Kristophina Shilongo is a Senior Mozilla Fellow in Tech Policy, focused on national data policies and regulation on the African continent.
If we believe that privacy is culturally and socially articulated differently depending on the context, perhaps Africans should take the lead in conveying our definition of data privacy. To begin, we can develop data protection regulations that respond to the socioeconomic context of specific countries while upholding human rights such as the right to non-discrimination, the right to dignity and to expression. Presently, although some African countries have data protection laws and policies, they may threaten the above-mentioned human rights. In the case of countries like Namibia where data protection laws and supporting digital legislation are newly passed or in drafting stages, it is increasingly important for businesses to adopt data governance standards that respect the privacy of both individuals and communities. These standards should not only protect their own interests but those of their customers too. In balancing business interests with the interests of the public, African or local businesses are likely to help foster innovation and sectoral growth through fair competition.
Namibia’s Draft National Data Protection Bill is yet to be approved by the Cabinet and supporting governance frameworks like the Access to Information Act which was only passed in November 2022. In the absence of the necessary infrastructure and regulating authorities, both the Namibian public sector and an increasing number of private companies have digital databases of citizens’ personal biometric data including facial scans and fingerprints. In some instances, it is mandatory that citizens give up this data to access essential services like telecommunications, banking, and even other financial services like state pension funds. All of this data is collected in the absence of the relevant digital and data protection legislation. The rationale behind why this data is being collected is not enough justification and may have unintended consequences for both the private sector and consumers.
Balancing business and public interests
In a statement released on 13 January 2023, Mobile Telecommunications Company (MTC), one of the leading telecommunications companies in Namibia, announced that it has taken the decision to make biometric authentication a condition for the sale of its services through its Know-Your-Customer (KYC) tool Verifi. Almost 12 months prior to this condition being set in place, a press statement dated 12 January 2021, justified the collection of biometric data as necessary to protect consumer data and restrain identity theft. In both these statements and others analyzed by the company there is an underlying assumption that any technology adopted by the company benefits all customers in Namibia and is in the interest of the public.
MTC and other institutions in Namibia are well within their remit to protect their customers and business interests by reducing fraud or making it convenient for customers to access services through technology upgrades. Choice and meaningful consent are, however, essential foundations for data protection. Therefore, setting up mandatory conditions like biometric authentication should not be permissible for essential services such as telecommunications. Especially not in a small country like Namibia where due to a small number of providers there are very few service alternatives to choose from if people do not like that condition. Additionally, the emergence of digital financial innovations has significantly contributed to financial inclusion in the country, therefore exclusions that require the collection of biometric data without adequate data protective safeguards, are not in accordance with the interests of the public. This is an issue that the Communications Regulatory Authority of Namibia (CRAN) recognized and acted on by issuing a directive that the collection of biometric data should not be mandatory for the registration of sim cards. A directive that MTC has publicly decided to defy.
Choice and meaningful consent are, however, essential foundations for data protection.
Kristophina Kiito Shilongo, Senior Fellow at Mozilla
The collection of biometric data or digital identification etc allows MTC and other institutions to protect their businesses but where does this leave the customer? Who protects the customers against fraud and even discrimination at the hands of institutions or against mishaps resulting from automated systems?
Furthermore, it is important to caution against setting a precedent for data security and the improvement of products or services that require the collection of large amounts of data with no clear legitimate means. Firstly, from a competition and innovation point of view, companies or institutions can easily form partnerships with or sell this data to foreign companies or bigger players which may undercut local competitors who do not have similar data infrastructure. After all, there are no set regulations against the sharing of data whether personal or otherwise in Namibia. Secondly, it is not true that large amounts of data necessarily lead to an improvement in products or services. In fact, it increases the operational costs for companies to manage the data; inevitably leading to high costs of products or services.
Governing data and tech for the interest of the public
True public interest is ensuring that the public can enjoy advancements in technologies at free will. It also enables the public or communities to have access to data for their own benefit, including promoting innovation by small businesses. A necessary public interest is ensuring the public can opt out without risk of exclusion from an essential service, abandoning their right to privacy, or unwillingly participating in activities that extract their data so big tech companies can make billions of US Dollars in profits. Public interest is having mechanisms in place to ensure the protection of personal data but also other sensitive data collected are not exploited by entities for profit. Finally, this nascent stage of data governance formulation offers a unique opportunity for businesses and the private sector at large in Namibia to take the lead in establishing industry guardrails that benefit the public. One tangible example is actively engaging with the government on the development of the draft National Data Protection Bill which promotes innovation and supports industry accountability by protecting human rights.