Questionable Harvesting Of Biometric Data

MTC has been scanning fingerprints and taking face photos while the legal framework only requires basic information for SIM registration.

In a usually empty retail space just around the corner from the box office inside the MTC Dome in Swakopmund, a crowd of people filled out forms and then queued to have their fingerprints scanned and then a photo taken of their faces by MTC Namibia employees. 

The same was happening inside the MTC Dome arena where, under a branded gazebo, MTC Namibia officers were also accepting forms, scanning fingers and taking photos of patrons of the four-day Namibia Sport Expo, which ran from 8-11 December 2022. 

Namibia’s biggest mobile and internet service provider used the opportunity of the sport expo to encourage its customers who attended the event to also register their SIM cards before 31 December 2022. 

From the beginning of October 2022, Namibians were called on to voluntarily register their SIM cards during a three-month window period so that by the time mandatory SIM card registration was to be implemented, as from 1 January through to December 31 2023, they were already compliant with the law.

What was striking about what was happening at the MTC Namibia SIM card registration points was the collection of fingerprint and facial biometric data. 

The regulations for Part 6 of Chapter 5 of the Communications Act of 2009, as well as the further conditions on telecommunications licensees, require operators to collect basic information such as names, dates of birth, addresses, and copies of identification documents to register a SIM card. There is no mention of biometric information being legally required or necessary for SIM card registration.

From the start of the three-month window period for SIM card registration that began on 1 October, the Institute for Public Policy Research (IPPR), and this writer in particular, received a number of queries through various channels – from emails to phone calls and SMSs – from associates and members of the public who expressed concern and discomfort that they are required to hand over biometric data in order to register their SIM cards. 

Dubious practice

These concerns have been raised with the management of both the Communications Regulatory Authority of Namibia (CRAN) and MTC Namibia. 

Specifically, the CRAN management was asked what the regulator’s position was on the harvesting of facial and fingerprint biometric data by telecoms companies for the purpose of registering subscribers in the absence of legislated data protection safeguards.

MTC Namibia was asked on what legal basis it was collecting facial and fingerprint biometric data in order to register customers. 

On 9 January 2023, CRAN responded: “Operators are required to only collect customer identification information as stipulated in the regulations and conditions. Kindly contact Mobile Telecommunications Limited for their consideration and possible response to [your other questions].”

CRAN had also sent a complaint form a few days earlier, encouraging this author to file a complaint for adjudication, if that was what was desired to address the matter.  

In mid-December 2022, MTC Namibia’s Tim Ekandjo had indicated that this writer would receive a response to the questions sent to the state-owned telecoms firm on Wednesday, 21 December 2022. When contacted again in early January 2023 for a response, Ekandjo did not commit to responding to the questions or the issues as sketched in the article that was published.  

That said, the issue of a regulator being silent or complicit in the face of legally questionable or unlawful biometric data collection practices by a telecommunications company is not only a concern in Namibia, but across the African continent. 

In Kenya, since late 2021, human rights defenders have been battling the Kenyan regulator and the country’s largest mobile operator, Safaricom, over the company’s unlawful collection of subscriber biometric data for SIM card registration.  

After first siding with Safaricom, and other mobile operators who had been harvesting biometric data from subscribers, in April 2022 the Communications Authority of Kenya (CAK) backtracked in the face of legal challenges from civil society and members of the public and conceded that Kenyans were not legally required to provide biometric data to register their SIM cards. 

Since then, Safaricom – which had stopped collecting biometric data in May 2022 – has been called upon by human rights organisations and the Law Society of Kenya to delete the illegal biometric database it had created during its SIM registration drive.

In an open letter to Safaricom published online on 14 December 2022, a campaigner for global human rights organisation Access Now, Jaimee Kokonya, once again called on the company to delete the illegal biometric database, stating: “Safaricom misrepresented the law’s requirements to people who subscribe to your services on several occasions between November 2021 and April 2022, informing them that they were in fact required to provide facial biometrics in order to comply with SIM registration requirements, and warning that failure to do so would see your company disconnect their services. Collecting facial biometrics during this process is in clear violation of various laws.”

The issue of unregulated or legally questionable collecting of biometric data was also recently spotlighted by the Uganda-based Collaboration on International ICT Policy for East and Southern Africa (CIPESA), in its September 2022 report titled ‘The Rise of Biometric Surveillance’.

The CIPESA report states that a feature of biometric data collection practices by African states and mobile operators has been a lack of transparency and that “the public provides biometric data without question or prior informed consent, but out of necessity in order to acquire critical services”.

“Where there have been public campaigns, these have been carried out over short periods and sporadically, often with limited disclosures and misleading information on the technologies and the purpose of the programmes [and] coercive directives to ensure compliance without question,” CIPESA adds.  

‘Lawful’ processing

Namibia does not have an online privacy and data protection law, but consultations around such a draft law have been ongoing since 2019, with the latest call for public inputs ending on 30 November 2022. 

The draft law does not deal in depth or appropriately with biometric data, even though Namibia is looking to be compliant with the General Data Protection Regulation of the European Union (EU), which is considered the best practice example for data protection internationally and which prohibits the collection and processing of biometric data, except under very specific circumstances. 

An online summary of GDPR’s provisions dealing with biometric data clearly states: “ The processing of biometric data generally produces higher risks to the freedoms and rights of the individual. As a result, the processing of biometric data for the purpose of uniquely identifying a natural person is prohibited according to art. 9 (1) of GDPR.”

According to GDPR, and other international best practice guidance, the processing of biometric data should be “lawful”, meaning based in clear and comprehensive legal frameworks. 

Against this backdrop, the question is whether what is happening in Namibia right now – MTC Namibia collecting biometric data in the absence of a legal framework and safeguards while the regulator is seemingly silent – is “lawful”?

UPDATE: This article was first published in The Namibian on 23 December 2022. It has since been amended to include responses from both the Communications Regulatory Authority of Namibia (CRAN) and MTC Namibia.  

23 January 2023


Frederico Links

Frederico Links is a research associate at the Institute for Public Policy Research (IPPR) for which he coordinates a project looking at cybercrime and data protection policy issues