Aller au contenu principal
Photo: DAI's Digital Frontiers, used under CC BY-NC 2.0 licence (https://flic.kr/p/2oRx8wf)

This article was originally published in Issue 2 of Southern Africa Digital Rights, an online publication produced under the project "The African Declaration on Internet Rights and Freedoms: Fostering a human rights-centred approach to privacy, data protection and access to the internet in Southern Africa".

At the time of writing, Namibia still did not have an online privacy and data protection law on the statute books. However, such a law has been in on-and-off discussion within relevant Namibian government circles for most of the last decade, with an initial data protection bill even having been drafted in 2013.

It was only in 2018, though, that efforts towards crafting a substantive law had new life breathed into them when, under a year-long project running from October 2018 to December 2019, a cybersecurity capacity maturity assessment of Namibia was conducted as part of the Commonwealth Cyber Programme, by the World Bank and the Global Cybersecurity Capacity Centre, at the University of Oxford. [1]

It was during this assessment that the prevailing online privacy and data protection situation in Namibia became clear, with the assessment report stating: “Most of the government agencies and private sector companies are not implementing any data protection standards and best practices to ensure that the sensitive and personal data that they collect, process and store are adequately protected.”

Following this process, in 2020 a new consultation process was initiated, with assistance and technical support from the Council of Europe and the Commonwealth Secretariat, to help Namibia come up with an updated data protection draft bill. [2] This process started off with a three-day workshop on data protection legislative drafting in February 2020 and culminated later that year with a draft bill that was shared as the “Final final Data Protection Bill 2020”.

However, by the end of that year, the consultation and drafting process appeared to have stalled again and it was only in early October 2022 that momentum suddenly appeared to pick up again, when the Ministry of Information, Communication and Technology (MICT) suddenly, and quite unexpectedly for those interested in the topic, issued a notice calling for public inputs to a draft data protection bill to be submitted by 31 October. [3]

The bill for which inputs were being sought was quite substantially different from the last version that had been shared publicly – the “Final final Data Protection Bill 2020” version.

It is the version of the bill that became public in October 2022 that will be the focus of discussion in this article.

Domestic, regional and international frameworks

The right to privacy is enshrined in Article 13 of the Namibian Constitution, [4] which states:

“1. No persons shall be subject to interference with the privacy of their homes, correspondence or communications save as in accordance with law and as is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.

2. Searches of the person or the homes of individuals shall only be justified:

(a) where these are authorised by a competent judicial officer;

(b) in cases where delay in obtaining such judicial authority carries with it the danger of prejudicing the objects of the search or the public interest, and such procedures as are prescribed by Act of Parliament to preclude abuse are properly satisfied.”

It could be argued that this constitutional provision is clear and crisp, but its scope has never been meaningfully defined by a court of law, although current regulatory developments around mandatory SIM card registration have opened up room for litigation against the backdrop of Article 153.

While Namibia has not yet enacted a law protecting online privacy and personal data, the country’s National Cybersecurity Strategy and Awareness Raising Plan 2022-2027 [5] posits privacy and personal data protection as critical priorities to ensuring cybersecurity. The strategy, in the foreword, expresses the recognition that its aims include protecting Namibian “netizens’ privacy”. In fact, Pillar 1 of the six strategic pillars is “Privacy and Personal Data Protection”, which states that eventual data protection legislation will be in line with international standards.

Furthermore, the strategy states that one of its three guiding principles is “Fundamental Human Rights”, with its design based on “respect for universally agreed fundamental rights, including, but not limited to, the United Nations’ Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, as well as relevant multilateral or regional legal frameworks”.

In this regard, it states that in its rollout “attention should be paid to freedom of expression, privacy of communications and personal-data protection”.

However, while the above statements are very consequential, it should be noted that the strategy does not incorporate a human rights framing in its higher-level statements, such as the mission and vision.

Aside from these domestic and international frameworks informing the country’s attempts at legislating around online privacy and data protection, at a regional level, Namibia is one of the few African countries that has ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention). [6]

Despite these frameworks and instruments supposedly informing the drafting of the latest version of the online privacy and data protection bill of October 2022, the bill appears to considerably fall short of the human rights standards emanating from these frameworks and instruments.

The 2020 draft vs the 2022 draft

As indicated earlier, in October 2022 input and comments were suddenly invited by MICT on a draft data protection bill and it quickly became clear that the bill in question differed markedly with one that was shared for comment in late 2020.

An analysis of the October 2022 draft, compiled by the South Africa-based ALT Advisory on behalf of the Institute for Public Policy Research (IPPR) and the Access to Information in Namibia (ACTION) Coalition, [7] found the differences between the two versions of the bill highly problematic in many respects.

The analysis report, [8] which was submitted to MICT ahead of the 31 October 2022 deadline, starts off by stating that “we note that the present iteration of the Bill (as circulated in October 2022 and dated 2021) appears to be substantially different in comparison to previous versions of the Bill, particularly the draft 2020 version of the Bill which was subject to a multi-stakeholder engagement in February 2020”.

The report goes on to state: “The present iteration of the Bill is of concern and, in multiple instances, removes or amends necessary and important sections from the 2020 version of the Bill, including, among others … Part III of the 2020 Bill which affirms the rights of data subjects.”

And it continues: “While the reason for these sweeping changes remains unclear, they are addressed, in part, in these submissions. However, as a result of these changes, the Bill should be further developed following this public participation process and further opportunities to provide written submissions on future versions of the Bill should be provided to all stakeholders, including civil society.”

Human rights concerns

Some of the areas of specific human rights concern raised about the 2022 draft were underdeveloped consent provisions, the almost complete absence of protections for data subjects, and the absence of carve-outs for journalistic, artistic and academic data collection and processing.

With regard to consent provisions, the civil society analysis states: “Adding the element of prior consent to all data subjects strengthens the definition of “consent” in section 1 of the Bill and ensures that data subjects must consent to the processing of their personal data prior to processing.”

As for issue of the protection of the rights of data subjects, the civil society submission calls for reintroduction of “Part III of the 2020 version of the Bill as a new Part 2 in the present Bill, with the “Data Protection Supervisory Authority” part becoming a new Part 3. This will correctly give prominence to the primary rights holders in the Bill: data subjects.” Part III of the 2020 version lays out comprehensive protections for data subjects, which were completely absent from the latest draft.

In terms of freedom of expression concerns around the lack of recognition of the significance of provisioning for journalistic, artistic and academic data collection and processing, the civil society report states: “An express exemption for journalistic, literary, or artistic purposes should be recognised in the Bill, either in section 34(1)(f) or section 43, and should provide that “The Act does not apply to the processing of personal data solely for the purpose of journalistic, literary, or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression, including press freedom.” (Additionally, an express exemption for processing personal data for academic purposes, with sufficient safeguards, should be considered by MICT.)”

Conclusion

It is against the backdrop of these, and a host of other, shortcomings of the draft privacy and data protection bill that civil society concluded that in its present form, the Bill is not fit for purpose and called for further consultations.

At the time of finalising this article such consultations were scheduled to take place through March 2023 in communities across the country under the auspices of the Ministry of ICT. It was hoped that these consultations would address the identified shortcomings and weaknesses in the bill towards addressing “the inherent need to protect and promote the rights of data subjects in Namibia”.

Notes

1 https://cybilportal.org/projects/cmm-review-namibia-as-part-of-the-commonwealth-cyber-programme  

2 https://www.coe.int/en/web/cybercrime/news/-/asset_publisher/S73WWxscOuZ5/content/glacy-cyber-security-and-cybercrime-maturity-assessment-of-namibia

3 https://action-namibia.org/government-seeks-public-input-on-draft-data-protection-bill

4 https://www.lac.org.na/laws/annoSTAT/Namibian%20Constitution.pdf

5 https://drive.google.com/file/d/1Zh2B1qpzLiLo80LttqN0fbvhJbzW1TNq/view?usp=sharing

6 https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf

7 https://action-namibia.org/https-action-namibia-org-wp-content-uploads-2022-11-action-data-protection-submission-pdf

8 https://action-namibia.org/wp-content/uploads/2022/11/ACTION-Data-Protection-Submission.pdf