice by Roke Telkom, an internet service provider, the charges for a basic 60GB monthly bundle will increase by an extra USD 1.5 per month with the new levy compared to what the same bundle cost when the OTT tax was being levied. In other words, this will cost an additional USD 18 per year compared to what the same bundle cost when the OTT tax was being levied.

Within the first year of the social media tax, Uganda lost five million internet subscriptions due to the negative effects of the tax. Although the tax was envisioned as small and manageable, it did not meet the fairness and proportionality requirements: for a country whose average phone subscriber spends just UGX 10,500 (about USD 2.8) per month on all their voice calls, data, SMS, and access taxes, according to Uganda Communications Commission (UCC) figures, a monthly social media tax of USD 1.5 alone consumes up to 54% of their telecommunication services spend. 

Moreover, in 2018, the Alliance for Affordable Internet (A4AI) showed that the social media tax was likely going to push basic connectivity out of reach for many including the underemployed and unemployed youth who make up over 78% of the population. Additionally, A4AI explained that this tax would increase the lowest income group’s access to the internet by 10%, resulting in just 1GB of data costing them nearly 40% of their average monthly income. 

In the 2020 Affordability Report, Uganda’s data costs are higher than the African average, with 1 GB of data costing up to 8.07% of an average Ugandan’s monthly income compared to Sub-Saharan Africa’s average of 3.1%. According to a 2018 nation-wide survey by the National Information Technology Authority of Uganda (NITA-U), 76.6% of respondents named high cost as the main reason why their use of the internet was limited.

Based on problematic assumptions and projections?

The tax was clearly based on wrong assumptions, and the signs were ominous from early on. In January 2019, the then Minister of ICT, Frank Tumwebaze, reportedly said his ministry could have been misguided by the finance ministry in introducing the social media tax and he promised an impact assessment to gauge potential policy re-alignments. A year later in January 2020, the then revenue body’s Commissioner General, Doris Akol, decried social media tax avoidance through the use of Virtual Private Networks (VPN). She called for the tax to be repealed and replaced with a direct levy on internet data. 

Indeed, since the social media shutdown during Uganda’s 2016 general elections, the use of VPN apps has been growing. These have helped users to avoid paying the OTT tax and to sidestep further internet shutdowns, such as the recent disruption during the 2021 election and the suspension of Facebook access in Uganda, which is in the fifth month now.

According to UCC, as of December 2020, there are 21.4 million active internet subscriptions – translating into a little more than one active connection for every two Ugandans – but the number of subscribers  who paid the OTT tax at least once during that month was 13.7 million. For most months in the lifetime of the tax, the number of OTT taxpayers remained under 10 million. At the time Uganda introduced the tax, the internet penetration rate stood at 47.4% (18.5 million internet subscriptions), meaning in three years, the country has added under three million subscriptions and the penetration rate has risen marginally. 

The new 12% levy comes when Uganda is in the middle of a second wave of Covid-19, which saw the government recently instituting a 42-day lockdown that prohibits all public gatherings, inter-district travel, and public transport. This has rendered digital technologies indispensable to working, learning, public participation, and livelihoods, yet Uganda’s new tax will adversely affect internet access and citizens’ access to information – perhaps more than the now repealed social media tax

Having recently secured a USD 200 million loan from the World Bank to support “access [to] high-quality and low-cost internet, public services online, a digital economy driving growth, innovation and job creation,” Uganda’s new tax seems inconsistent to the larger national visions of digital transformation, including the National Broadband Policy (2018-2023) and the Digital Vision 2040.

But Uganda is not alone on this worrying path. Following the Covid-19 disruptions to domestic economies marked by weakening tax bases, various countries in the region have turned to, or are considering, some form of digital tax as one of the new revenue streams. For example, Zambia and Nigeria have considered plans of imposing direct taxes on OTT services but have withdrawn following backlash. Botswana has indicated it is exploring a digital tax due to a decrease in tax revenue and in 2020, Mauritius introduced a 15% VAT on digital services provided by non-resident companies.

01Jul

Eswatini Must Ensure Internet Availability At All Times

Author CIPESA Posted on

Petition |

Amidst ongoing pro-democracy protests in the southern African kingdom nation of Eswatini, the government is reported to have disrupted access to digital communications including the internet. The Collaboration on International ICT Policy for East and Southern Africa (CIPESA)  joins other human rights actors including the Media Institute of Southern Africa (MISA) Zimbabwe, IFEX and the African Freedom of Expression Exchange (AFEX) to demand the immediate end of the internet shutdown and a restoration of internet access to all the citizens of Eswatini.

The petition is directed at the Eswatini Prime Minister, and copied to regional bodies like the Southern Africa Development Community (SADC) Chairperson, the African Union chairperson and the ACHPR Special Rapporteur on Freedom of Expression and Access to Information –    Commissioner Jamesina King, as well as local internet service providers.

 Below is the full petition.

  

                                                                                                                                       30 June 2021

Joint Petition on the need to ensure internet availability at all times in Eswatini 

We, the undersigned organisations, write to urgently appeal to you, Honourable Prime Minister, to ensure that the internet, social media platforms, and all other communication channels are open, secure, and accessible in regardless of the protests that are currently taking place in Eswatini.

Our appeal is informed by reports that in the wake of the current pro-democracy protests, the Eswatini government has reportedly ordered network providers, Eswatini Post and Telecommunications, Eswatini MTN and Eswatini Mobile, to turn off internet connectivity.

By blocking access to the internet, the Eswatini government is violating fundamental  human rights of all citizens of eSwatini, including but not limited to the right to free speech and opinion, access to information and the right to assembly.

Further, internet shutdowns disrupt emergency services, cripple economies and restrict the flow of business related information and communications, including internet-based banking services and transactions. 

The internet and social media platforms play a critical role in enhancing participatory governance in a democratic society through the provision of space for communicating, public debates and citizens’ right to seek and share information on how they are governed.

We also note with concern that the current Internet shutdown comes at a time when freedom of the media and that of expression have been deteriorating in Eswatini. 

Research shows that internet shutdowns and violence go hand in hand. Shutting down the internet during protests only serves to heighten tensions and this is likely to be followed by more violence.

By disrupting the free flow of information, shutdowns exacerbate existing tensions, and create space to conceal potential violence and human rights violations perpetrated by both state and non-state actors. 

The abhorrent, undemocratic  actions of the government of the Kingdom of Eswatini are a clear violation of the ACHPR principles. The African Commission on Human and Peoples’ Rights (ACHPR) Resolution of 2016, recognises the “importance of the internet in advancing human and people’s rights in Africa, particularly the right to freedom of information and expression.” 

The ACHPR/Res. 362 (LIX) 2016, also condemns the “emerging practice of State Parties interrupting or limiting access to telecommunication services such as the internet, social media, and messaging services.” 

Additionally, UN experts and high-level officials — including the UN Secretary-General — formally affirm that “blanket Internet shutdowns and generic blocking and filtering of services are considered by United Nations human rights mechanisms to be in violation of international human rights law”.

Eswatini Post and Telecommunications, Eswatini MTN and Eswatini Mobile, have a responsibility to Eswatini citizens to keep the internet on. 

Eswatini MTN,  in line with the United Nations Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises, has the added responsibility  to respect human rights, prevent or mitigate potential harms, and provide remedy for harms they cause or contribute to. 

Further, the UN Guiding Principles outlines that “states should take additional steps to protect against human rights abuses by business enterprises that are owned or controlled by the State”.

Honourable Prime Minister, we thus call upon you to immediately end the internet shutdown and restore internet access to all the citizens of Eswatini.

Signed

African Freedom of Expression Exchange (AFEX)

Collaboration on International ICT Policy for East and Southern Africa (CIPESA)

IFEX

Panos Institute Southern Africa 

Media Institute of Southern Africa (MISA) 

cc: Southern Africa Development Community (SADC) Chairperson, His Excellency President Filipe J. Nyusi

cc: Southern Africa Development Community (SADC) Incoming Chairperson, His Excellency Dr. Lazarus Chakwera

cc: The Executive Secretary of the Southern African Development Community (SADC), Dr Stergomena Lawrence Tax

cc: African Union Chairperson His Excellency President Felix-Antoine Tshisekedi

cc: ACHPR Special Rapporteur on Freedom of Expression and Access to Information –    Commissioner Jamesina King  

cc:  UN Special Rapporteur for Freedom of Opinion and Expression Irene Khan 

cc: Eswatini Post and Telecommunications

cc: Eswatini MTN 

cc: Eswatini Mobile

1 38 39 40 41 42 158