The regime of Zine el Abidine Ben Ali in Tunisia was infamous for mass surveillance practices. Yet almost six years after the regime's ousting, and despite the 2014 adoption of a constitution that grants all citizens the right to privacy, Tunisia's data protection law and its application, still do not meet international standards.
Tunisia first recognized the obligation of the state to protect the personal data of its citizens in the constitution of June 1959 (article 9) under the country's first ruler Habib Bourguiba. In July 2004, Tunisia adopted the data protection act (law n°63 of 7 July 2004). An independent authority to enforce the right to privacy was created later in 2008, and became active in 2009. These provisions, adopted under Ben Ali's rule, remain in tact today — despite large-scale changes in governance and improvements in mechanisms for public accountability, the country has made no further official progress towards protecting privacy rights.
Key draft amendments to the 2004 data protection law, prepared by the president of the Data Protection Authority, are chiefly aimed at consolidating the authority's independence from government interference, and making it unlawful for state authorities to collect, process and transfer personal data without the approval of the authority.
Everyday privacy violations in Tunisia
If adopted and properly enforced, the amendments are expected to have an impact on the day-to-day lives of users, in a country where the right to privacy is often flouted.
New obligations and sanctions would be imposed on telecommunications operators who pelt their subscribers with continuous advertising messages, and on supermarkets that harvest, transfer and store data on loyalty cards abroad. The reforms would also limit companies’ abilities to sell that data to third parties without the consent of their customers.
Another common violation is the illegal installation of video surveillance cameras by private individuals and businesses in common living spaces, which is forbidden by the 2004 law on the protection of personal data. Under the law, surveillance cameras can only be installed after the prior authorization of the Data Protection Authority, and in spaces that are open to the public such as commercial centers, parking garages, and public transportation sites.
According to figures given by the authority's president Chawki Gaddes, there are 30,000 security cameras installed illegally across the country. In one case dating back to 2015, citizens in the suburb of Megrine illegally installed two surveillance cameras to film people who throw garbage on the streets, thus threatening their neighbors’ privacy.
Steps towards reform
Chawki Gaddes and the new board members of the Data Protection Authority have taken several steps to ensure stronger privacy protections since May 2015. The authority applied for Tunisia’s accession to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). The Council of Europe later officially invited Tunisia to proceed with its Data Protection reform, so that its membership becomes effective.
Tunisia’s accession to the convention would extend legal protections for personal data in the country by covering the use of video-surveillance, health data and other sensitive data, in addition to data collected by the interconnection of everyday objects such as fridges, lamps, cars and washing machines via the Internet, known as the Internet of Things (IoT). It is expected that this will become a more prominent issue in Tunisia, after the government’s approval this month of a decree establishing a commission in charge of administrating licenses for IoT providers. Paradoxically, the Data Protection Authority is not a member of that commission.
Reforms are stymied by delays in process
The Data Protection Authority has been repeatedly sidelined by other agencies and procedural bureaucracy, and thus afforded limited power to set Tunisia’s agenda for protecting citizens’ privacy.
In a recent interview with Nawaat.org, Gaddes said that the proposal for amendments to the existing 2004 data protection law were ready six months ago. The draft proposal however has not yet been sent to the cabinet or the parliament for approval, because it remains his “individual proposal and not that of the authority’s board.”
The proposal can’t be approved until the board holds a meeting, but since May 2016, it has been impossible for the authority to hold a board meeting and reach a quorum for any decision. Among other challenges preventing the the authority from making progress, the two judges appointed as permanent members to its board have not reported to work due to a dispute over their compensation.
Unique identifiers, biometric ID and the current battles
At a September 2015 meeting, the Strategic Council in charge of the implementation of the National Strategic Plan, which is responsible for the development of the digital economy, granted the Data Protection Authority a supervisory role over the implementation of the very complex and controversial project of creating and administrating a “unique identifier” for all citizens and businesses. This system of the “unique identifier” is a collection of information relating to ID card, civil status, social security, income, taxation and more personal data, under the same code. The system will be technically managed by the National Center for Informatics, and administratively by the Ministry of Local Affairs, in charge of the forthcoming municipal elections.
The unique identifier project has raised concerns among Tunisian privacy advocates, due to the lack of legal reforms that would ensure protections for citizens’ data. Unfortunately the project is linked to Tunisia’s new Biometric Identification project called “eCIN”, which would require all citizens to carry a national ID card encoded with a rich combination of personal biometric data including one’s photograph, digitized fingerprint, social security number, and home address.
In a radio program debate about a bill on biometric identification cards approved by the government last year, the representative of the Ministry of Interior confirmed that the new biometric ID, over which the Data Protection Authority has no oversight power, would include the unique identifier. Including the personal data contained in the unique identifier in the SIM card of the new “eCIN”, will allow the police to access a mega database of citizens’ personal data, without any control. A mass surveillance system would be installed de facto. Also, the interconnection of the different databases containing sensitive data, especially with the lack of security and encryption measures, would increase hacking risks and raise questions about misuse of data by the various authorities privy to the system.
The bill has yet to be debated and adopted by the parliament, but has been criticized by experts, civil society, digital rights advocates as well as the Data Protection Authority. In a statement published on 3 November 2016, the authority lamented the fact that the government kept it from giving its advisory opinion on the draft law, and stressed the importance of involving civil society actors in such a project. It is now too late for the Data Protection Authority to give this input, as the battle has moved to the parliament where the scope of action is limited to hearings by committees.
Hope in advocacy
In response to slow reforms and attitudes towards privacy, this year Tunisia is expected to host conferences and workshops to help raise awareness and accelerate the country's compliance with international best practices as articulated in Convention 108 of the Council of Europe. A Middle East and North Africa regional workshop by the United Nations Special Rapporteur on the Right to Privacy Joseph Cannataci, is scheduled for the end of May, and a meeting of the Data Protection Commissioners of the Francophone Association of Personal Data Protection Authorities will take place later in 2017. This is in addition to a proposed awareness campaign, to be led by the Data Protection Authority with the help and expertise of the EU, if it is approved by both European and Tunisian sides.
In the meantime, the Data Protection Authority remains the only public sector actor working to promote privacy. Despite thousands of locally active NGOs, only few work on ICT or digital rights, such as the right to privacy, and if they do, their voices are not always heard. On 1 February, communication technologies and digital economy minister Anouar Maarouf said that the two civil society representatives to the Strategic Council on digital economy may no longer be invited to attend the council’s meetings, since the government has decided to review its composition, for the next meeting scheduled in three months.