BILL WATCH 49/2013
[7th October 2013]
SI 142 of 2013: A Spies’ Charter?
The Postal and Telecommunications (Subscriber Registration) Regulations, 2013, were published in the Gazette as SI 142 of 2013 [available from Veritas by email or on website – see addresses at end of bulletin] and have provoked some alarm. “Government has … permitted its security agencies to spy into people’s telephone call records, text messages and Internet communication,” is just one of the comments made in the press.
Is the alarm justified? In this Bill Watch we shall attempt an answer, first by trying to determine what the regulations actually mean [not a very easy task], then by seeing if they are valid in terms of the Act under which they purport to be made, and finally by looking at their constitutionality.
Content of the regulations
Obtaining of subscriber information
The regulations prohibit “service providers” [i.e. organisations that provide telecommunication services such as cell-phone services, telephone services and internet access] from providing services to their customers unless they have obtained and recorded basic information about their customers’ identity. The information, called “subscriber information” in the regulations, consists of:
- · in the case of an individual, his or her full names, residential address, nationality, gender, national ID or passport number and the number of their SIM card or telephone [section 4(1)(a) of the regulations].
- · in the case of an entity such as a company, its full name, address and registration number; its registration certificate or business licence; the full name, national ID number and address of its authorised representative; and the number of its SIM card or telephone [section 4(1)(b) of the regulations].
The provision of false information to a service provider is a criminal offence, and service providers who suspect they have been given false information must report the matter to the police within 24 hours. Service providers must store their customers’ subscriber information for as long as they provide services to the customers and for five years afterwards [section 4(6)–(9) of the regulations].
Databases of subscriber information
Service providers must keep registers recording the subscriber information which they and their agents have collected, and must provide the Postal and Telecommunications Regulatory Authority of Zimbabwe [POTRAZ] with access to and copies of their registers on demand [section 7 of the regulations. Note, incidentally, that this does not apply to the records kept by employers or renters under section 5]. Service providers are also obliged to supply POTRAZ regularly with updates from their registers [section 8].
POTRAZ is obliged to maintain a central database of subscriber information supplied by service providers. One of the objects of the database is to “assist law enforcement agencies or safeguarding [sic] national security”.
Disclosure of subscriber information
The regulations emphasise repeatedly that subscriber information contained in service providers’ registers and in POTRAZ’s central database is confidential:
- · Information in the central database is “held on a strictly confidential basis” [section 8(5)].
- · Service providers must “take all reasonable precautions … to prevent any … unauthorised disclosure” of subscriber information [section 8(9)]
- · Access to subscriber information is prohibited except on limited grounds, including:
- · assisting emergency services;
- · assisting “enforcement agencies or safeguarding national security”;
- · “approved educational and research purposes” [section 8(10)].
- · Employees of POTRAZ and service providers have a duty of confidentiality regarding subscriber information [section 9(1)].
- · Any outsider who has been given the right to use subscriber information from the central database must destroy it within 10 days after such use [section 11].
Nonetheless, the regulations provide for POTRAZ to disclose subscriber information:
- · Under section 9, subscriber information in the central database “may” be given to a law enforcement agent [a term which is not defined but which presumably includes the CIO] if it is requested in writing by an officer of or above the rank of Assistant Commissioner of Police or an equivalent rank in another force. Although the word “may” is used, the context suggests that POTRAZ cannot refuse such a request. The regulations do not expressly require the officer to give reasons for his or her request, but since they go on to say that POTRAZ can disclose information only to the extent that it is necessary for the proper performance of the officer’s duties, there is a clear implication that the officer must give at least some reasons. POTRAZ must refuse a request to disclose information if the disclosure would:
- · constitute a breach of the Constitution or any other enactment, or
- · constitute a threat to national security.
- · Under section 10, POTRAZ may approve the disclosure of subscriber information for research purposes, but researchers seeking approval must complete a “privacy impact form” evaluating the risks to privacy and the way in which the risks will be mitigated; they are also prohibited from providing the information to anyone else unless authorised to do so.
It is these provisions for the disclosure of subscriber information, particularly disclosure to the Police and CIO, that have given rise to fears that the regulations will allow government agencies to intercept telephone and cell-phone calls, e-mails and text messages.
Do the regulations authorise calls and e-mails to be “tapped”?
No. It must be emphasised that the regulations deal with “subscriber information”, i.e. the names, addresses and identification particulars of subscribers or customers. The regulations do not cover information regarding calls made, or e-mails or text messages sent, by subscribers or customers. Hence the regulations do not directly allow government agencies to eavesdrop on calls or to intercept e-mails or text messages. They may, however, facilitate such eavesdropping or interception, as, under the Interception of Communications Act, law enforcement officers can apply to the responsible Minister for a warrant authorising them to intercept communications including calls, e-mails and messages and the SI may assist officers in applying for interception warrants if they know the personal particulars of people whose calls and messages they want to intercept.
At the most, therefore, it can be said that the regulations facilitate, rather than directly authorise, the interception of communications.
Even so, there are grounds for questioning the validity of the regulations.
Validity of the regulations under the Postal and Telecommunications Act
The regulations were made under section 99 of the Postal and Telecommunications Act, and there is nothing in the section that expressly empowers the Minister to make regulations dealing with the recording and disclosure of subscriber information. The section begins with the usual formula allowing the Minister to make regulations for “all matters which, in the opinion of the Minister, are necessary or convenient to be prescribed for carrying out or giving effect to [the] Act.” Wide though this formula is, it does not permit the Minister to go outside the ambit of the Act, and the long list of specific topics on which the Minister can make regulations, set out in section 99(3), does not mention anything relating to subscriber information. Although this is not decisive, it does give rise to an inference that Parliament did not envisage the Minister making these regulations — an inference that is reinforced by section 98 of the Act, which deals specifically with the interception and handing over of telegrams to law enforcement authorities but does not mention the handing over of other information.
It can be argued, therefore, that the regulations are invalid on the ground that they are ultra vires [i.e. not authorised by] the Act under which they were purportedly made.
Another ground for questioning the validity of the regulations is that they purport to have been made by the Minister of Transport, Communications and Infrastructural Development. There was a Minister with that title in the inclusive government, but there is no such portfolio in the current Cabinet, and it is not clear which Minister is currently authorised to make regulations under the Act. There is at least a possibility, therefore, that an unauthorised person made the regulations, and if so they would be invalid. If the regulations were challenged on this ground in court, the question would have to be settled by evidence as to who made them.
Individual provisions of the regulations may be invalid on other grounds:
- · Section 9, as noted above, obliges POTRAZ to provide law enforcement officers with subscriber information on request, but does not limit the grounds on which the officers may request the information. Nor do the officers have to go through any procedure before requesting the information, such as applying to a judge or magistrate for a warrant. To the extent that the section allows officers to demand information for any reason, and without any impartial monitoring, it is unreasonably wide.
- · Similarly, section 10, which allows POTRAZ to disclose subscriber information “for approved research purposes” is too wide because there is no provision to ensure that private and personal information is not disclosed.
- · Most of the penalties prescribed for offences under the regulations exceed the maximum permitted by section 99(6) the Act, which is a fine of $5 000 Zimbabwe dollars [the equivalent of level 4, according to the latest standard scale of fines] or, in default of payment, six months’ imprisonment. Under the Act, imprisonment cannot be imposed except as an alternative to a fine; the regulations purport to allow imprisonment without the option of a fine.
Validity of the regulations under the Constitution
Section 57 of the Constitution protects the right to privacy as a fundamental human right, and although the section does not state specifically that the right extends to keeping one’s personal particulars private, undoubtedly it does do so. That is clear from court decisions in other countries. Many countries go further and have data protection laws which prohibit the disclosure and misuse of databases of personal particulars. Even Zimbabwe has such a law — AIPPA. However, the right to privacy is not absolute. Under section 86 of the Constitution it may be limited by law to the extent that the limitation is “fair, reasonable, necessary and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom”.
Do the regulations fall within this limitation? For the following reasons, our Constitutional Court would probably hold that they do:
- · Many other countries in Africa have laws requiring the registration of subscriber details: for example, South Africa, Nigeria and Kenya — all of which can be regarded as democratic societies.
- · In South Africa, where the constitution protects privacy in very similar terms to ours, the courts have held that a person’s right to privacy must be protected stringently in the “inner sanctum” of his or her family life and home environment, but that the protection becomes less stringent the further the person goes outside that inner sanctum and interacts with other people. So, for example, a person’s private letters to his or her spouse are stringently protected from exposure, but his or her business letters are less so. The further the person goes outside the inner sanctum the more important are the rights of other people, and of society as a whole. Personal particulars such as one’s name, address and telephone or cell number probably do not fall within one’s “inner sanctum” and so are not immune from disclosure to the State.
- · If the regulations were amended to state that subscriber information can be handed over only if the information is reasonably required for the investigation of crime or in the interests of national security, or if the Constitutional Court were to hold that such a limitation is implicit in the regulations — which, as indicated earlier, may be the case — then it is most unlikely that the Court would hold that the regulations are an unconstitutional invasion of the right to privacy.