In the last three years Malawi government has passed a lot of legislation, among these is the National Registration and Identification System (Nris), which according to National Registration Bureau, is aimed at addressing the lack of universal and compulsory registration – the NRIS allows Malawians to have a national ID.

According to United Nations Development Programme (UNDP – Malawi), one of the main funders of the exercise, 9 million Malawians have registered as of December 1, 2017.This shows that Malawians have generally welcomed the exercise. Meanwhile, the registration in on going all District Offices where anyone turning 16 years can register and have their ID card issued.

Reasons for the general acceptability of the ID registration differ and in absence of any survey it is difficult to generalise the reasons but it can be speculated that among the reasons is that majority of Malawians have no any form of ID to allow them do daily transactions. Majority Malawians do not have a passport or driver’s license and yet advance in technology, mobile banking for example, has increased demand for IDs in the country.

Following the NRIS exercise, the national ID has increasingly become the only form of identification for most public transactions and registrations. In 2018 Malawi government through its telecoms regulator, Malawi Communications Regulatory Authority (MACRA), rolled out mandatory SIM Card registration, which is legislated for in PART XI of Communications Act, 2016. The voter registration for 2019 tripartite elections required the national ID as form of identification; and recently commercial banks in the country have rolled out what they are calling “know your customer” (KYC) exercise, in which clients have to update their personal information with the banks. This time the banks are only accepting the national ID as a form of identity for Malawians, and passport for none Malawians.

This means that in a very short space of time Malawians have given away a lot of their personal data to both private and public institutions; and the data is tied to one’s national ID. This includes communication data through SIM Card enabled communication – internet, text messages and voice calls. But who how safe is this personal data? During the voter registration exercise did we not hear of Malawi Electoral Commission registration kit found abandoned in Mozambique? How do we ensure that our personal data is safe? How can we be sure that no third parties have access to our personal data? Who should be held accountable in case of any data breach?

These are legitimate questions, especially as any breach of personal data has implications on personal privacy. Privacy is inviolable right and it is constitutionally provided for under article 21 of the Malawi constitution. Often people argue that you should not worry about privacy if you have nothing to hide. Yet, privacy does not mean that you have something to hide.

Journalist,Glenn Greenwald observes that privacy is important because we all need places where we can go to explore issue without the judgmental eyes of other people being cast upon us. He argues that their people have all kinds of things they want to keep a secret that have nothing to do with criminality. He adds:

“only in a realm where we’re not being watched can we really test the limits of who we want to be. It’s really in the private realm where dissent, creativity and personal exploration lie… When we think we’re being watched, we make behaviour choices that we believe other people want us to make …it’s a natural human desire to avoid societal condemnation. That’s why every state loves surveillance — it breeds a conformist population.”

In the wake of mass personal data collection, Malawi needs personal data protection legislation; and this legislation should have been in place before the NRIS and what has followed that exercise. Access Now defines personal data as “any information relating to you, whether it relates to your private, professional, or public life.” On the other hand, Access Now defines data protection as “the practices, safeguards, and building rules put in place to protect your personal information and ensure that you remain in control of it.”

Personal data protection is important in order to prevent third parties from accessing personal data and also stopping the authorities abusing personal data that was willingly given, in ‘good faith’.

Personal data protection is crucial for freedom of choice and freedom of expression. People are unable to express themselves freely in the presence of watchful eye on everything that you are doing, browsing on the Internet for example. Inevitably, this has a has chilling effect on activists, human rights defenders, journalists, dissidents and other vulnerable communities as these groups can easily be targeted by both state and non-state actors.

Privacy International observes that SIM card registration undermines people’s ability to communicate anonymously, organise and associate with others; this is an infringement rights to privacy, freedom of expression and freedom of assembly and in absence of personal data protection it also means that our private communication, online and offline can easily be accessed by both state and non-state actors. This has the capacity to facilitate surveillance, which is a gross human rights violation.

Governments usually use security to introduce these laws and this is often enough to convince unsuspected population often unsure about new technologies and their personal safety. Yet, you cannot ensure people’s on one hand while facilitating human rights violations on the other hand. National security and civil liberties can and do coexist and it is the obligation of the state to ensure that this is the case. Personal data protection law in Malawi is long overdue and it need now.

*Note: this article is informed by Internet freedom and digital rights training for CSOs I coordinated and co-facilitated in Lilongwe (30-31stJuly 2019) on behalf of The Collaboration on International ICT Policy in East and Southern Africa (CIPESA