August 30 2013
Draft data protection and privacy legislation is being discussed at a two-day workshop in Swaziland, a small land-locked kingdom in southern Africa. The workshop is hosted by the ministry of information communication and technology, in partnership with the ministry of justice and constitutional affairs, the International Telecommunications Union (ITU), and the European Union.
About 40 participants – mostly from government departments, internet service providers, NGOs, and telecommunications company MTN – attended the workshop.
ITU consultant and University of Swaziland (Uniswa) researcher Gcinaphi Mndzebele, in her presentation on August 28, said one of the “functions” of the proposed data protection law is to establish a data protection authority (DPA).
The draft legislation says no more than seven members will make up the authority. The minister of justice and constitutional affairs will appoint all DPA members, including the chairman and deputy chairman, according to Mndzebele.
This caused some confusion amongst participants, some of whom suggested it might make more sense if the minister of ICT appointed the members of the authority. (The ministry of ICT has been driving the legislative process on cybercrime and data protection.)
The drafters of the legislation — ITU consultants and Uniswa researchers, in consultation with the ministry of ICT and ministry of justice — said they would look into this confusion and try to resolve it.
Moreover, according to the data protection Bill, as it stands, the minister of justice and constitutional affairs shall take advice from the judicial services commission (JSC) when appointing people to the DPA.
The to-be-appointed DPA chairman must be of the same “calibre” as a senior judge, said Mndzebele, referring to the draft legislation. The chairman of the DPA must also hold “requisite academic requirements” and must not have a criminal record.
Mndzebele said whoever is appointed chairman of the DPA will be paid a wage similar to that of a senior judge. She noted that it is “very important” for the members of the DPA to be “knowledgeable of ICT issues”.
During question time, a member of the audience said it seemed like the authority may end up being “controlled by judges”.
The presenters of the draft legislation dismissed this suggestion, saying the independence and quality of the DPA members would be ensured because they would be required to hold appropriate qualifications.
Participants noted that it was difficult to give feedback on the draft provisions because copies of the legislation were not made available to participants before the presentation.
Several questions from the floor focused on how the legislation will ensure the independence of the to-be-established data protection authority (DPA). This question was not settled, and participants seemed concerned that anyone who is appointed to the authority may not be independent in practice.
Several questions also focused on what exactly constitutes a “criminal offence” under the draft law. Audience members gave the example of a high-standing citizen who may be qualified to sit as a member of the DPA, but may be ineligible because he or she was charged under Swaziland’s drink-driving laws.
There was further confusion as to why the ministry of ICT is leading the legislative process, when the minister of justice and constitutional affairs appears to play a lead role in the legislation. A member of the audience suggested this was because the data protection Bill contains “criminal” sanctions.
According to the workshop invitation, issued by the ICT ministry, the two-day program has presentations on “draft laws by international and local experts working under the direction of the International Telecommunications Union (ITU). Included in the suite of laws is cyber crime, electronic transactions and data protection”.
The ministry of ICT says the template for the Swaziland laws is taken from the SADC model cyber security legislation, which is in compliance with the African Union.
In addition to establishing a data protection authority, the proposed law on data protection aims to define “illegitimate and unlawful monitoring of individuals” and to ensure that the free flow of information does not weaken individual privacy.
The August 28 session was held at Sibane Hotel. Day two of the workshop, Thursday 24 August, was held at the Royal Swazi Sun convention centre.
This is the fifth meeting on cybercrime and data protection held in Swaziland this year, according to ITU consultant Kuena Mophete. The next meeting, after this two-day workshop, is scheduled for the end of September, where “technical operations” will be discussed, said Mophete.
The cybercrime workshop, and the whole exercise of importing SADC model laws into local Swaziland legislation, forms part of a regional program known as HIPSSA.
HIPSSA is also referred to as: Support for harmonisation of the ICT policies in Sub-Saharan Africa. According to HIPSSA consultant and ITU consultant Ida Jallow, the program is funded 90 percent by the European Union, and 10 percent by the International Telecommunications Union (ITU). The ITU is the “implementing partner” of the program.
For comments or queries, please contact:
MISA-Swaziland National Director