By Edrine Wanyama
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. As of 2017, Sub-Saharan Africa (SSA) had a mobile subscription rate of 44% which is projected to reach 52% by 2025. Further, SSA’s mobile internet penetration by 2017 stood at 21% and is anticipated to increase to 40% by 2025. However, the region has registered the largest number of cases of mandatory SIM card registration, yet it suffers some of the biggest challenges in personal data protection and privacy.
The benefits of SIM card registration include facilitation of citizens’ access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks. In addition, it aids combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services. Accordingly, many governments argue that mandatory SIM card registration is for purposes of safeguarding digital and physical security. However, critics argue that when SIM card registration is effected without due safeguards, it poses a threat to privacy and freedom of expression.
Indeed, in 2013 Mexico repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” Finland has not enforced compulsory SIM card registration; nonetheless, through voluntary mobile signatures, service providers have succeeded in facilitating users’ access to relevant retail, banking and e-Government services.
Globally, over 90 countries conduct compulsory SIM card registration, yet some remain without a clear policy on its implementation. Amidst criticisms that mandatory registration does not necessarily combat cybercrime, as criminals take the necessary precautions to avoid being detected and circumvent mandatory SIM card registration, African countries continue to proactively enforce SIM card registration. Among the prevailing challenges on the continent is the difficulty in validating identity documents in an environment with a wide range of service providers who create room for potential circumvention.
Mandatory registration has negatively affected access and usage of mobile telecommunication services due to the tedious process which entails the production of documentation such as passports and national identity cards prior to registration, which sometimes results in failure to attain a SIM card, disconnection, or deactivation of SIM cards.
Additionally, there have been repetitive calls for registration of SIM cards in countries such as Uganda and Nigeria with personal data being collected more than once. In Uganda, despite government explanation that SIM card verification is aimed at ensuring secure and safer communications, citizens have unanswered questions on the exercise. Suspicion arises due to a fresh validation of SIM card registration using national identity cards subsequent to registration which was initially done using valid documents such as students’ identity cards, driving permits and passports.
Double collection of personal data may partly imply collection of data beyond what is necessary for the purpose contrary to the internationally established data protection principles such as those set out in the Organisation for Economic Co-Operation and Development (OECD) Data Protection Principles. Further, there is no guarantee of individual privacy as most of the African countries do not have data protection laws. Moreover, most of the existing data protection laws do not meet internationally recognised standards considered sufficient to guarantee personal data protection and are therefore regarded as offering moderate or limited protection.
Meanwhile, efforts to buttress data protection in Africa have not yielded much. Out of 54 countries on the continent, only 14 have data protection laws (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe). A few others such as Uganda, Kenya, Nigeria, Tanzania and Niger have Bills. Regional efforts have also not yielded much. The Convention on Cyber Security and Personal Data Protection which was adopted by the African Union in 2014 has registered only 10 signatories (Benin, Chad, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, Zambia and Comoros) and one ratification by Senegal.
Ultimately, there is need to reconcile state interests with citizens’ personal data and privacy rights. Mandatory registration, especially in the absence of clear registration guidelines and the lack of data protection laws, puts personal data at risk. African governments need to learn from other jurisdictions such as Europe with regard to processing of personal data as part of SIM card registration. In enforcing SIM card registration, there should be clearly set registration timelines and clear and unambiguous registration requirements.
CIPESA Submits Comments On The Uganda Data Protection and Privacy Bill, 2015
Official Submission
Article 27 of Uganda’s constitution provides for citizens’ right to privacy; however, there is no law to protect an individual’s data privacy despite the large amounts of citizen data collected by government departments and private entities on a regular basis. More concerning is that this data is collected with no guarantee of its protection and privacy.
Some existing legislation, for instance the Computer Misuse Act, 2011 (section 18); Access to Information Act, 2005 (section 26); Uganda Communications Act, 2013 (section 79); Electronic Signatures Act, 2011 (section 81); and the Regulation of Interception of Communications Act, 2010 (section 2) prohibit unauthorised access and disclosure of information. However, the provisions in these laws are not elaborate and do not adequately protect personal data.
The publication of the draft Data Protection and Privacy Bill 2014 was therefore a milestone. Accordingly, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) submitted comments to that version of the bill. Various concerns were raised including vague wording which left the bill open to misinterpretation, unclear procedural processes for collection and retention, as well as the costs associated with accessing personal data.
More recently on , CIPESA welcomes the Parliament of Uganda’s call for submissions on the Draft Data Protection and Privacy Bill, 2015. It once again gives opportunity for stakeholders to provide input to ensure that the law, when enacted, measures up to internationally acceptable standards of data protection.
In our latest submission, we highlight some of the positive principles and provisions of the Bill. Furthermore, we indicate areas of concern and suggest amendments to ensure that if the bill is passed into law, there are sufficient safeguards to regulate the collection, storage and use of data towards upholding citizens’ right to privacy.
See the full submission made on the Uganda Data Protection and Privacy Bill, 2015 presented to the Committee on Information and Communication Technologies (ICT) in the Parliament of the Republic of Uganda
With the sheer amount of data – including personal data – that #Uganda citizens are sharing, it is NB to have a well crafted law to safeguard this data!
See our comments on the #Uganda #DataProtection #DataPrivacy bill 2015 -> https://t.co/Clf5jvfK5j pic.twitter.com/SQmeVFyMwn
— CIPESA (@cipesaug) February 15, 2018
Report: Women's Rights and the Internet in Uganda
By APC, CIPESA, WOUGNET
This submission is a joint stakeholder contribution to the second cycle of the Universal Periodic Review (UPR) mechanism for Uganda. This submission focuses on women’s rights and the internet in Uganda. It explores the extent of implementation of the recommendations made in the previous cycle of the UPR and also identifies emerging concerns in Uganda regarding women’s rights online.
See the full report here
CIPESA Convenes Journalists to Discuss Uganda’s Data Protection Bill
By Esther Nakkazi
Ugandan citizens’ personal data may be at risk of misuse if the Uganda Data Protection and Privacy Bill (2014) to be tabled before parliament is passed in its current form. Currently, large entities like telecommunications service providers, insurers, hospitals and even schools retain the information of millions of citizens who remain unaware of how secure their information is, especially as more of it becomes digitised.
While Uganda called for comments to the Bill in late 2014, little progress was made on it over the course of 2015. According to Gloria Katuuku from the Ministry of ICT, the comments received have been incorporated into a revision of the bill. “We brought this Bill before the public so that we get conclusive remarks. The bill has been gazetted and will be tabled in parliament, meaning at this time we shall just compile the concerns,” said Katuuku. She was speaking at a workshop convened by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) where Ugandan parliamentary journalists discussed data protection and privacy with reference to the bill.
The workshop was organised in conjunction with the Uganda Parliamentary Press Association (UPPA) and aimed to create awareness among parliament journalists about clauses in the proposed law that contravene citizens’ rights, including to privacy. Few journalists were aware that government had drafted the law and called for robust media engagement with Members of Parliament so as to generate debate on data protection and privacy issues.
The former Chairman of parliament’s ICT Committee, Edward Baliddawa, said the data protection law should have been the basis for other cyber laws in Uganda. He added that as the country edges towards e-commerce, such as business process outsourcing, there is a need to regulate data controllers.
“This Bill is good for our safety and privacy as individuals and to become an e-commerce country,” he said. However, he also called for continuous engagement with all stakeholders across the lifespan of the bill – drafting, tabling to parliament and any eventual amendments.
Although existing laws such as the Electronic Signatures Act, 2011, the Computer Misuse Act, 2011, the Regulation of Interception of Communications Act 2010 and the Communications Commission Act 2013 cover aspects of data protection and privacy, they contain contradictions and potentially expose users’ information to unwarranted access and misuse by authorities. Lillian Nalwoga, CIPESA’s Policy Officer, said of the laws: “These laws have broad terminologies that should be amended to repeal contradictory provisions and this can be done within the Data protection and Privacy Bill, 2014 in the contexts of data users and collectors, and to prevent abuse.”
See this Overview of How ICT Policies Infringe on Online Privacy and Data Protection in Uganda
But the proposed data protection and privacy law that is meant to address privacy of citizens’ communications and data still has ambiguous terminologies, unclear definitions and arbitration issues that will negate its purpose.
According to CIPESA officials, the drafting phase should further engage with and seek consultations with different stakeholders including civil society, private sector, the media and academia for an extended period prior to tabling it before parliament. This would ensure that the law passed “is inclusive, accommodative and addresses the concerns raised by all the stockholders,” said Wakabi Wairagala, the head of CIPESA.
At the workshop, CIPESA officials referred journalists to various areas of concern in the draft bill including some of its ambiguous terminologies, such as Section 4 (2) which states that personal data may be collected or processed where necessary for ‘national security’ or for the ‘proper performance’ of a public duty by a public body. However, these words can be misinterpreted and leave room for the access to and abuse of citizens’ information.
Meanwhile, Section 7 (2) says data can be collected from another person, source or public body in certain circumstances without the consent of the owner. The length of time that the collected personal data can be retained is also not indicated. Section 14 (1) states that the data cannot be held for a period longer than is necessary and says it will be retained for national security purposes.
Overall, the bill does not explicitly state what constitutes a ‘privacy infringement’, thereby leaving users’ data open to abuse by data collectors and processors. It also does not state the procedures for citizens to access their data.
See CIPESA’s review of the Bill: Reflections on the Draft Data Protection and Privacy Bill
Promoting Online Safety in Africa
The global community on February 10 marked Safer Internet Day which promotes safe and responsible use of Information and Communication Technologies (ICT) mainly amongst children and young people across the world.
The day provided an opportunity to see what African stakeholders are doing in promoting access to the internet and ensuring that this access comes with a culture of digital safety habits.
Companies like Google Africa in partnership with local organisations marked the day by hosting a series of events across the continent targeting youth and advocating for better internet practices. This included a hangout session that brought together audiences from Nigeria, Senegal, South Africa and Kenya.
In East Africa, the OpenNet Africa initiative held a Twitter chat to explore internet safety and security while questioning how various organisations are addressing these issues.
@safeinternetday @OpenNetAfrica Supporting #SID2015 with a focus on how we can promote more internet safety practices in #Africa
— CIPESA (@cipesaug) February 10, 2015
@OpenNetAfrica @ISOCUg @cipesaug #SID2015 #SID2015UG All stakeholders play a role in ensuring Safety Online
— ILICIT Africa (@ILICIT_Africa) February 10, 2015
The discussion noted that a number of challenges exist in the online sphere due to the increased internet exposure for youth and adults alike. While the internet is a useful educational resource, it has become home to online child predators and even sparked trends in online bullying and the sharing of sensitive information amongst youth unaware of the repercussions that this may have.
We have lived through this technological revolution naively oblivious of what impact it might have on our children. #SID2015UG
— Gloria Katuuku (@gkatwine) February 10, 2015
According to the State of Internet Freedom in East Africa 2014 report, increasing internet usage in the region, particularly access to social network sites such as Facebook and Twitter, has led to an increase in democratic participation and the expansion of opinion expressed in the public domain. Mobile phones were indicated as the main tool used to access the internet and youth constituted the largest proportion of social media users.
Many governments in the region, however, keep trying to play catch up with the rapidly changing digital landscape and in many instances fall short on guaranteeing the human rights afforded in their constitutions. This has been seen in the policy and legislative environment of many East African countries which impede internet freedoms, including by granting excessive surveillance power to the police without sufficient oversight, and curbing freedom of expression and freedom of the press primarily against those critical of the state.
The Twitterthon participants shared that despite the existence of pan-African frameworks such as African Union Convention On Cyber Security And Personal Data Protection and the Declaration of Principles on Freedom of Expression in Africa of 2002, few countries have adopted laws that safeguard privacy, protect data and guarantee freedom of expression in the online sphere.
Meanwhile, efforts to promote ICT access for the youth, including through ICT literacy curriculums, remained low. Consequently, incidents and concerns about cyber bullying, online abuse, data protection, surveillance and privacy have risen alongside the exponential growth that internet access has seen in Africa.
Tanzania need to maintain a pre-emptive legal framework that can keep pace with the rapidly changing telecom technology #internetfreedom
— Jamii Forums (@JamiiForums) February 10, 2015
The absence of a Data Protection and Privacy law in #Tanzania makes subscriber information vulnerable to state abuse #SID2015
— Jamii Forums (@JamiiForums) February 10, 2015
For instance, chat participants from Tanzania expressed concern at not having adequate laws that protect the online rights of users, also pointing out the lack of a data protection law. In Kenya, a data protection Bill drafted back in 2013 has made little progress to date. In Uganda, meanwhile, the review of the Data Protection and Privacy Bill drafted towards the end of 2014 is ongoing.
In Kenya, a #DataProtection Bill, 2013 was tabled in Parliament in 2014 but it has hardly progressed since then! #internetfreedom #SID2015
— Jamii Forums (@JamiiForums) February 10, 2015
Other efforts towards safeguarding online safety shared included an online safety education toolkit for Young People in Uganda developed by the Internet Society Uganda as part of its ongoing activities in the country.
See more of the Safer Internet Day Twitter chat on Promoting internet Safety in Africa on Storify.