W7y8w3

• Decree 4506 states that the ATT provides “technicalsupport for judicial investigations” intoICT crimes. It is also tasked with “receivingand treating orders from the judicial authorityto investigate and record ICT-related crimes inaccordance with the legislation in effect.” However,the decree’s language does not ensureindependent judicial control of communicationssurveillance but rather attributes too manyprerogatives to the Ministry of Informationand Communications Technologies. The decreeestablishes the ATT as a “public entity of anadministrative nature” under the aegis of theMinistry of ICTs. Under article 12, the ministryis tasked with appointing the agency’s generaldirectorand department directors. Besides this,the agency is required to carry out “any othermission linked to its activity that it is assignedby the Ministry of Information and CommunicationsTechnology” (article 5). This means thatthe ICT ministry could be involved in issuingsurveillance requests.• The lack of independent oversight mechanismsis also a cause for concern. Decree 4506 establishesan “oversight committee” to “ensure theproper functioning of the national systems forcontrolling telecommunications traffic in theframework of the protection of personal dataand civil liberties.” However, the role of thiscommittee remains unclear. Its board is presidedby the ATT’s general-director and dominatedby representatives from the government ministriesof defence, interior, ICTs, justice and humanrights, which strips it of the required neutralityto carry out any supervisory role.• Decree 4506 does not put in place transparencymechanisms which would reveal to the publicthe scope of the agency’s activities. Article 5only tasks the agency’s general-director withdrafting annual reports to be submitted to theICT ministry.With so many loopholes, the ATT could easilyviolate citizens’ rights, especially without an independentdata protection authority which could actas a guarantee against unchecked and indiscriminatesurveillance.Tunisia does have a data protection authority,the National Authority for the Protection of PersonalData (INPDP), established under the PersonalData Protection Law of 26 July 2004. Establishedin an era of mass surveillance, the authority wasmarginalised and its role was only nominal. Asinterim authorities continue to disregard legalreforms which would guarantee the authority’sindependence from government interference andconsolidate its prerogatives, the INPDP remainspowerless.Under article 78 of the 2004 Personal Data ProtectionLaw, the INPDP is made up of two membersof parliament and government representatives fromthe prime minister’s office and the defence, interior,scientific research, health and ICT ministries.The same law makes state authorities exemptfrom the supervision of and accountability to the IN-PDP. For instance, state bodies are not required tonotify the INPDP or obtain the “explicit and writtenapproval” of data subjects before processing theirpersonal data. Data subjects also cannot file objectionson state authorities’ processing of their datato the INPDP.In 2012 the INPDP announced that it was planningto submit draft amendments 13 to the 2004privacy law to the National Constituent Assembly(NCA). To date, the assembly is yet to debate, letalone adopt, these amendments, which the governmentdoes not consider as “an urgent priority,” 14the authority’s head told Index on Censorship lastJanuary.In addition to a powerless data protection authorityincapable of supervising the country’s newBig Brother, the surveillance laws 15 inherited fromthe dictatorship era, which to this date remain onthe books, are worrisome. For instance, Decree97-501 of 14 March 1997 concerning value-addedtelecommunications services and the Regulationsof 22 March 1997 concerning the specificationsfor setting up and operating value-added internettelecommunications services make internet serviceproviders (ISPs) liable for third-party content, bindingthem to monitor and take down objectionablecontent.Under articles 8 and 9 of the Internet Regulations,ISPs are further required to submit lists oftheir subscribers to the authorities on a monthlybasis and to retain archives of content for up to oneyear. Article 14 of the 2001 TelecommunicationsCode requires telecom networks operators to submita list containing the names, phone numbers andaddresses of their subscribers with the exception ofthose “explicitly refusing the publication” of their13 Abrougui, A. (2012, August 15). New-era privacy law drafted toprotect Tunisians from the surveillance state. Index on Censorship.uncut.indexoncensorship.org/2012/08/tunisia-drafts-new-eraprivacy-law14 Abrougui, A. (2014, January 2). Tunisians cast a wary eye on newcrime agency. Index on Censorship. www.indexoncensorship.org/2014/01/tunisians-cast-a-wary-eye-on-att/15 Article 19. (2013). Tunisia: Background paper on Internetregulation. www.article19.org/resources.php/resource/37135/en/tunisia:-background-paper-on-internet-regulationdetails. Article 87 of the same code bans the useof encryption technologies without the authorities’authorisation.ConclusionsThere is no doubt that a cyber-crime surveillancebody is needed for any country to fight seriouscrimes such as child pornography, fraud and cyberterrorism. However, the creation of such an agencyrequires deep reflection and the participation of allstakeholders, in particular civil society.Tunisia’s setting up of the ATT was a hasty step.The government created the agency by decree andnot by law, which would require a debate at and theapproval of the constituent assembly.In addition, the authorities did not put in placeeffective and sufficient mechanisms and measuresto ensure that any interference with citizens’ communicationsupholds international standards anddoes not infringe on their rights. “Communicationssurveillance should be regarded as a highly intrusiveact that potentially interferes with the rights tofreedom of expression and privacy and threatensthe foundations of a democratic society,” 16 statesa report delivered last year by the United NationsSpecial Rapporteur on freedom of expression andopinion in the wake of the revelations about the USNational Security Agency (NSA).In a statement published on 20 November 2013,the ICT ministry asserted that Decree 4506 does includea “set of guarantees” to “consolidate respectfor human rights, personal data protection, freedomof expression on the internet and the right to accessinformation.” Yet an analysis 17 of the decree provesthe exact opposite. Vague language and a lack ofoversight mechanisms, transparency and independentjudicial control are all menacing Tunisians’rights to privacy and free expression.16 Report of the Special Rapporteur on the promotion and protectionof the right to freedom of opinion and expression, Frank LaRue, to the 23rd session of the UN Human Rights Council, 17April 2013. www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf17 Reporters Without Borders. (2013, December 2). Authorities urgedto rescind decree creating communications surveillance agency.Reporters Without Borders. en.rsf.org/tunisia-authorities-urgedto-rescind-02-12-2013,45531.htmlAction stepsIn late January 2014, Tunisia’s National ConstituentAssembly adopted a constitution guaranteeing privacyrights. Article 24 of the document states that“the state protects the right to privacy, the sanctityof domiciles, the confidentiality of correspondenceand communications, and personal data.”However, these constitutional provisions arepointless as long as the authorities do not initiateserious reforms on communications surveillance.Before rushing to establish a new spying agency,Tunisia’s authorities should have first enactedmuch-needed privacy reforms including:• Amending the 2004 privacy law to consolidatethe role of the INPDP as the country’s data protectionauthority and ensure that the processingand collection of personal data by state authoritiesdoes not go unchecked and unaccountable.• Abolishing or amending Ben Ali-era surveillancelaws.• Abolishing all laws that criminalise free speech,in particular those that criminalise free speechthrough ICTs, namely article 86 of the TelecommunicationCode, which punishes by upto two years imprisonment anyone convictedof “insulting and disrupting the lives of othersthrough public communications networks.”• Signing the Council of Europe’s Convention forthe Protection of Individuals with regard to AutomaticProcessing of Personal Data. 18Though most of the reforms suggested above canonly see daylight after a constitutional court is inplace and only once legislative and presidentialelections due later this year are held, to cut with theabuses of the past, political willingness is equallyessential.18 Council of Europe. (2008). Convention for the Protection ofIndividuals with regard to Automatic Processing of Personal Data.conventions.coe.int/Treaty/en/Treaties/Html/108.htm246 / Global Information Society Watch tunisia / 247