Digest: Facial recognition technology and privacy rights
In early April 2018, President Mnangagwa made his first official state visit to China in his current role as president.
While there, his delegation signed a number of agreements meant to strengthen ties between the two countries. Details of what these agreements involve are sketchy; only time will tell how these deals will affect the protection and promotion of fundamental rights in Zimbabwe.
The details of one agreement have, however, been revealed by the Chinese media outlet Global Times. According to the report, the Zimbabwean government seeks to utilise facial recognition technology to improve its law enforcement capabilities and strengthen security in the country. To achieve this, the Zimbabwean government has partnered with a Chinese company, Cloudwalk Technology Co., on a mass facial recognition project. This partnership has huge implications for privacy and data protection in Zimbabwe.
Details of this partnership fit in with reports that China, Iran and Russia are helping the Zimbabwean government to set up a security arm or body with surveillance capabilities similar to those of the United States’ Central Intelligence Agency and the National Security Agency. Facial recognition technology would also work well with the smart cities initiative which was launched in Harare in mid-March, an initiative which the government backed.
Facial recognition technology is technology that learns the unique features of an individual’s face. After enough input, this technology is able to differentiate a specific person’s face from that of another based on the slight differences and unique features of each face.
This technology has found various uses, ranging from identification to security, for example when one uses an image of one’s face to unlock or access a mobile phone. Lately, law enforcement agencies have turned to facial recognition as a tool to identify and keep track of suspects and persons under investigation.
Facial recognition-based systems are convenient, but China has shown how this same technology can be used to suppress people’s fundamental rights. For example, in the southern Chinese city of Shenzhen, facial recognition software is used to shame people guilty of petty crimes such as jaywalking (walking along or crossing a road without paying attention to traffic).
Photographs of pedestrians caught in the act are instantly displayed, with their names and social identification numbers, on LED screens installed at Shenzhen road junctions.
More seriously, facial recognition software is used to enforce China’s recently launched Social Credit System. This is a government rating system where citizens get positive or negative points based on their behaviour. The more negative points an individual earns, the more restrictions are placed on that individual.
Examples of such restrictions include being banned from using aeroplanes or high-speed trains, or even being prohibited from staying in certain parts of a city or province. The government has sole discretion over what counts as positive and negative behaviour. Believe it or not, such ratings can also be earned by cheating during video games or not showing up for restaurant dates or appointments.
Meanwhile, to make their partnership with the Zimbabwean government a success, Cloudwalk Technology Co. will have to develop a facial recognition system that recognises the facial features of Zimbabweans. To do this, the company will have to teach its machinery how to “read” and differentiate between one Zimbabwean face and another.
This is why, as part of this partnership, the Zimbabwean government will have to turn over large amounts of photographic data to the Chinese company. The gathering of this data and its transfer to Cloudwalk Technology Co. raises privacy and data protection concerns.
Section 29 (b) of the Access to Information and Protection of Privacy Act (AIPPA) permits public bodies to collect personal information for the purposes of national security, public order and law enforcement.
However, is this provision wide enough to cover the transfer of facial data in government’s hands to a Chinese private company? This transfer of Zimbabweans’ information also highlights the current lack of laws that regulate the cross-border transfer of Zimbabweans’ data from Zimbabwe to foreign countries such as China. The lack of data transfer laws makes it harder to hold government and foreign entities to account for how they use Zimbabwean data.
Section 57 of the Zimbabwean Constitution guarantees every person’s right to privacy. This also means that every person has a right to have their data adequately protected from abuse and any form of misuse.
Data protection principles dictate that data only be used for the purpose for which it was originally gathered. Facial data, which the government has, may have been collected for purposes of issuing national identity cards, passports, driver’s licenses, and lately during the biometric voter registration exercise.
If government were to turn over the data collected from those activities to the Chinese, would such use be justifiable and still be within the purpose for which it was collected? Would such use still be justifiable in terms of the constitutional right to privacy?
In conclusion, Section 327 (3) of the Constitution states that the Zimbabwean Parliament has a duty to approve international agreements entered into by the Zimbabwean President or with his authority.
MISA-Zimbabwe therefore urges Parliament to consider the privacy and data protection implications of this agreement.
It is imperative to maintain and improve Zimbabwe’s security, but this should not come at the cost of Zimbabweans’ rights to privacy and adequate data protection.
Civil society and citizens in general should monitor such actions and speak against the wrongful use of their data while working towards an effective data protection law that prevents such situations from occurring.
15 Oct 2018