During an internet freedom and digital rights training for CSOs it was highlighted that recently passed legislation in Malawi requiring mandatory registration has the capacity to allow state surveillance in the absence of a data protection law and should be of concern to all Malawians.
This statement was published on cipesa.org on 12 August 2019.
In the last three years, the Malawi government has passed a lot of legislation, and among these is the National Registration and Identification System (NRIS), which according to the National Registration Bureau, is aimed at addressing the lack of universal and compulsory registration – the NRIS allows Malawians to have a national ID.
According to the UNDP (United Nations Development Programme), one of the main funders of the exercise, 9 million Malawians have registered as of August 2019. This shows that Malawians have generally welcomed the exercise. Meanwhile, the registration in ongoing in all District Offices where anyone turning 16 years can register and have their ID card issued.
Reasons for the general acceptability of the ID registration differ and in absence of any survey it is difficult to generalise the reasons but it can be speculated that among them is that the majority of Malawians lacked any form of ID allowing them to do daily transactions. The majority of Malawians do not have a passport or a driver’s license and yet the advance in technology, with mobile banking for example, has increased the demand for IDs in the country.
Following the NRIS exercise, the national ID has increasingly become the only form of identification for most public transactions and registrations. In 2018 the Malawi government through its telecoms regulator, MACRA, rolled out a mandatory SIM Card registration, this is provided for in PART XI of Communications Act, 2016. The voter registration for the 2019 tripartite elections required the national ID as a form of identification; and now commercial banks in the country have rolled out what they are calling “know your customer” (KYC) exercise, in which clients have to update their personal information with the banks. This time the banks are only accepting the national ID as a form of identity for Malawians, and a passport for non Malawians.
This means that in a very short space of time Malawians have given away a lot of their personal data to both private and public institutions. All the data is tied to one’s national ID. This includes our communication data through our SIM Card enabled communication – internet, text messages and voice calls. But how safe is this personal data? During the voter registration exercise did we not hear of Malawi Electoral Commission [information] found abandoned in Mozambique? How do we ensure that our personal data is safe? How can we be sure that no third parties have access to our personal data? Who should be held accountable in the case of any data breach?
These are legitimate questions, especially as any breach of personal data has implications for personal privacy. Privacy is an inviolable right and it is constitutionally provided for under article 21 of the Malawi constitution. Often people argue that you should not worry about privacy if you have nothing to hide. Yet, privacy does not mean that you have something to hide.
Journalist Glenn Greenwald observes that privacy is important because we all need places where we can go to explore an issue without the judgmental eyes of other people being cast upon us. He argues that people have all kinds of things they want to keep a secret that has nothing to do with criminality. He adds:
“Only in a realm where we’re not being watched can we really test the limits of who we want to be. It’s really in the private realm where dissent, creativity and personal exploration lie… When we think we’re being watched, we make behaviour choices that we believe other people want us to make… it’s a natural human desire to avoid societal condemnation. That’s why every state loves surveillance – it breeds a conformist population.”
In the wake of mass personal data collection, Malawi needs personal data protection legislation, and this legislation should have been in place before the NRIS and what has followed that exercise. Data protection is important in order to prevent third parties from accessing personal data and also to stop the authorities from abusing personal data they collected in good faith.
Personal data protection is crucial for freedom of choice and freedom of expression. People are unable to express themselves freely in the presence of a watchful eye on everything that you are doing, browsing on the Internet for example. Inevitably, this has a chilling effect on activists, human rights defenders and other vulnerable communities, as these groups can easily be targeted by both state and non-state actors.
The mass collection of personal data in the absence of a data protection law should be of concern to all Malawians as it has the capacity to allow state surveillance. Furthermore, the mandatory SIM card registration in the absence of data protection laws means that our private communication, online and offline can easily be violated by both state and non-state actors. As with the mandatory SIM card registration, governments usually use security to introduce laws and policies. But you cannot protect people on one hand while violating other rights and freedoms on the other. Security and civil liberties can and do coexist and it is the obligation of the state to balance the two.
*Note: this article is informed by Internet freedom and digital rights training for CSOs I coordinated and co-facilitated in Lilongwe (30-31st July 2019) on behalf of The Collaboration on International ICT Policy in East and Southern Africa (CIPESA).
This article was originally published in The Nation