New communications interception regulations appear to be weak on protections and enabling of rights violations.
BY FREDERICO LINKS
Namibia is quickly moving closer to becoming another African surveillance state as legally questionable state surveillance-enabling regulations are pushed towards implementation under the guise of fighting crime and protecting national security.
Since the gazetting of regulations on 15 March 2021, the full implementation of Part 6 of the Communications Act of 2009 is moving ever closer and so too is the growing threat of large-scale state violation of the constitutionally protected right to privacy, along with other associated rights.
Part 6 of the Communications Act and its new regulations enable interception of all telecommunications by police and national intelligence officials through mandatory SIM card registrations and extensive and expansive data collection and retention obligations and measures imposed on telecommunications service providers.
However, critical scrutiny of Part 6 of the Communications Act and the recently publicised regulations have pointed to a lack of substantial data protection and transparent, strong oversight mechanisms to safeguard against surveillance overreach and abuse.
These interpretations are contained in a recently published critique of the regulations of 15 March 2021 by Dianne Hubbard of the public interest law firm, the Legal Assistance Centre (LAC).
The LAC assessment of the regulations finds, among others, that they are overbroad and lack proportionality; that they lack suitability to serve the intended objectives; contain flawed judicial authorisation and inappropriate decision-making processes; and that there is no attention to data security principles.
On the concern around broadness and proportionality, the LAC finds that the regulations enable “retaining a massive amount of data of which only a tiny proportion is likely to ever be requested by the police or intelligence services”.
On the issue of suitability to serve the intended objectives, the LAC questions “what purpose the data retention requirements can actually serve given the exclusion of (a) pre-paid telecommunications services and (b) services accessed via foreign telecommunications service providers”.
Considering the issue of judicial authorisation and decision-making, while under regulation five (5) it is spelled out that police or national intelligence officials need to obtain a warrant from a judge or a magistrate to access the telecommunications information or data of any individual, the process falls short of best practice.
Worryingly, but not uncommonly, a police officer (but not an intelligence official) can bypass judicial authorisation to access someone’s personal data by claiming urgency.
However, as per the LAC, this provision is oddly articulated in the regulations “because it places the decision-making burden on the telecommunications service provider instead of on the trained police officer”.
“The regulations require the police officer making the request to convince the authorised officer at the telecommunications service provider “on reasonable grounds” of three things: (1) that the requested information is required urgently; (2) that the delay in getting court authorisation would defeat the purpose of the request; and (3) that a request to the court for authority for requesting the information would have been granted if it had been made,” finds the LAC.
This approach is at odds with the process authorised under the Criminal Procedures Act 51 of 1977, which places the decision-making burden on the police officer and not the service provider.
Furthermore, the judicial processes do not make provision for ex post facto notice to affected individuals and no other safeguards for ex parte proceedings. This means transparency and accountability, through legal notification and representation, are non-existent in these judicial processes.
On the issue of lack of adherence to data security principles, the LAC assessment finds that the regulations are substantially weak on “measures pertaining to the security of the data and protections for confidentiality and the prevention of unauthorised access, as well as provision for the erasure or destruction of data after the requisite time period for its retention has expired”.
In its final assessment, the LAC concludes, based on comparable legal frameworks, that “it seems likely that Namibia’s telecommunications data retention scheme might be found to be an unconstitutional infringement of the right to privacy overall, given the intrusion into the privacy of large segments of the population in a manner that has a questionable ability to serve the intended objectives”.
And it continues: “At the very least, it seems to be unconstitutionally faulty in some key aspects relating to the breadth of its coverage and the kinds of data required to be collected, the lack of procedural safeguards and the lack of attention to data protection principles. It does not seem to be appropriately proportional to its aims.”
Based on this assessment of the regulations, it appears that Namibia is on track to implement regulatory measures that could become problematic, both legally and digitally.
This sort of controversy has dogged similar mandatory SIM card registration and data retention regimes the world over for years.
Already way back in 2014 the UN High Commissioner for Human Rights flagged the dangers of such regulatory regimes in a report titled ‘The Right to Privacy in the Digital Age’.
The report states: “Mandatory third-party data retention – a recurring feature of surveillance regimes in many States, where Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access – appears neither necessary nor proportionate.”
Despite this, countries across the world and the African continent have continued implementing such regulatory frameworks, with especially many African governments abusing them for authoritarian and repressive purposes.
This was once again highlighted in the ‘State of Internet Freedom in Africa 2021’ report, which was recently released by the Uganda-based Collaboration on International ICT Policy for East and Southern Africa (CIPESA).
The CIPESA report states that the abuse of SIM card registration and data retention regimes have been central to “state surveillance in Africa [and] has harmed various rights of journalists, human rights defenders and opposition politicians, and undermined their participation in social and public affairs”.
*Frederico Links is a Namibian journalist, researcher and chairperson of the ACTION Namibia Coalition. This article was commissioned by the Media Policy and Democracy Project (MPDP), an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science.
A version of this article was first published in The Namibian newspaper of 10 November 2021.