‘MTC must stop biometric data collection’

The former technology adviser to the United Nations and the chairperson of the Payment Association of Namibia’s e-Money Forum, Paul Rowney, wants to know why the Mobile Telecommunications Company (MTC) continues to harvest the biometric data of clients when registering their SIM cards.

He says this cannot be done before legislation regulating the practice is in place.

Rowney advises the government to suspend SIM card registration to ensure a data protection law is in place.

“I would question MTC as to why they are harvesting biometric data and have them delete all the biometric data they have harvested under the pretext of SIM registration, because it was collected under false pretences,” he says.

Rowney suggests that MTC could be using this data in preparation of an application the company plans to launch next year.

“Where is the data protection act before they started this Rica process in the first place?” he asks.

Only 45% of SIM card users have registered with the company, with two weeks until the deadline.

This follows MTC and Telecom Namibia on Friday confirming that the impact of SIM card suspension would make more than a dent in their financial books.

The Communications Regulatory Authority of Namibia (Cran) last year issued a directive stating that telecommunications operators should discontinue capturing clients’ biometric data when registering their SIM cards in the absence of a data-protection legislative framework.

However, MTC ignored this directive and continued offering its biometric process as a condition of service to its customers.

In South Africa, the SIM card registration law is called the Regulation of Interception of Communications and Provision of Communication-Related Information Act (Rica).

Rowney, who has over 30 years of technology experience in the information and communication technology (ICT) sector, believes the government is trying to keep up with other countries.

“You are getting mobile network operators (MNOs) to collect people’s data where we have no legislation in place on how that data is going to be protected.

“If we delayed Rica until we have a data protection act, I don’t think that would have caused any problems in this country,” he says.

The Institute for Public Policy Research (IPPR) has also raised concerns around this collection.

“The regulations for Part 6 of Chapter 5 of the Communications Act of 2009, as well as the further conditions on telecommunications licensees, require operators to collect basic information such as names, dates of birth, addresses and copies of identification documents to register a SIM card.

“There is no mention of biometric information being legally required or necessary for SIM card registration,” the IPPR states in its January blog.

UNINFORMED CONSENT

Rowney also questions MTC’s request for a one-time-pin (OTP) in the registration process, which wants consent for data.

MTC’s message reads: “By providing the OTP to MTC you consent to the processing and storing of your personal data.”

MTC’s legal executive, Patience Kangueehi-Kanalelo says Namibia has no data protection legislation and MTC has aligned this practice with the European Union (EU) General Data Protection Regulation (GDPR).

“… to align ourselves with that and that is why we are asking you, you are giving consent for us to store your personal data. So that is in terms of a law that doesn’t really exist,” she says.

The legal advisor further explained that the personal data information includes name, surname, identification number and residential address.

“All of that is considered personal data. So our request for an OTP is our preparation for when the law is implemented, which we assume will be based on these EU GDPR practices as is the draft that is currently with the parliament,” she says.

The GDPR is an important component of EU privacy and human rights law.

Rowney counters Kangueehi-Kanalelo’s argument, saying the GDPR would require the option to opt out of non-essential data and an explanation as to why certain data is being collected, how it is stored and the right to have it deleted.

MTC was unable to respond to questions around the safety of clients’ data, while confirming that there was a security breach from inside the company.

Kangueehi-Kanalelo has told the media that the company has shared the link for online registration internally, which has led to it being leaked.

She says the system was meant to handle entries by MTC employees as it was a “test”.

Meanwhile, MTC has confirmed that its online registration platform has been compromised.

Rowney believes this leak was MTC being taken to task for harvesting data.

“I think it was not a leak. They got taken to task because they are harvesting biometric data with the online system,” he says.

REVENUE COMPROMISE

Telecom chief executive Stanley Shanapinda says the company currently generates between between N$250 million and N$280 million on an annual basis through SIM card usage.

“And any customer who is not registered come 1 January is going to be too much revenue lost – even from one single customer.

That is why we want to urge our customers,” he says.

Shanapinda says if not all customers get registered it would bite into revenue projections and losses.

“We are not able to calculate those at the moment, but obviously if we know we have got only a 45% rate of registration, 55% we know if we have to cut them off today, we know what that loss would amount to,” he says.

Kangueehi-Kanalelo echoes Shanapinda’s sentiments.

“Naturally it would have a revenue impact and that’s why we are working hard to make sure we are registered. We hope come that date, we will have some consideration for an extension. But obviously it is not in their hands,” she says.

Cran says unregistered numbers would be given to other users after the three-month suspension period.

Cran’s legal adviser, Stanley Kavetu, who was addressing the media on Friday, said during the three-month suspension period, a user’s number will be off, but he or she would still be able to register it.

However, after that, they would lose their number.

Cran indicated that unregistered SIM cards would be suspended if not registered by 31 December.