The object of the Bill is simple – it aims to ensure that ALL SIM cards used in Solomon Islands are registered. The Bill also sets a minimum age for acquiring a SIM card at 15 years old. The Bill compels service providers to each establish and maintain an electronic register of personal identity information for each SIM card they or their agents sell.
In pursuit of its object, the Bill in Clause 4 seeks to amend the Telecommunications Act 2009 by inserting a new Part 11A.
There are a number of issues in the Bill that require the attention of the House.
Firstly, the Bill fails in its primary object to ensure that all SIM cards used in Solomon Islands are registered. In its current form, the Bill only requires new SIM cards bought or issued after the establishment of the registers to be registered. There is no provision in the Bill to require already issued SIM cards to be registered. In that the object is clear that ALL SIM cards are to be registered, I take it that this oversight is the result either of ambiguity in the drafting instructions or laziness in the drafting and proof reading process itself. This oversight also highlights the lack of robustness of government’s internal processes to ensure that Bills that go before Parliament are accurate and complete in representing the policy intentions of government. This is a recurring theme unfortunately. There are a number of points in the internal processes that such a significant oversight should have been picked up and rectified. It is not the role of the Bills’ Committee to rectify government Bills. I urge the government to give attention to this matter to ensure that Bills presented to the House have been through a thorough and robust process. I note the Corrigendum seeks to remedy this oversight.
Secondly, in clause 4 of the Bill under 78A, the definition of “caregiver” read with the definition of “parent” gives a lot of power to a caregiver. This power may become a tool for abuse of minors or persons with disabilities under care. Abuse and exploitation is rife in society and it is important that law does not, by default, put minors or persons with disabilities at a vulnerable position. Although other laws are in place to punish such abuse of vulnerable persons, it is important that we are sensitive and not create avenues that could be used as leverage against vulnerable persons.
Thirdly, 78B(4) sets 5 years as the mandatory minimum period for information to be kept in the register maintained by the service providers. The service provider has the discretion to remove all information that has reached this minimum. It is unclear what the policy benefit is from this choice. This creates the possibility that SIMS that have been on the register for more than 5 years could have their personal identification information removed from the register. It is therefore possible that in the sixth year after registration commences many users will seek to remove their private data from the register, and the service providers would be under no legal compulsion to refuse it. This would seem to me to be counter-productive to the object of the Bill and serves no useful policy purpose. Why should there be a minimum time limit at all? And why is the discretion over this matter given to service providers? Both service providers were bemused by this requirement.
Fourthly, the penalties in 78© are excessive, in light of the Miscellaneous Penalties Act. It is not in sync with the scheme of offences and penalties in our Penal Code. This is also the case with penalties under 78(J) & 78(K). All the penalties in this Bill need to be revised down substantially. In a democracy, it is an important principle that penalties are proportionate to the crime or offence. And the Miscellaneous Penalties Act provides something of a yardstick for what is reasonable in our jurisdiction. It is important that those writing policy are familiar with the penalty scheme in the Miscellaneous Penalties Act and use it as a guide. The reduced penalty proposed in the Corrigendum for a natural person is still too high for the offence. And the penalty for a body corporate is way too excessive for the offence.
Fifthly, in 78(E)(b) where any two forms of ID may be presented to a service provider or agent, there is no requirement that one of those two must be a recent photograph of the applicant for a SIM. The explanation for this was that in rural areas it is not possible to obtain photographic ID. However, this could be a loophole for those wishing to abuse the system. There ought to be a requirement that the service provider or agent take a photo ID of the person to be stored in the register before issuing the SIM. As we know, some people go by various names, and unless tied to a photo ID could be a vulnerability in the register. Such a person should be able to purchase a SIM if vouched for by another who already holds a registered SIM. This is not provided for in the Bill. Conversely, that 78(E)(b) only applies to applicants for SIMs within the geographic vicinity of the issuing office of a service provider or agent. Although this may then consequentially require physical demarcations for each agent’s location, which may be impractical.
Sixthly, the Bill is drafted for natural persons in mind. A company that issues phones to its senior staff as part of their entitlements or work would be forced to register its SIMs under natural persons names not the company name. There is no provision for registration of SIMs under a company or other legally constituted organizations. Furthermore, in such a situation who is liable for offences committed using a company issued SIM? The Corrigendum seeks to remedy this by requiring that a SIM may only be sold to an organization’s authorized officer. However, current practice is that when an employee leaves an organization, the SIM is handed to another employee who takes up the position – so that SIM numbers are tied to positions within the organization to maintain contacts etc. The Corrigendum does not address this.
Seventhly, 78(I) requires users to report the loss of a SIM card to the police. Under 78(I) what happens if the person who lost his or her SIM card fails to report the loss to the police or the service provider/agent? Why is this even necessary? Is this an offence without a penalty? I can’t see why law should require that lost SIMs are reported to the police. What is the police supposed to do with that report? The police is overworked already as it is, without adding more pressure on their workload with matters that are cost inefficient for them to even attempt any work on. On a practical level, I find it a little silly that a person living in Tikopia who loses his/her SIM is required to travel to Lata to file a report with the police. And it isn’t clear what Lata police is expected to then do about it. Of all the countries I have visited that issue registered SIM cards, I cannot remember one that has this requirement. This requirement should be removed from the Bill. All stakeholders asked why this is even necessary. Users may report lost SIM cards to service providers and the lost SIM is deactivated and the number may then be re-issued to the user, if they so wish. But why impose the requirement to report to the police? Surely this is unnecessary. I note there is no penalty for lack of reporting to the police. Were the police consulted on this matter?
Eighthly, the Bill does nothing about protecting the privacy of user information. Clause 4 under the new section 78 K only deals with a service provider or agent or employee or consultant of a service provider or agent. Now that the Bill is compelling individuals to provide their private data, it must also protect that information from hackers, commercial harvesters and other malign actors domestically or overseas. Who is liable when private individual data is harvested from the registers? This is a significant neglect. Once law requires the collection of private individual data in today’s world, the law must also protect that data. This is a new subject for us, and ought to attract excessive penalties. This subject matter has not been dealt with before and therefore not comparable to anything we have in our Penal Code or the Miscellaneous Penalties Act. This is not a matter that could be remedied by Regulations. The Corrigendum does not address it.
Ninth, both service providers expressed regret that the requirements of the Bill will impose significant cost on their operations. Neither were meaningfully consulted so they were not given the opportunity to outline what these costs are and to seek government support. Further, both service providers expressed concern about the administrative burden the bill imposes on their agents, who are by and large general merchants with limited capacity. Again, the lack of meaningful consultations with both service providers meant that these issues were not considered.
Financial institutions were not consulted at all in the processes leading to the Bill. This is a significant omission, given that those offering mobile financial services ought to be important stakeholders in the Bill. This omission is unjustified. The current proposals in the Bill will not add value to current financial services, as a result. This is regrettable in that the Bill represents an opportunity to address bottleneck issues in the sector.
The Bill’s focus seems to be simplistic and targeted at phone calls and text messages that are offensive or criminal. This in itself is not wrong, but it foregoes the opportunity to address other related issues. It also needs to be said that the service providers do not have the technology to store content of voice and text communications. The only real achievement by this Bill is that the call log history can be linked to names on the register. This may be intentional, but it is little gain at a high risk to data privacy.
The Bill does not address cyber-crime and illicit activity, although this was announced by the Minister earlier in the year as one of its benefits. I note the Minister said in his 2nd reading speech that a different Bill will address that.
The register is to be maintained by individual service providers, and the information cannot be shared without a court order. Is there a place for the Regulator to host a centralized register and regulate protocols on and levels of access to information?
In the current proposal, who owns the register? It is maintained by the service providers, but who has ownership control of the data? We read of data harvesting by hackers and sale of data and private information that happens around the world. It was reported last year that a Chinese company harvested data from 40 people in Solomon Islands. This raises the significance of the need for clarity on ownership of the registers and the data they contain.
What rights do users have over their private data? Are users permitted to apply to remove their information once they leave the country, for instance, or no longer need to use a sim card, or have outlived the 5 years minimum requirement that service providers must maintain information on their registers? There is no clarity to these questions in the Bill. This is a direct result of the neglect of a proper legislative review and consultations process.
The minimum age threshold for purchasing a sim ought to be lowered to 15 to allow students and young people to have unimpeded access to the use of SIM cards. There is no justifiable evidence-based reason for the proposal to require adult permission for this age group. Further, those below 15 ought to be allowed access to sim purchase by authority of a parent or guardian.
NPF cards are recognized as proof of identification in the Bill. NPF suggested that perhaps it could also explicitly include NPF YouSave ID cards as well.
BSP and NPF confirm that they currently do not have any issues or problems with persons impersonating others in the identification authentication process. They have not had any ID fraud incidents. Given the current internet & mobile banking protocols, the registration of SIMs will not add value to these. They are already in operation without registered SIMs.
Illegal intercept and back-end operations by systems and equipment vendors are a particular vulnerability identified by service providers to the privacy of user data. The Bill makes no attempt to address this critical vulnerability. This is a the greatest threat to the integrity of our entire telecommunications systems and user data. And because the Bill compels the collection of private data, it naturally creates the need for protection of that data – but the Bill does not do this in its current form. This is a very serious oversight.
Both service providers stated that they were not thoroughly consulted beyond a general introduction to the issues the ministry wanted the Bill to address. This is a terrible neglect of critical stakeholders in the matters that the Bill seeks to address.
The Regulator was not properly consulted as required by the principal Act. He was invited to and attended a public consultation session conducted by the ministry on the early proposals for the Bill. He pointed out that TCSI is the administrator of the Act and ought to be an integral agency in the review of the Act and any reform processes. Why was the TCSI ignored? TCSI was not furnished a copy of the policy document which is the basis of the proposals in this Bill. I have to confirm, the BLC itself was not furnished such a policy document. This is bad governance and practice. Legislation must be based on developed informed policy that has been subjected to robust public and stakeholder consultations. It seems therefore that this Bill is the result of a rush by the ministry to address an issue that is at present and on the face of the evidence a relatively minor issue. Even a cursory reading of sections 5 & 6 of the Telecommunications Act 2009 will reveal the need to properly and thoroughly involve the TCSI in any reforms targeted at the telecommunications sector. There is a justifiable public policy reason for this – to give transparency and certainty to the industry about government policy intentions. So it is clear from this therefore that this Bill is not the result of a proper legislative review process. This is really bad policy making, as it is bad law making.
Let me conclude:
No policy document was issued as the basis for any consultations. None of the stakeholders and witnesses that appeared before the Committee were given the benefit of any policy document. The Telecommunications Commission was not specifically consulted on this Bill. Both service providers were not meaningfully consulted. The financial institutions were not at all consulted. There is broad support for the registration of SIM cards. The Bill compels data collection but offers no protection for the privacy of that data. Nor does it clarify the ownership of the data or the rights of users over their personal data. It is important that these prerequisite processes are fulfilled and all the issues consequential to the registration of SIMs comprehensively given due consideration to avoid a piecemeal approach. That would be good lawmaking practice.
These are some of the concerns raised by the Bills Committee, and which form the basis of its recommendation that the Bill be withdrawn and a genuinely robust consultation process be pursued after policy on these matters have been properly formulated and clearly articulated. Given the current lack of evidence of widespread abuse of SIMs, the government has time to deal with these matters comprehensively. I therefore urge the government to consider the Committee’s recommendation and withdraw the Bill and undertake further work on it.