In Malawi, authorities increasingly require citizens to give up personal information to engage in everyday life, from using a mobile phone to participating in elections.
But without a clear data protection law, citizens’ rights to privacy are under threat.
In 2017, the Malawi government rolled out nationwide registration. Every Malawian aged 16 and above is required to register into the national register and obtain a national identity card.
This followed the January 2010 national registration and identification system under then-President Bingu wa Mutharika’s National Registration Act. It took five years for the system to become operational on August 1, 2015.
According to the National Registration Bureau (NRB), the national ID system would serve many purposes by acquiring “information about the population” that would enable “policymakers to use data-driven planning” for development and services delivery. For individuals, this would give them “proof of their nationality and personal information so that they can use it to claim their benefits.”
Voter registration saga
Most recently, these identification registration systems were called into question in the days leading up to Malawi’s do-over election in June, when then-opposition candidate Dr. Lazarus Chakwera, of Tonse Alliance, made allegations that underage children were being registered as part of a plot to rig the fresh election.
On social media, netizens posted photographs of children lining up, purportedly to be registered into the National Registration System, synchronized with voter registration. The NRB denied these allegations.
The Supreme Court of Appeal ruled that in the fresh elections, only previously registered voters in the original May 2019 election could vote and that new voters were ineligible. The decision came when then-President Peter Mutharika disputed the Constitutional Court ruling that ordered the fresh election.
SIM card registration and data protection
The national ID process then became tied to the national sim card registration process.
In January 2018, the Malawi Communications Regulatory Authority (MACRA) announced a mandatory national sim card registration exercise.
Based on the Communications Act of 2016, this required everyone with a mobile phone number in the country to register their sim card. MACRA issued a deadline of March 31, 2018, to register every sim card, after which date all unregistered numbers would stop working. The deadline was later extended to September 30, with a requirement that all newly bought sim cards must get registered within seven days.
By October 2018, it was estimated that up to 9 million Malawians had registered with the National Register.
MACRA said sim registration is important for several reasons: First, it prevents a fraudulent practice called “sim boxing;” it helps recover stolen phones; offers protection from violent, threatening, or hateful texts; instills “discipline” for abusers; helps law enforcement solve crimes; and checks fraud and theft committed via mobile phones.
Banks and telecoms companies operating mobile money services embarked on a “know your customer” exercise in which Malawians were required to present their national ID for all transactions. They announced that failure to present a national ID would result in freezing one’s account.
University of Malawi scholar Jimmy Kainja pointed out in August 2019 that Malawians were being forced to give away a lot of their personal data to both private and public institutions when the country did not have a data privacy protection law. In his article, “Are Malawians Sleep Walking into a Surveillance State?” Kainja argued that the country needed a data protection law before Malawians were required to surrender all personal data.
As stated by the NRB, data collected for the National Register includes a person’s surname and given names, nationality, date of birth, and place of birth. The NRB also collects data on one’s sex, current residence, height, eye color, passport number, marital status and parents’ information. The bureau also collects biometric information, including all 10 fingerprints, a personal photograph and signature.
How safe was this personal data? What assurances were there that third parties would not have access to this data? Who would be held accountable should there be data breaches?
Journalist Gregory Gondwe observed in July that digital surveillance was slowly creeping into Malawi while hiding behind legal instruments. Gondwe argued that the country lacked a “dedicated data governance framework” that placed citizens “at the mercy of those in the custody of such personal data as they could use it against them or worse still, pawn it for a profit.”
Information technology expert Zangaphee Chimombo told Global Voices that sim registration is necessary, especially as the country ponders the introduction of cryptocurrency.
However, he cautions against potential abuse of sim card data by telecoms staff and government authorities. In cases where necessary, “the use of valid police search warrants should be ensured,” urged Chimombo.
A data protection law in the works
According to both Kainja and Gondwe, the government is currently drafting a data protection law, but bringing the law through the legislative process could prove to be a drawn-out process.
University of Malawi law scholar Edge Kanyongolo told Gondwe that a law for the protection of personal data would stand a better chance of passing if there was coordinated pressure among likeminded groups such as human rights advocates, doctors, lawyers and members of the opposition.
Following Malawi's fresh election on June 23, Dr. Lazarus Chakwera became the new president of Malawi. He has since promised Malawians a new era in which the rule of law will be paramount, among other momentous reforms.
Kainja hopes that the enactment of a data protection law will be among those reforms. Malawians have been too willing to surrender their personal data without assurances of the safety and protection of their data, he observes.