Joint Civil Society Statement: States Use of Digital Surveillance Technologies to Fight Pandemic Must Respect Human Rights

Joint Statement |

The COVID-19 pandemic is a global public health emergency that requires a coordinated and large-scale response by governments worldwide. However, States’ efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance.

We, the undersigned organizations, urge governments to show leadership in tackling the pandemic in a way that ensures that the use of digital technologies to track and monitor individuals and populations is carried out strictly in line with human rights.

Technology can and should play an important role during this effort to save lives, such as to spread public health messages and increase access to health care. However, an increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities – undermining the effectiveness of any public health response. Such measures also pose a risk of discrimination and may disproportionately harm already marginalized communities.

These are extraordinary times, but human rights law still applies. Indeed, the human rights framework is designed to ensure that different rights can be carefully balanced to protect individuals and wider societies. States cannot simply disregard rights such as privacy and freedom of expression in the name of tackling a public health crisis. On the contrary, protecting human rights also promotes public health. Now more than ever, governments must rigorously ensure that any restrictions to these rights is in line with long-established human rights safeguards.

This crisis offers an opportunity to demonstrate our shared humanity. We can make extraordinary efforts to fight this pandemic that are consistent with human rights standards and the rule of law. The decisions that governments make now to confront the pandemic will shape what the world looks like in the future.

We call on all governments not to respond to the COVID-19 pandemic with increased digital surveillance unless the following conditions are met:

  1. Surveillance measures adopted to address the pandemic must be lawful, necessary and proportionate. They must be provided for by law and must be justified by legitimate public health objectives, as determined by the appropriate public health authorities, and be proportionate to those needs. Governments must be transparent about the measures they are taking so that they can be scrutinized and if appropriate later modified, retracted, or overturned. We cannot allow the COVID-19 pandemic to serve as an excuse for indiscriminate mass surveillance.
  2. If governments expand monitoring and surveillance powers then such powers must be time-bound, and only continue for as long as necessary to address the current pandemic. We cannot allow the COVID-19 pandemic to serve as an excuse for indefinite surveillance
  3. States must ensure that increased collection, retention, and aggregation of personal data, including health data, is only used for the purposes of responding to the COVID-19 pandemic. Data collected, Fed, and aggregated to respond to the pandemic must be limited in scope, time-bound in relation to the pandemic and must not be used for commercial or any other purposes. We cannot allow the COVID-19 pandemic to serve as an excuse to gut individual’s right to privacy.
  4. Governments must take every effort to protect people’s data, including ensuring sufficient security of any personal data collected and of any devices, applications, networks, or services involved in collection, transmission, processing, and storage. Any claims that data is anonymous must be based on evidence and supported with sufficient information regarding how it has been anonymized. We cannot allow attempts to respond to this pandemic to be used as justification for compromising people’s digital safety.
  5. Any use of digital surveillance technologies in responding to COVID-19, including big data and artificial intelligence systems, must address the risk that these tools will facilitate discrimination and other rights abuses against racial minorities, people living in poverty, and other marginalized populations, whose needs and lived realities may be obscured or misrepresented in large datasets. We cannot allow the COVID-19 pandemic to further increase the gap in the enjoyment of human rights between different groups in society.
  6. If governments enter into data sharing agreements with other public or private sector entities, they must be based on law, and the existence of these agreements and information necessary to assess their impact on privacy and human rights must be publicly disclosed – in writing, with sunset clauses, public oversight and other safeguards by default. Businesses involved in efforts by governments to tackle COVID-19 must undertake due diligence to ensure they respect human rights, and ensure any intervention is firewalled from other business and commercial interests. We cannot allow the COVID-19 pandemic to serve as an excuse for keeping people in the dark about what information their governments are gathering and sharing with third parties.
  7. Any response must incorporate accountability protections and safeguards against abuse. Increased surveillance efforts related to COVID-19 should not fall under the domain of security or intelligence agencies and must be subject to effective oversight by appropriate independent bodies. Further, individuals must be given the opportunity to know about and challenge any COVID-19 related measures to collect, aggregate, and retain, and use data. Individuals who have been subjected to surveillance must have access to effective remedies.
  8. COVID-19 related responses that include data collection efforts should include means for free, active, and meaningful participation of relevant stakeholders, in particular experts in the public health sector and the most marginalized population groups.

Signatories:

7amleh – Arab Center for Social Media Advancement

Access Now

African Declaration on Internet Rights and Freedoms Coalition

AI Now

Algorithm Watch

Alternatif Bilisim

Amnesty International

ApTI

ARTICLE 19

Asociación para una Ciudadanía Participativa, ACI Participa

Association for Progressive Communications (APC)

ASUTIC, Senegal

Athan – Freedom of Expression Activist Organization

Barracón Digital

Big Brother Watch

Bits of Freedom

Center for Advancement of Rights and Democracy (CARD)

Center for Digital Democracy

Center for Economic Justice

Centro De Estudios Constitucionales y de Derechos Humanos de Rosario

Chaos Computer Club – CCC

Citizen D / Državljan D

Civil Liberties Union for Europe

CódigoSur

Coding Rights

Coletivo Brasil de Comunicação Social

Collaboration on International ICT Policy for East and Southern Africa (CIPESA)

Comité por la Libre Expresión (C-Libre)

Committee to Protect Journalists

Consumer Action

Consumer Federation of America

Cooperativa Tierra Común

Creative Commons Uruguay

D3 – Defesa dos Direitos Digitais

Data Privacy Brasil

Democratic Transition and Human Rights Support Center “DAAM”

Derechos Digitales

Digital Rights Lawyers Initiative (DRLI)

Digital Security Lab Ukraine

Digitalcourage

EPIC

epicenter.works

European Digital Rights – EDRi

Fitug

Foundation for Information Policy Research

Foundation for Media Alternatives

Fundación Acceso (Centroamérica)

Fundación Ciudadanía y Desarrollo, Ecuador

Fundación Datos Protegidos

Fundación Internet Bolivia

Fundación Taigüey, República Dominicana

Fundación Vía Libre

Hermes Center

Hiperderecho

Homo Digitalis

Human Rights Watch

Hungarian Civil Liberties Union

ImpACT International for Human Rights Policies

Index on Censorship

Initiative für Netzfreiheit

Innovation for Change – Middle East and North Africa

International Commission of Jurists

International Service for Human Rights (ISHR)

Intervozes – Coletivo Brasil de Comunicação Social

Ipandetec

IPPF

Irish Council for Civil Liberties (ICCL)

IT-Political Association of Denmark

Iuridicum Remedium z.s. (IURE)

Karisma

La Quadrature du Net

Liberia Information Technology Student Union

Liberty

Luchadoras

Majal.org

Masaar “Community for Technology and Law”

Media Rights Agenda (Nigeria)

MENA Rights Group

Metamorphosis Foundation

New America’s Open Technology Institute

Observacom

Open Data Institute

Open Rights Group

OpenMedia

OutRight Action International

Pangea

Panoptykon Foundation

Paradigm Initiative (PIN)

PEN International

Privacy International

Public Citizen

Public Knowledge

R3D: Red en Defensa de los Derechos Digitales

RedesAyuda

SHARE Foundation

Skyline International for Human Rights

Sursiendo

Swedish Consumers’ Association

Tahrir Institute for Middle East Policy (TIMEP)

Tech Inquiry

TechHerNG

TEDIC

The Bachchao Project

Unwanted Witness, Uganda

WITNESS

World Wide Web Foundation

In Search Of Safe Space Online: Research Summary

By WomenAtWebUg |

Efforts to improve digital rights and digital literacy among more women in Africa should be supported by a thorough understanding of the online and offline social structures that influence the extent to which women can be active participants in the digital arena. This is key to realising Goal five of the Sustainable Development Goals which aims to achieve gender equality and empower all women and girls, who have historically been in a position of disadvantage for various reasons including cultural norms, lack of economic opportunity, and low literacy.

Across Africa, various discussions continue to reiterate how obstacles such as unequal access to finance, education and tech devices inhibit many women from participating in the digital society. However, beyond governments, additional efforts are required by other stakeholders including civil society, the tech community, academia, and the private sector to address these gaps. It is against this background that the Women At Web Alliance was initiated in October 2017 with an aim to improve digital literacy among African women, with a focus on Kenya, Tanzania, Rwanda, and Uganda. With support from Deutsche Welle (DW) Akademie, in Uganda an alliance of five organisations is working to strengthen the skills of women through digital security workshops, raising awareness on digital rights, and building digital literacy skills. As part of this work, Chapter Four, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the Defenders Protection Initiative (DPI), Not your Body and Unwanted Witness conducted research into the nature of challenges faced by Ugandan women who are active online, and manifestations of  cyber Violence Against Women (VAW). The results of the study are intended to be used to address these challenges, including through the improvement of digital literacy among more Ugandan women, policy development, and informing responsive safety mechanisms.

Women in Uganda face various challenges that undermine their use of the web and other Information and Communications Technology (ICT). These challenges mirror the impediments which women face in the offline world, be it in access to education and economic opportunities, participation in civic processes, or in claiming their freedom of expression and assembly. 

Despite a large gender disparity in digital access, more women face various forms of online violence than their male counterparts, which has continuously undermined their participation online. The absence of laws designed to specifically address the various forms of digital violence (such as revenge pornography, trolling, and threats) and the lack of sufficient in-country reporting mechanisms, exacerbate these challenges and often result in many women being forced to go offline or resorting to self-censorship. Additional consequences of cyber VAW mentioned included psychological, emotional and the physical abuse.

See the In Search Of Safe Space Online: Research summary.

Building a Robust Data Protection Regime in Senegal

By Simone Toussi |
Across Africa, there is a push for digitalisation with different countries at various stages of technology adoption and varying levels of legislative regimes that uphold human rights in the digital sphere.
Senegal is among the African countries that remain committed to upgrading legal and institutional frameworks governing the technology sector. Senegal passed a data protection law twelve years ago and was among the  first African states and the first African Francophone country to ratify the Africa Union Convention on Cyber Security and Personal Data Protection in 2016. It has therefore established itself among the pioneers in data governance in Africa.
Given rapid developments related to biometrics, big data, artificial intelligence, and cloud computing, among others, the government of Senegal is in the process of repealing law n° 2008-12 of January 25, 2008 which governs personal data protection. A draft bill published at the tail end of 2019 to replace the preceding law is currently under public consultation.
On February 27 – 28, 2020, Jonction Senegal, in partnership with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and Facebook hosted a workshop to review the Personal Data Protection Bill, 2019 and make relevant recommendations from a digital rights perspective. The workshop brought together 25 participants including officials from the Personal Data Commission (CDP), the Ministry of Digital Economy and Telecommunications, the Ministry of Women, Family and Gender, the Ministry of Justice, and representatives from the private sector, and civil society organisations including human rights defenders, lawyers, academia, bloggers and journalists.
Opening the workshop, Professor Mamadou Niane, Director of the Legal Department of the CDP justified the draft bill, citing inadequacies in the 2008 law given the dynamic digital environment and emergence of a diversity of players and threats. Furthermore, he noted the need for convergence with regional and international data protection developments and standards such as those laid out in the General Data Protection Regulation (GDPR), the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data signed and ratified by Senegal in 2016, the Budapest Convention, and the African Union Convention on Cyber Security and Personal Data Protection. According to Prof. Niane, other considerations for a new law related to the composition and oversight powers of the CDP and compliance monitoring mechanisms are also to be addressed. He stated that the draft bill provided for data protection principles in the proposed article 7 including the need for processing within the legal requirements, seeking consent, and necessity with exceptions tied to processing for lawful purpose.
Indeed, Diagne El Hadji Daouda, a cybersecurity specialist from the Computech Institute highlighted the importance of data security and commended the draft bill for outlining the principles of identification and authentication, confidentiality, availability and integrity (non-alteration or modification of the data during processing) under Articles 42 and 43. He also commended the proposed obligations for data controllers to put in place encryption measures and regularly review them to ensure data security; and the notification of breaches  to data subjects and authorities (Article 44). However, Daouda noted that despite these provisions, the draft bill did not incorporate the principle of anonymisation, which is crucial for preserving personal data confidentiality and guaranteeing its security.
The draft bill proposes the establishment of the Personal Data Protection Authority (APDP) to replace the CDP – with a diverse member composition including non-governmental representation. Member nomination is by decree of the president (Article 52). However, a number of provisions in the draft bill refer to a Control Authority and a Protection Authority, which seem separate from the APDP.
Dr. Ndiogou Thierno Amadou, Lecturer and Researcher at the Faculty of Legal and Political Sciences of Cheikh Anta Diop University (UCAD), raised concerns about the distinction between the three different authorities mentioned in the draft bill. Participants therefore urged for clarity on the role of the Control Authority (Article 44), as well as a clear definition and distinction between the APDP and the Protection Authority (Article 62) to avoid ambiguities. The  CDP’s Prof. Niane clarified that all mentions of an authority  in the draft bill refer to the APDP and that the necessary revisions would be made in the next draft.
The need to strike a balance between freedom of expression and personal data protection also emerged.  In his presentation, independent journalist and Director of PressAfrik.com Faye Ibrahima Lissa cited the continent-wide trend in legislative restrictions to freedom of expression on grounds of national security and public order. He emphasised that exemptions under the proposed article 105 of the draft bill relating to personal data for the purposes of journalism, research, artistic or literary expression should be precise to avoid them being used to persecute critical voices.
Similarly, Joe Marone, a media trainer and head of online radio Futurs Media noted the fundamental role of journalists in seeking the truth and being the moral conscience of public opinion and civil society. In this regard, journalism ethics and code of conduct pre-empt personal data protection through protection of sources. However, given the advent of data journalism and citizen journalists, the draft bill serves to better guarantee personal data protection within the profession.
Other issues that emerged included age of consent to data collection. Consent is defined as a declaration or clear affirmative action, either orally or in writing that gives permission to process personal data (article 8). The age of consent is not provided for in the draft bill.  Prof. Niane stated that ongoing efforts at the CDP and Ministry of Justice in partnership with the Ministry of Digital Economy and Telecommunications seek to establish a Children’s Code and related strategy dedicated to minors’ protection in the context of data protection and privacy.
The workshop participants made the following formal recommendations for revision in the next draft of the bill:

  • Set a minimum age of consent
  • The president of the ADPD should be appointed through an internal election by members in order to guarantee the authority’s autonomy.
  • Provide for adequate resource allocation to the APDP to facilitate smooth implementation and enforcement of the law
  • Provide for APDP oversight in procurement and contracting of public or government projects involving personal data collection and processing
  • Provide for authority of the APDP to collect and recover financial penalties imposed on offenders and pass them on to the victims of data breaches.
  • Strengthen the financial autonomy of the APDP by granting it 50% of the amounts recovered from any data protection operations
  • Provide for legal personality of the ADPD to give it perpetual succession with capacity to sue and be sued in its name.

Representatives of the CDP and the Ministry of Digital Economy and Telecommunications welcomed the recommendations and committed to including them in the next draft of the bill, before submission to the General Secretariat of the Presidency of Senegal.

Senegal to Review Data Protection Law

By Thomas Robertson |

Twelve years after being among the first African countries to enact data protection legislation, Senegal has published a bill to replace the 2008 Personal Data Protection Law. The Personal Data Protection Bill of 2019 is part of the government’s goal of upgrading the legal and institutional framework of the technology and telecommunications sector by 2025 as part of “Digital Senegal 2016-2025 Strategic Plan” and seeks to address key emerging digital issues including biometrics, big data, artificial intelligence, geo-location and cloud computing. Further, the bill seeks to address  gaps in the existing legislation related to the composition and independence  of the oversight authority, mechanisms for self-referral, and cross-border cooperation.

In January 2008, Senegal adopted Law No. 2008-12 of 25 which provides a legal and institutional framework for the protection of personal data. The law established an independent authority known as the Commission of Personal Data (CDP) whose mandate is to ensure that the processing of personal data is implemented in accordance with the provisions of this law, and upholds the rights of data subjects and the obligations of data processors. A few years later in 2016, Senegal went on to become the first African country to ratify the continent-wide convention on Cyber Security and Personal Data Protection, which was adopted by the African Union in 2014.

Despite being a pioneer on data governance in Africa, implementation and enforcement of the law has remained a challenge. There have been reports of resource limitations for the CDP to sufficiently fulfill its mandate. In February 2018, CDP president Awa Ndiaye made a plea for government assistance to support efforts for sensitisation and compliance monitoring.

Meanwhile, the country has recorded a growing telecommunications sector, with a 2018 internet penetration rate of 68.49%, a diverse digital media and technology innovation landscape. However, several private and public actors continue to collect personal data in Senegal without any regulatory enforcement by the CDP. This is the case for mandatory SIM card registration implemented by the Regulatory Authority for Telecommunications and Posts (ARTP) through mobile telecom operators, which is  linked to the national identity database.

The principles of the bill state that collection, registration, processing, storage and transmission of personal data must be done in a lawful, fair and non-fraudulent manner. According to Article 7 of the bill, personal data processing is defined as lawful if “consent is given, processing is necessary for legal obligations, a task of public interest, a task related to exercising public authority, the implementation of policy, or in order to protect the interest of fundamental rights and liberties of the person whose data is being processed”.

Consent is defined as a declaration or clear affirmative action, either orally or in writing, that gives permission to process personal data (Article 8). The data processed must be stored securely and confidentially, be limited to data relevant to the task at hand, and be stored only within the period necessary (Articles 10-12). The bill also addresses third party processing of data and mandates a contract between the data controller and subcontractor that guarantees compliance with the law (Article 16). Article 110 maintains the rights of a data subject to access data held about them and to monitor its accuracy.

Section 1 of the bill proposes the establishment of the Personal Data Protection Authority (APDP) to replace the existing CDP. The APDP would operate much like the CDP, but its member composition is different in size and selection. The APDP would have 12 members, one more than the CDP. The APDP’s composition would be two presidential representatives, and one representative each from the National Assembly, the Finance Ministry, the Justice Ministry, the Ministry of Telecommunications and Digital Economy, a business organisation, a digital media organisation, a medical organisation, a human rights organisation, a civil society organisation and the Bar Association of Senegal. On the CDP, there are three presidential representatives, a deputy nominated by the head of the National Assembly, a Senator nominated by the head of the Senate, one magistrate member each from the Council of State and the Court of Cassation, the Director of the State Digital Information Agency (ADIE), a lawyer nominated by the Chairman of the Bar Association of Senegal and one representative each from a business organisation and a human rights organization.

The proposed constitution of the APDP is a four-member increase in the non-governmental representation in the oversight body, replacing seats formerly taken by government representatives and presidential advisors. Even if these non-governmental representatives must be nominated by decree of the president, the inclusion of non-state actors in APDP’s membership bodes well for incorporating the interests of civil society into the work of the Authority. Moreover, the 2019 bill builds on the 2008 law’s promise of CDP’s impartiality and protection of members’ freedom of expression by guaranteeing that members cannot be detained, arrested, or punished based on their opinions or decisions made.

Under the proposed law, exemptions apply when processing personal data for the purposes of journalism, research, artistic or literary expression, if implemented within “the ethical standards of these professions” (Article 105). Exemptions under the existing law are outlined under Article 2, which states that “any processing of data relating to public security, defense, investigation and prosecution of criminal offenses or state security, as well as significant economic or financial interests of the State, is subject to the exceptions defined by this law and specific provisions on the matter set by other laws.”

Provisions proposed under Section 6 specifically speak to personal data and law enforcement. Section 6  states that data collection as part of crime prevention, investigation and punishment must respect the principles of necessity and proportionality as well as follow a legitimate goal. Although both the 2008 law and 2019 bill do well in defining technical terms, “legitimate goal” is undefined in the bill, and as such, is a vague description that may be subject to abuse by the government.

The bill also introduces regulation of video surveillance, with a requirement for a visible  notification of the presence of the surveillance system, a receipt reference issued by the Authority, and contact details of the person or service responsible for the “rights of access, opposition and deletion” of content from the video system (Article 121). Other than for purposes of safety of property and people, the installation of video surveillance for “systematic, deliberate and permanent monitoring” at places of work as defined in the Labor Code is outlawed (Article 120). Video monitoring at workplaces was a contentious issue in Senegal in 2019.

Article 128 expands the definition of “sensitive data,” which is illegal to process, to include familial descent and genetic data. Article 129 allows the processing of genetic data only in order to verify the existence of genetic connections in the context of court proceedings or criminal investigations. This expanded definition of “sensitive data” builds upon how it was defined under the previous law, where sensitive data was defined as personal data relating to religious, philosophical, political, and labor union activities, as well as sexual life, race, and health.

In a move to promote research and collaboration, the management of big data is also included in the bill, mandating that risks of big data collection and processing must be identified and evaluated (Article 114). Additionally, Article 118 sets out the conditions  for the use and reuse of open data.

Overall, the bill is a significant step towards establishing a modernised data protection framework for Senegal that is rights respecting, and provides a conducive environment to support innovation amidst an increasingly digitised environment. Public consultations on the bill are ongoing and it remains to be seen whether ongoing drafting will incorporate recommendations and provide clarity on ambiguous/vague provisions.

Thomas Roberston is a fourth-year undergraduate student studying international affairs and foreign languages at Occidental College in Los Angeles, California, United States. He is currently interning with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) as part of research on his final year composition paper on digital expression and China-Africa relations. 

Are Malawians Sleep-Walking into a Surveillance State?

By Jimmy Kainja |
In the last three years, the Malawi government has passed a lot of legislation, among these, is the National Registration and Identification System (NRIS), which according to the National Registration Bureau, is aimed at addressing the lack of universal and compulsory registration – the NRIS allows Malawians to have a national ID.
According to UNDP, one of the main funders of the exercise, 9 million Malawians have registered as of October 2019. This shows that Malawians have generally welcomed the exercise. Meanwhile, the registration in on going all District Offices where anyone turning 16 years can register and have their ID card issued.
Reasons for the general acceptability of the ID registration differ and in absence of any survey it is difficult to generalise the reasons but it can be speculated that among the reasons is that the majority of Malawians lacked any form of ID to do daily transactions. Majority Malawians do not have a passport or driver’s license and yet advance in technology, mobile banking for example, has increased demand for IDs in the country.
Following the NRIS exercise, the national ID has become increasingly become the only form of identification for most public transactions and registrations. In 2018 Malawi government through its telecoms regulator, MACRA, rolled out mandatory SIM Card registration, this is provided for in PART XI of Communications Act, 2016. The voter registration for 2019 tripartite elections required the national ID as a form of identification; and now commercial banks in the country have rolled out what they are calling “know your customer” (KYC) exercise, in which clients have to update their personal information with the banks. This time the banks are only accepting the national ID as a form of identity for Malawians, and passport for none Malawians.
This means that in a very short space of time Malawians have given away a lot of their personal data to both private and public institutions. All the data is tied to one’s national ID. This includes our communication data through our SIM Card enabled communication – internet, text messages and voice calls. But who how safe is this personal data? During the voter registration exercise did we not hear of Malawi Electoral Commission found abandoned in Mozambique? How do we ensure that our personal data is safe? How can we be sure that no third parties have access to our personal data? Who should be held accountable in case of any data breach?
These are legitimate questions, especially as any breach of personal data has implications on personal privacy. Privacy is inviolable right and it is constitutionally provided for under article 21 of Malawi constitution. Often people argue that you should not worry about privacy if you have nothing to hide. Yet, privacy does not mean that you have something to hide.
Journalist, Glenn Greenwald observes that privacy is important because we all need places where we can go to explore the issue without the judgmental eyes of other people being cast upon us. He argues that their people have all kinds of things they want to keep a secret that has nothing to do with criminality. He adds:
“only in a realm where we’re not being watched can we really test the limits of who we want to be. It’s really in the private realm where dissent, creativity and personal exploration lie… When we think we’re being watched, we make behaviour choices that we believe other people want us to make … it’s a natural human desire to avoid societal condemnation. That’s why every state loves surveillance — it breeds a conformist population.”
In the wake of mass personal data collection, Malawi needs personal data protection legislation, and this legislation should have been in place before the NRIS and what has followed that exercise. Data protection is important in order to prevent third parties from accessing personal data and also stopping the authorities abusing personal data they collected in good faith.
Personal data protection is crucial for freedom of choice and freedom of expression. People are unable to express themselves freely in the presence of watchful eye on everything that you are doing, browsing on the Internet for example. Inevitably, this has a chilling effect on activists, human rights defenders and other vulnerable communities as these groups can easily be targeted by both state and non-state actors.
The mass collection of personal data in the absence of data protection law should be of concern to all Malawians as it has the capacity to allow state surveillance. Furthermore, the mandatory SIM card registration in the absence of data protection laws means that our private communication, online and offline can easily be violated by both state and non-state actors. As with the mandatory SIM card registration, governments usually use security to introduce laws and policies. But you cannot protect people on one hand while violating other rights and freedoms on the other. Security and civil liberties can and do coexist and it is the obligation of the state to balance the two.
*Note: this article is informed by Internet freedom and digital rights training for CSOs I coordinated and co-facilitated in Lilongwe (30-31st July 2019) on behalf of The Collaboration on International ICT Policy in East and Southern Africa (CIPESA).
This article was originally published in The Nation