The Zimbabwean government extended its reach into the private lives of its citizens this week by promulgating a new law establishing a central database of information about all mobile telephone users in the country. The Statutory Instrument 142 of 2013 on Postal and Telecommunications (Subscriber Registration) Regulations 2013, gazetted last Friday, raises new challenges to the already embattled rights to privacy and free expression in Zimbabwe, increasing the potential that the repressive state will spy on its citizens and further clamp down on free speech.
The approval of the Statutory Instrument clearly shows a disregard for the rights to privacy and free expression protected by the new Zimbabwean constitution. Mandatory SIM card registration eradicates the potential for anonymity of communications, enables location-tracking, and simplifies communications surveillance and interception.
State surveillance & national security argument: The law is clearly designed to facilitate greater State surveillance, given that it is subordinate legislation that was passed on the basis of powers granted the Interception of Communications Act. According to the Statutory Instrument, telecommunications providers must each establish a subscriber database of all SIM card holders, connecting their phone number to their name, address, gender, nationality and passport or ID number. The law obliges service providers to regularly hand over copies of this data to the government, which will then establish its own central subscriber information database. Access to the database will be available for the purpose of law enforcement, upon the written request of a law enforcement agent, or for “safeguarding national security”, as well as for “undertaking approved educational and research purposes.”
Human rights argument: Service providers must keep data for five years after the customer has concluded their contract. Individuals must report the loss of their SIM card or phone, and any change in ownership of their SIM card, and the provision of false information to a telco makes an individual liable for six months imprisonment.
By facilitating the establishment of an extensive database of sensitive user information, it places individuals at risk of being tracked or targetted, and poses risks against the misuse of private information. In the absence of comprehensive data protection legislation and judicial oversight, SIM users’ information can be shared with government departments and matched with other private and public databases, enabling the State to create comprehensive profiles of individual citizens. An individual’s phone number could potentially be matched with their voting preferences or health data, enabling governments to identify and target political opposition, for example, or people living with HIV/AIDs. The potential for misuse of such information, particularly in countries with traditions of ethnic conflict and in situations of political instability and unrest, is enormous.
SIM registration can also have discriminatory effects – the poorest individuals (many of whom already find themselves disadvantaged by or excluded from the spread of mobile technology) are often unable to buy or register SIM cards because they don’t have identification documents. Undocumented migrants are similarly disadvantaged. When mobile phones are the most common form of accessing important avenues such as banking and finance, this could result in exclusion from numerous vital public services. In addition, given the additional burdens that SIM registration places on telcos, this may result in additional costs being passed on to a customer.
How policy laundering has failed elsewhere: Importantly, the justifications commonly given for SIM registration – that it will assist in reducing the abuse of telecommunications services for the purpose of criminal and fraudulent activity – are unfounded. SIM registration has not been effective in curbing crime, and instead has fueled it: States which have adopted SIM card registration have seen the growth of identity-related crime, and have witnessed black markets quickly pop up to service those wishing to remain anonymous (for example, Saudi Arabia) SIMs can be illicitly cloned, or criminals can use foreign SIMs on roaming mode, or internet and satellite telephony, to circumvent SIM registration requirements.
Because of its ineffectiveness and exclusionary impacts, SIM registration has been rejected after consultation in Canada, Czech Repulic, Greece, Ireland, the Netherlands and Poland. Yet almost all African states have now adopted SIM cards.
Civil Society disquiet and fear: A number of civil society actors have already spoken out against the move by the Zimbabwean government to join its African peers in mandating SIM registration, although most of them have chosen to remain anonymous. Indeed, dissent coming out of Zimbabwe has often been mounted under the important veil of anonymity, demonstrating the current state of free speech in the country. This law will only further eradicate democratic debate and the enjoyment of constitutional protections in the country.
Violation of constitution and law: In a country that has a presumption of constitutionality, some Zimbabwean legal experts we consulted expressed the view that section 9 the Statutory Instrument will certainly violate the new constitution which allows the police to get access to the user data base to the extent that this may not be interception of communications but an invasion of privacy. Further, they expressed the view that the new law is irregular as a ministry that is now defunct is passing it.
Jurisprudence from EU Courts on the issue: Other legal experts we consulted were of the view there is still an argument to be made that even the establishment of such a database would infringe the right to privacy in the constitution. Certainly the jurisprudence of the European and British courts is that it would. This reasoning was most recently applied by the British Court of Appeal in Catt v ACPO  EWHC 1471 where the Court considered the retention in a database of written and photographic reports about the applicant’s attendance at demonstrations and protests and held, at , “[t]he systematic collection, processing and retention of a searchable database of personal information, even of a relatively routine kind, involves a significant interference with the right to respect for private life.” In the case of publicly available information, the test is not solely, or even predominantly, concerned with whether the individual had a reasonable expectation of privacy, but rather the factor of particular importance is whether data have been subject to systematic processing and entry on a database capable of being searched in a way that enables the authorities to recover information by reference to a particular person (at , citing S v United Kingdom).
Regional Developments in respect of the issue: On 20 October 2013, together with Article 19, Media Alliance of Zimbabwe, IHRDA and Privacy International, we will be holding a Panel discussion on this and other issues, titled “Protection of the rights to free expression, privacy for journalists and HRDs”. This will take place during the Forum on the participation of during the 54th Session of the African Commission on Human and Peoples’ rights, Kairaba Beach Hotel, The Gambia. The panel discussion will be an opportunity to harness regional and international expertise and comparative experiences on how the protection of the twin rights of expression and privacy both at national and regional levels could be strengthened both in policy and practice. In particular the panel will look at what gaps, if any, are there in bringing the current policy, legislative and practice frameworks in line with international standards and norms, and other comparable national and regional regulatory standards that exhibit best practice.
*Contribution to this article from Carly Nyst, of HR Forum’s Safeguard Research partner Privacy International.