Notwithstanding the intense debates that have greeted the five-year, $89m Ghana-KelniGVG deal, the drama of corruption allegations, threats of legal suits, actual suits, bribery accusations, alleged death threats, the all-too-familiar partisan equalization antics, and personality clashes, is increasingly marginalizing the needed debate on the deal’s implications for data protection and personal privacy. How sure are we that the job of KelniGVG is not going to infringe on personal and data privacy rights? So far, the Government of Ghana’s (GOG) refrain is that the KelniGVG contract takes cognizance of data protection and citizens must be rest assured. The Minister of Communications and her Deputy have even suggested that it is disrespectful to the laws of Ghana for anybody to have data protection and privacy reservations about this deal, ironically. The GOG seems to want citizens to trust KelniGVG and the GOG on the privacy front. Mind you, this is the same GOG brandishing at the doorsteps of telcos, a placard with the words; ‘we trust you but will still verify your traffic.’ Similarly, Ghanaians can trust the GOG and KelniGVG but not blindly.
In the present KelniGVG contract, the former is expected to monitor in real time, the volume of communications and not the content. This is in compliance with the Communication Services Tax (Amendment) Act 864 (7)(6). Positively, the said Act does not just say content must not be monitored but rather that the system being used “shall not have the capability to actively or passively record, monitor, or tap into the content of any incoming or outgoing electronic communications traffic…” In essence, a major hurdle that KelniGVG must pass is to show that although their system can monitor communication volumes in real time, it does not have the capacity to record, tap or monitor the content of phone calls and text messages. A clear public statement on this by the GOG is in order as belief and hope that KelniGVG will only monitor volume is not what the law asks for. If the GOG is confident that KelniGVG passes this requirement, citizens must be made aware so we can share in the GOG’s confidence. The need for this clarity is made more urgent by the fact that Global Voice Group proudly asserts on its parent website that; their Telecom Traffic Monitoring System “structures call detail records and other data records for a number of critical purposes relating to telecommunications including… national security analyses and investigations”.
The failed IPPTM Bill (commonly called the Spy Bill) was to force telcos to put in place real time content monitoring systems to aid the work of National Security and similar agencies. On the back of this history, Ghanaians need to be assured that KelniGVG is not a backdoor replacement for the abortive ‘Spy Bill’. Even where the GOG has not a modicum of intent of using this platform for pursuits unrelated to those specified in the contract, it is important for Ghanaians to know if the GOG has the capacity to detect where KelniGVG on its own, monitors content. Such alertness is made more important in the context of allegations connecting GVG’s systems to some spying episode against Uganda’s presidency in the past. Indeed, it is such a risk that Act 864 (7)(6) seeks to forestall by demanding that the monitoring system does not have the capability to tap, record or monitor content in the first place. Even where KelniGVG is not accessing content, metadata, as research has shown, is as important as actual content, as the former on its own, can be used to reveal one’s personal information. In fact, anonymity is not equal to de-identification. In this sense, not monitoring content does not even mean there cannot be personal and data privacy infringements.
Also, checks on the Data Protection Commission’s (DPC) website by this author on 31st May, 2018 found neither of Kelni, GVG and KelniGVG registered as a Data Controller. A firm accessing tonnes of call detail records allays some fears if it begins by respecting our Data Protection law and registering with the DPC. If it fails to do so, doubts and suspicions automatically will grow. Subah and Afriwave are both registered with the DPC, and as such, it will be strange if KelniGVG does not do same, especially as they will be accessing more data than Subah and Afriwave ever did. Random fact: the African countries that GVG has operated in, unlike Ghana, mostly do not have explicit Data Protection laws in place.
Random fact: the African countries that GVG has hitherto operated in are mostly behind Ghana in terms of democratic credentials. It is a credit to this country if citizens can thoroughly, freely and openly scrutinize a Government’s dealings. IMANI has done well. Without them, there would likely have been no sustained public debate on this deal. The argument that citizens challenging the contract must have been paid by telcos is unfair. Think about it this way: the ramifications of this deal are not only additional tax revenues but also about how little GOG can spend in getting this extra revenue, as well as data and personal privacy concerns. Any Government that sets its sights on legally blocking corporate tax holes should be applauded. Any citizen scrutinizing governmental dealings in favour of a value for money ethos deserves some accolades. Any mobile operating company challenging government policy on the basis of protecting the privacy of the communications of its customers must be appreciated. We just need to find the best middle ground.