MALAWI’S DATA PROTECTION LAW STILL IN LIMBO

BY GREGORY GONDWE

Laws in Malawi that would otherwise have helped in achieving data protection have stalled, and the country’s civil society organisations believe that authorities are dragging their feet for fear of the unknown, as there is no plausible explanation for why there are still no appropriate laws in place.

So far, the Centre for Human Rights and Rehabilitation (CHRR) and the Digital Rights Coalition (DRCo) have asked the Malawi Government to expedite the enactment of the Data Protection Bill 2021 into law.

Malawi’s competition law expert Elton Jangale, writing for Bowman’s Law Firm’s Africa Guide to Data Protection, observes that Malawi does not have a comprehensive data protection law.

He is, however, quick to point out that data protection provisions are included in the Constitution of Malawi, Article 21, regarding the right to personal privacy and in the Electronic Transactions and Cybersecurity Act, 2016.

Then there is also a draft Data Protection Bill 2021 published for public comment two years ago. And in the absence of this law, all that is happening is mulling over what could have been.

What is in Store

The draft Bill’s memorandum acknowledges that as the Malawi economy becomes increasingly reliant on digital technologies, there is a need to protect the personal data of individuals collected, generated, stored and utilised by public and private sector institutions including in the provision of healthcare, health and other types of insurance, education, banking and financial services, hospitality services, civil registration, voting, immigration, national ID and delivery of social programmes.

“Such personal data can be stolen, lost, disclosed, misused and abused by those who collect, generate, store and utilise it, resulting in identity theft, unwarranted or embarrassing disclosures, loss of information and unwarranted marketing and solicitation,” the draft bill’s memorandum reads.

It further recognises the dangers posed to individuals by the unregulated or uncontrolled collection and use of personal data and the critical role that data integrity, including personal data, plays in modernising the Malawi economy.

“This Bill seeks to provide a comprehensive legislative framework for the protection and security of personal data, consolidate data protection provisions currently found in various Acts of Parliament, and protect the digital privacy of individuals without hampering social and economic development in Malawi,” it says.

Part II of the Bill designates the Malawi Communications Regulatory Authority as the Authority to regulate and monitor personal data protection and digital privacy in Malawi and oversee the implementation of and be responsible for enforcing the Bill.

A Data Protection Office is established within the Authority responsible for the activities relating to data protection under the Bill.

This part also describes various administrative processes relating to MACRA’s data protection duties, functions, and powers.

The draft bill then describes a “data controller” as an individual, private entity, public authority or agency or any other body who or which, alone or jointly with others, determines the purposes and means of processing personal data.

Then there is also the definition of a “data processor” as an individual, private entity, public authority or agency or any other body which processes personal data on behalf of or at the direction of a data controller or another data processor.

In an ideal situation, these data controllers or data processors should have been on the ground, ensuring that people’s data are protected, but not much can be said about it.

But where is the Bill?

MACRA Communications Manager Zadziko Mankhambo says the draft bill is with the Ministry of Justice.

According to Part III of the Data Protection Bill, it is at MACRA where the principles governing the processing of personal data must be observed through, among others, the data controller or data processor who will be compelled ‘to process data fairly and transparently’.

However, the exceptions are only where the data subject has given and not withdrawn his or her consent; and the data are required for legitimate purposes outlined in the Bill.

The Bill further limits the processing of sensitive personal data, which includes an individual’s biometric data; race or ethnic origin; religious or similar beliefs, such as those reflecting conscience or philosophy; health status; sex life or sexual orientation; political opinions or affiliations; or any other personal data prescribed by the Authority as sensitive personal data according to the bill.

As Malawi joined the rest of the world to commemorate Data Privacy Day, CHRR and DRCo pointed out several gaps and weaknesses in Malawi’s policy and legal frameworks regarding data protection.

“CHRR and the Digital Rights Coalition recognise the threat to the right to privacy as guaranteed under section 21 of the Malawi Constitution. We commend the government of Malawi for taking interest and steps in coming up with the Data Protection Bill 2021,” read part of the statement CHRR Executive Director Michael Kaiyatsa co-signed with DRCo National Coordinator Dennis Mwafulirwa.

The two organisations called on the government to expedite the process of taking the important Data Protection Bill before parliament for debate and passage into law.

Kaiyatsa and Mwafulirwa believe that the government must take steps to sign and ratify the African Union Convention on Cybersecurity and Personal Data Protection, an essential regional instrument for data privacy.

The government and private agencies, they contend, need to amend the Electronic Transactions and Cybersecurity Act 2016 to align it with the provisions of the Constitution as well as regional and international conventions and best practices that promote data privacy and protection.

For the Data Protection Law to be effective, the two gentlemen want the authorities to decentralise and localise complaint redress mechanisms, conduct meaningful civic education on data privacy and protection, develop a digital rights law and policy framework and communicate data privacy policies, commitments, and guidelines.

Kaiyatsa and Mwafulirwa say they consider the promotion and protection of human rights by public and private agencies, when they collect, transfer and use personal data, to be of fundamental significance to sustained development.

CHRR and DRCo believe that with the right attitude, practice and policy frameworks, data privacy and protection can be promoted and protected in Malawi.

Despite all these contributions towards the draft Data Protection Bill, more is needed.

Ministry of Justice Spokesperson Pilirani Masanjala told PIJ they are still working on the Bill.

“It’s a work in progress,” he said. “The aim is that it should be tabled in the next sitting [of Parliament].” 

The draft bill is a legal instrument positioned to ensure that all processing of personal data must adhere to it internationally.

To prevent abuse of position, the draft bill says a data controller or data processor will be required to obtain the consent of a parent or legal guardian where the processing of personal data relates to a person below the age of eighteen.

The bill also requires a data controller and processor to carry out a data protection impact assessment where processing is likely to result in a high risk to the rights and freedoms of a data subject and to notify MACRA of the results.

Personal Data Definition by the Law and The Bill

The Electronic Transactions and Cybersecurity Act defines personal data as any information relating to an individual who may be directly identified, or if not directly identified, may be identifiable by reference to an identification number or one or several elements related to his physical, physiological, genetic, psychological, cultural, social or economic identity.

The definition, however, falls short of defining sensitive personal data, which, to an extent, provides leeway to those in authority to abuse the citizens.

The draft Data Protection Bill, however, defines personal data as any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.

The proposed law has, however, specifically defined what sensitive personal data is.

How Government and the Private Sector Get Personal Data

In Malawi, authorities increasingly require citizens to give up personal information to engage in everyday life. This ranges from getting a national identity card or a travel document and participating in an election to using a mobile phone.

Since 2017, when the Malawi government rolled out nationwide registration, every Malawian aged 16 and above is required to register into the national register and obtain a national identity card.

The issuer of the national identity card is the National Registration Bureau (NRB), which demands information from people if they are to own a card. Such information includes a person’s surname and given names, nationality, date of birth, and place of birth. Data on one’s sex, current residence, height, eye colour, passport number, marital status and parents’ information, as well as biometric information, including all ten fingerprints, a personal photograph and signature, is also mined from applicants.

During the voter registration in the recent elections in Malawi, those who wanted to participate were expected to provide their personal information to the NRB desk at the registration centre.

The national ID process has been tied to several socio-economic functions, including opening a bank account, acquiring employment, and even owning a mobile phone, as it is a requirement to also provide personal information through the national SIM card registration process, which MACRA announced as a mandatory exercise in January 2018.

University of Malawi lecturer Jimmy Kainja, who has extensively researched digital rights, said Malawians were being forced to give away much of their data to private and public institutions when the country did not have a data privacy protection law.

Kainja insists that the country needed a data protection law before Malawians were required to surrender all personal data.

A draft data protection bill was submitted for public comments in February 2021, but it has yet to become law, although the Government promised to accelerate the legislative process in 2022.

Malawi’s Poor Population to Suffer More

Researcher Chisomo Nyemba, in his thesis “Right to data privacy in the digital era: a critical assessment of Malawi’s data privacy protection regime”, observed that the proliferation of information communication technology (ICT) and consequent increase in the processing of personal data threaten the right to data privacy and related human rights.

“Although Malawi has comparatively been slow in ICT growth and usage, personal data is now being collected and processed at an unprecedented scale. The processing of personal data will likely increase as the ICT infrastructure grows and technology becomes more sophisticated,” he observed.

He argued that there is a need to adequately and effectively protect the right to data privacy, particularly for vulnerable people in the digital era. And in the context of Malawi, a developing country currently classified as one of the poorest countries in the world, the risks of infringement of data privacy may be heightened for the poor and vulnerable.

“Further, the poor and the vulnerable may not be able to avert or mitigate against adverse consequences in case of infringements of the right to data privacy,” he said.

Nyemba argues that, despite having laws under which the right to data privacy can be protected, the laws need to be revised and made more effective because of the threats posed by ICT and prevalent vulnerabilities in Malawi.

He said the need to promulgate a more robust, comprehensive, and effective data privacy protection law that adequately considers Malawi’s vulnerabilities is non-negotiable.

—This article on digital surveillance was supported by the Media Policy & Democracy Project, jointly run by the University of Johannesburg and the University of South Africa.