In 2006, the Council of Europe launched "Data Protection Day" to commemorate the anniversary of the 1981 passage of Europe's data protection bill, "Convention 108". Today, Data Protection Day (also known as "Privacy Day") is celebrated globally to raise awareness about the rights to personal data protection and privacy. In recognition of this day, Open Internet Leader Nashilongo Gervasius examines current gaps in Namibia's data protection environment, and highlights how the COVID-19 pandemic has further put citizens' data and privacy at risk.
Although Namibia is said to be a country where the rule of law is intact, the country does not have a modern data protection and privacy law in place, despite well-publicized instances of both personal and corporate data breaches in the past. Even Article 13 of the constitution, written at the time of Namibia's independence in 1990, remains the only type of privacy guaranteed as of today. This lack of legal framework has led the country to be referred to as "a safe haven for cybercrime," and without a cybercrime law many citizens have fallen victim to online fraud.
The COVID-19 pandemic further highlighted the importance of having an adequate data protection law in place. As the government battled to contain the spread of the virus, it released new guidelines on April 30, 2020, including a provision that required businesses to keep clientele logs to assist with contact tracing. Immediately after the implementation of the guidelines, businesses and public establishments around the country began taking down people's data (including names, national ID numbers and contact information) for contact tracing and surveillance. The guidelines stipulated that this information was to be entered into a customer register at the front of each public establishment. However, without a data protection law in place, there were no corresponding guidelines for how this information was to be managed, stored, and kept confidential, concerns that became more pressing given the urgency in which directives were issued as the pandemic continued to spread.
The public registers were heavily criticized by the media immediately upon implementation. One of the oldest weekly newspapers in the country, the Windhoek Observer, lamented the move saying "Namibia has neither the resources nor capacity for metadata processing." In criticizing the move, the newspaper further wrote that the exercise was intrusive and exposed people to identity theft. Many Namibians listed identity theft as a top concern in the data collection mandated during COVID-19.
For women in particular, the public data collection exercise brings increased risk. The Namibia chapter of the Internet Society has studied how the lack of cybercrime and data protection legislation puts women at risk of violence, and places them in vulnerable positions in cases of non-consensual image sharing, online blackmail, and sexualized hate speech. In early April, one young woman received an unsolicited message as a result of leaving her information at a shop register in Oshana region. The incident made rounds on various social media platforms and its screenshot ended up on many people whatsApp statuses.
While women are at heightened risk of cyber-stalking and harassment after leaving their personal information in these unsecured registers, data privacy breaches pose a risk to everyone. There have been multiple reports of people receiving spam advertisements after leaving their phone numbers in public contact-tracing registers, and in one case, a COVID-19 customer register was stolen from a fish shop.
While the Namibian government's COVID-19 Information Hub does not share personal data, the lack of regulation and training for businesses conducting contact tracing has left individuals vulnerable to privacy violations. Videos that show customer's data have circulated on TikTok and WhatsApp, demonstrating how easy it is for citizens or businesses to access and misuse personal data. There are no standards or requirements for the protection of data at different establishments, and it is easy to scan through peoples' contact details on social media as well as in stores.
Additionally, there is little evidence that health workers, business establishments, and others who are responsible for contact tracing have been trained on best practices for data protection and management by Namibia's statistics agency. As a result, health care workers, businesses, and the public, who lack guidance and awareness about the importance of keeping personal data secure, have been left to manage the data themselves.
The digital and paper systems used to collect information, like the customer registers described above, were developed rapidly and did not consider potential for usage beyond COVID-19 measures. In response to some of these concerns, in September 2020, the government set punitive measures for businesses that do not keep their registers in a safe place, or for people who disclose confidential customer information collected through contact tracing to third parties. But the fate of the data collected after the pandemic is over is still an unanswered question.
As more incidents of data handlers and security guards harassing women emerge, and as people fear that the contact tracing information they leave in public registers will be sold to advertisers or other third parties, the efforts to gather data to contain COVID outbreaks have had the opposite effect: many in Namibia now opt to assume fictitious names when using public registers, which makes effective contact tracing and other public health measures impossible.
Although the Ministry of Information and Communication Technology is in the process of drafting such legislation, COVID-19 has demonstrated an urgent need not only to speed up work on the bill, but to ensure it addresses new data privacy and protection issues uncovered during the pandemic. Any legislation must prioritize public education and awareness on how personal data is collected, stored, disseminated, and secured. A better data protection law in Namibia would not only protect individuals from identity theft and data misuse, but would make COVID-19 contact tracing more reliable and keep communities safe from the virus.