The Lesotho Communications (Subscriber identity Module and Mobile Device) Regulations, 2021

The Government of Lesotho published new regulations in May 2021 seeking to control the registration of subscribers of telecommunication services utilising SIM cards and mobile devices in Lesotho. The Communications (Subscriber Identity Module and Mobile Device Registration) Regulations, 2021 (the “Regulations“) aims at curbing the inadequate legislation concerning digital growth and security in Lesotho. The objectives of the Regulations are clearly stipulated and although there are some concerns about them breaching and/or violating certain rights and laws, this article aims to extrapolate the Regulations and provide clarity thereto.

It must be noted that these Regulations can be compared to that of the RICA laws in South Africa which regulates the interception of communications and associated processes such as applications for and authorisation of interception of communications. The Lesotho Regulations however, not only regulate SIM cards, they in fact have a broader application in that it requires an individual to register their electronic device.  Interestingly on 3 February 2021, the Constitutional Court of South Africa handed down a judgement maintaining that the RICA legislation is unconstitutional in that it fails to provide adequate safeguards to ‘protect the right to privacy, as buttressed by the rights to freedom of expression and the media, access to courts and a fair trial’.

According to the Regulations in Lesotho,  the regulation and registration of the subscribers of telecommunication services utilising SIM cards and mobile devices in Lesotho is going to be achieved by establishing, controlling, administering, and managing a Central Database. A Central Database is described as subscriber information database, containing the biometric and other registration information of all subscribers. Part II of the Regulations provides for the establishment of the Central Database and provides that the central database shall be segregated across network services in a manner that will ensure easy access to data by authorised persons in respect of subscriber’s information of the different licensees. The Central Database will be the property of the Government of Lesotho however, the management and control of the database shall vest in the Lesotho Communications Authority (the “Authority”).

Section 7 of the Regulations provides that the administration of the central database shall be in accordance with the latest standards issued from time to time by the International Organization for Standardization in relation to security and management of electronic and personal data. Licensees will have a right to use the subscriber’s information on its network but in accordance with applicable laws and the provisions of the license conditions and any other instruments which may be issued by the Authority.

Security agencies will also have access to the subscriber’s information if they furnish a written request to the Authority which clearly stipulates why they require the information and must be from a high ranking official (not below Assistant Commissioner of Police or equivalent in other agencies).

Moreover, the according to the Regulations, the legislation is aligned with the Constitution of Lesotho, and this is evidenced under Regulation 10(1) where it is provided that the rights guaranteed by section 14 of the Constitution are adhered to by availing the information to subscribers. The subscribers are only entitled to the database information regarding their own information only. Such information is held in a strictly confidential manner and an individual cannot have access to it except if it is provided for in the Regulations. Licensees are prohibited from retaining, duplicating and/or making copies of such information for any other purpose except if it is stipulated in the Regulations. The Authority and the licensee shall take reasonable precautions in accordance with international practice to preserve the integrity and prevent corruption, loss or unauthorised disclosure of information obtained pursuant to the Regulations.

The release of information to Security Agents shall be in accordance with the applicable laws and the Regulations and shall be halted if an eminent breach of a Constitutional and/or any other right is witnessed. The subscriber must also issue prior written consent before their information can be obtained from the licensee and it shall not be transferred outside Lesotho without the written consent of the Authority. Furthermore, these Regulations will have to be read in line with the Data Protection Act, 2010 in terms of the processing of personal information pertaining to a data subject.

In light of the above, a subscriber shall be liable for any activities carried out when using a mobile device and SIM card registered in their personal information. Fraud prevention is also stipulated and as such, a licensee is required to compensate a victim of any material loss suffered from fraudulent activity associated with biometric mobile device and SIM registration of which the licensee failed to identify the responsible customers There are also fines and penalties in place for licensees that do not adhere to the Regulations and misuse the subscriber information.

From the aforementioned it seems that the regulations have been passed in order to curb the abuse of the internet by users and provide a stricter cyber law regime. It remains to be seen as to whether Security Agencies will not abuse these regulations and if the Authority will adhere to their Constitutional obligations under which they are required to operate.