Back to Index
142 of 2013: A spies' charter? - Bill Watch 49/2013
October 07, 2013
and Telecommunications (Subscriber Registration) Regulations, 2013,
were published in the Gazette as SI 142 of 2013 and have provoked
some alarm. “Government has … permitted its security
agencies to spy into people’s telephone call records, text
messages and Internet communication,” is just one of the comments
in the press.
Is the alarm
justified? In this Bill Watch we shall attempt an answer, first
by trying to determine what the regulations actually mean [not a
very easy task], then by seeing if they are valid in terms of the
Act under which they purport to be made, and finally by looking
at their constitutionality.
of the regulations
of subscriber information
prohibit “service providers” [i.e. organisations that
provide telecommunication services such as cell-phone services,
telephone services and internet access] from providing services
to their customers unless they have obtained and recorded basic
information about their customers’ identity. The information,
called “subscriber information” in the regulations,
- in the case
of an individual, his or her full names, residential address,
nationality, gender, national ID or passport number and the number
of their SIM card or telephone [section 4(1)(a) of the regulations].
- in the case
of an entity such as a company, its full name, address and registration
number; its registration certificate or business licence; the
full name, national ID number and address of its authorised representative;
and the number of its SIM card or telephone [section 4(1)(b) of
of false information to a service provider is a criminal offence,
and service providers who suspect they have been given false information
must report the matter to the police within 24 hours. Service providers
must store their customers’ subscriber information for as
long as they provide services to the customers and for five years
afterwards [section 4(6)–(9) of the regulations].
of subscriber information
must keep registers recording the subscriber information which they
and their agents have collected, and must provide the Postal and
Telecommunications Regulatory Authority of Zimbabwe [POTRAZ] with
access to and copies of their registers on demand [section 7 of
the regulations. Note, incidentally, that this does not apply to
the records kept by employers or renters under section 5]. Service
providers are also obliged to supply POTRAZ regularly with updates
from their registers [section 8].
POTRAZ is obliged
to maintain a central database of subscriber information supplied
by service providers. One of the objects of the database is to “assist
law enforcement agencies or safeguarding [sic] national security”.
of subscriber information
emphasise repeatedly that subscriber information contained in service
providers’ registers and in POTRAZ’s central database
in the central database is “held on a strictly confidential
basis” [section 8(5)].
providers must “take all reasonable precautions …
to prevent any … unauthorised disclosure” of subscriber
information [section 8(9)]
- Access to
subscriber information is prohibited except on limited grounds,
“enforcement agencies or safeguarding national security”;
educational and research purposes” [section 8(10)].
of POTRAZ and service providers have a duty of confidentiality
regarding subscriber information [section 9(1)].
- Any outsider
who has been given the right to use subscriber information from
the central database must destroy it within 10 days after such
use [section 11].
the regulations provide for POTRAZ to disclose subscriber information:
- Under section
9, subscriber information in the central database “may”
be given to a law enforcement agent [a term which is not defined
but which presumably includes the CIO] if it is requested in writing
by an officer of or above the rank of Assistant Commissioner of
Police or an equivalent rank in another force. Although the word
“may” is used, the context suggests that POTRAZ cannot
refuse such a request. The regulations do not expressly require
the officer to give reasons for his or her request, but since
they go on to say that POTRAZ can disclose information only to
the extent that it is necessary for the proper performance of
the officer’s duties, there is a clear implication that
the officer must give at least some reasons. POTRAZ must refuse
a request to disclose information if the disclosure would:
a breach of the Constitution
or any other enactment, or
a threat to national security.
- Under section
10, POTRAZ may approve the disclosure of subscriber information
for research purposes, but researchers seeking approval must complete
a “privacy impact form” evaluating the risks to privacy
and the way in which the risks will be mitigated; they are also
prohibited from providing the information to anyone else unless
authorised to do so.
It is these
provisions for the disclosure of subscriber information, particularly
disclosure to the Police and CIO, that have given rise to fears
that the regulations will allow government agencies to intercept
telephone and cell-phone calls, e-mails and text messages.
regulations authorise calls and e-mails to be “tapped”?
No. It must
be emphasised that the regulations deal with “subscriber information”,
i.e. the names, addresses and identification particulars of subscribers
or customers. The regulations do not cover information regarding
calls made, or e-mails or text messages sent, by subscribers or
customers. Hence the regulations do not directly allow government
agencies to eavesdrop on calls or to intercept e-mails or text messages.
They may, however, facilitate such eavesdropping or interception,
as, under the Interception
of Communications Act, law enforcement officers can apply to
the responsible Minister for a warrant authorising them to intercept
communications including calls, e-mails and messages and the SI
may assist officers in applying for interception warrants if they
know the personal particulars of people whose calls and messages
they want to intercept.
At the most,
therefore, it can be said that the regulations facilitate, rather
than directly authorise, the interception of communications.
Even so, there
are grounds for questioning the validity of the regulations.
of the regulations under the Postal and Telecommunications Act
were made under section 99 of the Postal and Telecommunications
Act, and there is nothing in the section that expressly empowers
the Minister to make regulations dealing with the recording and
disclosure of subscriber information. The section begins with the
usual formula allowing the Minister to make regulations for “all
matters which, in the opinion of the Minister, are necessary or
convenient to be prescribed for carrying out or giving effect to
[the] Act.” Wide though this formula is, it does not permit
the Minister to go outside the ambit of the Act, and the long list
of specific topics on which the Minister can make regulations, set
out in section 99(3), does not mention anything relating to subscriber
information. Although this is not decisive, it does give rise to
an inference that Parliament did not envisage the Minister making
these regulations — an inference that is reinforced by section
98 of the Act, which deals specifically with the interception and
handing over of telegrams to law enforcement authorities but does
not mention the handing over of other information.
It can be argued,
therefore, that the regulations are invalid on the ground that they
are ultra vires [i.e. not authorised by] the Act under which they
were purportedly made.
for questioning the validity of the regulations is that they purport
to have been made by the Minister of Transport, Communications and
Infrastructural Development. There was a Minister with that title
in the inclusive government, but there is no such portfolio in the
current Cabinet, and it is not clear which Minister is currently
authorised to make regulations under the Act. There is at least
a possibility, therefore, that an unauthorised person made the regulations,
and if so they would be invalid. If the regulations were challenged
on this ground in court, the question would have to be settled by
evidence as to who made them.
of the regulations may be invalid on other grounds:
9, as noted above, obliges POTRAZ to provide law enforcement officers
with subscriber information on request, but does not limit the
grounds on which the officers may request the information. Nor
do the officers have to go through any procedure before requesting
the information, such as applying to a judge or magistrate for
a warrant. To the extent that the section allows officers to demand
information for any reason, and without any impartial monitoring,
it is unreasonably wide.
section 10, which allows POTRAZ to disclose subscriber information
“for approved research purposes” is too wide because
there is no provision to ensure that private and personal information
is not disclosed.
- Most of
the penalties prescribed for offences under the regulations exceed
the maximum permitted by section 99(6) the Act, which is a fine
of $5 000 Zimbabwe dollars [the equivalent of level 4, according
to the latest standard scale of fines] or, in default of payment,
six months’ imprisonment. Under the Act, imprisonment cannot
be imposed except as an alternative to a fine; the regulations
purport to allow imprisonment without the option of a fine.
of the regulations under the Constitution
Section 57 of
the Constitution protects the right to privacy as a fundamental
human right, and although the section does not state specifically
that the right extends to keeping one’s personal particulars
private, undoubtedly it does do so. That is clear from court decisions
in other countries. Many countries go further and have data protection
laws which prohibit the disclosure and misuse of databases of personal
particulars. Even Zimbabwe has such a law — AIPPA.
However, the right to privacy is not absolute. Under section 86
of the Constitution it may be limited by law to the extent that
the limitation is “fair, reasonable, necessary and justifiable
in a democratic society based on openness, justice, human dignity,
equality and freedom”.
Do the regulations
fall within this limitation? For the following reasons, our Constitutional
Court would probably hold that they do:
- Many other
countries in Africa have laws requiring the registration of subscriber
details: for example, South Africa, Nigeria and Kenya —
all of which can be regarded as democratic societies.
- In South
Africa, where the constitution protects privacy in very similar
terms to ours, the courts have held that a person’s right
to privacy must be protected stringently in the “inner sanctum”
of his or her family life and home environment, but that the protection
becomes less stringent the further the person goes outside that
inner sanctum and interacts with other people. So, for example,
a person’s private letters to his or her spouse are stringently
protected from exposure, but his or her business letters are less
so. The further the person goes outside the inner sanctum the
more important are the rights of other people, and of society
as a whole. Personal particulars such as one’s name, address
and telephone or cell number probably do not fall within one’s
“inner sanctum” and so are not immune from disclosure
to the State.
- If the regulations
were amended to state that subscriber information can be handed
over only if the information is reasonably required for the investigation
of crime or in the interests of national security, or if the Constitutional
Court were to hold that such a limitation is implicit in the regulations
— which, as indicated earlier, may be the case — then
it is most unlikely that the Court would hold that the regulations
are an unconstitutional invasion of the right to privacy.
makes every effort to ensure reliable information, but cannot take
legal responsibility for information supplied
Please credit www.kubatana.net if you make use of material from this website.
This work is licensed under a Creative Commons License unless stated otherwise.