This article was originally published in Issue 2 of Southern Africa Digital Rights, an online publication produced under the project "The African Declaration on Internet Rights and Freedoms: Fostering a human rights-centred approach to privacy, data protection and access to the internet in Southern Africa".
Between June and July 2021, Eswatini experienced political upheaval, largely stemming from multiple governance issues worsened by the impact of COVID-19. The rise of digital media notably exposed societal awareness to the governance flaws within the political system and its leaders.
In Eswatini, two pivotal legislative measures impact internet governance: the Computer Crime and Cyber Crime Act of 2022 and the Data Protection Act of 2022. Enacted in 2022, these laws underwent a consultative phase wherein civil society organizations actively contributed submissions. Notably, these inputs led to revisions in the legislation, which was still in its draft form (Bill) at the time. Concerns loom over potential implications of these statutes, particularly the perceived threat to press freedom and the possible curtailment of social media criticism directed at the government.
The Eswatini Communications Commission serves as the regulatory authority overseeing the communication sector within the country. Its purview encompasses telecommunications, broadcasting, postal services, and the management of radio spectrum frequencies. This mandate is delineated by the Swaziland Communications Commission Act No. 10 of 2013. [1]
The period of unrest witnessed in June-July 2022 prompted the government to issue directives to various service providers – namely, the state-owned Eswatini Post and Telecommunications Corporation, along with private entities MTN Eswatini and Eswatini Mobile – to suspend internet services.
In response to this action, the International Commission of Jurists drafted a letter directed at the CEO of MTN South Africa, urging the resumption of internet services within the affected region. [2]
Prior to that, in October 2021, during a period of protests in Eswatini, the government took measures to restrict access to various social media platforms. This action notably infringed upon the populace's fundamental right to access the internet. Such constraints not only impede the free flow of information but also pose a severe threat to civil society's ability to function openly and engage in free discourse. This imposition undermines the cornerstone of free speech and threatens to constrict the space for open dialogue and the free exchange of ideas, essential elements for an informed and participative society. [3]
Eswatini legislation and policies to ensure privacy and data protection
The Data Protection Act 2022 was passed at a critical time when the use of the internet and digitalisation rate increased in Eswatini. The Data Protection Act is a comprehensive piece of legislation which provides for the collection, processing, and disclosure of personal data. [4] The Act is indicative that the government recognises the importance of data protection and privacy. Furthermore, to ensure this, the Eswatini Communications Commission is charged with regulating adherence to the Act and also has powers to sanction data controllers who breach this law. Section (6) (3) b indicates that the commission can impose administrative fines of up to five million Emalangeni (about USD 268,000) for non-compliance by public or private party. According to the Act, a data controller is a public or private body or any other person designated by law which determines the purpose and method for processing personal information.
The Data Protection Act of 2022 holds significant importance as a legislative framework governing the handling of personal information, particularly in electronic formats, and the cross-border movement of such data beyond Eswatini’s borders. A crucial aspect lies in Section 9(2), emphasizing the necessity of explicit consent from individuals for processing their personal data. However, certain sections, notably Section 36, raise concerns regarding potential interpretations that might encroach upon fundamental human rights, particularly in the context of reasons provided for non-action on filed complaints.
A comprehensive analysis of the Act indicates a balance between its positive and negative aspects. While certain provisions might raise apprehensions about potential rights infringement, the overall implementation of the Act is anticipated to significantly bolster privacy standards and data protection within the nation. The Act, by and large, stands poised to fortify the safeguarding of individuals' privacy and data rights in the country.
Section 44 of the Data Protection Act 2022 constitutes a pivotal aspect addressing unsolicited electronic communications. It grants citizens the right to halt direct marketing activities upon their request, extending to various forms of marketing, inclusive of digital platforms. Notably, individuals reserve the entitlement to lodge complaints regarding such marketing practices, directing these grievances to the Eswatini Communications Commission, which assumes responsibility for addressing and redressing these complaints.
Moreover, a significant provision within this Act pertains to the prohibition of data collection from children. This crucial stipulation serves to safeguard minors by explicitly disallowing the gathering of their personal data without requisite permissions or legal authorisation.
Another imperative measure, amongst many, is section 17 (1) of the Data Protection Act 2022, which addresses notification of security breaches or compromises and states “Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the data controller, or any other third party processing personal information under the authority of a data controller shall notify (a) the commission; and the data subject unless the identity of such data subject cannot be established”. In essence, this means that when a data breach has occurred where one’s data is stored (by a third party, data controller or an entity engaged to store data), one must be notified of such a breach.
The Computer Crime and Cyber Crime Act 2022 compliments the Data Protection Act 2022 in that it criminalises actions intended to manipulate, modify, or destroy data. An illustration is Section 6 of the Computer Crime and Cyber Act which addresses illegal data interference in which it is stated that on conviction, a fine not exceeding five hundred thousand Emalangeni or imprisonment of a period not exceeding three years or both may be applied. [5] The Act also addresses data espionage, illegal system interference, computer related forgery and uttering, cyber terrorism, and many more issues which directly affect data protection and privacy.
The Data Protection Act 2022 encompasses Sections 32 and 33, specifically focusing on the regulation of trans-border movement of personal information outside the territorial bounds of Eswatini. These sections delineate protocols governing the transfer of personal data not only within the Southern African Development Community member states but also with non-member states.
This becomes crucial considering the ubiquitous nature of the internet, facilitating the unintentional transfer of EmaSwati citizens' personal data to foreign jurisdictions.
Similarly, the Computer Crime and Cyber Crime Act 2022 in Section 31 introduces the concept of extra-territorial jurisdiction. In essence, this provision enables the prosecution of individuals for offenses committed under the Act, irrespective of their physical presence within Eswatini's borders. The rationale behind this measure stems from the reality that hackers, operating from abroad, can infiltrate networks, perpetrate cybercrimes, and abscond to other jurisdictions. The evolution of technological landscapes, including the advent of cloud computing and the proliferation of 5G networks, further amplifies the vulnerability to such cyber threats and data breaches.
Hence, advocating for public awareness campaigns centered on digital hygiene and safety assumes paramount importance in mitigating these risks and ensuring the protection of personal information in the digital sphere.
Notes
1 https://www.esccom.org.sz/about/profile
2 https://www.icj.org/wp-content/uploads/2021/07/ICJ-Letter-to-MTN-8.07.21.pdf
3 https://misa.org/blog/restoration-of-internet-and-social-media-services-in-eswatini
4 https://www.esccom.org.sz/legislation/DATA%20PROTECTION%20ACT.pdf
5 https://www.esccom.org.sz/legislation/COMPUTER%20CRIME%20&%20CYBERCRIME%20ACT.pdf