The Lesotho government has gazetted the Communications (Subscriber Identity Module and Mobile Device Registration) Regulations of 2021, which makes it a requirement for everyone in that country using mobile phones to have their personal information stored with the Lesotho Communications Authority (LCA) and accessed by security agencies with ease without their consent.
The new regulations will see the establishment and maintenance of a database of personal information of all telecommunications subscribers in Lesotho and have it stored in a “Central Database” held by the LCA on behalf of the government of Lesotho.
Furthermore, the new regulations demand that mobile phone users’ biometrics and other personal information be captured, registered and transmitted to the central database at the time they acquire mobile devices, as well as when they activate their sim cards.
Prior to these regulations, security services had to be granted a court order before they could access citizens’ private information.
Security services now only require authorisation from a senior officer, equal to the rank of assistant commissioner of police, to have access to all subscribers’ information from the database.
Diplomats are also not spared by these new regulations.
MISA is worried about these new regulations as they are a blatant violation of the right to privacy.
The new regulations fall far short of regional and international standards and instruments on human rights such as the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention).
The Convention sets the standards for cybersecurity and personal data protection laws as well as capacity building, knowledge exchanges and experience sharing among signatories.
In addition, the regulations contravene Section 14 of the Constitution of Lesotho (1993), which states that:
Every person shall be entitled to, and, except with his own consent, shall not be hindered in his enjoyment of freedom of expression, including freedom to hold opinions without interference, freedom to communicate ideas and information without interference, whether the communication be to the general public or to any person or class of persons, and freedom from interference with his correspondence.
In the promulgation of such laws, MISA reminds Lesotho authorities to be mindful of Principle 41 of the Revised Declaration on Principles of Freedom of Expression and Access to Information in Africa of the African Commission on Human and Peoples’ Rights (ACHPR), which provides as follows:
- States shall not engage in or condone acts of indiscriminate and untargeted collection, storage, analysis or sharing of a person’s communications.
- States shall only engage in targeted communication surveillance that is authorised by law, that conforms to international human rights law and standards, and that is premised on specific and reasonable suspicion that a serious crime has been or is being carried out or for any other legitimate aim.
- States shall ensure that any law authorising targeted communication surveillance provides adequate safeguards for the right to privacy, including:
1. the prior authorisation of an independent and impartial judicial authority
2. due process safeguards
iii. specific limitation on the time, manner, place and scope of the surveillance
- notification of the decision authorising surveillance within a reasonable time of the conclusion of such surveillance
- proactive transparency on the nature and scope of its use; and
- effective monitoring and regular review by an independent oversight mechanism.
In that regard, MISA demands the immediate repeal of the Communications (Subscriber Identity Module and Mobile Device Registration) Regulations of 2021.