For nearly ten years now, the Government of Malawi has been gathering personal information of its citizens and stockpiling it elsewhere. Citizens are now at the mercy of those in the custody of such personal data as they could use it against them or pawn it for profit. This has been possible through passing legislation that has strengthened its grip on its digital surveillance undertakings.
With such laws, which include the National Registration Act (2010), Electronic Transactions and Cyber Security Act, (2016), and Communications Act of 2016, Government has managed to put all its citizens in its pockets in as far as their personal data is concerned.
The Malawi government also rolled out the Consolidated ICT Regulatory Management System (CIRMS) – famously known as the spy machine – nine years ago, which had surveillance capabilities.
The National Statistics Act 2013 also empowers the National Statistics Organisation (NSO) to collect all types of information, including personal information, nationwide on behalf of the government.
The way everything has legally been put in place, there is no way that people would escape or chose not to partake in the information collection process.
Take, for example, legal surveillance tools like the National Registration and Identification System (NRIS), which the United Nations Development Programme (UNDP) says has registered 9 million Malawians as of August 2019. This also resulted from a 2018 Malawi government enforcement of mandatory SIM Card registration through the Malawi Communication Regulatory Authority (MACRA).
In all this, the major weakness of the current legal and policy framework is the lack of a dedicated data governance framework. The only glimmer of hope could perhaps be that a data protection law that will prescribe what Government can and not do with this personal information will be put in place now that a new Government was ushered into office on June 23, 2020.
Jimmy Kainja, Lecturer in Media, Communication and Cultural Studies at the University of Malawi, who has done extensive studies in this respect, hopes that judging from the inaugural speech of newly elected President Lazarus Chakwera, it looks like the new government is set to put things straight.
“The mention of getting rid of bad laws and operationalizing Access To Information law, for example, makes one hope that data protection law will also see the light of the day,” says Kainja.
“With full and open public consultations,” Kainja says, “there’s a draft in place already.”
There is also the SADC model law, which he says the government can simply localise.
“Having said this, I think it will still need a push from the civil society and all stakeholders to ask and push the government for it,” he says.
Mandatory personal data collection exercises such as SIM card registration and biometric data collection as part of the national identification programme against the right to privacy, which is enshrined in the Malawi Constitution, is the line stakeholders must take to push for change.
The Malawi Constitution stipulates that “Every person shall have the right to personal privacy, which shall include the right not to be subject to (a) searches of his or her person, home, or property; (b) the seizure of private possessions; or (c) interference with private communications, including mail and all forms of telecommunications”.
However, Kainja observes that there have been incidences where this has been violated by ensuring that the other legislation overrides such constitutional provisions through digital surveillance used to affect arrests since Malawi does not have a standalone data protection law.
As if all this is not even enough, in August 2016, MACRA unveiled plans to undertake an initiative that would have facilitated the development of a Smart City in Malawi, dubbed ‘Making a City Smart’, that sought to mitigate problems generated by what they called growing urban population.
The authority had said the Smart City Initiative would be piloted in Blantyre City before being replicated in other cities upon the successful completion of the pilot phase and that it would rely on, among others, a collection of smart ICT technologies and solutions that are applied to critical infrastructure components and services.
Macra and the City councils were considering broadband connectivity by creating Wi-Fi zones in identified recreation areas, parks, streets, hospitals, ICT innovation and tech hubs. One component would have been the establishment of cameras in the country’s cities and towns that would have been observing the activities of the citizens.
Several weeks of seeking MACRA’s input on this project and its role in ensuring that data protection law bore no fruits, as personnel through their communication chain were reluctant to react in any manner or feedback.
Recently, twenty-six youths from eight African countries completed training in construction and piloting drones meant to integrate them into a supply chain system and analyse drone data in line with the region’s demand for drones and data expertise. They graduated from African Drone and Data Academy (ADDA) in Lilongwe, Malawi.
Some analysts were also suspicious about how much the Government intended to use these drones, fearing that they may be used as part of digital surveillance.
Vice President Saulos Chilima once accused the previous Peter Mutharika Government of using MACRA to eavesdrop on people and using the information to prosecute them for stifling their political aspirations.
In March 2018, the then Minister of ICT, Nicholas Dausi, announced that the drafting of a bill on data protection in response to the changing media and technological landscape was in process.
Bram Fudzulani, ICT Association of Malawi (ICTAM), President, corroborated that Malawi is drafting its data protection and privacy laws. However, in the meantime, the Electronic Transaction and Cyber Security Act 2016 deals with the issue of data protection and privacy in one subsection.
“It simply calls on data controllers to ensure that personal data is processed fairly, legally, and collected for an explicit and legitimate purpose. Under this section, MACRA can ensure that service providers collecting data via SIM registration comply with the law and that data subjects are protected,” says Fudzulani.
Of Malawi’s two mobile phone service providers, only Airtel Malawi was willing to speak about its position in this respect, while TNM refused to comment.
Airtel Malawi’s Corporate and PR Manager Nora Chavula Chirwa says her company ensures that it keeps its customers’ information confidential ‘pursuant to our license obligations, Communications Act, Electronic Transaction and Cyber Security Act, the Constitution of Malawi and any other applicable laws and regulations’.
The Electronic Transactions and Cybersecurity Act, which provides for data protection, establishes the Malawi Computer Emergency Response Team (CERT) as a unit under MACRA.
Section 6(2) provides that the “Malawi CERT shall take charge of its information infrastructure protection actions and serve as a base for national coordination to respond to information and communication technology threats.”
Section 4 of the Act stipulates that MACRA must ensure that the Malawi CERT executes several services.
However, since the Act came into force in March 2018, MACRA Director of Finance Ben Chitsonga told the local media that the communications regulator had engaged experts from the International Telecommunication Union (ITU) to help get Malawi CERT off the ground.
ICTAM’s Fudzulani observes that although the establishment of the CERT is indeed enshrined in the electronic transaction that mandates MACRA to establish CERT, there was a need to do a lot of groundwork to get several things to start working.
“For example, there was a need for us as a country to formulate a strategy but also for MACRA to draft regulations which would then operationalize the act,” he observes.
Another thing, Fudzulani said, was the need for capacity building and sensitization among key stakeholders, ‘which is what has been happening for the past two years in partnership with a number of international partners line ITU etc.’
“I can confirm now that we have a functional CERT in Malawi and has a portal where stakeholders can report security incidents and other CERT functions,” he says.
Kainja expresses his surprise about SIM card registration, especially on how easily Malawians accepted it, as they did with the biometrics ID cards.
“We needed data protection law before rolling out these programmes,” he insists.
He says it would be difficult for citizens to stop it because it means they would have their SIM cards deactivated. Now the best way would be to lobby Parliament to devise a data protection law or review the SIM card registration altogether.
“This is likely to be an unpopular opinion with the public because the public has been told that SIM card registration is their security, so the public has opted for security, not their rights. We need civil society organisations, academia, media etc., to start paying attention to these pertinent issues,” advises Kainja.
Law Expert Edge Kanyongolo, University of Malawi’s Associate Professor of Law, and specialized in constitutional law and jurisprudence, believes the pressure for data protection legislation would probably be effective if it took the political route involving lobbying involving smart partnerships among human rights advocates, groups with special professional interests in confidentiality (doctors, lawyers etc.), opposition.
The opposition that Kanyongolo was referring to at the time of the interview was the Malawi Congress Party of President Chakwela and Vice President Saulos Chilima’s United Transformation Movement.
Now that it is in power, it should perhaps not be difficult to put personal data protection legislation in place.
This article on digital surveillance was supported by the Media Policy & Democracy Project, jointly run by the University of Johannesburg and the University of South Africa.
© investigativeplatform-mw. All Rights Reserved.