Data Protection in the Age of Mass Surveillance – Part I

Namibian authorities pitch flawed safeguards as pervasive state surveillance looms

“Today aims at setting the regulatory framework on how personal data should be collected, stored and processed,” said Linda Aipinge, director of ICT Development in the Ministry of Information, Communication and Technology (MICT), on the morning of 22 August 2023 to a conference hall full of mostly government stakeholders.  

“[The bill] aims to protect the individuals’ fundamental rights, freedoms, as well as privacy,” she added, as she opened the two-day validation workshop, running on 22 and 23 August, of the country’s latest version of a data protection bill.

The order in which Aipinge made these statements, albeit probably inadvertently, was telling. For it has become clear that in the Namibian government’s eyes, protecting individuals’ fundamental rights, freedoms and privacy are very much secondary considerations to the collection, storing and processing of those individuals’ communications data under the heavy cloak of ‘national security’ secrecy.   

This is because, as Linda Aipinge was addressing the room full of high ranking safety and security sector representatives, regulatory officials and political office-bearers – interlaced with a smattering of civil society and private sector representatives – Namibia was literally four months away from the effective implementation of a pervasive mass state surveillance dispensation. 

On 1 January 2024, mandatory SIM card registration and data retention regulations under Part 6 of Chapter 5 of the Communications Act of 2009 come into full effect.

Unregulated landscape

Namibia has been attempting to legislate for data protection since 2013, but these efforts have repeatedly stalled over the last decade, without it being clear why. 

In the meantime, more and more government, commercial and communication services and systems have either digitised or migrated online, with increasing amounts of personal data being collected and processed for all kinds of purposes. 

The Namibian government is arguably the largest collector and processor of personal data in the country, for everything from national ID cards to biometric voter verification, while increasingly private sector actors, such as banks and telecommunications companies, have also grown their personal data collection capacities and practices for commercial purposes.    

All this mass data collection, storing and processing has been largely unregulated.

This has meant that the right to privacy has been degraded under this continuous assault without most people realising what was happening and as mass personal data harvesting has been normalised as necessary for participation in a modern technology-driven society. 

“The right to privacy is inextricably linked to a range of other fundamental rights including the rights to freedom of expression, human dignity, and freedom from discrimination,” stated South Africa-based ALT Advisory in an October 2022 assessment of the Namibian digital rights landscape for the Institute for Public Policy Research (IPPR) and the ACTION Coalition. “The UN Human Rights Committee has found this right includes the right to bodily privacy, territorial privacy, privacy about the nature of one’s personal relationship (inclusive of sexual orientation), reputational interests, and the privacy of one’s communications and data.”

The “privacy of one’s communications and data” is now also set to completely fall with the advent of mandatory SIM card registration and data retention obligations placed on telecommunications and internet service providers that will enable the tracking, intercepting and identifying of every and all telecommunications messages and packets streaming in Namibian cyberspace, and the storing of such metadata for five years, which in effect really means always and forever. 

Glaring gaps

Namibia’s framework for communications surveillance consists of the Communications Act of 2009 and the Namibia Central Intelligence Service Act of 1997. 

In assessing the gaps and challenges of this communications surveillance framework, ALT Advisory found in 2022 that: “Measured against international and regional best practice, Namibia’s laws fall short on a range of fronts.”

Notably, the assessment established that: “Best practice dictates that the privacy violations inherent to communication surveillance demand that these powers be exercised only when necessary to respond to the most severe crimes and threats to safety and security, and only where less intrusive measures have failed. These elements are lacking or are at best inconsistently applied in the Namibian framework.”

On lack of protections for communications metadata, the assessment stated: “The Namibian framework mistakenly assumes that communications data is less sensitive than the content of communications, and accordingly provides fewer protections and safeguards for its access. This is out of keeping with international best practice, which calls for all forms of communication data to be subject to the same rigorous protections and safeguards against access.”

It is further noted that: “The harm is magnified by the extraordinary length for which communications data must be stored in terms of the Namibian framework.”

Against the backdrop of Namibia’s communications surveillance framework looming as the elephant in the room during the validation workshop for the draft data protection bill on 22 and 23 August, government officials and consultants repeatedly claimed that the proposed law met regional and international standards. 

However, ALT Advisory’s independent assessment of the draft data protection bill last year found that it “falls short of international and regional standards and does not do justice to the opportunity for Namibia to develop a digital policy that both matches and advances these standards”. (How it falls short will be discussed in Part 2)

Namibian authorities are advised that: “Considering the significant gaps and challenges in Namibia’s framework for communications surveillance, a full reform process is recommended to provide better protections and safeguards for communications and communication data, drawing on developing standards and best practice internationally and in the region.”

– Frederico Links is a Namibian journalist and researcher. This article was commissioned by the Media Policy and Democracy Project (MPDP), an initiative of the University of Johannesburg’s department of journalism, film and TV, and Unisa’s department of communication science.

– A shorter version of this article appeared in The Namibian newspaper on 24 August 2024.

24 August 2023


Frederico Links