Privacy Under Surveillance: Namibia’s SIM Card Registration and Biometric Data Collection

By: Jessica Uiras

Introduction

Namibia’s mandatory SIM card registration, established under the Communications Act of 2009^[1],was passed to combat identity fraud, enhance national security, and align the country with global telecommunications practices. However, this law has extended into biometric data collection without comprehensive protections, raising significant privacy concerns. Mobile Telecommunication company (MTC), Namibia’s primary telecom provider, now requires citizens to submit fingerprints and facial scans to activate SIM cards, leaving Namibians vulnerable to state surveillance and potential misuse without the security of a dedicated data protection law. The rolling out of sim card registration is happening outside of a data protection law  to protect personal data collected through sim card registration and biometric data collection.This article explores the implications of SIM registration and biometric collection, emphasising the urgent need for stronger data governance policies that align with Namibia’s constitutional and human rights obligations.

SIM Registration as a State Surveillance Tool

1. 1. Government’s Justification for SIM Registration

The Namibian government justifies mandatory SIM card registration as a critical tool for enhancing national security and combating cybercrime. Part 6 of the Communications Act of 2009, titled “Interception and Monitoring of Telecommunications,” provides the legal framework for this policy. It mandates that telecommunications providers collect and retain user information for up to five years, enabling the identification of users and the lawful interception of communications under judicial authority. These measures aim to deter criminal activities such as identity theft and fraud.

The Regulations in Terms of Part 6 of Chapter V of the Communications Act, 2009, gazetted in Government Gazette No. 7481 on 15 March 2021^[2], further enforce the requirements for SIM registration. These regulations obligate service providers to collect detailed customer information, including full names, addresses, and identification numbers, as part of the registration process.

During the launch of the SIM Registration Awareness Campaign, former ICT Minister Dr Peya Mushelenga highlighted that this policy aligns Namibia with over 157 countries implementing similar measures, ensuring compliance with international standards. The policy was also framed as vital for facilitating e-commerce, digital identity, and crime prevention strategies.

While these regulations are positioned as necessary for national security, critics highlight the lack of safeguards to protect citizens’ privacy. The broad powers granted under Part 6 of the Act, including data retention and interception, risk infringing on constitutional rights, particularly in the absence of a comprehensive data protection framework to oversee the use and storage of such sensitive information.

2. 2. Extended Data Retention and Privacy Risks

Under Section 73 of Namibia’s Communications Act of 2009, telecommunications providers are required to collect and retain extensive customer information, including call records, metadata, and other transactional details, for a period of five years. This data retention policy facilitates the identification of telecommunications users and supports law enforcement efforts, particularly in investigating and prosecuting criminal activities. However, the lack of clear data handling standards and oversight mechanisms leaves this sensitive information vulnerable to misuse, abuse, and security breaches.

The practice of long-term data retention creates an environment ripe for mass surveillance, as it enables the government and authorised agencies to monitor individuals’ communications and activities over extended periods. While intended to bolster national security, such measures inherently erode personal freedoms by undermining privacy rights and discouraging free expression.

Without a comprehensive data protection law, there are no established safeguards to prevent the misuse of this retained data or to hold institutions accountable for breaches. This absence not only threatens the confidentiality of private communications but also exacerbates power imbalances, where the state has far-reaching surveillance capabilities with little to no checks in place. For citizens, this means living under the shadow of potential overreach, where every communication is traceable and permanently recorded, irrespective of its relevance to national security.

A better approach would be to implement data minimization principles, retaining only essential data for limited timeframes, and establishing strict accountability and oversight mechanisms to protect individual freedoms while addressing security needs.

Biometric Data Collection and Privacy Risks

1. 1.MTC’s Mandatory Biometric Collection

Although Namibia’s Communications Act does not explicitly require biometric data collection for SIM registration, MTC implemented its Verifi system^[3], mandating the submission of fingerprints and facial scans for all customers. This requirement stems from MTC’s 31 January 2023 press release^[4], which declared Verifi as a mandatory condition for accessing all MTC services. The rationale provided includes combating identity fraud and enhancing the security of SIM registration processes, a measure framed in alignment with the draft Namibian Data Protection Bill and international standards such as the GDPR and the AU Convention on Cybersecurity and Personal Data Protection. However, no specific legislation supports MTC’s mandatory biometric collection, raising concerns about the lack of legal safeguards for protecting such sensitive personal data​

2. 2.Lack of Legal Protections for Biometric Data

Namibia’s failure to enact a comprehensive data protection law leaves a glaring gap in regulatory standards for managing biometric data. This legislative vacuum means entities like MTC are not held accountable for securely storing and responsibly using sensitive data. Biometric data, by its very nature, is particularly vulnerable because it is permanent and irreplaceable unlike passwords or other changeable identifiers. Without stringent safeguards, the unchecked collection and storage of biometric data not only heighten the risk of breaches but also create a fertile ground for surveillance overreach and misuse.

The absence of enforceable legal frameworks undermines individuals’ privacy and erodes public trust in digital governance. Robust data protection measures, including transparency in collection processes, clear limitations on data retention, and mechanisms for oversight, are urgently needed to ensure the responsible handling of such sensitive information. Until these safeguards are in place, biometric data collection in Namibia remains a significant privacy concern.

Implications for Human Rights and Constitutional Privacy

1. 1.Lack of Compliance with Constitutional Protections for Digital Privacy

Article 13 of the Namibian Constitution^[5] guarantees the right to privacy, explicitly protecting individuals from interference with their homes, correspondence, and communications except as prescribed by law and necessary in a democratic society for purposes such as national security or public safety. This provision can be interpreted to encompass digital privacy, placing a constitutional obligation on the state to protect personal data.

The absence of comprehensive data protection laws, however, undermines these constitutional guarantees. While Article 13 provides a strong foundation, the lack of supporting legislation means that privacy rights are left unenforced in practice. For instance, the mandatory SIM card registration process requiring extensive data collection operates in a legal vacuum, leaving users without safeguards against potential misuse or abuse of their data. To comply with the Constitution, Namibia must urgently enact data protection laws that establish clear guidelines on data collection, retention, and use, ensuring compliance with privacy rights guaranteed under Article 13.

2. 2.Chilling Effect on Expression and Confidentiality

Namibia’s SIM card registration requirements^[6], combined with the absence of robust data security measures, pose significant risks to freedom of expression and confidentiality. Part 6, Chapter V of the Communications Act of 2009 mandates that telecom providers retain customer data for up to five years, allowing agencies such as the Namibia Central Intelligence Service (NCIS) to request this data under judicial authorisation. This raises concerns about excessive surveillance, particularly given the lack of transparency in how this data is managed or accessed.

Such a surveillance environment fosters self-censorship, as individuals may refrain from expressing dissenting views or engaging in sensitive communications for fear of being monitored. This chilling effect undermines the democratic principles of free expression. Furthermore, inadequate safeguards for data management also jeopardise the confidentiality required in sensitive professions like journalism, law, and healthcare, where breaches could have serious implications for vulnerable groups.

To mitigate these risks, Namibia must implement oversight mechanisms for data collection and retention, ensuring that access to such data is limited, transparent, and compliant with constitutional and human rights standards.

Conclusion

Namibia has ratified the Malabo Convention^[7] and aims to align with frameworks like the GDPR,^[8] yet without domestication and enforcement, these standards remain a fiction. Countries like South Africa have set strong precedents by implementing data protection laws,^[9] limiting biometric data use and ensuring transparency. Namibia could model similar protections to curb surveillance abuses and build public trust in its digital systems. Namibia’s SIM card registration and biometric data collection policies, implemented without comprehensive data protection laws, expose citizens to privacy violations and unchecked surveillance. Passing the Data Protection Bill^[10] is crucial to safeguard Namibians’ rights and align with international standards. Establishing privacy-centred policies will enable Namibia to secure a balanced digital environment that respects individual freedoms and promotes trust. As such it is recommended that the government enacts a data protection law that protects the right to privacy in line with the Namibia Constitution.

---

^[1] https://www.npc.gov.na/wp-content/uploads/2022/06/Communication-Act.pdf

^[2] Communications Act 8 of 2009 – Regulations 2021-040

^[3] https://www.mtc.com.na/prepaid/verifi

^[4] https://www.mtc.com.na/uploads/press_releases/Press_release_-_Sim_reg_and_Virifi_Update.pdf

^[5] https://www.lac.org.na/laws/annoSTAT/Namibian%20Constitution.pdf

^[6] https://mtc.com.na/sim/sim-registration-en

^[7] https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf

^[8] General Data Protection Regulation (GDPR) – Legal Text

^[9] https://popia.co.za/

^[10] Namibia advances data protection and cybercrime legislation amid rising cyber threats – Innovation Village | Technology, Product Reviews, Business