With the assent of King Mswati III, the Ministry of Information, Communication and Technology (ICT), published its amended Data Protection Act on 4 March.

The Act is meant for the collection, processing, disclosure and protection of personal data; balancing competing values of personal information privacy and sector-specific laws, among others. The regulations of the Act shall primarily be overseen by the Eswatini Communications Commission.

It is intended for two categories: the “data controller”, a public or private body which or any other person designated by law, who determines the purpose of and means for processing personal information. The second is a “data processor”, a natural or legal person who processes personal information for and on behalf of a data controller.

The Commision is meant to administer the Act and protect the respective rights of information provided for under the Act or any other law. The Commission shall engage in ensuring that the processing of personal data by the controller complies to the Act, promote an understanding and acceptance of information protection principles through education and public awareness.

Those who are exempted And then, we are told at least in theory, that the Act does not apply to the processing of personal information, especially in the course solely for “journalistic purposes” or the purposes of artistic or literary expression, where the artistic or literary expression are necessary “to reconcile the right to privacy with the rules governing freedom of expression.”

Unless we’ve forgotten, artistic expressions and journalistic purposes that deviate from praising the narrative of the regime may result to a death sentence or labelled as a “terrorist”. Essentially, you're safe so long as you reconcile with the rules governing freedom of oppression. Perhaps one category of persons that is genuinely exempted from the Act is anyone acting "on behalf of the State and involves national security and defence or public safety."

With well documented evidence showing the erroneous role of the regime in muzzling and surveilling those it deem as threats, particularly those in progressive formations, one wonders to what extent are emaSwati safe so far as this Act is concerned?

In a 2020 report for the Media Policy and Democracy Project authored by Murray Hunter and Admire Mare, titled: Patchwork for Privacy: Mapping Communication Surveillance Laws in Southern Africa, their discovery reaffirm that eSwatini is known for interfering in societal freedoms. They reveal that the regime achieved this through the censorship of the communication industry and high surveillance measures, which have been approved by legal authority.

In a nutshell, this results in a distorted use of the law. ‘Our rights of privacy are being violated’ “Somehow our rights of privacy are being violated and at the same time I feel like they are helpful. I think they are helping us in a way, we might not see it now, but for the future I think it helps,” stresses Celimpilo Dlamini, 29, from Mbabane.

Yuri Lukhele, 26, another permanent resident from the country's capital, says although the regulations have been placed with good intentions to safeguard against fraudulent activity, he too, feels unsafe. “I don’t think it is a good thing that the information is collected without me knowing because truly speaking, I don't know [know for what purpose is] this information is collected,” says Lukhele, adding that when it comes to benefits, the Act benefits both the data controller and data processor, because it helps the data controller track anyone quickly and facilitates work in a much faster way.

Another element that the Act talks about is personal information that is needed for a subscriber to register their sim card. It explains that personal information like one's name, surname, identity number of the person should be necessary and also the country where the passport was published, if it's someone from another country.

It is important, according to the Act, that the information that has been gathered to be stored in a safe and secured storage system. Such information, the Act states, should be well protected from possible intrusions, even if the subscriber has cancelled their contract. Only after five years upon cancellation will the information no longer be valid.

"A licensee shall take all reasonable precautions to preserve the integrity and prevent any corruption, loss or unauthorised disclosure of subscriber information retained and shall take steps to restrict unauthorised use of the subscriber information by its employees who may be involved in capture and/or processing of such subscriber information," states the Electronic Subscriber regulations Act of 2016.

But like any other repressive regimes, spying of people thrive through such Acts. For example, the Subscriber regulations Act of 2016 clearly states, "A licensee shall, on its electronic communication system, record and store: (a) personal information; (b) every MSISDN-number used with every IMEI-number; (c) every IMEI-number used with every MSISDN-number, which shall, on request, be provided to an authorised Security Agency within twelve (12) hours." It adds that such information isn't allowed to be transferred outside eSwatini "except on instruction by an authorised Security Agency."

Mfundo Maseko, 28, who is doing a Diploma in Electrical Engineering at Mangosuthu University of Technology (MUT), worries about the reliability of the security measures that have been placed to protect the information that has been collected. “The only worry I have is that should the information be lost from the database, I would still have to do the very same process,” he says. “When something involves technology you do have a sense of insecurity because in some systems people have access to do whatever they like with their information, so in that sense I believe that I don't have privacy,” explains Maseko.

eSwatini government is thinly provisioned Hunter and Mare's research found that the Communications Act of 2013 gave broad powers to the Commission to seize any data or information from network providers and internet service providers in pursuit of its mandate. While generally this power is enforced through a request for information, non-compliance is an offence.

The Commission is permitted to physically access any premises under its mandate "in situations which present difficulties, and in exceptional circumstances", to inspect or seize documents or data. And quite disturbingly, these search and seizure powers do not require a warrant or judicial approval. “The interception powers of the eSwatini government seem to be nearly as thinly provisioned; in the absence of detailed procedures for interception, the state’s surveillance power is simply written into the legal obligations of network providers. Overlapping and conflicting laws where states do have laws that regulate their surveillance powers, [we] often found a patchwork of overlapping and at times contradictory laws. As a result, safeguards for privacy created in one interception law might easily be circumvented through another,” state Hunter and Mare. The researchers alert us that the information that has been collected from heavy surveillance has been used to abuse power and spy unlawfully. They explain that although certain measures have been placed to protect data, governments like that of eSwatini have had reasons enough to break their own law.

As a citizen from eSwatini, Lukhele fears the strength that the data controller has. “I don't feel very comfortable with this regulation or how they go along with the registration of sim cards because it goes beyond ID numbers, locations and to the extent of taking a picture. It's like having my copy, having the whole of me,” he said.

Magnificent Mndebele is a journalist researching digital surveillance with support from the Media Policy & Democracy Project (MPDP), run by the Department of Communication and Media at the University of Johannesburg.