MASERU – The portfolio committee responsible for information has blocked the tabling of the controversial Communications (Subscriber Identity Module and Mobile Device Registration) Regulations, 2021, for debate in parliament.
The regulations are being made pursuant to Section 55 of the Communications Act of 2012, which states: “The minister may, by notice published in the Gazette, and after consultation with the authority, make regulations for the carrying into effect of the provisions of this Act.” If approved by parliament, the regulatory directives will make it mandatory for all citizens to register their mobile devices and pay an annual fee of M30 for owning a device.
The government believes paying an annual fee for mobile devices is necessary to identify and detect stolen, counterfeited and cloned devices so that such devices can be blocked. But the parliamentary committee has resolved to disallow the regulations and recommended their reassessment by the communications minister, Tšoinyana Rapapa.
The Regulations were tabled in the House by Rapapa’s predecessor, Keketso Sello, on June 3 and, pursuant to its Standing Order No 100 (3), the subordinate laws were referred to the Portfolio Committee on the Prime Minister’s Ministries and Departments, Governance, Foreign Relations and Information Cluster for consideration.
Keketso Sello, without consulting the public, promulgated these regulations which mandate users to register their SIM cards, and requires them to provide a copy of their national identity document and fingerprints for biometric SIM registration.
But the Ministry of Communications was subsequently invited to provide the Committee with the necessary information pertaining to the policy context, financial implications, contents and effects of the Regulations as per Standing Order No 101 (2).
According to the Ministry of Communications the Communications (Subscriber Identity Module and Mobile Device Registration) Regulations, 2021, were intended to, among others, curb criminal activities perpetrated with the use of mobile devices and SIM. The regulations also seek to control the proliferation of counterfeit devices in the market and establish the Central Database where the licensees will be required to transmit all the subscribers’ information.
When enacted, the Regulations would also impose legal obligations on licensees to register the subscribers; stimulate the requirements for registration of different categories of subscribers and curb threats to national security and the harassment of other users of mobile network systems. Views were also invited from stakeholders Vodacom Lesotho and Econet Telecom Lesotho.
The Regulations, in Section 3 state: “These regulations shall apply to a licensee and a user of a mobile device and SIM in Lesotho including corporate, private and commercial subscribers of mobile telecommunications services utilising SIM in the Kingdom of Lesotho.” Section 4 states: “The objectives of these Regulations are to provide; (a) a regulatory framework for the registration of subscribers of mobile telecommunications services utilising SIM and mobile devices in Lesotho, and (b) for the establishment, control, administration and a management of the Central Database.”
The central database will be established and managed by the Lesotho Communications Authority (LCA) and will be linked to the Ministry of Home Affairs’ National Identity and Civil Registry (NICR), allowing service providers to electronically authenticate the fingerprints against the NICR records.
However, following a comprehensive ministerial briefing and stakeholders views the parliamentary committee observed that stakeholders and public consultations are needed to ensure that all stakeholders’ inputs are included in the subordinate law and that the systems testing and readiness ensuring that the central database is envisaged have not been thoroughly considered.
The committee further established that consideration of vulnerable population, informal traders and people with disabilities have not been carefully primed and that the timeframe for registration of SIM and other processes should be reviewed.
Based on the above observations and concerns, the committee resolved to disallow the Regulations. The regulations will make it mandatory for Basotho who watch over-the-top (OTT) video streaming services like Netflix, Amazon Prime Video and others who operate in Lesotho, to pay five percent of their OTT usage to the government.
While the government has not publicly justified why it enacted these regulations, some countries which have similar regulations justify them as an attempt to reign in the ever-increasing incidence of crime facilitated by cell phones.
Locally, some commentators have argued that the ease with which one could acquire, use and dispose of a cellular phone’s SIM card in Lesotho, with little if any trace, provides undetected escape routes for criminals.
By assigning an identity to prepaid devices and tracking their use, these commentators hope it will enable the police and other agencies to curtail criminal activity. However, the regulations have been met with resistance. One of the key concerns among human rights defenders has been the risk of users’ identity particulars falling into wrong hands.
The users’ information, according to the regulations, can be accessed by security agencies; Lesotho Defence Force, Lesotho Mounted Police Service, Lesotho Correctional Services and National Security Services with ease without the user’s consent.
Prior to these regulations, security services had to be granted a court order before they could access citizens’ private information. Now they only require authorisation from a senior officer, equal to the rank of assistant commissioner of police, to have access to all subscribers’ information from the database. At the time of tabling in parliament the Media Institute of Southern Africa (MISA) said in a statement: “MISA is worried about these new regulations as they are a blatant violation of the right to privacy.”
It added: “The new regulations fall far short of regional and international standards and instruments on human rights such as the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention).”
The Convention, according to MISA, sets the standards for cybersecurity and personal data protection laws as well as capacity building, knowledge exchanges and experience sharing among signatories. In addition, MISA continued, the regulations contravene Section 14 of the Constitution of Lesotho of 1993.
The cited section states: “Every person shall be entitled to, and, except with his own consent, shall not be hindered in his enjoyment of freedom of expression, including freedom to hold opinions without interference, freedom to communicate ideas and information without interference, whether the communication be to the general public or to any person or class of persons, and freedom from interference with his correspondence.” MISA demanded the immediate repeal of the regulations.
The committee has similarly recommended that Rapapa should withdraw the Computer Crime and Cybersecurity Bill, 2021, and revisit it. The Bill was tabled before the National Assembly on March 23 by Sello as then communications minister, and the Bill was referred to the Committee for consideration and scrutiny.
In its briefing, the Ministry of Communications had stated that the intention of the Bill is to establish two bodies responsible for management of cyber security in Lesotho, namely; the National Cybersecurity Advisory Council and National Cyber Security Incident Response Team while also providing a legal framework for the prevention of cybercrime and impose penalties thereof.
The Bill further intended to regulate jurisdiction in respect of cybercrime; to provide for mutual legal assistance relating to investigation of cybercrimes; provide for limitation of liability of service providers in that they will not be held liable where their computer systems were used to commit offenses except where the officers are an accomplice to the commission of the crime.
It will also provide for designation and protection of critical information infrastructure. It was also indicated that the Bill seeks to address challenges brought by lack of cyber legislation in Lesotho which led to perpetrators of cybercrime going unpunished.
In addition, the measures were meant to reaffirm the Government of Lesotho’s commitment to respond to a call of the Budapest Convention and African Union on Cybersecurity and Personal Data Protection Convention to enact legislation on cybercrime and cybersecurity, as well as to enact laws that address the prevention of computer crimes, protection of computer crimes, protection of privacy, intellectual property rights and security measures for online transactions.
The Committee observed and is worried that security agencies – LDF, LMPS, NSS and the LCS – were excluded in the formulation of the Bill. Inclusion of media houses and telecommunication agencies is also very crucial in the compilation of this Bill. “All Security Agencies should be an integral part of the cybersecurity management and should be represented in the National Cybersecurity Advisory Council.
The Bill deals with two major sets of crime; computer crime and crime of cyber security. The two sets of crime are comprehensive enough to constitute two legal frameworks; and combination of two sets of crime may lead to a law that is vague and difficult to implement,” reads the Committee’s report in part. The Ministry of Defence and National Security, the Transformation Resource Centre and MISA were invited to present their views as stakeholders.