Countering Digital Authoritarianism in Africa

By Apolo Kakaire |

The Internet which is viewed as the panacea for democracy, participation and inclusion is increasingly becoming a tool of repression deployed by regimes across the world to stifle rights and voice.  Africa, a continent already replete with poor democratic credentials and practices seems to be rapidly catching up on the new ‘epidemic’- digital authoritarianism.

The use of technology tactics to advance repressive political interests has come to be  referred to as digital authoritarianism. However, the tactics employed by authoritarian regimes have also been deployed by democratic states for purposes of surveillance, spread of misinformation, disinformation, and the disruption of civic and political participation under the pretext of fighting cybercrime, and in the interest of protecting national security, and maintaining public order.

Big technology companies are key drivers of digital authoritarianism through the creation, innovation and supply of repressive technology and related support. Moreover, political parties, interest groups, and smaller private companies have lapped it up too, developing and using tools and strategies of digital authoritarianism.

Digital authoritarianism is a great case study in understanding and appreciating the impact of technology on human rights. While laws legalising surveillance and interception of communications, and widespread data collection and processing may not be a problem in themselves, it is the ambiguity often present within those laws that give governments wide latitude of interpretation to facilitate the rights abuse that is a growing challenge.

At the Forum on Internet Freedom in Africa 2022 (FIFAfrica22), Global Voices Advox, shared findings from the Unfreedom Monitor– a project exploring the political and social context that fuels the emergence of digital authoritarianism in 17 countries. They hosted a panel discussion in which project researchers from India, Nigeria, Sudan and Zimbabwe presented the project findings on the connections between political contexts, analogue rights, and the growing use of digital communications technology to advance authoritarian governance.

The findings paint a grim picture for  freedom of the media, expression, and democracy in general. In Zimbabwe for instance, the Unfreedom Monitor report notes that; “the press walks a precarious line between national security and the professional obligation to report truthfully” on issues that happen in the country. It is an observation that is replicated in the mapping conducted in Morocco, Egypt, and Tanzania 

In Sudan, where internet censorship, bad laws and repressed liberties and network disruptions are commonplace, Khattab Hamad noted that the contours and motives of digital authoritarianism include fear of losing power, protecting the existence of regional or international alliances, and geopolitical motives protecting private and family interests. He added that terrorism and support for terrorist groups was another motive for authoritarianism in the country. 

In Tanzania, researchers found that often, laws are enacted as precursors to enable various methods of digital authoritarianism. For example, the Cybercrime Act which was hurriedly enacted just months before the October 2015 elections. “There were many other such laws, including the amendments to the Non-Governmental Orgnaisations (NGO) Act, that saw NGOs being deregistered and control on them tightened in the lead up to the 2020 elections”, they revealed.

In Uganda, network disruptions in the run up to and during recent elections is another example of digital authoritarianism. “Sometimes the internet is restored after elections. So, the question is what exactly is the purpose? What are you hiding? Why do you deny your people access to information? Internet shutdowns also question the credibility of elections”, said Felicia Anthonio of Access Now. She added that network disruptions affect engagement between voters and political candidates, in addition to limiting  electoral oversight and monitoring by human rights activists and election observers. 

As part of the Unfreedom Monitor project, Global Voices Advox has established a publicly available database on digital authoritarianism to support advocacy in light of the “urgency of a fast deteriorating situation”, said Sindhuri Nandhakumar, a researcher  with the project. 

While applauding the research and database in supporting evidence-based advocacy, digital rights activists at FIFAfrica22 noted that given the behaviour of authoritarian regimes, advocacy at the national level may be met with a lot of resistance. As such, more engagement was called for  through special mandates and periodic human rights review mechanisms at the African Union (AU) and the United Nations Human Rights Council.   

“Advocacy [against digital authoritarianism] at national level will be difficult. Positive results could be registered through Special rapporteurs at the AU and states through the Universal Periodic Review (UPR), towards securing accountability”, said Arsene Tungali from the Democratic Republic of Congo.

For African digital rights activists, the Global Voices Advox research and database unravels new  avenues for collaborative advocacy and transnational opportunities for interventions to stem this spread of digital authoritarianism. The findings however also point at the need for a concerted and robust response to its growing traction.

As elections in Africa remain a major flashing point for digital authoritarianism as all manner of manipulation of voters, narratives, even results abound, it remains a key area of transnational cooperation. Ahead of the elections in Zimbabwe, slated for July-August 2023, Advox will come up with tips on awareness raising on voter rights and the role of technology in elections. Zimbabwe provides a good opportunity to pilot, learn and perhaps adopt some interventions to counter this behemoth.

Privacy Imperilled: Analysis of Surveillance, Encryption and Data Localisation Laws in Africa

By Evelyn Lirri |

Across Africa, the proliferation of digital technologies is being matched by state measures that negate the right to privacy. The accelerated adoption of digital technologies has come with increased collection and sharing of large quantities of personal data, which is a major concern as several countries lack data privacy laws and many that have them are not implementing the laws. 

As a result, the right to privacy has come under growing siege, which is in turn negatively impacting the enjoyment of other rights, including freedom of expression, association, and access to information online.

In this report, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) analyses country-specific laws that various governments on the continent have enacted and how they impact privacy and data security through surveillance, restrictions on encryption, data localisation, and biometric databases. The report covers 23 countries – Algeria, Angola, Benin, Burkina Faso, Burundi, Cape Verde, the Central Africa Republic (CAR), Congo Brazzaville, the Democratic Republic of Congo (DRC), Gabon, Guinea Conakry, Ivory Coast, Lesotho, Liberia, Madagascar, Mauritania, Morocco, Niger, Sao Tome and Principe, Sierra Leone, South Sudan, and Togo.

According to the report, governments across the continent continue to collect and process personal data, intercept communications and permit surveillance without putting in place the requisite oversight mechanisms and adequate remedies, despite being signatories to regional and international conventions that recognise the right to privacy and provide safeguards for data protection, such as the revised Declaration of Principles of Freedom of Expression and Access to Information in Africa, the International Covenant on Civil and Political Rights, and the Universal Declaration of Human Rights.

Weak Oversight of Surveillance Operations 

One of the emerging concerns is the lack of independent judicial oversight over surveillance operations. In some countries, surveillance operations are entirely carried out and overseen by bodies within the executive, with parliaments and courts of law excluded. In Lesotho, interception warrants may be issued by the Minister responsible for the National Security Services, while in Niger, interception is ordered by the President. In South Sudan, this responsibility is vested with the Director General of the National Security Service, while in The Gambia it lies with the Minister of Interior. In Togo, the Prime Minister, and the Ministers responsible for the economy and finance, defence, justice, and security and civil protection can trigger interception of communications.

In countries such as Benin, the Democratic Republic of the Congo (DRC), Morocco, Niger, and Togo, justification for surveillance is specified under the law. The reasons provided include the preservation of national security or defence, investigation of crimes, prevention of terrorism, organised crime, and activities that undermine public peace or public order. However, these crimes are not defined or are vaguely defined, which gives latitude to state authorities to broadly interpret the laws in undermining the rights of critics and opponents.

 Limitations on Encryption

The use of encryption is critical in helping citizens to protect their data and communications while enjoying the right to privacy and freedom of expression. In several countries, however, this right is being threatened as governments impose restrictions that require the registration of encryption service providers, ban certain types of encryptions, and compel service providers to hand over decrypted data.

In Algeria, individuals and organisations that want to acquire and use encryption services must be granted authorisation by the country’s Regulatory Authority of Post and Electronic Communications. On the other hand, in countries such as the Democratic Republic of Congo, the Central Africa Republic, Niger, Benin, Guinea Conakry, Ivory Coast, Congo-Brazzaville, Morocco, Togo and Burkina Faso, an authorisation may be sought if the encryption is not exclusively for providing authentication or integrity control functions. Failure to seek authorisation or using prohibited encryption could attract a heavy penalty including jail time, a fine, or both.

Countries like Mali, Tanzania, and Malawi also require service providers to disclose specific software to be used for encryption. Such prohibitive provisions undermine privacy and freedom of expression that access to encryption accords.

Compelled Assistance by Service Providers

Governments are also using compelled assistance – where state agencies seek access to data from service providers, including through courts of law and regulators, to gain access to individuals’ private data. This includes access to the secret code of encrypted data, or to decrypted data, and generally requiring service providers to render assistance to state agencies in the interception of communications.     

Laws in countries like Benin, Ivory Coast, Congo-Brazzaville, Gabon, Guinea Conakry, and Sierra Leone specify grounds on which the state can access encrypted data of individuals and also facilitate lawful interception of communications. Laws in several countries require intermediaries such as telecom companies and Internet Service Providers (ISPs) to facilitate surveillance.

 As the report notes, compelled service provider assistance as stipulated in some countries’ laws is quite worrisome as it gives governments and their agencies unfettered access to individuals’ private data beyond limits prescribed by law or permissible by international standards.

Data Localisation

Various countries have enacted laws to control the cross-border transfer of personal data for a multitude of reasons, including national security, personal data protection, and data sovereignty. Algeria, Niger, Morocco, Benin, Cape Verde, Madagascar, Guinea Conakry, Ivory Coast, Congo Brazzaville, Sao Tome & Principe and Togo have laws that prohibit cross-border transfer of personal data unless authorised by data protection authorities.

However, as the report’s findings show, despite having laws in place, enforcement remains weak. Further, data localisation requirements could, in the absence of robust legal and practical safeguards, further facilitate efforts by state and non-state actors to undermine privacy-related rights. Morocco, Algeria, and Ivory Coast are some of the countries where data localisation measures are being implemented.

 Biometric Data Collection

Recent years have seen a number of African countries undertake mass collection, processing and storage of personal data through initiatives such as mandatory SIM card registration, electronic biometric passports, IDs, and driving licences. Although many countries have also passed laws on data protection and privacy, weak implementation mechanisms, coupled with the absence of the requisite safeguards, remain a threat to individual privacy. This is particularly so in instances where regulatory authorities have the power to direct telecom operators to hand over information such as that contained in the SIM card databases.  

Furthermore, the existing oversight mechanisms and provisions for remedies in the case of data breaches have not been effective enough to protect the personal information and communication of individuals in line with internationally recognised human rights standards.    Many countries have enacted data protection laws but have additional legislation that gives the state and its agencies power to access citizens’ biometric information, often under the guise of protecting national security. This is the case with countries such as Kenya, Gabon, Uganda, Lesotho, Mauritius, Morocco, Niger, Sao Tome, Togo, Algeria, Congo Brazzaville, and Ivory Coast.

 Recommendations

 Government:

  • Enact data protection laws in countries such as Liberia, Sierra Leone and South Sudan to provide for and guarantee protection of personal data.
  • Review existing laws, policies and practices on surveillance, including COVID-19 surveillance, biometric data collection, encryption and data localisation, to ensure they comply with article 9 of the African Charter and with the principles in the African Commission on Human and Peoples’ Rights Declaration of Principles on Freedom of Expression and Access to Information in Africa 2019.
  • Cease blanket compelled service provider assistance and provide for clear, activity-bound and court-mandated assistance.
  • Submit periodic reports to the different international human rights treaty body monitoring mechanisms such as the African Commission on Human and Peoples’ Rights, the Human Rights Committee and the Universal Periodic Review process, on the measures taken to guarantee the right to privacy and data protection.

Civil Society:

  • Work collaboratively with stakeholders such as the private sector and academia, including through litigation to challenge laws and measures that violate privacy rights.
  • Monitor and document privacy rights violations through evidence-based research.
  • Conduct regular analysis of proposed laws to identify the gaps and propose revisions before they are enacted into law.
  • Advocate for the promotion and protection of the right to privacy and data protection through various advocacy engagements.

Private Sector: 

  • Develop, publish and implement internal privacy and data protection policies and best practices in handling customer data so as to guarantee customers’ data protection and privacy.
  • Regularly publish transparency reports that highlight all cases of personal data and information disclosure to government agencies as well as other assistance offered to governments to enable communication interception and monitoring.
  • Develop technologies and solutions and use privacy-enhancing technologies that embed and integrate privacy principles by design and default.
  • Comply with the United Nations Business and Human Rights Principles by conducting human rights impact assessments to ensure that measures undertaken do not harm individual rights to privacy and data protection.

Find the full report here: Privacy Imperilled: Analysis of Surveillance, Encryption And Data Localization Laws in Africa  

See another CIPESA report Mapping and Analysis of Privacy Laws in Africa that maps privacy-related laws in 19 other countries.

Togo: Fumbling With a Digital ID While Actively Surveilling Citizens

By Afi Edoh |

For four years Togo has been inching towards issuing a digital identity (ID) card. While there are indications that 2022 may be the year in which the west African country finally delivers the long-awaited digital ID, the road ahead remains uncertain. Challenges lie both in bureaucratic delays and citizens’ caginess about handing their data to a government with a penchant for surveilling citizens and shutting down digital communications.

The Togolese government announced the e-ID Togo project in 2018, but it was not until mid 2021 that the Ministry of the Digital Economy and Digital Transformation initiated efforts to recruit a communications consultant to devise an awareness campaign to precede the registration stage and a technology solutions service provider. The International Institute of Information Technology Bangalore was awarded the system contract in December 2021.

According to the government, the e-ID project will simplify the process of updating the electoral register, facilitate access to public services and to credit, reduce fraud in the financial sector, and facilitate the targeting of social protection beneficiaries. Only 25% of the country’s population of eight million has a form of identification, with women less likely to have an identification document, which hinders their ability to open bank accounts, enrol children in school, benefit from health insurance, or get a mobile phone number. In recognition of the gaps in civil registration among citizens, the government set out to enrol citizens for e-ID even without proof of birth registration.

Togo passed Law No. 2019-014 relating to the protection of personal data in October 2019. In 2020, parliament passed Law No. 2020-009 relating to the biometric identification of natural persons, whose objective is to establish a system for identification and authentication of natural persons. The law aims to establish a “secure and reliable methodology” for obtaining, maintaining, storing and updating data on the identity of registered individuals. The law requires all citizens and residents in Togo to obtain a Unique Identification Number (NIU) by submitting their demographic and biometric data (Article 4). The biometric data specified for purposes of obtaining a NIU are photograph and / or facial recognition, fingerprints, and iris scan. The National Identification Agency (ANID) is mandated to collect biometric data for the NIU.

SIM Card Registration
In July 2021, a SIM card registration and limitation of subscriptions per individual and network campaign was launched by the telecommunications regulatory authority ARCEP, supported by leading telecom operators Moov Africa Togo and TogoCom. The SIM registration requirements include a national identity card or passport and collection of biometric and demographic data. 

But this extensive collection of individuals’ personal data raises concerns for the safety of such data. These concerns are not unfounded and they partly arise from the state’s record on respect for digital rights, which have seen it order network disruptions and use malware to target opponents and dissidents.

State Surveillance
In 2020, lingering suspicions that the Togolese government was undertaking interceptions of communications gained credence when the Citizen Lab revealed that Israeli-made spyware Pegasus, supplied by the NSO Group, was used between April and May 2019 to target Togolese civil society, including a Catholic bishop and a priest, as well as two members of Togo’s political opposition. The surveillance reportedly coincided with nationwide pro-reform protests that were forcibly dispersed. The Togolese government did not respond to the allegations, which nonetheless sparked debate within Togolese media and civil society.

Further, in October 2021, Amnesty International research found that Togolese activists had been targeted with spyware by the Donot Team hacker group based in India – the  first time that Donot Team spyware was found in use outside of South Asia. According to the report, the activists’ devices were targeted between December 2019 and January 2020, during a tense political climate ahead of the 2020 presidential election.

Network Disruptions

During the February 2020 elections, authorities disrupted access to messaging services (WhatsApp, Facebook Messenger, and Telegram). Later that year, the Economic Community of West African States (ECOWAS) Court of Justice ruled that the 2017 internet shutdown in Togo was illegal and an affront on the right of freedom to expression. 

According to Access Now, the court ordered the government of Togo to pay two million francs (USD 3,459) to the plaintiffs as compensation, and to take all the necessary measures to guarantee the implementation of safeguards with respect to the right to freedom of expression of the Togolese people.

Privacy and Data Protection

Togo’s laws provide safeguards against unlawful surveillance and unauthorised access to data whilst also granting authorities sweeping powers to violate privacy. Law No. 2012-018 on electronic communications provides for privacy of communications but article 92 empowers the Prime Minister, and the Ministers responsible for the economy and finance, defence, justice, and security and civil protection, to trigger the interception of communications and electronic content.

The biometrics identification law requires the National Identification Agency to encode and encrypt data on its registry and only allows access to authorised agents (article 10, 21 & 22). Violation of the obligation of non-disclosure of personal data, identity theft and unauthorised processing of personal data are punishable with fines ranging from one million to 10 million Central African Francs (USD 1,747 to 17,472), imprisonment between one and five years, or both.   

Article 94 of Togo’s 2012 electronic communication law obliges encryption service providers to comply with lawful interception orders, with refusal to provide secret decryption codes to government agencies punishable with a fine of between USD 3,544 and USD 14,178. Cryptology services providers are required to retain for one year, content and data allowing the identification of anyone who has used their services, and to provide the technical means that enable the identification of those users. The service providers are required to avail this data, on request, to the investigating judge, Prime Minister, Minister for the Economy and Finance, the Minister of Defence, the Minister  of Justice, and the Minister of Security. The multiple officials who access data – similar to the various officials that can trigger the interception of communications – offers wide latitude for abuse of citizens’ data privacy rights.

Digital Exclusion
In the wake of Covid-19, Togo initiated a relief programme for vulnerable citizens whose livelihoods were affected by the state of emergency. As at March 2021, the programme, known as NOVISSI, had disbursed a total of 13.3 billion francs (USD 22 million) to 819,972 citizens via mobile money.

However, the programme was criticised for requiring applicants to possess a voter’s ID card. During the last electoral census, opposition parties called on the population to boycott the exercise, which meant that some citizens had not renewed their voter ID cards. There were also cases of unscrupulous individuals utilising the voter’s ID details of other citizens to fraudulently benefit from the programme. As a result, the government temporarily halted the program to allow for physical verification of beneficiaries at dedicated centres.

Way forward

Whereas the various sanctions within the existing legal framework might be a deterrent against unauthorised access to and misuse of personal data, there is wide latitude for state agencies and officials to access the data, which could be abused. This calls for a review of the provisions to ensure they uphold citizens’ right to privacy and data protection, with adequate oversight and redress mechanisms. Further, the e-ID should be rolled out in a manner that ensures agency and dignity, without enhancing exclusion and surveillance. 

CIPESA Makes Submission to the OHCHR on Human Rights in the Tech Sector

Submission |

The Collaboration on International ICT Policy for East & Southern Africa (CIPESA) has made submissions to the Office of the United Nations High Commissioner for Human Rights (OHCHR) on how businesses in the technology sector can improve the observance of human rights. 

The submissions, made in February 2022 in response to a call for inputs on the application of the United Nations Guiding Principles on Business and Human Rights (UNGPs) to the activities of technology companies, will feed into a report the OHCHR will submit to the Human Rights Council in June 2022. 

Below is a summary of CIPESA’s submission.

Emerging Trends

The digital age presents new challenges and ways of working that necessitate a review of how the UNGPs can be applied in the technology sector. Increasingly, states have become purchasers of digital technologies from technology companies to facilitate the implementation of various national programmes which present previously unforeseen risks to privacy as they facilitate mass surveillance. Commonly implemented national programmes posing threats to individual privacy include national digital identification systems, voter registration using digital biometric systems, mandatory SIM card registration, smart cities programmes, and installation of national video surveillance (CCTV) programmes integrating facial recognition systems.

Furthermore, digital technologies have fallen prey to retrogressive legal measures undertaken by states. Across Africa, countries have enacted legislation which compel telecommunications service providers to embed capability within their systems to facilitate the interception of communications by state security agencies, and the state acquisition of software and hardware equipment to facilitate surveillance and interception. 

In addition, some states have taken advantage of digital tools to carry out cyber attacks, censor online content, disseminate propaganda and disinformation. Moreover, many African governments have adopted laws limiting anonymity and the use of encryption.

Pressure on tech companies

Some governments continue to apply undue pressure on technology companies including social media platforms to provide personal information, take down content, and shut down the internet. Others have adopted repressive legislation to control the spread of information on social media, or to regulate internet intermediaries by placing undue liability on them for content on their platforms. During the Covid-19 pandemic, states developed various contact tracing systems and applications without adequate legal frameworks, or an assessment of the human rights impact of the applications. Also, state responses to hold companies accountable remain ad hoc, fragmented and not aligned with international standards.

Questionable company practices
Across the continent, social media, online search, fintech and advertising companies have adopted business models that are based on surveillance capitalism and thus continue to threaten the privacy of users, in some cases without users’ explicit knowledge or consent. Further, social media platforms have also contributed to the spread of harmful content online, which companies have failed to take effective measures to address. Also, social media content policies do not always adopt definitions of content that are rights-respecting, and their practices around content moderation are problematic. Content is often moderated using automated systems which lack local context, are discriminatory and embed bias.

Moreover, some platforms’ practices around content takedowns remain inaccessible, their content policies are not uniformly applied, and redress mechanisms do not always apply the rules of natural justice. In addition, some companies have continued to develop and sell surveillance technology to autocratic governments on the continent, which is subsequently used against human rights activists, government critics, and opposition leaders, which further exacerbates risks to human rights.

Trade of privacy for business continuity

The total sum of the government measures coupled with the pressure imposed on tech sector players is continent-wide trade of privacy for business continuity by technology companies. This is commonly seen in state surveillance through electronic technologies, including interception of communications, hacking of information of target persons especially political dissidents, activists and human rights defenders. The tech sector has, however, not done enough to ensure that individual privacy is guaranteed for their customers. 

In a continent where strong privacy laws remain scanty, the increased usage of online platforms and social media in the absence of adequate safeguards and oversight over companies remains a critical risk for privacy rights. The enjoyment of human rights and freedoms, especially freedom of expression and  access to information, association, assembly and movement have sharply declined.

Recommendations

Addressing human rights risks in business models:

  • The commitment to respect human rights as envisaged by the UNGPs  should be integrated at all levels in the company hierarchy and embedded across all its functions and processes.
  • Companies should take steps to mitigate risks within their existing business models, and continuously innovate new business models that are rights-respecting.
  • There is a need for continued research to promote greater understanding of the human rights risks in technology business models on the continent. 
  • Multistakeholder engagement should be promoted as it is a critical avenue to promote shared understanding of the human rights risks and impacts of technology in Africa.

Human Rights Due Diligence and end-use

Companies should do the following:

  • Conduct due diligence to identify, prevent or mitigate risks of harmful impact on their business. The due diligence should be conducted from project design and development phase of new products, services and solutions, and thereafter periodically through the lifecycle including promotion, deployment, sale and use.
  • Assess and monitor the effectiveness of their responses to human rights risks, with results of

such assessments guiding decision-making.

  • Review their state clients’ human rights records and ensure they do not develop, sell or offer

them technology products, services or solutions that contribute to or result in adverse human

rights impacts.

Accountability and remedy 

  • Companies should be transparent and accountable in how they address their human rights impact. Such transparency and accountability can be enhanced through periodic reporting to external stakeholders including through public reports.
  • Create platforms and avenues for engagement, information sharing and feedback between technology companies and various stakeholders.  
  • Implement credible and effective complaints reporting and handling mechanisms.
  • Companies should put in place measures to monitor and promote rights-respecting and responsible business practices and culture, and to remedy and mitigate adverse impacts caused by their actions.

The State’s duty to protect

  • Put in place administrative, policy, legislative, institutions to hold technology companies accountable for human rights violations, provide effective remedies for victims of rights violations related to technology, require companies to conduct due diligence and to have proper safeguards to protect the public from harm.
  • Develop laws, policies, regulations, standards, and guidance, including at the regional level to embed and ensure responsible business practices by technology companies and greater respect for human rights in the digital context.
  • Take measures to promote the use and adoption of digital technologies and address the growing digital divide, including by removing barriers to internet access and digital technologies.

See the full submission here.

CIPESA Submits Comments on Tanzania’s Proposed Amendment to The Online Content Regulations 2021

By Edrine Wanyama |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has made a submission on the proposed amendments to Tanzania’s controversial Electronic and Postal Communications (Online Content) Regulations, 2020 that regulate online content service providers, internet service providers, application services licensees, and online content users.

On August 24, 2021, the government made a public call for comments on proposals to amend the 2020 Regulations, which entrenched the licencing and taxation of bloggers, online discussion forums, radio and television webcasters, and repressed online speech, privacy and access to information. The move towards amending the Regulations follows a series of concerns expressed in 2017, 2018 and 2020 over the regressive and repressive nature of online content regulation in the country, and its detrimental effect on freedom of expression, access to information, and the right of establishment of media.  

The proposed 2021 regulations largely reflect the previously issued regulations. While they have  some positive elements, they largely fail to address the threats posed to human rights defenders, political dissidents, journalists, academics, civil society organisations and actors.

On a positive note, the proposed regulations reduce licence application fees, as well as annual and renewal fees charged for online media content services and online content aggregators. Thus, online media content service providers will pay application fees of TZS 50,000 (USD 22) down from TZS 100,000 (USD43), initial licence fees of USD 217 from USD 433, annual licence fees of USD 217   from USD 433 and renewal fees of USD 43 from USD217.

The regulations also remove some ambiguous specification of obligations of service providers, such as the proposed deletion of the current regulation  9 (d) which potentially censors a broad variety of content by imposing on service providers the obligation to filter what is considered “prohibited content.” Regulation  9 (d) of the EPOCA Regulations of 2020 requires online content service providers to, “use moderating tools to filter prohibited content.” 

Furthermore, under regulation 3, some level of certainty in the scope of definitions is provided especially for “online media content services” and “online content aggregators”, which are lacking in the current regulations. The proposed regulations also make attempts to define and narrow the scope of categories of licences by removing all fees that were earlier imposed on online content relating to education and religion, and fees chargeable for the provision of Online Content Service Licence Category B (Simulcasting radio and television). 

However, the proposed regulation maintains broad and vague definitions, such as of “hate speech”, which could potentially be misused against individuals, media and private sector players.

Moreover, the licensing requirements under Part II of the EPOCA regulations of 2020, which have not been proposed for amendment, are still prohibitive with very heavy penalties of not less than five million shillings (USD 2,157) or  12 months imprisonment, or both, for operating without a license from the Tanzania Communications Regulatory Authority (TCRA). 

Further, the process of applying for a licence under regulation 6 remains tedious, requiring the applicant to furnish TCRA with extensive information including personal information. This comprises certified copies of certificate of incorporation or certificate of registration, tax identification number, tax clearance certificate, national identity cards, and list of owners and management teams, curriculum vitae of staff, editorial policy guidelines and any other documents required by the authority. 

The proposed amendments do not make any attempt to address the wanton restrictions laid down in the Third Schedule to regulation 16 on prohibited content.  This  includes content in paragraph 1 on sexuality and decency, content on personal privacy and respect for human dignity which extends to insults, slander and defamation or exposes news related to a person’s privacy under Paragraph 2(b)

Further, there are restrictions on content  on public security, violence and national security (Paragraph 3), content that is considered to be disrespectful of religion and personal beliefs (paragraph 7), public information that may cause public havoc and disorder (paragraph 8), use of bad languages and disparaging words (paragraph 9) and false, untrue and misleading content (paragraph 10). 

The scope of prohibited content under the Third Schedule is wide and ambiguous, and the provisions facilitate curtailment of freedom of expression and access to information. 

Additionally, the schedule prohibits publication of “content with information with regards to the outbreak of a deadly or contagious disease in the country or elsewhere without the approval of the respective authorities.” The penalty for breach of regulations is a fine of not less than five million Tanzanian shillings (USD 2,174), imprisonment for not less than 12 months, or both. This prohibition undermines freedom of expression and access to health information as it provides room for suspension of content.

Regulation 9(g) maintains  the status quo of the obligations of online content service providers to ensure that prohibited content  is removed immediately upon being ordered by TCRA. This ultimately means the sweeping powers of the authority to determine what content is available for public consumption are still on the statute books. Such powers are also a potential tool for censorship of content and hinder free expression and access to information.

The proposed amendments to the regulations come a few months after the death of Tanzania’s former president, John Magufuli. His reign was characterised by systematic clampdown and curtailment of freedoms including of expression, access to information, assembly and associations. The period before Magufuli’s death was also  characterised  by a lacklustre response to the Covid-19 pandemic.  

The analysis concludes that the proposed amendments provide some ray of hope especially in providing some degree of certainty in definition of key terms and reduction of application and licensing fees. However, the proposals are not sufficient to tackle the deep concerns in the 2020 regulations. 

You can read the full submission here.