Namibia: Legally Dodgy Harvesting of Biometric Data

MTC is scanning fingers and taking facial photos, while legal frameworks only require basic information for SIM registration.

IN A USUALLY empty retail space just around the corner from the box office inside the MTC Dome at Swakopmund, a crowd of people recently had their fingerprints scanned and then a photo taken of their faces by MTC Namibia employees.

The same was happening inside the MTC Dome arena where MTC Namibia officers were also accepting forms, scanning fingers and taking photos of patrons of the four-day Namibia Sport Expo, which ran from 8 to 11 December.

Namibia’s biggest mobile and internet service provider used the opportunity to encourage its customers to register their SIM cards, with the deadline looming for mandatory SIM card registration, 31 December 2022, just weeks away.

Since the beginning of October, Namibians have been called on to register their SIM cards so that by the time mandatory SIM card registration is implemented, on 1 January 2023, they are compliant and can continue making use of mobile telecommunications and internet services.

What was striking about what was happening at the registration points was the collection of fingerprint and facial biometric data.

The regulations for Part 6 of Chapter 5 of the Communications Act of 2009, as well as the further conditions on telecommunications licensees, require operators to collect basic information such as names, dates of birth, addresses, and copies of identification documents to register a SIM card.

There is no mention of biometric information being legally required or necessary for SIM card registration.

Since the start of the three-month window period for SIM card registration on 1 October, there has been public concern and discomfort about the collection of biometric data to register a SIM card.

DUBIOUS PRACTICE

These concerns have been raised with the management of both the Communications Regulatory Authority of Namibia (Cran) and MTC Namibia.

Cran’s management was asked what the regulator’s position was on the harvesting of biometric data by telecoms companies for the purpose of registering subscribers in the absence of legislated data protection safeguards.

MTC Namibia was asked on what legal basis it was collecting biometric data.

In acknowledging receipt of the request for comment and responding to a follow-up email, Cran spokesperson Jairus Kapenda said: “Kindly note that the authority will provide a response in due course.”

Similarly, MTC Namibia’s Tim Ekandjo promised a response to the questions sent on 21 December.

However, by the time of going to print yesterday, no response had been received from either entity.

That said, the issue is not only of concern in Namibia, but across the African continent.

In Kenya, since late 2021, human rights defenders have been battling the Kenyan regulator and the country’s largest mobile operator, Safaricom, over the company’s unlawful collection of subscriber biometric data for SIM card registration.

After first siding with Safaricom and other mobile operators who had been harvesting biometric data from subscribers, the Communications Authority of Kenya (CAK) in April backtracked in the face of legal challenges from civil society and members of the public, and conceded that Kenyans were not legally required to provide biometric data to register their SIM cards.

Since then, Safaricom – which had stopped collecting biometric data in May 2022 – has been called upon by human rights organisations and the Law Society of Kenya to delete the illegal biometric database it had created during its SIM card registration drive.

In an open letter to Safaricom published online on 14 December this year, Africa’s campaigner for global human rights organisation Access Now, Jaimee Kokonya, once again called on the company to delete the illegal biometric database, stating: “Safaricom misrepresented the law’s requirements to people who subscribe to your services on several occasions between November 2021 and April 2022, informing them they were in fact required to provide facial biometrics to comply with SIM registration requirements, and warning that failure to do so would see your company disconnect their services. Collecting facial biometrics during this process is in clear violation of various laws.”

The issue of the unregulated or legally questionable collecting of biometric data was also recently spotlighted by the Uganda-based Collaboration on International Information and Communications Technology Policy for East and Southern Africa (Cipesa), in its September 2022 report, titled ‘The Rise of Biometric Surveillance’. The Cipesa report states that a feature of biometric data collection practices by African states and mobile operators has been a lack of transparency, and that “the public provides biometric data without question or prior informed consent, but out of necessity to acquire critical services”.

“Where there have been public campaigns, these have been carried out over short periods and sporadically, often with limited disclosures and misleading information on the technologies and the purpose of the programmes, coercive directives to ensure compliance without question, and mandatory in nature without provision of alternatives to registration and enlisting,” Cipesa adds.

‘LAWFUL PROCESSING’

Namibia does not have an online privacy and data protection law, but consultations around such a draft law have been ongoing since 2019, with the latest call for public inputs ending on 30 November this year.

The draft law does not deal in depth or appropriately with biometric data, even though Namibia is looking to be compliant with the General Data Protection Regulation (GDPR) of the European Union (EU), which is considered the best practice example for data protection internationally, and which prohibits the collection and processing of biometric data, except under very specific circumstances.

An online summary of GDPR’s provisions dealing with biometric data clearly states: “The processing of biometric data generally produces higher risks to the freedoms and rights of the individual. As a result, the processing of biometric data for the purpose of uniquely identifying a natural person is prohibited according to art. 9 (1) of GDPR.”

According to GDPR, and other international best practice guidance, the processing of biometric data should be “lawful”, meaning based in clear and comprehensive legal frameworks.

Against this backdrop, the question is whether what is happening in Namibia right now is lawful.

– Frederico Links is a research associate at the Institute for Public Policy Research (IPPR).
