Bill Watch 29/2014 of 21st July

Update on PLC’s Adverse Report on Zimbabwe’s “Spying Regulations”

SI 142/2013: Postal and Telecommunications (Subscriber Registration) Regulations

SI 142/2013 Repealed & PLC Adverse Report Withdrawn

New Regulations Gazetted

On 5th March the Parliamentary Legal Committee [PLC]’s adverse report on SI 142/2013 was announced and placed on the Order Papers for consideration by both Houses of Parliament. The PLC had found infringements of the constitutional rights to privacy and freedom of expression [see summary of adverse report below] Debate and a vote on whether or not to approve the adverse report should have followed promptly as required by the Constitution, which provides that if an adverse report on an SI is approved it must be repealed unless the responsible Minister applies to the Constitutional Court for a ruling that the SI is not unconstitutional [see Bill Watch 15/2014 of 19th March].

This debate did not, however, take place. Veritas explained in a previous bulletin [Bill Watch 26/2014 of 12th June] that this was because the responsible Minister had told the PLC that he would, in consultation with the Postal and Telecommunications Regulatory Authority of Zimbabwe [POTRAZ], make appropriate changes to the regulations with a view to the PLC withdrawing the report if satisfied with the changes made. Withdrawal of an adverse report is permitted by the Constitution if the PLC is satisfied that the provisions it objected to are either repealed or amended in such a way as to remove infringements of the Constitution [Fifth Schedule, paragraph 9(1)].

This is what has now happened – the SI was repealed and PLC chairperson Jonathan Samukange followed up the repeal by withdrawing the adverse report in the National Assembly on 10th July.

The repeal was effected by section 13 of SI 95/2014, gazetted on 13th June and in force immediately, entitled the Postal and Telecommunications (Subscriber Registration) Regulations, 2014 [available from Veritas].

As its title indicates, the SI contains a new set of regulations on the same subject as SI 142/2013. In fact, the regulations are largely a repetition of SI 142, but with two changes designed to meet the PLC’s objections [see below]. The PLC will now have to consider and report on the new SI in the normal way.

The New Regulations SI 95/2014

The new regulations under SI 95/2014 come from the President’s Office

The preamble to the new regulations [SI 95/2014] states that they were made by the Minister for Presidential Affairs in the President’s Office in consultation with POTRAZ. SI 142/2013 was made by the Minister of Transport, Communications and Infrastructural Development. This difference is explained by the fact that earlier this year the President re-assigned responsibility for the enabling Act [the Postal and Telecommunications Act] to “the Office of the President and Cabinet”. [Note: At the time Veritas criticised this imprecise and therefore legally incorrect assignment in Bill Watch 6/2014 of 18th February; now, at least we know what the Office of the President and Cabinet think it means. We also drew attention to the fact that, confusingly, the enabling Act is also assigned to the Minster of Information Communication Technology, Postal and Courier Services. The assignments are in SIs 19 and 25/2014.]

Are the new regulations like those under SI 142/2013 ultra vires? Bill Watch 49/2013 of 7th October 2013 pointed out that SI 142/2013 as a whole might well be a legal nullity because it was ultra vires, i.e. went beyond the regulation-making powers conferred by the enabling Postal and Telecommunications Act. Attention was also drawn to individual ultra vires provisions such as the provision in section 12 for a gaol sentence for contravening the regulations, when the Act allows only a fine. These observations apply with equal force to SI 95/2014. It makes no difference that SI 95/2014 has come from the President’s Office.

What the PLC’s Adverse Report Said

[full report available from the addresses given at the end of this bulletin]

The PLC’s unanimous report makes it clear that the PLC members were agreed that as a matter of principle regulations for the maintenance of telephone subscriber databases by service providers, and a national database [amalgamating these service provider databases] by POTRAZ, would be constitutional. This is also the conclusion that Veritas came to in its analysis of SI 142/2013 [in Bill Watch 49/2013 of 7th October 2013.] The report’s survey of laws on the subject in other countries, both in Africa and the rest of the world led to this conclusion.

But the PLC was nevertheless concerned about the risks posed to subscribers by the collection of subscriber information into databases – placing them at risk of being tracked or targeted, having their private information misused, being subjected to crimes like identity theft – and was not satisfied with what SI 142/3013 had to say about access to stored subscriber information:

“One such access is by law enforcement agents on the authority of a request from an official with a rank coordinate to or above the rank of an Assistant Commissioner of Police. Unfortunately, such access is premised on a mere written request by a ranked official without any oversight to safeguard against potential abuse. The regulations could have required that the ranked official’s request be in the form of a warrant issued by a court to ensure judicial oversight. This would take into cognisance the importance of the rights in question. Although the regulations provide for legal redress for the unlawful use of personal data, judicial oversight should be available from the outset.

In addition, making subscriber information available for “educational and research purposes” removes people’s control over how and by whom their personal information will be used. Ideally, people should consent – which consent should be informed, specific and explicit – to how personal information relating to them should be used. Instead, the regulations give POTRAZ and service providers the authority to provide access to subscriber information without defining what the term “educational and research purposes” really entails. Personal information can be used to profile subscribers without their consent under the guise of “educational and research purposes”.

Bill Watch 49/2013 also mentioned the risks to which subscribers could be exposed by being obliged to provide personal information for incorporation in databases.

Finally, the report stated the PLC’s conclusion and recommendations:

“Conclusion and Recommendations Some of the provisions in the regulations need amending to align them with the Constitution. In particular, the regulations should guarantee judicial oversight over access to subscriber data bases. More importantly, Zimbabwe requires comprehensive data protection law to be put in place to govern the collection, storage, access, use, protection and security of personal information to guarantee protection of the right to privacy. The principles contained in the EU wide Data Protection Directive 95/46 EC, can serve as a guide for the implementation of this SIM card registration process. Amongst other things, this directive has been internationally touted as setting the benchmark by which data protection laws are evaluated, the standards set are widely regarded as "high" and place an emphasis on human rights while its principles have been flexible in their approach.”

Although this is not stated in the conclusion, it is clear enough from the rest of the report that the PLC’s concern was with the impact of the regulations on the rights to privacy and freedom of expression [Constitution, sections 57 and 61].

The Changes That Have Been Made in the New Regulations

The new regulations now in force under SI 95/2014 have the same structure and essentially the same wording as the now repealed SI 142/2013. There are only two changes of any significance in response to the PLC’s recommendations, in sections 9 and 10. Both changes relate to access to the database:

Access by law enforcement officers [section 9]

Section 9(2) of the repealed SI 142/2013 allowed POTRAZ to provide information from its Central Data Base to a law enforcement agent if it had received a prior written request from a official of the law enforcement agency concerned with the rank of Assistant Commissioner of Police, or equivalent rank in any other law enforcement agency. The new section 9(2) in SI 95/2014 requires a prior written request from an official of the law enforcement agency [no rank specified] who is “in possession of a warrant or court order to obtain such information”.

Does this change satisfy the PLC’s recommendations? Perhaps not. The word “warrant” rings an alarm bell. The PLC wanted the regulations to guarantee judicial oversight over access to subscriber databases. The new provision fails to do this – because, while a court order involves a judge or magistrate, warrants can be issued by police officers who have been designated as justices of the peace.

Access for research and educational purposes [section 10]

In section 10 the only change is the introduction of the word “statistical”, which limits the section to the use of “statistical” subscriber information for approved research purposes.

Does this change satisfy the PLC’s recommendations? It does not do so directly – there is no provision for subscriber consent, and no attempt at a definition of “research and educational purposes”, despite the PLC apparently wanting both. On the other hand, it may do so indirectly, because by now limiting access to statistical information only, the Minister has probably removed the original cause for the PLC’s concern, which was the risk of misuse of personal information for identity theft and the like.

What Now?

• If the PLC in due course gives SI 95/2014 a clean bill of health, its opinion cannot be the last word on the subject. It is for the courts, and ultimately the Constitutional Court, to give final rulings on the constitutionality of statutory instruments. An opinion by the PLC is not binding on any court.

• The recommendation in the PLC adverse report that: “More importantly, Zimbabwe requires comprehensive data protection law to be put in place to govern the collection, storage, access, use, protection and security of personal information and to guarantee protection of the right to privacy.” needs to be taken seriously and followed up as a matter of urgency.

A Final Point

It should be noted that the regulations under SI 142/3013 were in force from 1st October 2013 onwards. There was a long delay before the SI was considered by the PLC, leading to the adverse report on 5th March. The adverse report did not, indeed could not, nullify the SI, so it continued in force until repealed on 13th June. This delay meant that there a period of more than eight months during which access to the POTRAZ database could have granted without the safeguards the PLC considered necessary.

As pointed out above, the new regulations are also of questionable constitutionality and possibly ultra vires the enabling Act, and could attract a further adverse report from the PLC. In the interests of our constitutional right to privacy, it is important that the PLC report on them promptly and that any new adverse report be dealt with promptly by the Senate and/or the National Assembly.

Post published in: Politics

Leave a Reply

Your email address will not be published. Required fields are marked *