Provision of Real-time Lawful Interception Assistance

Constitution of Malawi

The right to personal privacy is guaranteed under section 21 of the Constitution as follows: “every person shall have the right to personal privacy, which shall include the right not to be subjected to – (a) searches of his or her person, home or property; (b) the seizure of private possessions; or (c) interference with private communication, including mail and all forms of telecommunication.” However, Malawi has no law giving effect to the section. 

Electronic Transactions and Cyber Security Act (ETA), 2016

The Electronic Transactions and Cyber Security Act, No. 33 of 2016 (ETA), makes provision for electronic transactions, criminalizing offences related to computer systems and information communication technologies, and regulates online communication and content providers. The ETA also provides for the investigation, collection, and use of electronic evidence. However, the ETA does not provide a specific interpretation for legal interception of communication.

 Modelled on the Southern Africa Development Community  Model Law on Electronic Transactions and Electronic Commerce, ETA defines online public communication as meaning “any transmission of digital data, signs, signals, texts, images, sounds or messages, of whatever nature, that are not private correspondence, by electronic communication means that enable a reciprocal exchange of information between an issuer and the receiver.”’ This includes online content. This Act excludes private communications. 

Disclosure of Communications Data

Electronic Transactions and Cyber Security Act (ETA), 2016

Section 83(1) provides for a lawful search warrant of premises and information systems.  A court, on application by a cyber-inspector, may issue a search warrant in relation to an investigation of a crime While section 83(6) prohibits disclosure of information obtained through search warrants to unauthorized persons.

National Security and Emergency Powers

Malawi Constitution

The Malawi Constitution places limitations on freedom of expression. Section 45(3) provides for the derogation of certain rights during a state of emergency, including freedom of expression, freedom of movement, and freedom of assembly. However, the Malawi Constitution does not give a “blank check”  to state derogation of human rights but only to the extent that such derogation is consistent with the state obligations under International Law; and in the case of war or threat of war, it is strictly applicable to prevent the lives of defensive combatants and legitimate military objectives from being placed in direct jeopardy; or in the case of a widespread natural disaster, it is strictly required for the protection and relief of those people in the disaster.  Further, while section 45(2) gives powers to the President to declare a state of emergency, such a declaration is subject to approval by the Defence and Security Committee of the National Assembly. In addition, under section 45(5), a High Court is competent to hear applications challenging the validity of a declaration of a state of emergency, any extension thereof, and any action taken, including any regulation enacted, under such declaration. 

Data Protection Act, 2024

Sections 19 to  25 of the Data Protection Act provide for rights of  data subject including right to access personal data, right to data portability, right to rectification of personal data, right to erasure of personal data, right to restriction of processing personal data, right to object to the processing of personal data of the data subject at any time, and the right not to be subject to a decision based solely on automated processing of personal data, including profiling, which produces a legal or similarly significant effect concerning the data subject.

However, Section 26 of the Act provides derogations of rights. The rights of a data subject provided under the Act may be restricted where the processing of the personal data of the data subject is for the purpose of— (a) national security, including safeguarding against and the prevention of a threat to national security; (b) the prevention, investigation, detection or prosecution of a criminal offence or the execution of a criminal penalty; (c) pursuing a national economic or financial interest, including a monetary, budgetary and taxation matter; (d) public health; (e) social security; (f) judicial proceedings; (g) the prevention, investigation, detection and prosecution of a breach of ethics for a regulated profession; (h) monitoring, inspection or exercise of a regulatory function by a public authority; (i) protecting the data subject or the rights and freedoms of another natural person; or (j) the enforcement of a civil law claim.

Preservation of Public Security Act, Cap 14:02 

Under Section 3 of the Preservation of Public Security Act, , the Minister has powers to make regulations which include prohibiting the publication and dissemination of any matter that appears to be prejudicial to public security. Section 3 (2) provides that the Minister may, for the preservation of public security by regulations— (a) make provision for the prohibition of the publication and dissemination of any matter which appears to him to be prejudicial to public security and, to the extent which it appears to him to be necessary for that purpose, the regulation and control of the production, publishing, sale, supply, distribution and possession of publications. 

While section 84 prohibits the gaining of unauthorised access to or interception, or interference of data, Section 84(2) gives a minister (Minister of Information and Digitalisation) discretion to come up with specific cases where unauthorized access to or interception of, or interference with, data may be permitted in specific conditions set out in the regulations.

Oversight of the Use of Powers

Data Protection Act, 2024

Section 5 of the Act designates the Malawi Regulatory Authority (MACRA) to regulate the processing of personal data  and oversee the implementation, and enforcement, of the Data Protection Act (DPA). For example, MACRA is responsible for (a) designating a country, region or sector as affording adequate personal data protection standards for cross-border transfer; (b) prescribing and approving standard personal data protection contractual clauses; and (c) issuing compliance orders in cases where DPA is contravened. 

Under Section 8 (1) of the Data Protection Act, a data controller and data processor are under obligation to process personal data lawfully, fairly and in a transparent manner. The processing of personal data shall be lawful if— (a) the data subject provides consent to a data controller or data processor to process the data for one or more specific purposes or, where the data subject has no capacity to provide consent, another natural person who has authority to provide consent on behalf of the data subject provides the consent; or (b) the processing of the data is— (i) necessary for the performance of a contract to which the data subject is a party or, at the request of the data subject prior to the data subject entering into the contract.

Section 9 provides limitations to data access and processing. Thus, a data controller and data processor shall collect personal data for a specific and legitimate purpose and shall not process the data in a manner that is incompatible with the purpose for which it was collected. In addition, a data controller and data processor shall ensure that the appropriate technical or organizational security measures are implemented to guarantee the security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage of the data.

In addition, section 44 of the DPA offers a complaints mechanism for a data subject who is aggrieved by any action or inaction of a data controller or data processor to lodge a complaint, in writing, with the MACRA. MACRA also has powers to initiate investigations against violations. However, persons aggrieved by a decision of the MACRA may, within thirty days of receiving the decision, apply to the high court for review of the decision. 

Electronic Transactions and Cyber Security Act (ETA), 2016

Part VII of ETA provides for data protection and privacy. Section 71(2) of ETA regulates how personal data may be processes as follows: Personal data may be processed only if—(a) the data subject has unambiguously given his consent; (b) the processing is necessary for the performance of a contract to which a data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) the processing is necessary for compliance with a legal obligation to which a data controller is subject; (d) the processing is necessary in order to protect the vital interests of a data subject; (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a data controller or in a third party to whom the data is disclosed; or (f) the processing is necessary for the purposes of the legitimate interests pursued by a data controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. Therefore, no personal data may be collected, processed or stored by a data controller without any freely given consent by a data subject. 

Section 72(1) of the ETA provides for the rights of a data subject. The data subject is entitled to obtain from a data controller, without any constraint or unreasonable delay and at no expense, confirmation of whether or not data relating to them is being processed. The data controller is also mandated to communicate to the subject whether their data is undergoing processing, the purposes of the processing, and the recipients to whom the data is disclosed. Section 72(2) entitles the data subject to object at any time, on legitimate grounds, relating to the processing of data relating to them. Section 72(3) entitles the data subject to obtain from the data controller, as appropriate, the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of the Act, in particular, because of the incomplete or inaccurate nature of the data. Articles 74(1) & (2) provides for security obligations.

Regarding data security provided in section 74, the controller must implement technical and organisational measures to protect personal data against accidents or unlawful destruction of accidental loss, alteration, unauthorised disclosure or access. In particular, where the processing involves data transmission over a network and against all other unlawful forms of processing. In addition to the above safeguard of personal data, section 84 asserts that “A person shall not gain unauthorised access to, or intercept, or interfere with data”, and contravention of this provision attracts a fine of K2,000,000 (US$ 2,000) and imprisonment for five years.

Communications Act No. 34 of 2016

The Communications Act, No. 34 of 2016, was preceded by the Communications Act No. 41 of 1998. The core purpose of this Act is as follows: “provide for the regulation of the provision of services in the electronic communications sector, posts, information society; for the establishment of the Malawi Communications Regulatory Authority, the Malawi Broadcasting Corporation and the Malawi Posts Corporation; and for matters connected therewith or incidental thereto.”  The Act prohibits the unlawful interception of communications regarding the right to privacy.  Section 176 (1) asserts that any licensee operating an electronic communications network or providing an electronic communications service which, other than in the course of its duty, intercepts, interferes with the contents of, or modifies, any message sent as part of the electronic communications service, commits an offence and shall, upon conviction, be liable to a fine of K5,000,000 (US$ 5000) and imprisonment for five years.

Similarly, Section 176(2) of the Act prohibits any person without lawful authority from intercepting, attempting to intercept, or causing any other person to intercept or to attempt to intercept any communications; disclosing or attempting to disclose to any person the contents of any communications, knowingly or having reason to believe that the information was obtained through the interception of any communications. Contravention, upon conviction, is punishable by a fine of K5,000,000 (US$ 5000) and imprisonment for five years.

It is worth noting that there have been some cases regarding potential communications interception, and Malawi is a common law jurisdiction. Kimu v Access Malawi Limited and Others (2011), was a case that resulted after MACRA asked telecommunication companies to provide it with personal call detail records, “including information about who called who, time and duration of such calls, the location where calls were made from, SMSs sent and received and the identity of handsets used.”  Effectively, the court stated that any unauthorized access to personal data by the telecommunication companies would be a “limitation and/or erosion of the right to privacy.” The court concluded that if the telecommunication companies complied with the directive from MACRA they would be in “breach of the plaintiff’s right to privacy as provided for under the Constitution, the Act and the licenses”. The Court added that MACRA’s directive was incapable of passing the human rights limitation test placed under section 44 of the Constitution. The Court also upheld that MACRA and telecommunication companies were under obligation to safeguard the right to privacy as provided under the Constitution, the Act and the operating licenses. Thus, the telecommunications companies did not give MACRA the information.

Censorship-related Powers

The Malawi Constitution 

Sections 34 and 35 of the Malawi Constitution guarantee freedom of opinion and expression. Under section 34, “Every person shall have the right to freedom of opinion, including the right to hold opinions without interference to hold, receive and impart opinions.”  Section 35 is even more explicit: “Every person shall have the right to freedom of expression.”

Electronic Transactions and Cyber Security Act (ETA), 2016

Section 24(1) of the ETA guarantees freedom of online communications, providing that “there shall be no limitation to online public communication.” However, Section 24(2) provides that: “(2) Notwithstanding the provisions of subsection (1), online public communication may be restricted in order to: (a). prohibit child pornography; (b). prohibit incitement of racial hatred, xenophobia or violence; (c). prohibit justification for crimes against humanity; (d). promote human dignity and pluralism in the expression of thoughts and opinions; (e). protect public order and national security; (f). facilitate technical restriction to conditional access to online communication; and (g). enhance compliance with the requirements of any other written law.”

Under Section 31(1), online content providers must display details of the address, email, and phone number for an “editor.” For a legal entity, the Act requires posting of the corporate name, postal and physical address of the registered office, telephone number, email address, authorised share capital, and registration number of the editor. In some cases, the information includes the name of the corporate officer appointed as director of the publication and the editor-in-chief. Online content providers must also provide the name, title, and corporate name, as well as the postal and physical address, of any intermediary service providers they use to have access to communications networks, storage, hosting, or transmission of information by communications networks. Failure to provide the above information is a criminal offence under section 95 of the ETA, punishable by a fine of MK5,000,000 (US$ 5,000 ) or imprisonment for seven years.  

Section 75 of ETA empowers the telecommunications regulator, the Malawi Communications Regulatory Authority (MACRA), to manage the country’s domain space through a Registrar. Among others, the Registrar shall ensure compliance by users with international best practices in the administration of the “.mw” domain name space and any other Malawian names to be used for domain names; publishing guidelines; enhance public awareness on the economic and commercial benefits of domain name registration; and regulate the domain space.

Section 87 of the Act criminalises offensive communications and imposes stiff penalties of 1 million MWK (US$ 1 000) and up to 12 months imprisonment. The Act, however, does not define what constitutes offensive content.

Censorship and Control of Entertainments Act, Chapter 21:01 (CCEA)

The CCEA came into force in 1968. The primary purpose of the Act is to regulate and control the making and the exhibition of cinematograph pictures, the importation, production, and dissemination of undesirable publications, pictures, statues and records, the performance or presentation of stage plays and public entertainments, the operation of theatres and like places for the performance or presentation of stage plays and public entertainments in the interest of safety. 

Section 23(1) of the Act prohibits the importation, publication, distribution, selling or offering of any publication which is “undesirable.” This includes any newspaper, book, periodical, or other printed matter deemed undesirable. According to section 23(2)(b)(iv), a publication may be deemed undesirable if it is likely to be contrary to the interests of public safety or public order. Contravention of this provision is punishable by a fine and imprisonment. Further, under section 24 of the Act, the Board has powers to declare whether or not any publication, picture, statute or record is, in the opinion of the Board, undesirable within the meaning of section 23 (2). Such broad and vague powers are prone to abuse by authorities. 

Oversight of the Use of Powers (Censorship-related)

Section 30 of the CCEA provides for appeals to the Minister within seven days by any person aggrieved against the refusal by the Board or by the Chief Censoring Officer, or any other person duly authorized in that behalf by the Board.  The Minister’s decision is final and not subject to court review.