The Tunisian constitution of 2014 enshrines (via Article 24) the protection of privacy at home and in the domains of communications correspondence and personal data. The text itself conforms with European case law, but what about current legislation, its application, and its impact on Tunisians?
A legal framework in need of reform
Although the organic law of 2004 is considered to reflect international standards, it is in need of reforms in three specific areas.
● Independence of the National Authority for Protection of Personal Information (INPDP): The procedures for appointing the members of this organism are ambiguous as is the nature of its current member-base. The selection process is carried out by government officials whose choice of members is formalized by decree. Moreover—and in spite of the fact that the Authority exists under the Ministry of Justice—there are no measures in place to ensure members’ independence from external powers or lobbies.
● Public sector adherence: Tunisian legislation requires actors of the private sector to follow a preliminary declarations procedure in order to use personal information. These same actors must fill out an authorization request for the use of or access to information including health records (which constitute “sensitive information”), and for the transfer of information abroad. The public sector, in contrast, is not subject to any control procedures prior to the treatment of information, with the exception of the Tunisian postal service which voluntarily signed a memorandum of understanding with the INPDP.2 Other public institutions remain silent concerning what they intend to do with citizens’ personal information, whether for the purposes of security, surveillance, or, more worrisome, the project Identifiant Unique du Citoyen.3
Thus the most urgent reforms are to:
● amend the INPDP to ensure its financial and administrative autonomy;
● ensure the independence of its members;
● apply standards and control procedures to the public sector which holds the greatest proportion of personal information.
Key concepts such as “sensitive information” should be better defined in the new draft law. Additionally, it will be necessary to add more restrictive rules governing the use of information in the project Identifiant Unique du Citoyen; in both cases, reforms must adhere to the standards of European case law.4
Reform of the law of 2004 is prerequisite for Tunisia’s adherence the European Council’s Convention 108 concerning the Protection of Individuals with regard to Automatic Processing of Personal Data. As these changes are realized, it will be important to simplify and to effectively communicate procedures —which remain highly bureaucratic— through a single online outlet. If these changes cannot be implemented, it will be worth creating a new authority at the constitutional level that will be independent and driven by the principle mission to regulate the right to privacy.
Enforcing application of the law
During his first public appearance, INPDP president Chawki Gaddes declared his intention to apply the current law and to “render effective the application of penal measures in the law of 2004 against recalcitrant parties.” Gaddes even went so far as to designate a deadline on 30 September 2015.5 With the exception of a handful of actors (private operators, administrations, clinics), there has been little response to the INPDP’s call for compliance.
The protection of personal information, however, represents a comparative advantage for businesses looking to attract investors or grow their client bases. If officials are not yet aware of the importance of consumer confidence, lobbying for this advantage might prove to be more effective than a coercive approach.
Indeed, a participatory process might, for instance, include informative meetings with key actors in the private sector and then those in the public sector; such a strategy could employ an information guide defining procedures, and an online platform where authorization requests and declarations can be submitted. Such measures and many others are likely to encourage concerned actors to adhere to the principle of protecting personal information.
An Ill-adapted outreach approach
Raising public awareness about citizens’ right to privacy, and the discourse and actions undertaken by those who handle private information are currently ill-adapted to the Tunisian context. Like its predecessors, the current government employs a security-driven discourse that emphasizes the fight against terrorism and criminality. Mainstream media has only served to reinforce this vision. Rare are those in the sphere of civil society who have contradicted this fear-based communication strategy to emphasize instead the right to privacy.
Like citizens throughout the world, Tunisians do not bother to read the famous “Conditions of Use” for social media networks, nor do they protect themselves by adjusting the functions provided for this purpose. Furthermore, they share all kinds of information pertaining to lifestyle, the places they frequent, health, and other private and sensitive data. This lack of vigilance on the part of internet users is often justified by the fallacious nothing to hide argument. In the West, this justification has been deconstructed and rejected6 by those who defend the right to privacy.
Faced with biased discourse, a lack of information and awareness, the INPDP is hard-pressed to accomplish its mission. This much was apparent on 22 October 2015, the would-be launching of the Authority’s awareness campaign. An invitation to the event was posted on the INPDP Facebook page7 and officially addressed to designated public authorities including the Technical Telecommunications Agency (ATT), the Tunisian Internet Agency (ATI), and the National Agency for Computer Security (ANSI). After opening statements were made by event organizers, sponsors, and government officials, the INPDP faced a nearly empty conference room to discuss the intrusion of businesses into the private life of citizens8 and the procedures associated with applying the legal framework.9 Even the few media outlets in attendance had little more to relay about the conference than the address of Noomane Fehri, Minister of Information and Communication Technologies, who spoke about the draft law on cybercrime.10
The topic of targeted or mass surveillance carried out by state institutions was avoided, as well as its impact on public confidence and the promotion of innovative technologies. The Authority’s silence on these issues is all the more concerning given that the country’s many years of dictatorship are intimately associated with digital policing. Both the new counterterrorism law11 and Identifiant Unique du Citoyen project12 forebode a precipitous return to former surveillance practices.
The INPDP should have engaged in a partnership with actors of civil society and national media agencies in order to fine-tune its interaction with the public and dissemination of information regarding “the democratic and economic imperative” in the protection of personal information.
Indeed, the INPDP would do well to establish a multi-stakeholder advisory committee composed of experts in the protection of personal information and related domains. Such a committee might assemble civil society representatives and actors from the public and private sectors to develop initiatives to inform internet-users about the importance of encrypting their personal information.