Sections of Kenya’s Computer Misuse and Cybercrimes Act, 2018 Temporarily Suspended

By Juliet Nanfuka
Barely two weeks after the presidential assent to the Computer Misuse and Cybercrimes Act, 2018, a High Court judge has issued a conservatory order suspending the entry into force of 26 sections of Kenya’s contentious Computer Misuse and Cybercrimes Act, 2018. The order by Judge Chacha Mwita, suspending the sections until July 18, follows a petition filed by the Bloggers Association of Kenya (BAKE), which challenged the law for contravening constitutional provisions on freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property and the right to a fair hearing.
In the order issued on May 29, the judge certified BAKE’s petition as urgent, and stated that respondents (who include the Attorney General, the Speaker of the National Assembly, the head of the National Police Service, and the Director of Public Prosecutions) be served immediately. The respondents would have seven days from receipt to file written submissions. Hearing of the petition is scheduled for July 18, 2018.
Although the conservatory order only stalls the enforcement and could be lifted or maintained thereafter, it nonetheless represents a win for digital rights advocates in Kenya, as they have in the interim satisfied the judge that there is an arguable case to be made against the constitutionality of the recently enacted law. The order also marks another landmark ruling in the litigation towards respect and realisation of digital rights across Africa.

According to the order, the suspended sections are: 5, 16, 17, 22, 23, 24, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 48, 49, 50, 51, 52 & 53.


Various organisations criticised the bill prior to its assent on May 16, 2018, calling it unconstitutional. Among the organisations were the Kenya ICT Action Network (KICTANET), Article 19 Eastern Africa, BAKE and the Centre to Protect Journalists (CPJ) who deemed numerous sections unconstitutional and detrimental to Kenyan citizens’ digital rights. They said it infringed on the privacy of individuals, freedom of expression, speech, opinion and access to information online.
Kenya already has a history of stifling online critics of the state and state actors, as echoed by James Wamathai, the Director of Partnerships at BAKE. In a statement, he said: “In the past several years, there have been attempts by the government to clamp down on the freedom of expression online. This Act is a testament of these efforts, especially after other sections were declared unconstitutional by the courts.”
Among the prevailing concerns on the law is the use of vague language on issues such as “false” or “fictitious” content and false publications in Sections 22 and 23, accompanied by heavy obligations on users to verify the truthfulness or untruthfulness of information before disseminating it. As per section 12, failure to comply would result in a fine of five million Kenyan shillings (USD 50,000), up to two years in prison, or both.
The court order comes on the heels of the two judgments (Okiya Omtatah Okoiti v The Communication Authority of Kenya and 3 others Constitutional Petition No. 53 of 2017 and Kenya Human Rights Commission v Communications Authority of Kenya and 3 others no. 86 of 2017) by the Kenya High Court in which the petitioners successfully challenged the installation on mobile phone networks of a communication surveillance system dubbed Device Management System (DMS), by the Communications Authority of Kenya (CA). The petitioners argued that, through this system, the authority would have undue access to the communications of citizens.
As more countries in Sub-Saharan Africa develop technology related laws, it is fundamental that the laws uphold human rights standards prescribed at global and regional levels, including in the International Covenant on Civil and Political Rights (ICCPR), the African Charter on Human and Peoples Rights (ACHPR), and African Union Convention on Cybersecurity and Personal Data Protection. However, recent developments such as those witnessed in East Africa appear to prioritise the criminalisation and penalisation of internet use rather than encourage its adoption as a tool for greater access to information, and for expanding free expression and civic engagement.
Kenya’s neighbours Tanzania and Uganda have this year taken actions detrimental to digital rights. In Uganda, social media taxes that could be introduced in July 2018 threaten internet access and affordability while in Tanzania, online content producers will have to pay over USD 900 to register with the state for permissions to maintain their platforms, according to new regulations.
 

The Stampede for SIM Card Registration: A Major Question for Africa

By Edrine Wanyama
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. As of 2017, Sub-Saharan Africa (SSA) had a mobile subscription rate of 44% which is projected to reach 52% by 2025. Further, SSA’s mobile internet penetration by 2017 stood at 21% and is anticipated to increase to 40% by 2025. However, the region has registered the largest number of cases of mandatory SIM card registration yet it suffers some of the biggest challenges in personal data protection and privacy.
The benefits of SIM card registration include facilitation of citizens’ access to e-Government services, easy identification of an individual’s mobile number and number portability when switching networks. In addition, it aids combating cybercrime including terrorism by limiting covert communication and promotes good relations between consumers and service providers by simplifying identification of consumers and their use of SIM services. Accordingly, many governments argue that mandatory SIM card registration is for purposes of safeguarding digital and physical security. However, critics argue that when SIM card registration is effected without due safeguards, it poses a threat to privacy and freedom of expression.
Indeed, in 2013 Mexico repealed its policies on SIM card registration “after a policy assessment showed that it had not helped with the prevention, investigation and/or prosecution of associated crimes.” Finland has not enforced compulsory SIM card registration and nonetheless, through voluntary mobile signatures, service providers have succeeded in facilitating users’ access to relevant retail, banking and e-Government services.
Globally, over 90 countries conduct compulsory SIM card registration yet some remain without clear policy on its implementation. Amidst criticisms that mandatory registration does not necessarily combat cybercrime, as criminals take the necessary precautions to avoid being detected and circumvent mandatory SIM card registration, African countries continue to proactively enforce SIM card registration. Among the prevailing challenges on the continent is the difficulty in validating identity documents in an environment with a wide range of service providers who create room for potential circumvention.
Mandatory registration has negatively affected access and usage of mobile telecommunication services due to the tedious process which entails the production of documentation such as passports and national identity cards prior to registration, which sometimes results in failure to attain a SIM card, disconnection, or deactivation of SIM cards.
Additionally, there have been repetitive calls for registration of SIM cards in countries such as Uganda and Nigeria with personal data being collected more than once. In Uganda, despite government explanation that SIM card verification is aimed at ensuring secure and safer communications, citizens have unanswered questions on the exercise. Suspicion arises due to a fresh validation of SIM card registration using national identity cards subsequent to registration which was initially done using valid documents such as students’ identity cards, driving permits and passports.
Double collection of personal data may partly imply collection of data beyond what is necessary for the purpose contrary to the internationally established data protection principles such as those set out in the Organisation for Economic Co-Operation and Development (OECD) Data Protection Principles. Further, there is no guarantee of individual privacy as most of the African countries do not have data protection laws. Moreover, most of the existing data protection laws do not meet internationally recognised standards considered sufficient to guarantee personal data protection and are therefore regarded as offering moderate or limited protection.
Meanwhile, efforts to buttress data protection in Africa have not yielded much. Out of 54 countries on the continent, only 14 have data protection laws (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe). A few others such as Uganda, Kenya, Nigeria, Tanzania and Niger have Bills. Regional efforts have also not yielded much. The Convention on Cyber Security and Personal Data Protection which was adopted by the African Union in 2014 has registered only 10 signatories (Benin, Chad, Congo, Ghana, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, Zambia and Comoros) and one ratification by Senegal.
Ultimately, there is need to reconcile state interests with citizens’ personal data and privacy rights. Mandatory registration, especially in the absence of clear registration guidelines and the lack of data protection laws, puts personal data at risk. African governments need to learn from other jurisdictions such as Europe with regards to processing of personal data as part of SIM card registration. In enforcing SIM card registration, there should be clearly set registration timelines and clear and unambiguous registration requirements.

Uganda Moves to Register Online Content Providers  

 
By Daniel Mwesigwa
Uganda has become the latest East African country to threaten access to information and free speech online by putting in place measures that require the registration of online content providers. In a notice issued earlier this month, the Uganda Communications Commission (UCC) called for online publishers, news platforms, radio and television operators to “apply and obtain authorization” for provision of services.
Without specifying the requirements necessary for application, the UCC indicates that within a month of issuance of the notice, measures will be enforced against non-compliant service providers and this “may entail directing Internet Service Providers (ISP) to block access to such websites and/or streams.”
The UCC is mandated under Section 5 of the Uganda Communications Act 2013 (UCC Act) to monitor, inspect, license, supervise, control and regulate all communications services. This mandate extends to audio, visual or data content production or dissemination through traditional broadcast media as well as internet based platforms.
According to the notice, registration of the various operators which the UCC classifies as “online data communication and broadcast content providers”, is within the regulator’s mandate to set standards and enforce compliance relating to content.
Over the years, UCC’s regulatory role has come under criticism over its lack of independence. Its establishing Act gives powers to the minister in charge of ICT to appoint the commission’s executive director and board members and to approve its budgets. In April 2017, the parliament of Uganda passed the Uganda Communications (Amendment) Bill (2016) which further gave the minister the power to single-handedly make regulations for the sector without parliamentary oversight.
More recently, UCC instructed telecommunications service providers to enforce two social media shutdowns during the presidential elections in 2016, and in September 2017 barred live broadcasts of parliamentary proceedings on the Presidential age limit amendment bill. National security and public safety have been cited as the grounds for the various directives.
There are an estimated 24 million mobile subscriptions and 18.1 million internet users in Uganda, reflecting an internet penetration rate of 48%. The country has licensed over 40 TV and 300 FM radio stations, many of which maintain online presences through live streaming on platforms such as YouTube, Facebook and Twitter.
Meanwhile, licensed print operators maintain online portals whilst there is a growing number of independent online news publishers and bloggers. Growing media convergence has seen traditional media maintain a dominance online as was witnessed during the Uganda Presidential debate in 2016, where the television stations NTV and NBS TV influenced the narrative according to a Twitter sentiment analysis.
However, without regulations in place to guide the proposed registration, it remains to be seen what obligations will be put forth for online content providers and the resultant impact that the registration will have on the country’s growing media landscape as well as the rights of users. Nonetheless, the move is a regressive development for digital rights in the country. It reflects a growing trend in neighbouring countries that are seeking to regulate online content through requirements for registration of users and service providers as well as accreditation to practice journalism.
In 2017, Tanzania published draft regulations on Electronic and Postal Communications (Online Content). The proposed regulations confer powers upon the Tanzania Communications Regulatory Authority (TCRA) to regulate online content, including through registration of users and platforms, and taking action against non-compliance with the obligations, such as ordering the removal of “prohibited content.”
A more targeted avenue has been used in Burundi, through the Press Law of 2015 which calls for all media practitioners to be accredited, including those operational purely in the online domain. A similar stance exists in Rwanda where even social media posts are theoretically regulated by the country’s National Communication Council (CNC).
The move by Uganda, proposed measures in Tanzania and existing practices in Burundi and Rwanda restrict the number of content providers online and thus inhibit the diversity and wider availability of information online. Furthermore, there is the potential for such practices to engender censorship of legitimate content which might be critical of public officials and bodies.

CIPESA Submits Comments On The Uganda Data Protection and Privacy Bill, 2015

Official Submission
Article 27 of Uganda’s constitution provides for citizens’ right to privacy; however, there is no law to protect an individual’s data privacy despite the large amounts of citizen data collected by government departments and private entities on a regular basis. More concerning is that this data is collected with no guarantee of its protection and privacy.
Some existing legislation, for instance the Computer Misuse Act, 2011 (section 18); Access to Information Act, 2005 (section 26); Uganda Communications Act, 2013 (section 79); Electronic Signatures Act, 2011 (section 81); and the Regulation of Interception of Communications Act, 2010 (section 2) prohibit unauthorised access and disclosure of information. However, the provisions in these laws are not elaborate and do not adequately protect personal data.
The publication of the draft Data Protection and Privacy Bill 2014 was therefore a milestone. Accordingly, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) submitted comments to that version of the bill. Various concerns were raised including vague wording which left the bill open to misinterpretation, unclear procedural processes for collection and retention, as well as the costs associated with accessing personal data.
More recently on , CIPESA welcomes the Parliament of Uganda’s call for submissions on the Draft Data Protection and Privacy Bill, 2015. It once again gives opportunity for stakeholders to provide input to ensure that the law, when enacted, measures up to internationally acceptable standards of data protection.
In our latest submission, we highlight some of the positive principles and provisions of the Bill. Furthermore, we indicate areas of concern and suggest amendments to ensure that if the bill is passed into law, there are sufficient safeguards to regulate the collection, storage and use of data towards upholding citizens’ right to privacy.
See the full submission made on the Uganda Data Protection and Privacy Bill, 2015 presented to the Committee on Information and Communication Technologies (ICT) in the Parliament of the Republic of Uganda.

Recent Developments in Telecoms Regulation Threaten Online Rights in Uganda

By Edrine Wanyama
In April 2017, the parliament of Uganda gave the minister in charge of Information and Communication Technologies (ICT) powers to single-handedly make regulations that govern the telecommunications sector. Hitherto, regulations proposed by the minister had to receive parliamentary approval.
The Uganda Communications (Amendment) Bill (2016), which parliament passed on April 6, 2017, means that making regulations for the telecommunications sector is in the sole preserve of the minister. Among others, such regulations are related to licensing and fees, operator obligations, competition, consumer rights and protection. It is for this reason that the newly passed law, which was gazetted back in February 2016 when still a bill, faced criticism from civil society.

“The Minister may, after consultation with the Commission and with the approval of Parliament, by statutory instrument, make regulations for better carrying into effect the provisions of this Act.” Section 93(1) of the Uganda Communications Act 2013

“The Minister may, after consultation with the Commission, by statutory instrument, make regulations for better carrying into effect the provisions of this Act.” Section 93(1) of the Uganda Communications (Amendment) Bill (2016)

The authority, Uganda Communications Commission (UCC), was set up in 1997 by the now repealed Communications Act, Cap. 106 (section 3) and now established by the Uganda Communications Act, 2013 (section 4) (the Act) as the regulator of the communications sector but has since inception faced criticism over lack of independence from the government. The Act gives extensive powers to the minister of ICT, including to appoint the commission’s executive director and board members and to approve its budgets.

Meanwhile, there are growing concerns about mass surveillance particularly in the absence of a data protection and privacy law to safeguard citizen data collected by the state and private parties. These are further aggravated by the haphazard implementation of laws which have an impact on citizens’ communications.
On April 12, 2017, the telecom industry regulator Uganda Communications Commission (UCC) announced a seven-day deadline for subscribers to update their registration details using national identity (ID) cards in a move reportedly to address cybercrime. Mandatory SIM card registration has been in force since March 2012. At the time of the original deadline for conclusion of the exercise in August 2013, the commission reported that 92% of SIM cards were registered. However, investigations into past and recent crimes have revealed the continued existence and use of unregistered SIM cards.
The April 12 directive raised concerns about the conflicting requirements for the validation of SIM cards, with subscribers pointing out that various other forms of identification other than a national ID should be recognised. Pursuant to the Regulation of Interception of Communications Act 2010, Section 9(1), SIM card registration requires the subscriber’s full name, residential address, business address, postal address and identity number as contained in an identity document. Other forms of identification that have previously been used by subscribers have included employer identity cards, driving licenses, students’ identity cards and passports.
However, following an interim order as well as public statements by the Uganda Law Society and other stakeholders, the Prime Minister issued a directive extending the SIM card verification and validation deadline for a month to May 19, 2017.
The SIM card registration exercise has attracted criticisms from human rights defenders who claim it violates freedom of expression and goes against Article 27 of the Constitution which guarantees the right to privacy by possibly enabling mass surveillance of communications. Further, the absence of a data protection and privacy law continues to expose citizens’ data which is increasingly and now repeatedly being collected by the state. There is accordingly no guarantee that personal data will not be unlawfully processed and used.
Over the past year, national security has been cited as the basis for directives by the UCC including instructions given to telecommunications service providers to enforce two social media shutdowns during 2016.
Although Uganda has signed and ratified the African Charter on Human and Peoples Rights and also fully subscribes to the international bill of rights, specifically the Universal Declaration for Human Rights and the International Covenant on Civil and Political Rights, there are repeated affronts to the rights enshrined in these instruments.
It is for this reason that the Collaboration on International Policy for East and Southern Africa (CIPESA) calls for the following actions to be taken:

  1. The Government should adopt a multistakeholder approach in decisions affecting the ICT industry in Uganda. Decisions that affect the rights of citizens should be evidence-based and reached in consultation with other stakeholders including academia, civil society, media and the private sector.
  2. The Parliament should immediately pass the Data Protection and Privacy Bill, 2015 subject to the proposed amendments from the citizenry.
  3. Government should harmonise the implementation of laws pertaining to registration of data of citizens, refugees and non-citizens in Uganda, including the Regulation of Interception of Communications Act (2010) and the Registration of Persons Act (2015).
  4. There is a need to reinstate the oversight role of the Parliament over the Minister for ICT in making regulations for the ICT sector. Failure to do so will leave excessive powers within the ambit of the minister and resultantly, lead to abuse.

Read more on the State of Internet Freedom Uganda 2016.