Two specific incidents in Zimbabwe’s pre-election period, highlight the lack of protection and privacy of citizen’s personal information and the need for personal data protection instead of laws restricting freedom of expression.
This article was originally published on zimbabwe.misa.org on 13 July 2018.
It has been an interesting week in Zimbabwean politics. This short digest discusses two ICT related events that show how dated Zimbabwean laws are when it comes to the protection and promotion of fundamental rights in the digital age.
The ZANU-PF SMS scandal
The first incident involves the sending out of personalised and targeted campaign adverts by the ruling Party ZANU-PF. These campaign adverts were in the form of SMSs sent out to registered voters in different parts of the country.
The use of Bulk SMS services is not a new phenomenon in Zimbabwe; however, the problem with the SMSs sent out by ZANU-PF is that they were specific to the name and location of each registered voter. In other words, ZANU-PF had to have access to a database that contained people’s names, their mobile numbers, and constituency information – in other words, voters’ personal data. Section 57 of the current Constitution protects the privacy of personal data.
When asked where ZANU-PF had acquired such information, the Zimbabwe Electoral Commission (ZEC) stated that it was most likely Mobile Network Operators (MNOs) who had leaked or sold their consumer information to ZANU-PF. MNOs however, were quick to refute this and issued statements stating that they respect their consumers’ privacy and they do not share consumer data with any third parties.
In its defence, ZANU-PF later issued a statement saying that they had only sent SMSs to ZANU-PF members who were part of the different ZANU-PF cell groups/structures from around Zimbabwe. This was not entirely true as non-ZANU-PF members including independent candidates received the marketing SMSs. It, therefore, remains unclear how ZANU-PF acquired people’s personal data.
Supa Mandiwanzira, the Minister of ICT and Cybersecurity would later state that anonymous hackers were responsible for leaking voters’ personal details. The minister’s statement is discussed further below.
The legal issues
What is apparent from this incident is the urgent need for the adoption of adequate privacy and data protection laws. There currently exists a glaring gap in data privacy legislation in Zimbabwe. The Access to Information and Protection of Privacy Act does not adequately protect the right to privacy as enshrined in section 57 of our current Constitution.
Secondly, affected consumers cannot rely on AIPPA’s access to information provisions to get answers on how ZANU-PF acquired their contact details without consent. This is because AIPPA applies the right to access information to only that information which is in the hands of public bodies.
In this instance, since neither ZANU-PF, MNOs, nor the Bulk service provider are public bodies, they cannot be compelled in terms of AIPPA to give information on the data they have and how they acquired such data.
Persons affected by the sending out of these bulk SMS may resort to the Postal and Telecommunication Regulatory Authority of Zimbabwe (Regulatory Circular on Unsolicited Bulk SMS) Regulatory Circular No. 2 of 2013 issued in terms of the Postal and Telecommunications Act.
This regulatory circular prevents MNOs from sharing consumer data with third parties without the consumer’s consent. Further, it prohibits the sending of marketing SMSs that do not give the consumer an option to opt out of receiving such messages in the future. An applicant has approached the courts for relief arguing that the ZANU-PF bulk SMS incident violated his consumer rights.
While the 2013 POTRAZ regulatory circular applies only to Bulk SMS services, the draft Cybercrime and Cybersecurity Bill is meant to criminalise the sending of unsolicited electronic messages, sometimes referred to as spam. Unfortunately, this draft Bill has been in the pipeline for the past 5 years leaving consumers currently unprotected from spam emails and messages.
The sending out of unsolicited SMSs based on personal information that was clearly lifted from the voters’ roll has led to the filing of a legal challenge meant to stop ZEC from releasing a voters’ roll containing voters’ photographs. A few weeks ago, the main opposition parties actually called for the release of a complete roll, however, the bulk SMS issue has shown the real threats associated with the indiscriminate sharing of people’s personal data.
Online version of the voters roll
The second incident revolves around a website that has published the current version of the Zimbabwean voters roll in its entirety. The voters’ roll on the website contains most of the personal data voters gave when they registered to vote; nothing was redacted before the roll was shared online.
It must be stated that the website creators state that they are not sharing the voters’ roll out of malice. Rather they are sharing it as an act to make information on the voters’ roll accessible and to allow voters to audit the voters’ roll on their own to identify any discrepancies which would negatively affect the voting process.
The first legal issue is that the publication of the current voters’ roll is most likely illegal since section 20 of the Electoral Act states that only ZEC is responsible for the keeping of the physical and electronic formats of the voters roll.
The second legal issue, which is more relevant to the present discussion, is the fact that this website is hosted outside of Zimbabwe. The Minister of ICT and Cybersecurity, Supa Mandiwanzira issued a statement condemning the uploading of an “unprotected” version of the voters’ roll. In the same statement, the Minister called for the website and its (hosting) internet service provider to “cease” the illegal publishing of the voters roll.
The minister’s remarks about taking down the website or going after its host internet service provider are made in the absence of any backing statutory provisions. A takedown request refers to the process used to compel an Internet service provider or website host to take down content from their website.
Take down requests are commonly used to remove content that is shared without the proper consent or infringes on copyright. However, there has to be a law or set of laws in terms of which such takedown requests are made.
For example, in the United States, takedown requests are made in terms of the Digital Millennium Copyright Act. Zimbabwe does not have any similar laws which can effectively compel a foreign organisation to take down content from its website.
Furthermore, Zimbabwean courts currently have no jurisdiction to decide on the content contained in websites hosted outside of Zimbabwe. The draft Cybercrime and Cybersecurity Bill confers this jurisdiction to Zimbabwean courts but it is unfortunate that the draft Bill has still not come into effect.
The idea of having their personal details shared with political parties and online has roused some Zimbabweans to the need for the introduction of relevant and adequate data privacy laws. MISA takes this moment to echo this general sentiment and to remind readers that privacy is not only exercised to hide personal information from prying eyes, privacy is the cornerstone of other rights such as the right to free expression.
Threatened arrest of social media users
Senior Assistant Commissioner Erasmus Makodza is quoted as saying that the Zimbabwe Republic Police is on the lookout for people who are using social media to spread misinformation about postal voting. He was speaking at a ZEC press conference, commenting on how social media reportage uncovered that postal voting was already taking place in some provinces without ZEC’s knowledge. MISA reminds the government that the sharing of information should not be criminalised during the electoral cycle. It is in everyone’s interest for factual information to be shared even if such information does show a lack of preparation or awareness on the electoral body tasked with the running of elections.